Reputation: 11
Would it be possible for a System Managed Identity to be granted delegate access to certain Office 365 Shared Mailboxes, then query them using Graph API?
I have an Azure Automation runbook running a PowerShell script that has the necessity to access the Calendar contents of such mailboxes.
Since it's a runbook, it runs unattended. I know I could grant Calendars.Read application API permissions, but that would require creating a secret and then setting up an Application Access Policy to prevent the runbook from accessing all the mailboxes across the organization.
Instead of that, it would be beautiful to just grant delegated access to the required mailboxes to the System Managed Identity, just like we can do with normal users, using the Add-MailboxPermission -User <[email protected]> PowerShell command, and access those without any added complexity.
I tried to run the Add-MailboxPermission -User command passing the Object (principal) id (GUID) of the System Managed Identity, but that didn't work.
Upvotes: 1
Views: 1487
Reputation: 16064
I created a web app and enabled system assigned identity:
Check whether the user has a mailbox:
Connect-ExchangeOnline
Get-Mailbox -Identity [email protected]
When I tried to run the Add-MailboxPermission command by passing the ObjectID, I got the same error:
Add-MailboxPermission -Identity [email protected] -User ManagedIdentityObjectId -AccessRights FullAccess
To resolve the error, you need to explicitly create the service principal by passing the ObjectID and the ApplicationID, like below:
Search for the system managed identity's Enterprise application:
New-ServicePrincipal -AppId EnterpriseApplicationApplicationID -ServiceId EnterpriseApplicationObjectId
Now, to add the mailbox permission to the managed identity, copy the ObjectID from the response and pass it in the -User parameter:
Add-MailboxPermission -Identity [email protected] -User ObjectId -AccessRights FullAccess
You can verify by using the command below:
Get-MailboxPermission -Identity [email protected] -User EnterpriseApplicationObjectId
Upvotes: 2
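The procedure from the answer above, written out end to end as an added example (not code from the question or the answer): look up the managed identity's service principal in Entra ID, register it in Exchange Online with New-ServicePrincipal only if it is not already there, grant FullAccess on an explicit list of shared mailboxes, and verify each grant. The automation account name and mailbox addresses are placeholders; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Applications modules are installed and the operator holds the rights to run these cmdlets.

```powershell
# Added example: register a system-assigned managed identity in Exchange Online
# and grant it FullAccess on specific shared mailboxes only.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Applications

$AutomationAccountName = 'my-automation-account'              # placeholder
$SharedMailboxes = @(                                          # placeholders
    'shared-calendar-1@contoso.example',
    'shared-calendar-2@contoso.example'
)

# 1. The managed identity's service principal carries the automation account's name.
Connect-MgGraph -Scopes 'Application.Read.All'
$mi = Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (-not $mi) { throw "No service principal named '$AutomationAccountName' found" }
Write-Host "AppId: $($mi.AppId)  ObjectId: $($mi.Id)"

# 2. Exchange Online has to know the principal before it can be used in -User.
Connect-ExchangeOnline
$exoSp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $mi.AppId }
if (-not $exoSp) {
    New-ServicePrincipal -AppId $mi.AppId -ServiceId $mi.Id -DisplayName $AutomationAccountName
}

# 3. Grant access mailbox by mailbox; nothing outside this list is touched,
#    which is the scoping the question wanted without an Application Access Policy.
foreach ($mbx in $SharedMailboxes) {
    Add-MailboxPermission -Identity $mbx -User $mi.Id -AccessRights FullAccess | Out-Null
}

# 4. Verify: every listed mailbox should now show a FullAccess entry for the identity.
foreach ($mbx in $SharedMailboxes) {
    $perm = Get-MailboxPermission -Identity $mbx -User $mi.Id
    if ($perm -and ($perm.AccessRights -contains 'FullAccess')) {
        Write-Host "OK   $mbx"
    } else {
        Write-Warning "MISSING permission on $mbx"
    }
}
```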