Usage

```sh
m365 exo approleassignment add [options]
```

Description

Grants permissions to an application that accesses data in Exchange Online and specifies which mailboxes the app can access.

Options

Option | Description
--- | ---
`--roleDefinitionId [roleDefinitionId]` | Id of a role to be assigned. Specify either `roleDefinitionId` or `roleDefinitionName`, but not both.
`--roleDefinitionName [roleDefinitionName]` | Name of a role to be assigned. Specify either `roleDefinitionId` or `roleDefinitionName`, but not both.
`--principalId [principalId]` | Id of a service principal to which the assignment is granted. Specify either `principalId` or `principalName`, but not both.
`--principalName [principalName]` | Name of a service principal to which the assignment is granted. Specify either `principalId` or `principalName`, but not both.
`--scopeUserId [scopeUserId]` | Id of a user to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeUserName [scopeUserName]` | UPN of a user to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeGroupId [scopeGroupId]` | Id of a group to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeGroupName [scopeGroupName]` | Name of a group to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeAdministrativeUnitId [scopeAdministrativeUnitId]` | Id of an administrative unit to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeAdministrativeUnitName [scopeAdministrativeUnitName]` | Name of an administrative unit to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeCustomAppId [scopeCustomAppId]` | Id of a custom application scope to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeCustomAppName [scopeCustomAppName]` | Name of a custom application scope to which the assignment is scoped. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.
`--scopeTenant` | Specify whether the tenant-wide scope is applied. Specify either `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, `scopeAdministrativeUnitName`, `scopeCustomAppId`, or `scopeCustomAppName`, but not multiple.

Alternate options

Option | Description
--- | ---
`-s, --scope <scope>` | Allowed values: `tenant`, `administrativeUnit`, `group`, `user`, `custom`.
`--userId [userId]` | Specify either `userId` or `userName` when `scope` is set to `user`.
`--userName [userName]` | Specify either `userId` or `userName` when `scope` is set to `user`.
`--groupId [groupId]` | Specify either `groupId` or `groupName` when `scope` is set to `group`.
`--groupName [groupName]` | Specify either `groupId` or `groupName` when `scope` is set to `group`.
`--administrativeUnitId [administrativeUnitId]` | Specify either `administrativeUnitId` or `administrativeUnitName` when `scope` is set to `administrativeUnit`.
`--administrativeUnitName [administrativeUnitName]` | Specify either `administrativeUnitId` or `administrativeUnitName` when `scope` is set to `administrativeUnit`.
`--customAppScopeId [customAppScopeId]` | Specify either `customAppScopeId` or `customAppScopeName` when `scope` is set to `custom`.
`--customAppScopeName [customAppScopeName]` | Specify either `customAppScopeId` or `customAppScopeName` when `scope` is set to `custom`.

Examples
Assign a role specified by id to a service principal specified by id and scope the assignment to the whole tenant
Assign a role specified by id to a service principal specified by id and scope the assignment to a user specified by id
Assign a role specified by name to a service principal specified by name and scope the assignment to a group specified by name
Assign a role specified by name to a service principal specified by id and scope the assignment to an administrative unit specified by name
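As an added example (not part of the spec above or of the CLI for Microsoft 365 code base), the following bash wrapper assembles the `m365 exo approleassignment add` command line for scenarios like the four listed above and enforces the spec's own "but not both" / "but not multiple" rules before anything is sent to the tenant. Printing the command instead of running it lets an admin confirm that the scope is as narrow as the workload needs (a group or administrative unit rather than `scopeTenant`) and keep the reviewed line as a change record. All GUIDs, role names and principal names in it are constructed placeholders, not real tenant objects.

```bash
#!/usr/bin/env bash
# Added example; not code from the CLI for Microsoft 365 spec or project.
# build_assignment takes the options documented in the spec and checks:
#   - exactly one of --roleDefinitionId / --roleDefinitionName
#   - exactly one of --principalId / --principalName
#   - exactly one scope option (--scopeTenant, --scopeUserId, ... --scopeCustomAppName)
# On success it prints the full m365 command (values single-quoted for review)
# and returns 0; on a rule violation it prints a reason to stderr and returns 1.
build_assignment() {
  local role=0 principal=0 scope=0 args=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --scopeTenant)
        # flag option: no value follows
        scope=$((scope + 1)); args="$args $1"; shift; continue ;;
      --roleDefinitionId|--roleDefinitionName) role=$((role + 1)) ;;
      --principalId|--principalName) principal=$((principal + 1)) ;;
      --scopeUserId|--scopeUserName|--scopeGroupId|--scopeGroupName|\
      --scopeAdministrativeUnitId|--scopeAdministrativeUnitName|\
      --scopeCustomAppId|--scopeCustomAppName) scope=$((scope + 1)) ;;
      *) echo "build_assignment: unknown option $1" >&2; return 1 ;;
    esac
    # every option other than --scopeTenant takes a value
    [ $# -ge 2 ] || { echo "build_assignment: missing value for $1" >&2; return 1; }
    args="$args $1 '$2'"
    shift 2
  done
  [ "$role" -eq 1 ] || {
    echo "build_assignment: specify exactly one of --roleDefinitionId / --roleDefinitionName" >&2
    return 1
  }
  [ "$principal" -eq 1 ] || {
    echo "build_assignment: specify exactly one of --principalId / --principalName" >&2
    return 1
  }
  [ "$scope" -eq 1 ] || {
    echo "build_assignment: specify exactly one scope option (scopeTenant, scopeUserId, scopeUserName, scopeGroupId, scopeGroupName, scopeAdministrativeUnitId, scopeAdministrativeUnitName, scopeCustomAppId, scopeCustomAppName)" >&2
    return 1
  }
  echo "m365 exo approleassignment add$args"
}

# Demo with constructed placeholder values (not real roles, apps or groups):
# a role by name, a service principal by name, scoped to one group by name.
build_assignment --roleDefinitionName 'Example.Role' \
  --principalName 'example-mail-reader-app' \
  --scopeGroupName 'Finance Mailboxes'

# Tenant-wide scope combined with a group scope violates "but not multiple";
# the wrapper refuses to build the command.
if ! build_assignment --roleDefinitionName 'Example.Role' \
     --principalName 'example-mail-reader-app' \
     --scopeTenant --scopeGroupName 'Finance Mailboxes'; then
  echo "rejected as expected"
fi
```

The printed line can be pasted into a shell after review, or piped to `sh` in an automation step once the scope has been approved; values that contain single quotes would need additional escaping, which the wrapper does not attempt.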
Default properties
No response
Additional Info
Exchange Online RBAC is an alternative to application permissions for accessing mailboxes, one that does not require an application access policy for specific mailboxes to be configured via Exchange Online PowerShell.
It simplifies the whole process: an admin no longer has to use Exchange Online PowerShell to configure an application access policy.
https://learn.microsoft.com/graph/api/rbacapplication-post-roleassignments?view=graph-rest-beta&tabs=http#example-5-create-a-role-assignment-for-exchange-online-provider-with-administrative-unit-scope
https://learn.microsoft.com/graph/api/resources/customappscope?view=graph-rest-beta
https://learn.microsoft.com/exchange/permissions-exo/application-rbac#supported-application-roles
I will work on this