Tags: powershell, exchange-server

How can I assign an Exchange Online role group to a registered app


Backstory
I registered an app in Azure AD with an app secret and a certificate to login. I assigned the permission "Exchange.ManageAsApp" to the app, but still I cannot add group members to groups where the app is not owner. This can usually be mitigated by using the parameter "BypassSecurityGroupManagerCheck". But this parameter needs the Exchange role "Security Group Creation and Membership".

Question

How can I assign an Exchange Role Group (containing the role "Security Group Creation and Membership") to a registered app?


Solution

  • Most probably I'm stating the most obvious stuff here, but just for another beginner who stumbles across this problem like I did, here is the solution:

    To be able to add an app to an Exchange role group you need to create a service principal for the app in Exchange Online.

    Creating a service principal is as easy as calling a PowerShell command:

    Connect-ExchangeOnline
    New-ServicePrincipal -DisplayName "<Name of the App>" -AppId <Application (client) ID> -ServiceId <Object ID>
    

    The display name can be anything, but I'd recommend using the name of the app. The other two values can be easily found in the app registration in Azure Active Directory.

    After registering the service principal you can assign this principal to any role group by simply using the command:

    Add-RoleGroupMember -Identity "<Name of role group>" -Member <Application (Client) ID>
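
As an added example (not code from the original answer), the following PowerShell script automates the steps above end to end and keeps the grant narrow by placing the single role in a dedicated custom role group instead of a broad built-in one. It assumes the ExchangeOnlineManagement module is installed, that the value passed to -ServiceId is the Object ID of the app's service principal (the Enterprise application entry, which differs from the app registration's Object ID), and that the role group name and parameter names are placeholders of my choosing.

```powershell
# Added example: register an app's service principal in Exchange Online and grant it
# only "Security Group Creation and Membership" through a dedicated role group.
# All parameter values are placeholders for your tenant.
param(
    [Parameter(Mandatory)] [string] $AppId,                     # Application (client) ID
    [Parameter(Mandatory)] [string] $ServicePrincipalObjectId,  # Object ID of the service principal (Enterprise application)
    [Parameter(Mandatory)] [string] $DisplayName,               # e.g. the app's name
    [string] $RoleGroupName = 'App Group Membership Managers'   # assumed custom role group name
)

Connect-ExchangeOnline -ShowBanner:$false

# Least privilege: a dedicated role group holding only the role the app needs,
# rather than adding the app to a broad built-in group such as Organization Management.
$roleGroup = Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue
if (-not $roleGroup) {
    $roleGroup = New-RoleGroup -Name $RoleGroupName `
        -Roles 'Security Group Creation and Membership' `
        -Description "Lets app '$DisplayName' manage group membership via -BypassSecurityGroupManagerCheck"
}

# Create the Exchange Online service principal only if it does not exist yet.
$sp = Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ServiceId $ServicePrincipalObjectId -DisplayName $DisplayName
}

# Add the service principal to the role group; the cmdlet errors if it is already a member.
try {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $AppId -ErrorAction Stop
} catch {
    Write-Warning "Add-RoleGroupMember: $($_.Exception.Message)"
}

# Verify what the app can now do: roles assigned to the group and its current members.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName | Select-Object Role, RoleAssigneeName
Get-RoleGroupMember -Identity $RoleGroupName | Select-Object Name, RecipientType

Disconnect-ExchangeOnline -Confirm:$false
```

Review the Get-RoleGroupMember output periodically; any service principal that appears in a role group is an identity that can change group membership without an owner check, so it should be tracked like an admin account.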