Tags: azure-active-directory, azure-automation, azure-managed-identity, microsoft-entra-id, exchange-online

List Managed Identities that have access to the ExchangeOnline.ManageAsApp API


I have a couple of Azure Automation runbooks that update Dynamic Distribution Lists. To make this work, I gave the Azure Automation System-Assigned Managed Identity permissions to access and make changes to Exchange Online using the steps here: https://learn.microsoft.com/en-us/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps#step-4-grant-the-exchangemanageasapp-api-permission-for-the-managed-identity-to-call-exchange-online. These runbooks work as designed.

I'm in the process of developing more automation using a separate Automation account and Managed Identity. I want to confirm the Managed Identities that have access to Exchange Online. How can I list which Managed Identities have access to Exchange Online? I've tried Get-MgServicePrincipalAppRoleAssignedTo, but this only lists Entra ID Enterprise and Registered Apps, not Exchange Online.

Similarly, is there a way to list all permissions and roles assigned to an Azure Automation Managed Identity? I granted a new Managed Identity the User Management role in Entra ID, but this does not show up under the Managed Identity, although the Managed Identity is listed under the individual roles.


Solution

  • I enabled system managed identity for the Automation account and granted Exchange API permissions:

    $AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"
    $ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
    $MI_ID = "ManagedIdentityServicePrincipalObjID"
    
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID -AppRoleId $AppRoleID -ResourceId $ResourceID
    

    To get the permissions assigned to the managed identity, use the command below:

    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId ManagedIdentityServicePrincipalObjID | select -Property Id, AppRoleId, PrincipalDisplayName
    

    To list the managed identities with Exchange API permissions (Office 365 Exchange Online permissions), use the code below:

    # Define the Office 365 Exchange Online ResourceId
    $ExchangeOnlineResourceId = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id

    # Retrieve all managed identities
    $ManagedIdentities = Get-MgServicePrincipal -Filter "ServicePrincipalType eq 'ManagedIdentity'"

    # Iterate over each managed identity
    foreach ($ManagedIdentity in $ManagedIdentities) {
        $ServicePrincipalId = $ManagedIdentity.Id
        $AppRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId
        $ExchangeOnlinePermissions = $AppRoleAssignments | Where-Object { $_.ResourceId -eq $ExchangeOnlineResourceId }
        if ($ExchangeOnlinePermissions) {
            Write-Output "Managed Identity $($ManagedIdentity.DisplayName) (ID: $($ManagedIdentity.Id)) has Office 365 Exchange Online permissions:"
            $ExchangeOnlinePermissions | Select-Object -Property Id, AppRoleId, PrincipalDisplayName
            Write-Output ""
        }
    }
    

    I assigned the User Administrator role to the managed identity:

    To retrieve the roles, use the script below:

    # Transitive role assignments (beta) also include roles inherited through group membership
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq 'ManagedIdentityServicePrincipalObjID'"
    $method = 'GET'
    # ConsistencyLevel: eventual is required for $count / advanced query parameters
    $headers = @{ 'ConsistencyLevel' = 'eventual' }

    $response = (Invoke-MgGraphRequest -Uri $uri -Headers $headers -Method $method -Body $null).value
    $response
    

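As an added example that is not part of the original answer, the following PowerShell combines the two checks above into a single audit: it resolves each Exchange Online AppRoleId to its readable value from the resource service principal's own AppRoles (so the output reads Exchange.ManageAsApp rather than a GUID) and lists the directory roles each such managed identity holds. It assumes the Microsoft.Graph module and a session with Application.Read.All and RoleManagement.Read.Directory; only direct role assignments are shown, whereas the beta transitiveRoleAssignments query in the answer also covers roles inherited via groups.

```powershell
# Added audit example (not the original answer's code).
# Assumes: Microsoft.Graph module installed; scopes below granted to the signed-in account.
Connect-MgGraph -Scopes "Application.Read.All", "RoleManagement.Read.Directory" -NoWelcome

# Well-known AppId of the Office 365 Exchange Online resource (same value as in the answer)
$exo = Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"

# Build a GUID -> name lookup from the resource's published app roles, so the
# Exchange.ManageAsApp role id does not have to be hard-coded.
$roleNames = @{}
foreach ($r in $exo.AppRoles) { $roleNames[[string]$r.Id] = $r.Value }

$report = foreach ($mi in Get-MgServicePrincipal -Filter "ServicePrincipalType eq 'ManagedIdentity'" -All) {
    # Keep only app role assignments whose resource is Exchange Online
    $exoAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
        Where-Object { $_.ResourceId -eq $exo.Id }
    if (-not $exoAssignments) { continue }

    # Direct directory role assignments for this principal (v1.0 endpoint; not transitive)
    $dirRoles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($mi.Id)'" -All |
        ForEach-Object {
            (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
        }

    [pscustomobject]@{
        ManagedIdentity  = $mi.DisplayName
        ObjectId         = $mi.Id
        ExchangeAppRoles = ($exoAssignments | ForEach-Object { $roleNames[[string]$_.AppRoleId] }) -join ', '
        DirectoryRoles   = ($dirRoles -join ', ')
    }
}

# One row per managed identity that can call Exchange Online as an app
$report | Format-Table -AutoSize
```

Run this periodically and diff the output against the previous run; a new row, or a new entry in DirectoryRoles, is the change to investigate.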