List Managed Identities that have access to the ExchangeOnline.ManageAsApp API
I have a couple of Azure Automation runbooks that update Dynamic Distribution Lists. To make this work, I gave the Azure Automation System-Assigned Managed Identity permissions to access and make changes to Exchange Online using steps here; https://learn.microsoft.com/en-us/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps#step-4-grant-the-exchangemanageasapp-api-permission-for-the-managed-identity-to-call-exchange-online. These runbooks work as designed.
I'm in the process of developing more automation using a separate Automation account and Managed Identity. I want to confirm the Managed Identities that have access to Exchange Online. How can I list which Managed Identities have access to Exchange Online? I've tried Get-MgServicePrincipalAppRoleAssignedTo, but this only lists Entra ID Enterprise and Registered Apps, not Exchange Online.
Similarly, is there a way to list all permissions and roles assigned to an Azure Automation Managed Identity? I granted a new Managed Identity the User Management role in Entra ID, but this does not show up under the Managed Identity, but the Managed Identity is listed under the individual Roles.
I enabled system managed identity for the Automation account and granted Exchange API permissions:
$AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"
$ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
$MI_ID = "ManagedIdentityServicePrincipalObjID"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID -AppRoleId $AppRoleID -ResourceId $ResourceID
To get the permissions assigned to managed identity, make use of below command:
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId ManagedIdentityServicePrincipalObjID | select -Property Id, AppRoleId, PrincipalDisplayName
To list the managed identities with Exchange API permissions/Office 365 Exchange Online permissions, make use of below code:
# Define the Office 365 Exchange Online ResourceId
$ExchangeOnlineResourceId = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
# Retrieve all managed identities
$ManagedIdentities = Get-MgServicePrincipal -Filter "ServicePrincipalType eq 'ManagedIdentity'"
# Iterate over each managed identity
foreach ($ManagedIdentity in $ManagedIdentities) {
$ServicePrincipalId = $ManagedIdentity.Id
$AppRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId
$ExchangeOnlinePermissions = $AppRoleAssignments | Where-Object { $_.ResourceId -eq $ExchangeOnlineResourceId }
if ($ExchangeOnlinePermissions) {
Write-Output "Managed Identity $($ManagedIdentity.DisplayName) (ID: $($ManagedIdentity.Id)) has Office 365 Exchange Online permissions:"
$ExchangeOnlinePermissions | Select-Object -Property Id, AppRoleId, PrincipalDisplayName
Write-Output ""
}
}
I assigned User administrator role to the Managed identity:
To retrieve the roles, make use of below script:
$response = $null
$uri = "[https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId](https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId "https://graph.microsoft.com/beta/rolemanagement/directory/transitiveroleassignments?`$count=true&`$filter=principalid") eq 'ManagedIdentityServicePrincipalObjID'"
$method = 'GET'
$headers = @{'ConsistencyLevel' = 'eventual'}
$response = (Invoke-MgGraphRequest -Uri $uri -Headers $headers -Method $method -Body $null).value
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200