I need to use the following cmdlets from the Exchange Online PowerShell module with an unattended connection:
- Get-QuarantineMessage
- Preview-QuarantineMessage
- Release-QuarantineMessage
- Export-QuarantineMessage
Following this first documentation https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps, I created an Azure App registration with a self-signed certificate, assigned the "Exchange.ManageAsApp" API permission, then granted consent.
Then I created an Azure Security Group and added my application as a member of this group.
Then I created a Custom Role in Microsoft 365 Defender portal following this documentation:
https://learn.microsoft.com/en-us/defender-for-identity/role-groups
In this role, I added the following custom permission:
- Email quarantine (manage)
- Email advanced actions (manage)
And Read-Only for Raw Data (Email & collaboration)
- And of course, I assigned my group created at step 2 to this new role
All of this allows me to use the first 2 cmdlets without any issue, but I can't get access to Export-QuarantineMessage and Release-QuarantineMessage.
We can list the permissions needed for this cmdlet through these commands (from here: https://learn.microsoft.com/en-us/powershell/exchange/find-exchange-cmdlet-permissions?view=exchange-ps):
PS > $Perms = Get-ManagementRole -Cmdlet Export-QuarantineMessage
PS > $Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-Table -Auto Role,RoleAssigneeType,RoleAssigneeName}

Role           RoleAssigneeType RoleAssigneeName
----           ---------------- ----------------
Security Admin RoleGroup        Organization Management
Security Admin RoleGroup        SecurityAdmins_782500194

Role              RoleAssigneeType RoleAssigneeName
----              ---------------- ----------------
Transport Hygiene RoleGroup        Hygiene Management
Transport Hygiene RoleGroup        Organization Management
I tried this last command:
PS > Add-RoleGroupMember "Hygiene Management" -Member <name of the application created at step 1>
I can see my application as a member if I run:
PS > Get-RoleGroupMember "Hygiene Management"
But I still don't have access to the Export-QuarantineMessage and Release-QuarantineMessage cmdlets.
UPDATE
I tried the following: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#assign-custom-exchange-online-role-groups-to-the-application-using-service-principals
Creating a custom Exchange role group with "Transport Hygiene" + "Security Administrator":
PS > $AadApp = Get-AzureADServicePrincipal -SearchString ""
PS > New-ServicePrincipal -AppId $AadApp.AppId -ServiceId $AadApp.ObjectId -DisplayName "ServicePrincipal For my app"
PS > $SP = Get-ServicePrincipal -Identity "ServicePrincipal For my app"
PS > Add-RoleGroupMember -Identity "<role created at step 1>" -Member $SP.Identity
Without any luck.
UPDATE
Changing my custom Exchange role group to contain only:
- Mailbox Import Export
- Mailbox Search
- MailboxSearchApplication
- Message Tracking
- Transport Hygiene
- View-Only Configuration
- View-Only Recipients
seems to work. I will let the weekend go by to see whether this is not just another change that takes time to replicate on Microsoft's side.
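Added example (not part of the original post): an end-to-end PowerShell script that performs the procedure described above in one pass, with a check at the end that a practitioner would want. It first lets an administrator discover which management roles expose the four quarantine cmdlets, registers the Azure AD application as an Exchange Online service principal, creates a custom role group containing only the role that discovery reported for them ("Transport Hygiene", rather than the broader set in the last update, since "Mailbox Import Export" and "Mailbox Search" are not needed for the quarantine cmdlets), and finally reconnects as the application itself to confirm the cmdlets are actually exposed. Exchange Online only loads the cmdlets a caller's RBAC roles permit, so a cmdlet that does not appear in the app-only session is the most direct evidence that an assignment is missing or has not yet replicated. The tenant name, AppId, certificate thumbprint, service principal object ID, admin UPN and role group name are placeholder assumptions; `-ObjectId` on New-ServicePrincipal is the current parameter name in the module (older versions called it `-ServiceId`, as in the post).

```powershell
# Added example, not the original poster's code. All identifiers below are placeholders (assumptions).
$Organization   = "contoso.onmicrosoft.com"                    # assumption: tenant's initial domain
$AdminUpn       = "admin@contoso.onmicrosoft.com"              # assumption: admin doing the RBAC setup
$AppId          = "00000000-0000-0000-0000-000000000000"       # assumption: app registration (client) ID
$SpObjectId     = "11111111-1111-1111-1111-111111111111"       # assumption: enterprise app (service principal) object ID
$CertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # assumption: self-signed cert thumbprint in CurrentUser\My
$SpDisplayName  = "ServicePrincipal For quarantine automation" # assumption: display name chosen here
$RoleGroupName  = "Quarantine Automation"                      # assumption: custom role group name chosen here

$Cmdlets = "Get-QuarantineMessage", "Preview-QuarantineMessage",
           "Release-QuarantineMessage", "Export-QuarantineMessage"

# --- 1. Administrator session: set up Exchange Online RBAC for the app. ---
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# --- 2. Discover which management roles expose each cmdlet. ---
$RolesPerCmdlet = foreach ($c in $Cmdlets) {
    Get-ManagementRole -Cmdlet $c | Select-Object @{ n = "Cmdlet"; e = { $c } }, Name
}
$RolesPerCmdlet | Format-Table -AutoSize
# Roles common to every cmdlet in the list (least privilege: grant only these).
$CommonRoles = $RolesPerCmdlet | Group-Object Name |
               Where-Object { $_.Count -eq $Cmdlets.Count } |
               Select-Object -ExpandProperty Name
if (-not $CommonRoles) { $CommonRoles = @("Transport Hygiene") }   # fallback: the role reported in the post

# --- 3. Make the application known to Exchange Online RBAC as a service principal. ---
if (-not (Get-ServicePrincipal -Identity $SpDisplayName -ErrorAction SilentlyContinue)) {
    # -ObjectId is the current parameter name; older module versions used -ServiceId.
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName $SpDisplayName | Out-Null
}
$SP = Get-ServicePrincipal -Identity $SpDisplayName

# --- 4. Create (or reuse) a custom role group with only the discovered roles, and add the SP. ---
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $CommonRoles -Members $SP.Identity `
                  -Description "App-only access to quarantine cmdlets" | Out-Null
} else {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $SP.Identity -ErrorAction SilentlyContinue
}

# --- 5. Verify the assignment from the admin side. ---
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Format-Table Role, RoleAssigneeType, RoleAssigneeName -AutoSize
Get-RoleGroupMember -Identity $RoleGroupName
Disconnect-ExchangeOnline -Confirm:$false

# --- 6. Test as the application itself (unattended, certificate-based). ---
# Exchange Online only imports cmdlets the caller's roles permit, so Get-Command is the real check.
Connect-ExchangeOnline -CertificateThumbprint $CertThumbprint -AppId $AppId -Organization $Organization
$Missing = $Cmdlets | Where-Object { -not (Get-Command -Name $_ -ErrorAction SilentlyContinue) }
if ($Missing) {
    Write-Warning "Not granted by RBAC (or not yet replicated): $($Missing -join ', ')"
} else {
    # Smoke test: list a handful of quarantined messages with the app's own permissions.
    Get-QuarantineMessage -PageSize 5 |
        Format-Table Identity, SenderAddress, Subject, QuarantineTypes -AutoSize
}
Disconnect-ExchangeOnline -Confirm:$false
```

Run step 6 again after some time if cmdlets are reported missing right after the role group change: RBAC changes in Exchange Online replicate asynchronously, which matches the waiting period the post describes. Adding the app to the Entra security group is irrelevant to this check; Exchange Online RBAC only recognizes the service principal created with New-ServicePrincipal, which is why membership in "Hygiene Management" by application name alone did not take effect.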