|
1 | 1 | --- |
2 | 2 | title: App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell |
3 | | -ms.author: chrisda |
4 | | -author: chrisda |
5 | | -manager: orspodek |
6 | | -ms.date: 12/05/2025 |
| 3 | +ms.date: 02/27/2026 |
7 | 4 | ms.audience: Admin |
8 | 5 | audience: Admin |
9 | 6 | ms.topic: article |
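Review bot: The `ms.author`, `author`, and `manager` front-matter keys are deleted with no replacement alongside the `ms.date` bump to 02/27/2026; if the docs repo's metadata checks require an owner on every article, either keep those three keys or state in the commit description why they were dropped.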
@@ -167,9 +164,7 @@ For a detailed visual flow about creating applications in Microsoft Entra ID, se |
167 | 164 |
|
168 | 165 | 4. [Attach the certificate to the Microsoft Entra application](#step-4-attach-the-certificate-to-the-microsoft-entra-application) |
169 | 166 |
|
170 | | -5. [Assign Microsoft Entra roles to the application](#step-5-assign-microsoft-entra-roles-to-the-application) |
171 | | -
|
172 | | - The application needs to have the appropriate RBAC roles assigned. Because the apps are provisioned in Microsoft Entra ID, you can use any of the supported built-in roles. |
| 167 | +5. [Assign roles permissions to the application](#step-5-assign-role-permissions-to-the-application) |
173 | 168 |
|
174 | 169 | ### Step 1: Register the application in Microsoft Entra ID |
175 | 170 |
|
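Review bot: The new line 167 reads "Assign roles permissions", which does not match the wording of the new Step 5 heading ("Assign role permissions"); change the link text to `5. [Assign role permissions to the application](#step-5-assign-role-permissions-to-the-application)`. The removed sentence explaining that the application needs RBAC roles assigned because the apps are provisioned in Microsoft Entra ID is not carried over anywhere in this hunk; if that rationale still belongs in the overview list, keep a one-line version of it under the step.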
@@ -404,19 +399,30 @@ If you made the application multitenant for **Exchange Online** delegated scenar |
404 | 399 |
|
405 | 400 | For more information about the URL syntax, see [Request the permissions from a directory admin](/entra/identity-platform/v2-admin-consent#request-the-permissions-from-a-directory-admin). |
406 | 401 |
|
407 | | -### Step 5: Assign Microsoft Entra roles to the application |
| 402 | +<a name="step-5-assign-microsoft-entra-roles-to-the-application"></a> |
| 403 | + |
| 404 | +### Step 5: Assign role permissions to the application |
| 405 | + |
| 406 | +You have the following options: |
| 407 | + |
| 408 | +- **Option 1: Assign Microsoft Entra roles to the application**: Use built-in Microsoft Entra roles to grant all permissions of the role. You can't customize or scope these roles. |
| 409 | + |
| 410 | +- **Option 2: Assign custom role groups to the application using service principals**: We recommend this option in the following scenarios: |
| 411 | + - You need to restrict the available commands in your application. |
| 412 | + - You need to use a Write scope to limit which recipients can be modified. |
408 | 413 |
|
409 | | -You have two options: |
| 414 | + - **Option 3: Combine Microsoft Entra roles with custom role groups**: We recommend this method to extend a built-in Microsoft Entra role (for example, the **Exchange Recipient Administrator** role) by granting extra permissions from a custom role. |
410 | 415 |
|
411 | | -- **Assign Microsoft Entra roles to the application** |
412 | | -- **Assign custom role groups to the application using service principals**: This method is supported only when you connect to Exchange Online PowerShell or Security & Compliance PowerShell in [REST API mode](exchange-online-powershell-v2.md#rest-api-connections-in-the-exo-v3-module). Security & Compliance PowerShell supports REST API mode in v3.2.0 or later. |
| 416 | +These options are described in the following subsections. |
413 | 417 |
|
414 | 418 | > [!NOTE] |
415 | | -> You can also combine both methods to assign permissions. For example, you can use Microsoft Entra roles for the "Exchange Recipient Administrator" role and also assign your custom RBAC role to extend the permissions. |
| 419 | +> RBAC combines permissions from all sources. For example, you can use the **Exchange Recipient Administrator** role in Microsoft Entra and also assign your custom RBAC role to extend the permissions. |
416 | 420 | > |
417 | 421 | > For multitenant applications in **Exchange Online** delegated scenarios, you need to assign permissions in each customer tenant. |
418 | 422 |
|
419 | | -#### Assign Microsoft Entra roles to the application |
| 423 | +<a name="assign-microsoft-entra-roles-to-the-application"></a> |
| 424 | + |
| 425 | +#### Option 1: Assign Microsoft Entra roles to the application |
420 | 426 |
|
421 | 427 | The supported Microsoft Entra roles are described in the following table: |
422 | 428 |
|
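Review bot: The new `- **Option 3: Combine Microsoft Entra roles with custom role groups**` bullet starts with a leading space, so it renders as a nested item under Option 2's sub-list rather than as a third top-level option; dedent it to align with `- **Option 1` and `- **Option 2`. Separately, the deleted lines were the only place this section said the custom-role-group method works only in REST API mode and that Security & Compliance PowerShell needs v3.2.0 or later; nothing in the hunk replaces that constraint, and Options 2 and 3 both depend on it, so if it still holds it should remain visible here.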
@@ -487,12 +493,12 @@ For general instructions about assigning roles in Microsoft Entra ID, see [Assig |
487 | 493 |
|
488 | 494 |  |
489 | 495 |
|
490 | | -#### Assign custom role groups to the application using service principals |
| 496 | +<a name="assign-custom-role-groups-to-the-application-using-service-principals"></a> |
| 497 | + |
| 498 | +#### Option 2: Assign custom role groups to the application using service principals |
491 | 499 |
|
492 | 500 | > [!NOTE] |
493 | 501 | > You need to connect to Exchange Online PowerShell or Security & Compliance PowerShell _before_ completing steps to create a new service principal. Creating a new service principal without connecting to PowerShell doesn't work (your Azure App ID and Object ID are needed to create the new service principal). |
494 | | -> |
495 | | -> This method is supported only when you connect to Exchange Online PowerShell or Security & Compliance PowerShell in [REST API mode](exchange-online-powershell-v2.md#rest-api-connections-in-the-exo-v3-module). Security & Compliance PowerShell supports REST API mode in v3.2.0 or later. |
496 | 502 |
|
497 | 503 | For information about creating custom role groups, see [Create role groups in Exchange Online](/exchange/permissions-exo/role-groups#create-role-groups) and [Create Email & collaboration role groups in the Microsoft Defender portal](/defender-office-365/mdo-portal-permissions#create-email--collaboration-role-groups-in-the-microsoft-defender-portal). The custom role group that you assign to the application can contain any combination of built-in and custom roles. |
498 | 504 |
|
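Review bot: Deleting the second paragraph of the NOTE removes the only statement in the Option 2 section of the REST API mode requirement and the v3.2.0 minimum for Security & Compliance PowerShell, while the remaining paragraph still tells readers to connect to PowerShell first without saying which connection mode is required; if the requirement no longer applies, say so in the commit description, otherwise restore a short version of it after the existing note.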