App mailbox permission
The Entra ID app requires permission to send mail as the related shared mailbox. This section documents the steps to assign that permission using Exchange Online RBAC for applications, scoped to the single mailbox rather than the whole tenant.
Before you start
Prerequisite stages
Confirm the following stages have been completed:
Parameters
The following values from the parameters workbook are required:
- {Entra-App-ClientId}
- {Entra-App-ObjectId}
- {Mailbox-Display-Name}
- {Mailbox-Email-Address}
Permission required
Use an account with the following permissions.
- Global Administrator
- Exchange Administrator (must be granted explicitly, even for a Global Administrator)
App Mailbox Permission
The following link provides details for assigning the RBAC permission:
PowerShell Script
Execute the following PowerShell script in a session with the ExchangeOnlineManagement module installed (version 3.0.0 or later; the New-ServicePrincipal, New-ManagementRoleAssignment -App and Test-ServicePrincipalAuthorization cmdlets are not available in older versions).
IMPORTANT: Variables at the top of the script must be updated before proceeding.
- $EntraAppClientId : populate with {Entra-App-ClientId} for the instance
- $EntraAppObjectId : populate with {Entra-App-ObjectId} for the instance. This must be the Object ID of the app's service principal (shown under Enterprise applications in the Entra admin center), not the Object ID shown on the App registrations page; New-ServicePrincipal will not fail on the wrong value, but the resulting assignment will not match the app.
- $DisplayName: populate with {Mailbox-Display-Name} for the instance
- $MailboxEmail: populate with {Mailbox-Email-Address} for the instance
- $MailboxUser: override with the user principal name of the shared mailbox, if different from {Mailbox-Email-Address}. The restriction filter matches on UserPrincipalName, so this value must be the UPN, not a proxy address.
IMPORTANT: $MailboxEmail should be the full email address (e.g. alias@domain.com) and NOT just the alias.
The script is not idempotent: New-ServicePrincipal, New-ManagementScope and New-ManagementRoleAssignment each fail if the object already exists, so re-run only the steps that have not completed.
$EntraAppClientId = ""
$EntraAppObjectId = ""
$DisplayName = ""
$MailboxEmail = ""
$MailboxUser = $MailboxEmail
$ManagementScopeName = "$DisplayName Mailbox"
$RestrictionFilter = "UserPrincipalName -eq '$MailboxUser'"
Connect-ExchangeOnline
New-ServicePrincipal -AppId $EntraAppClientId -ObjectId $EntraAppObjectId -DisplayName $DisplayName
New-ManagementScope -Name $ManagementScopeName -RecipientRestrictionFilter $RestrictionFilter
New-ManagementRoleAssignment -App $EntraAppObjectId -Role "Application Mail.Send" -CustomResourceScope $ManagementScopeName
NOTE: You may be prompted to run the Enable-OrganizationCustomization cmdlet before you create or modify objects in your Exchange Online organization. This is a one-time, tenant-wide step; run it and then re-run the failed command.
Test authorization
Execute the following PowerShell script.
IMPORTANT: Variables at top of script must be updated before proceeding.
- $EntraAppClientId : populate with {Entra-App-ClientId} for the instance
- $MailboxEmail: populate with {Mailbox-Email-Address} for the instance
- $MailboxUser: override with User principal name of shared mailbox, if different from {Mailbox-Email-Address}
$EntraAppClientId = ""
$MailboxEmail = ""
$MailboxUser = $MailboxEmail
Test-ServicePrincipalAuthorization -Identity $EntraAppClientId -Resource $MailboxUser
Every row returned by the test should show InScope True. A row with InScope False means the role assignment exists but its scope does not cover the mailbox, which usually indicates that $MailboxUser is not the mailbox's UPN or that the restriction filter was built from the wrong value; no rows at all usually means the assignment was not created for this service principal. Contact Pro-Sapien if the test is not successful and assistance is required. Example valid results below.
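The following is an added example, not part of the Pro-Sapien scripts above. It combines the provisioning steps and the authorization test into a single re-runnable script: each object is created only if it is missing, and the final check confirms both that the target mailbox is in scope and that a second, control mailbox is not, which is the property the custom resource scope is meant to guarantee. The GUIDs and mailbox addresses are constructed placeholders; $ControlMailboxUser is assumed to be any existing mailbox the app must not be able to send as; the output property names other than InScope (RoleName, AllowedResourceScope, ScopeType) are those documented for Test-ServicePrincipalAuthorization.

```powershell
# Added example (not from the original page): idempotent provisioning plus a
# positive and a negative scope check. Requires ExchangeOnlineManagement 3.0.0+.
# All identifier values below are constructed placeholders.

$EntraAppClientId   = "00000000-0000-0000-0000-000000000000"   # {Entra-App-ClientId}
$EntraAppObjectId   = "11111111-1111-1111-1111-111111111111"   # service principal (Enterprise application) Object ID
$DisplayName        = "Example Shared Mailbox"                  # {Mailbox-Display-Name}
$MailboxUser        = "shared@example.com"                      # UPN of the shared mailbox
$ControlMailboxUser = "other@example.com"                       # assumed: any mailbox the app must NOT reach

$ManagementScopeName = "$DisplayName Mailbox"
$RoleName            = "Application Mail.Send"

# A single quote in the UPN would terminate the OPATH string literal; double it defensively.
$RestrictionFilter = "UserPrincipalName -eq '{0}'" -f ($MailboxUser -replace "'", "''")

Connect-ExchangeOnline -ShowBanner:$false

# 1. Service principal: register it with Exchange only if it is not already known.
$sp = Get-ServicePrincipal -Identity $EntraAppObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $EntraAppClientId -ObjectId $EntraAppObjectId -DisplayName $DisplayName
}

# 2. Management scope restricted to exactly one recipient.
$scope = Get-ManagementScope -Identity $ManagementScopeName -ErrorAction SilentlyContinue
if (-not $scope) {
    $scope = New-ManagementScope -Name $ManagementScopeName -RecipientRestrictionFilter $RestrictionFilter
}

# 3. Role assignment. Creating it twice fails, so probe with the authorization test first.
$existing = Test-ServicePrincipalAuthorization -Identity $EntraAppClientId -Resource $MailboxUser |
    Where-Object { $_.RoleName -eq $RoleName -and $_.InScope }
if (-not $existing) {
    New-ManagementRoleAssignment -App $EntraAppObjectId -Role $RoleName -CustomResourceScope $ManagementScopeName
}

# 4. Verify least privilege: target mailbox in scope, control mailbox out of scope.
$positive = Test-ServicePrincipalAuthorization -Identity $EntraAppClientId -Resource $MailboxUser
$negative = Test-ServicePrincipalAuthorization -Identity $EntraAppClientId -Resource $ControlMailboxUser

$targetInScope    = @($positive | Where-Object { $_.RoleName -eq $RoleName -and $_.InScope }).Count -gt 0
$controlOutOfScope = @($negative | Where-Object { $_.RoleName -eq $RoleName -and $_.InScope }).Count -eq 0

$positive | Format-Table RoleName, InScope, AllowedResourceScope, ScopeType -AutoSize

if ($targetInScope -and $controlOutOfScope) {
    Write-Host "OK: $EntraAppClientId holds $RoleName for $MailboxUser only"
} else {
    Write-Warning "Scope check failed (target in scope: $targetInScope; control out of scope: $controlOutOfScope)"
}
```

The negative check matters because a scope built from a wrong or overly broad filter (for example one that matches on a domain rather than a single UPN) would still pass the positive test. If the control mailbox shows InScope True, inspect the scope with Get-ManagementScope -Identity $ManagementScopeName and correct the RecipientRestrictionFilter before the app is used.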
