Time to use RBAC for applications in EXO

Now that Microsoft has announced the removal of Application Impersonation for Exchange Web Services from Exchange Online, you might want to check whether you are affected.

Also, if you have used Application Access Policies, you should migrate all of your policies to RBAC for Applications, as this mechanism is also going to be retired.

I wrote an article for Practical 365 about this topic:

Migrate from EWS Application Access Policy to RBAC for Applications

Azure Functions, PowerApps and Exchange Online

Lately we were approached by different teams to help with some scenarios. These scenarios were a bit tricky and complex, as there is currently no out-of-the-box solution. Here are some examples:

  • no PowerShell support on the requesting system
  • data from Exchange Online is needed that is not available in Microsoft Graph (e.g. mailbox or SendAs permissions)

With that, I started to look into Azure Functions as the main component for connecting to Exchange Online and retrieving the requested data.

Continue reading

Microsoft Graph PowerShell SDK v2 upgrade

A few days ago, version 2 of the Microsoft Graph PowerShell SDK module was released. The team blogged about the module and shared more information:

Upgrade to Microsoft Graph PowerShell SDK v2, now generally available

Everything looks easy and makes you feel confident that the upgrade is a straightforward process. But not only I, but also teammates and other MVPs, had different experiences.

Read more: Microsoft Graph PowerShell SDK v2 upgrade

What happened?

You should always keep your machine up-to-date. And so you should also keep your PowerShell modules at the latest bits.

Note: In prod environments I highly recommend using only GA releases!

I knew that I had to update one of my machines and used the Cmdlet Update-Module for this task. I didn’t pay attention and did not expect to be upgraded to v2.

At first everything looked good and I experienced no issues yet.

Until I tried to elevate my administrative account and use the Cmdlet Get-MgRoleManagementDirectoryRoleDefinition. All I got was the following error:

Almost at the same time I was approached by teammates who suffered either the same or other errors with this module.

I also asked the community and received various feedback about errors, or advice not to use v1 and v2 side-by-side (even though it’s explicitly supported!).

Fixing the issue

Long story short: to fix the issue perform the following steps:

  • uninstall all Microsoft Graph PowerShell SDK v1 modules (this includes user and machine-wide installations!)
    Note: Using the Cmdlet Uninstall-Module can take a very long time, which is a known issue!
  • reboot your machine
  • install the latest module from the PowerShell Gallery
  • reboot your machine

That’s it.
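As an added check (example code, not from the original post) for the first step above: it lists every Microsoft.Graph module folder found in the CurrentUser and AllUsers (machine-wide) scopes and warns when v1 and v2 are installed side-by-side. It is read-only and uninstalls nothing; the scope detection assumes the default Windows module paths.

```powershell
# Added example (not from the original post): inventory all installed Microsoft.Graph
# modules and flag side-by-side v1/v2 installations before the clean-up. Read-only.

# Get-Module -ListAvailable sees CurrentUser and AllUsers (machine-wide) installations
$graphModules = Get-Module -ListAvailable -Name 'Microsoft.Graph*' |
    Select-Object Name, Version, ModuleBase

if (-not $graphModules) {
    Write-Host 'No Microsoft.Graph modules found.'
    return
}

# Group by major version so v1 remnants next to v2 are easy to spot
$byMajor = $graphModules | Group-Object { $_.Version.Major }

foreach ($group in $byMajor) {
    Write-Host ("Major version {0}: {1} module folder(s)" -f $group.Name, $group.Count)
}

# Derive the install scope from the module path (assumes default Windows locations:
# Documents\PowerShell for PowerShell 7, Documents\WindowsPowerShell for Windows PowerShell)
$docs           = [Environment]::GetFolderPath('MyDocuments')
$userRoot       = Join-Path $docs 'PowerShell'
$legacyUserRoot = Join-Path $docs 'WindowsPowerShell'

$report = foreach ($m in $graphModules) {
    $isUser = ($m.ModuleBase -like "$userRoot*") -or ($m.ModuleBase -like "$legacyUserRoot*")
    [pscustomobject]@{
        Name    = $m.Name
        Version = $m.Version
        Scope   = if ($isUser) { 'CurrentUser' } else { 'AllUsers' }
        Path    = $m.ModuleBase
    }
}

$report | Sort-Object Name, Version | Format-Table -AutoSize

# Warn when both major versions are present; v1 must be removed from every scope
$hasV1 = [bool]($byMajor | Where-Object Name -eq '1')
$hasV2 = [bool]($byMajor | Where-Object Name -eq '2')
if ($hasV1 -and $hasV2) {
    Write-Warning 'Microsoft.Graph v1 and v2 modules are installed side-by-side. Remove all v1 modules (CurrentUser and AllUsers) before using v2.'
}
```

Run it once before the uninstall step and again after the reboot to confirm no v1 folders survived in either scope.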

Conclusion

There can always be an issue with software. That’s why you should properly test new versions before upgrading to a new one. However, Microsoft should spend more time on quality management. Maybe it’s just me, but the number of revoked or broken updates is increasing (besides outages of certain services!).

Scripts and functions for M365 with dynamic parameters: Impossible? No!

Recently I wanted to update an old function which I use in my daily work for Privileged Identity Management. Initially I just wanted to move over from AzureADPreview to the Microsoft Graph PowerShell SDK, but sometimes you just do more.

However, this was a good learning curve for me and I thought sharing would be helpful.

Continue reading

MS servicePrincipals and verified publisher

When you are using publisher verification, you might know the challenges I’m writing about today, especially with 3rd-party vendors. However, I never expected the situation to be like this, even though the functionality has been GA for quite a while.

What I mean by that is the fact that Microsoft introduced this feature, recommends it as a best practice and, starting September 30, 2022, makes it a default setting, but doesn’t get its own apps verified:

One example, while Christie tries connecting to MS Graph using the PowerShell SDK:

Continue reading

Format MessageTraceDetail in Exchange Online

Over the last few weeks, I had to perform more message traces in Exchange Online than usual. For more details on how to run such traces, see Tony’s recently updated article:

Exchange Online Message Traces are Different to On-Premises Searches (practical365.com)

However, the details you want to look at are not presented in a readable format.

Continue reading

Check for ApplicationAccessPolicy

You may be aware that you can scope applications registered in Azure AD and configured with OAuth 2.0 application permissions to specific mailboxes. It is well documented here: Limiting application permissions to specific Exchange Online mailboxes – Microsoft Graph | Microsoft Docs, and finally Exchange Web Services (EWS) is also supported.

However, I think it is important to check regularly whether such policies exist in your tenant or not.

Continue reading

Maintain MAPI permissions recursive

I strongly believe that many of you have already run into this scenario:

“Hey, can you help me and grant access to all my folders in my mailbox to this one person?”

When it starts like this, in most cases the user has a folder count that is for sure more than two digits.

Continue reading