How to assign managed identity access to the exchange

Suleman Fasasi 0 Reputation points
2025-12-12T14:56:11.18+00:00

How do I assign managed identity access to the exchange?

Exchange | Other

2 answers

  1. Q&A Assist
    2025-12-12T14:56:22.1266667+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    To assign managed identity access to Exchange, you need to follow these steps:

    1. Create and Configure a Managed Identity: You can create either a system-assigned or user-assigned managed identity. For a system-assigned managed identity, you can follow the steps outlined in the documentation for creating and configuring it.
    2. Assign Microsoft Entra Roles: After creating the managed identity, you need to assign it the appropriate Microsoft Entra roles. For example, you can assign the Exchange Administrator role. To do this:
      • Go to the Roles and administrators page in the Azure portal.
      • Find and select the Exchange Administrator role.
      • On the Assignments page, select Add assignments and choose the managed identity you created.
    3. Grant API Permissions: Ensure that the managed identity has the necessary API permissions to call Exchange Online. You can do this by assigning the Exchange.ManageAsApp API permission to the managed identity.
    4. Verify the Assignment: After assigning the role, verify that the role has been successfully assigned to the managed identity.

    By following these steps, you can successfully assign managed identity access to Exchange.


  2. Vasil Michev 123.6K Reputation points MVP Volunteer Moderator
    2025-12-12T15:15:51.2966667+00:00

    There are two parts to this. First, you need to assign the Exchange.ManageAsApp permission. This is NOT a Graph API permission, but a permission for the Exchange Online resource (id 00000002-0000-0ff1-ce00-000000000000). To add it, you must select the "APIs my organization uses" tab and search for Office 365 Exchange Online. If you need step-by-step instructions, see https://michev.info/blog/post/3180/exchange-api-permissions-missing

    This, however, only ensures you can connect to Exchange Online; it does not grant you permissions to run any cmdlet, which is where the next step comes in. You need to provision the corresponding service principal object in Exchange Online, as there is no automatic sync for that. After that is done, you can assign permissions to it just like with any user, thanks to RBAC for applications: https://v4.hkg1.meaqua.org/en-us/exchange/permissions-exo/application-rbac

    Tony has a detailed guide on how to automate all these steps via PowerShell if needed: https://practical365.com/rbac-for-applications-azure-automation/

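The two parts described in the second answer, as an added PowerShell example that is not part of either answer or of the linked guides. The managed identity name, the application role and the management scope are assumed placeholders; the script assumes the Microsoft.Graph.Applications and ExchangeOnlineManagement modules and an admin account allowed to make these assignments.

```powershell
#Requires -Modules Microsoft.Graph.Applications, ExchangeOnlineManagement

$miName   = 'aa-mailbox-reports'                     # assumed: display name of the managed identity
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online resource (from the answer)
$roleName = 'Application Mail.Read'                  # assumed: narrowest application role that fits the job
$scope    = 'Reporting mailboxes'                    # assumed: an existing Exchange Online management scope

# Part 1: grant Exchange.ManageAsApp on the Exchange Online resource (not Graph).
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'
$mi  = Get-MgServicePrincipal -Filter "displayName eq '$miName'"
$exo = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
if (@($mi).Count -ne 1 -or -not $exo) {
    throw "Expected exactly one service principal named '$miName' and the Exchange Online resource."
}

# Look the app role up by value instead of hard-coding its GUID.
$appRole = $exo.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }
if (-not $appRole) { throw 'Exchange.ManageAsApp app role not found on the resource.' }

# Skip the assignment if it already exists, so the script can be re-run.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Where-Object { $_.ResourceId -eq $exo.Id -and $_.AppRoleId -eq $appRole.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $exo.Id -AppRoleId $appRole.Id | Out-Null
}

# Part 2: provision the service principal in Exchange Online (there is no automatic sync).
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-ServicePrincipal -Identity $mi.Id -ErrorAction SilentlyContinue)) {
    # -ObjectId is the enterprise application (service principal) object id, not the app registration id.
    New-ServicePrincipal -AppId $mi.AppId -ObjectId $mi.Id -DisplayName $miName | Out-Null
}

# RBAC for applications: assign one role, limited to the chosen scope.
New-ManagementRoleAssignment -App $mi.Id -Role $roleName -CustomResourceScope $scope | Out-Null

# Verify what the identity is actually allowed to do.
Test-ServicePrincipalAuthorization -Identity $mi.Id | Format-Table -AutoSize
```

`Test-ServicePrincipalAuthorization` also accepts `-Resource <mailbox>` to check whether a specific mailbox falls inside the assigned scope.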
