
Access O365 Exchange Online with an Azure Managed Identity or Service Principal

I have a program in PowerShell which runs in an Azure Function app which also has a managed identity called "AuditO365". It uses the managed identity to connect to Azure Key Vault to retrieve user credentials. It uses these credentials to connect to O365 Exchange Online to get the required data. This works fine:

    # App settings (here backed by Key Vault) are exposed to the Function as APPSETTING_* environment variables
    $uSecret = $ENV:APPSETTING_SecretUsername
    $pSecret = $ENV:APPSETTING_SecretPassword
    $sasSecret = $ENV:APPSETTING_SecretSAS

    $securePassword = ConvertTo-SecureString -String $pSecret -AsPlainText -Force

    $UserCredential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $uSecret, $securePassword

    # Legacy remote PowerShell session to Exchange Online, authenticated with the user's basic credentials
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $session

The credential is a basic user account created in Azure Active Directory and the user is visible to the data source (O365 Exchange Online). In O365 under Exchange Admin Centre, I can see the username and I am able to assign the username to the correct custom role group ("View Audit Readers") with the required permission ("View-Only Audit Logs").


However I would now like to try using a managed identity instead so that the solution is more robust. Since the Function already has a managed identity ("AuditO365"), I'd like to replace the current user account with this identity in the custom role group in Exchange Online above, but it appears that O365 can't see the managed identity! All the Azure resources and O365 are running under the same account/subscription.

I have also tried creating a service principal (with API permissions for O365) in Azure but this also cannot be seen by O365:


1. How can I make the Azure Function's managed identity visible to O365 / Exchange Online?

2. Can I use this managed identity to authenticate the app against Exchange Online, connect and retrieve the data as it currently does with a normal user account?

If you want to connect to Exchange Online from an Azure Function with an Azure MSI, please refer to the blog.

The detailed steps are as below.

  1. Create an Azure Function

  2. Enable Azure MSI for the Azure Function

  3. Configure some settings for the MSI

    a. Assign the Exchange Online API permission Exchange.ManageAsApp to the MSI. After doing that, the application has permission to manage Exchange Online.

        Connect-AzureAD
        # Assign the Exchange.ManageAsApp app role (exposed by the Office 365 Exchange Online service principal) to the MSI
        $sp = Get-AzureADServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
        $permission = $sp.AppRoles.Where({ $_.Value -eq 'Exchange.ManageAsApp' })
        New-AzureADServiceAppRoleAssignment -ObjectId <the ObjectId of the MSI> -Id $permission[0].Id -PrincipalId <the ObjectId of the MSI> -ResourceId $sp.ObjectId

    b. Assign Azure AD roles. The application needs to have the appropriate AD roles assigned. Because the apps are provisioned in Azure AD, you can use any of the built-in roles. The following roles are supported:

    • Global administrator
    • Compliance administrator
    • Security reader
    • Security administrator
    • Helpdesk administrator
    • Exchange administrator
    • Global Reader

    Regarding how to assign a role, please refer to here. For example:

        Connect-AzureAD
        # Assign the Global Reader directory role to the MSI; -RefObjectId is the MSI's object ID.
        # Get-AzureADDirectoryRole only returns roles already activated in the tenant.
        $role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Reader'"
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId a5d5a5e1-0f26-474d-a105-3553004c973b
  4. Function

# Get a token for Exchange Online from the Function's managed identity endpoint.
# IDENTITY_ENDPOINT and IDENTITY_HEADER are injected by the platform once MSI is enabled.
$resourceURI = "https://outlook.office365.com/"
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

# The bearer token is passed as the "password" of a placeholder credential;
# BasicAuthToOAuthConversion=true on the connection URI makes the endpoint treat it as an OAuth token.
$Authorization = "Bearer {0}" -f $accessToken
$Password = ConvertTo-SecureString -AsPlainText $Authorization -Force

$Ctoken = New-Object System.Management.Automation.PSCredential -ArgumentList "OAuthUser@<your tenant GUID>",$Password

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true -Credential $Ctoken -Authentication Basic -AllowRedirection -Verbose
Import-PSSession $Session | Format-List

Get-Mailbox

# Always tear the session down; Exchange Online limits concurrent remote sessions per identity.
Remove-PSSession $Session

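Added example (not code from the question or the answer above): the symptom in the question, that the managed identity never shows up in the Exchange admin center, makes it hard to tell whether the app-role assignment in step 3a actually took effect. The observable evidence is the `roles` claim in the token the MSI receives, so this script acquires the token from the Function's identity endpoint, decodes the JWT payload locally (no signature verification; the token came straight from the platform endpoint and is only inspected, not trusted), checks audience, `Exchange.ManageAsApp` and expiry, and only then opens the session the way the answer does, with the session removed in a `finally` block. Assumptions: it runs inside an Azure Function with MSI enabled, the tenant GUID is supplied through a hypothetical app setting `APPSETTING_TenantId`, and the cmdlet the audit job ultimately needs is assumed to be `Search-UnifiedAuditLog`.

```powershell
# Added example, not from the original post. Assumes IDENTITY_ENDPOINT/IDENTITY_HEADER
# are set by the Functions platform and that APPSETTING_TenantId (hypothetical) holds the tenant GUID.

function Get-ManagedIdentityToken {
    param([string]$Resource = 'https://outlook.office365.com/')
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'IDENTITY_ENDPOINT/IDENTITY_HEADER are not set: is the managed identity enabled on this Function app?'
    }
    $uri = '{0}?resource={1}&api-version=2019-08-01' -f $env:IDENTITY_ENDPOINT, [uri]::EscapeDataString($Resource)
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    return $response.access_token
}

function ConvertFrom-JwtPayload {
    # Decode the base64url payload segment of a JWT. No signature check: the token is
    # only being inspected locally to diagnose role assignment, never trusted as proof.
    param([Parameter(Mandatory)][string]$Token)
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) {
        2 { $segment += '==' }
        3 { $segment += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment))
    return $json | ConvertFrom-Json
}

function Test-ExoAppToken {
    # $true when the token carries what Exchange Online app-only access needs; otherwise warns and returns $false.
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    if ($claims.aud -notin @('https://outlook.office365.com/', 'https://outlook.office365.com')) {
        Write-Warning "Unexpected audience '$($claims.aud)'; the token was not issued for Exchange Online."
        return $false
    }
    if (-not ($claims.roles -contains 'Exchange.ManageAsApp')) {
        Write-Warning 'roles claim lacks Exchange.ManageAsApp: the app-role assignment to the MSI is missing or has not propagated yet.'
        return $false
    }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) {
        Write-Warning "Token expires at $expires; fetch a fresh one before connecting."
        return $false
    }
    return $true
}

$tenantId    = $env:APPSETTING_TenantId   # hypothetical app setting holding the tenant GUID
$accessToken = Get-ManagedIdentityToken
if (-not (Test-ExoAppToken -Token $accessToken)) {
    throw 'Managed identity token is not usable for Exchange Online; fix the app-role / directory-role assignment first.'
}

# Same basic-to-OAuth conversion as in the answer: the bearer token travels as the "password" of a placeholder credential.
$secureToken = ConvertTo-SecureString -String ("Bearer {0}" -f $accessToken) -AsPlainText -Force
$credential  = New-Object System.Management.Automation.PSCredential ("OAuthUser@$tenantId", $secureToken)

$session = $null
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true' `
        -Credential $credential -Authentication Basic -AllowRedirection
    # Import only the cmdlet this job needs (assumed to be Search-UnifiedAuditLog), mirroring the
    # least-privilege role the identity should hold.
    Import-PSSession $session -CommandName 'Search-UnifiedAuditLog' -AllowClobber | Out-Null
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 100
}
finally {
    if ($session) { Remove-PSSession $session }
}
```

If `Test-ExoAppToken` warns about a missing `Exchange.ManageAsApp` role, re-run the app-role assignment from step 3a and wait for the new token to pick it up; the audience check catches the case where `resource` on the identity endpoint was set to a different API by mistake.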

The technical posts on this site are published under the CC BY-SA 4.0 license. If you reprint, please cite the site URL or the original address. For any question please contact: yoyou2525@163.com.

Guangdong ICP filing no. 18138465  © 2020-2024 STACKOOM.COM