Today, we’re excited to announce the public preview of Exchange Online Role Based Access Control (RBAC) management in Microsoft Graph. The preview is designed for admins who want a consistent management interface, and for developers who want to programmatically control RBAC.


The public preview supports create, read, update, and delete APIs in Microsoft Graph which conform to a Microsoft-wide RBAC schema. Exchange Online RBAC role assignments, role definitions, and management scopes are supported through this new API.


With this preview, Exchange Online joins other RBAC systems in the Microsoft Graph Beta API, namely, Cloud PC, Intune, and Azure AD directory roles and entitlement management.


How Unified RBAC for Exchange Online works


Admins assigned the appropriate RBAC role in Exchange Online can access Unified RBAC using the Microsoft Graph beta endpoint or by using Microsoft Graph PowerShell. RBAC data remains stored in Exchange Online and can be configured using Exchange Online PowerShell.


In addition to Exchange RBAC permissions, you will also need one of these permissions:



  • RoleManagement.Read.All

  • RoleManagement.ReadWrite.All

  • RoleManagement.Read.Exchange

  • RoleManagement.ReadWrite.Exchange


Actions and entities supported in this preview:

| Entity | Endpoint | Allowed API Actions |  |  |  |
|---|---|---|---|---|---|
|  |  | Read | Create | Update | Delete |
| Roles | graph.microsoft.com/beta/roleManagement/exchange/roleDefinitions |  | X | X |  |
| Assignments | graph.microsoft.com/beta/roleManagement/exchange/roleAssignments |  |  |  |  |
| Scopes | graph.microsoft.com/beta/roleManagement/exchange/customAppScopes |  |  |  |  |
| Role Groups | Not supported | X | X | X | X |
| Transitive Role Assignment | Not supported | X | X | X | X |



Reading the list of role assignments assigned with a management scope:


[Screenshot: UnifRBAC01.jpg]


Reading the list of Management Scopes:


[Screenshot: UnifRBAC02.jpg]


List roles using Microsoft Graph PowerShell:


[Screenshot: UnifRBAC03.jpg]
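A read-only review that could be run over the output of the three endpoints listed above, shown as an added example (not code from the original post or from Microsoft): it joins role assignments to role definitions and management scopes and flags assignments that have no management scope or that reference a role or scope that no longer resolves. The sample data is constructed, and the field names (principalId, roleDefinitionId, directoryScopeId, appScopeId) are assumed from the Graph unifiedRoleAssignment resource.

```python
# Added example: least-privilege review of Exchange Online role assignments.
# Inputs are shaped like the "value" arrays returned by GET on the three
# /beta/roleManagement/exchange/ endpoints named on this page. Every id and
# name is constructed; field names are assumed from the Graph resources
# unifiedRoleAssignment, unifiedRoleDefinition and customAppScope.
ROLE_DEFINITIONS = [
    {"id": "role-1", "displayName": "Mail Recipients"},
    {"id": "role-2", "displayName": "Role Management"},
]
CUSTOM_APP_SCOPES = [{"id": "scope-1", "displayName": "Sales mailboxes"}]
ROLE_ASSIGNMENTS = [
    {"id": "ra-1", "principalId": "principal-a", "roleDefinitionId": "role-1",
     "directoryScopeId": "/", "appScopeId": "scope-1"},
    {"id": "ra-2", "principalId": "principal-b", "roleDefinitionId": "role-2",
     "directoryScopeId": "/", "appScopeId": None},
    {"id": "ra-3", "principalId": "principal-a", "roleDefinitionId": "role-9",
     "directoryScopeId": "/", "appScopeId": "scope-gone"},
]


def review_assignments(assignments, definitions, scopes):
    """Return one finding per assignment that deserves a manual look."""
    role_names = {d["id"]: d["displayName"] for d in definitions}
    scope_ids = {s["id"] for s in scopes}
    findings = []
    for a in assignments:
        issues = []
        if a["roleDefinitionId"] not in role_names:
            issues.append("unknown-role")      # role id does not resolve
        app_scope = a.get("appScopeId")
        if app_scope is None:
            # No management scope and no narrower directory scope.
            if a.get("directoryScopeId") in (None, "/"):
                issues.append("unscoped")
        elif app_scope not in scope_ids:
            issues.append("dangling-scope")    # scope id does not resolve
        if issues:
            findings.append({
                "assignment": a["id"],
                "principal": a["principalId"],
                "role": role_names.get(a["roleDefinitionId"], a["roleDefinitionId"]),
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for f in review_assignments(ROLE_ASSIGNMENTS, ROLE_DEFINITIONS, CUSTOM_APP_SCOPES):
        print(f["assignment"], f["principal"], f["role"], ",".join(f["issues"]))
```

Because the review only reads data, a delegated token carrying RoleManagement.Read.Exchange from the permission list above is enough to collect its input.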


Try the Public Preview Today


Unified RBAC is available to all tenants today as a part of the public preview. See "Use the Microsoft Graph SDKs with the beta API" and "roleManagement resource type" for more information.


We’d love your feedback on the preview. You can leave a comment here or share it with us at exourbacpreview@microsoft.com.


FAQs


Does this API support app-only access?
Not yet. This will be added to the preview later.


Exchange Online Team
