Question asked by PeterHesse-6255 (edited by KyleXu-MSFT):

Get-RecipientPermission and Get-EXORecipientPermission does not work with Global Reader permission

We have created a Global Reader account in order to run some PowerShell scripts to help with maintenance and security reviews.

One of the tools we are running is the CrowdStrike CRT, a reporting tool that examines Azure Active Directory and Exchange Online, and creates lists of hard-to-find or hard-to-expose permissions and settings.

In CRT, one of the commands, "SendAsGranted", runs this command to do Get-EXORecipientPermission against every mailbox in the domain. The specific line is:

 $DelegateSendPerms += Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue | Get-EXORecipientPermission -ErrorAction Stop | Where-Object {$_.Trustee -ne "NT AUTHORITY\SELF"}

When running this script as a Global Administrator, it works. When running the script as a Global Reader, it fails.

I ran the command Get-EXORecipientPermission -UserPrincipalName user@domain.name manually as the Global Reader account and this was the output (after a substantial delay):

 Get-EXORecipientPermission : Error while querying REST service. HttpStatusCode=401
 ErrorMessage={"error":{"code":"Unauthorized","message":"User is not allowed to call
 Get-RecipientPermission","innererror":{"message":"User is not allowed to call
 Get-RecipientPermission","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException"}}}
 At line:1 char:1
 + Get-EXORecipientPermission -UserPrincipalName user@domain.na ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : ProtocolError: (:) [Get-EXORecipientPermission], RestClientException
 + FullyQualifiedErrorId : An error occurred while processing this request.,Microsoft.Exchange.Management.RestApiClient.GetExoRecipientPermission

I believe that the Get-EXORecipientPermission (and its original version, Get-RecipientPermission) command should be able to be run as Global Reader, and this should be fixed.

Tags: azure-active-directory, office-exchange-server-administration, office-itpro

AndyDavid commented:

Works fine for me as Global Reader. What module are you using to connect?

PeterHesse-6255 commented:

Version 2.0.4 of the ExchangeOnlineManagement module.

 PS C:\WINDOWS\system32> Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

 ModuleType Version    Name                                ExportedCommands
 ---------- -------    ----                                ----------------
 Script     2.0.4      ExchangeOnlineManagement            {Get-EXOCasMailbox, Get-EXOMailbox, Get-EXOMailboxFolderPe...

Here is an image of me doing the whole process: (screenshot attachment, not reproduced here)

AndyDavid answered:

Yea, I just ran that same query and no issues.

 $DelegateSendPerms += Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue | Get-EXORecipientPermission -ErrorAction Stop | Where-Object {$_.Trustee -ne "NT AUTHORITY\SELF"}

I would send an email to: exocmdletpreview@service.microsoft.com and ask them to look into it.

PeterHesse-6255 commented:

Thank you. I have sent an email.

Does your ID have any permissions other than Global Reader? The account I'm testing with only has that permission. CrowdStrike's own error message in the code says that if it fails it's because you don't have Global Administrator permission, and I don't think that should be necessary.

AndyDavid replied to PeterHesse-6255:

Correct, just Global Reader. I verified no other Exch Level perms with this account.

@michev, same for you? Does Global Reader work?

michev commented:

Works fine here. Might be just a replication issue. Just in case, check whether the GlobalReaders_xxxxxxxx group is added as a member of the "View-Only Organization Management" role group, and that the Recipient Permissions role is assigned to said group. I believe that's where the ExO cmdlet inherits permissions from.

KyleXu-MSFT answered:

@PeterHesse-6255

I tried to add a mailbox to this group and got the same error:
(screenshot attachment, not reproduced here)

Based on testing, this is expected behavior; here is detailed information about it:

  1. By default, the GlobalReaders group is not assigned any roles. However, it is a member of the "View-Only Organization Management" role group and inherits the rights of that group.
    (screenshot attachment, not reproduced here)

  2. Here are the roles contained in the "View-Only Organization Management" group:
    (screenshot attachment, not reproduced here)

  3. I checked those two roles; the "Get-RecipientPermission" command is not contained in either of them:
    (screenshot attachment, not reproduced here)

So, your account doesn't have the permission to run "Get-RecipientPermission" and "Get-EXORecipientPermission".

Since this group is hosted in AAD, I have added the AAD tag to this thread so that AAD engineers can work on it.



PeterHesse-6255 commented:

Thanks, Kyle. I hope the AAD team will respond. I guess I can manually add those permissions to those roles, but in my belief that role should have that permission as it is a simple Get call.
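As an added example (not code from this thread, from CrowdStrike CRT, or from Microsoft), the following PowerShell walks the RBAC chain that michev's comment and Kyle's answer describe: which management roles carry an entry for Get-RecipientPermission (the role entry the Get-EXORecipientPermission REST cmdlet maps to, as the 401 message shows), whether a GlobalReaders_* group is a member of "View-Only Organization Management", and whether any role held by that role group covers the cmdlet. It assumes an existing Connect-ExchangeOnline session with an account that can read RBAC; the $Cmdlet and $RoleGroup variable names are my own.

```powershell
# Added example: audit why a Global Reader gets 401 on Get-EXORecipientPermission.
# Assumes Connect-ExchangeOnline has already been run as an account that can read RBAC.
$Cmdlet    = 'Get-RecipientPermission'            # role entry the EXO V2 cmdlet is checked against
$RoleGroup = 'View-Only Organization Management'  # role group the GlobalReaders_* group inherits from

# 1. Which management roles contain an entry for the cmdlet at all?
$rolesWithCmdlet = Get-ManagementRoleEntry -Identity "*\$Cmdlet" |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique
Write-Output "Roles containing ${Cmdlet}: $($rolesWithCmdlet -join ', ')"

# 2. Is a GlobalReaders_* group really a member of the role group? (michev's replication check)
$globalReaders = Get-RoleGroupMember -Identity $RoleGroup |
    Where-Object { $_.Name -like 'GlobalReaders_*' }
if ($globalReaders) {
    Write-Output "GlobalReaders member of '${RoleGroup}': $($globalReaders.Name -join ', ')"
} else {
    Write-Warning "No GlobalReaders_* group is a member of '$RoleGroup'"
}

# 3. Which roles does the role group hold, and does any of them include the cmdlet?
$roleGroupRoles = (Get-RoleGroup -Identity $RoleGroup).Roles | ForEach-Object { "$_" }
Write-Output "Roles held by '${RoleGroup}': $($roleGroupRoles -join ', ')"
$covered = $roleGroupRoles | Where-Object { $rolesWithCmdlet -contains $_ }
if ($covered) {
    Write-Output "Global Reader can reach $Cmdlet via role(s): $($covered -join ', ')"
} else {
    Write-Warning "No role in '$RoleGroup' contains ${Cmdlet}; the 401 is expected for Global Reader"
}

# 4. For the permission review itself: who effectively holds a role that contains the cmdlet?
foreach ($role in $rolesWithCmdlet) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, EffectiveUserName
}
```

Step 4 lists the accounts that can actually enumerate Send As grants, which is the least-privilege view a reviewer wants before deciding whether to grant a reporting account anything beyond Global Reader.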