question

SkipHofmann-5788 asked JayceYang-MSFT edited

Microsoft Graph PowerShell prevent Exchange Online and SharePoint Online permissions

Hello

I want to start allowing admins to use "Microsoft Graph PowerShell"; however, I have concerns when it comes to Exchange Online and SharePoint Online. How can I block or prevent admins from using "Microsoft Graph PowerShell" to add permissions to Exchange and SharePoint Online?

windows-server-powershell microsoft-graph-sdk office-exchange-server-dev

Hi @SkipHofmann-5788

Just checking in to see if the above information was helpful.
Please let us know if you would like further assistance.

AndyDavid answered SkipHofmann-5788 commented

Which admins are you referring to? What roles? If they are admins with those rights, you can't prevent that. It's no different than having that ability with PowerShell or via the GUI.


I understand. I was hoping I could prevent the following permissions, but it sounds like that's not possible. These would be users in the GA role. My understanding is Microsoft doesn't recommend adding the permissions that are in the screenshot to manage SharePoint and Exchange Online. What are your thoughts on this?

196248-image.png


AndyDavid answered

Well, those are all delegated perms, so in that case, it would allow the user to access mailboxes they already have access to.
You would generally use "Application" perms, and then in that case, you can limit the mailbox access the app has using an access policy.

https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
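
The access policy mentioned in the answer above, shown as an added example that is not part of the original thread: it scopes an app with application permissions to the mailboxes in one mail-enabled security group, then verifies the result for a mailbox inside and one outside that group. The app ID, group address and mailbox addresses are placeholders (assumptions); it uses the Exchange Online PowerShell cmdlets `New-ApplicationAccessPolicy` and `Test-ApplicationAccessPolicy`.

```powershell
# Added example. All identifiers below are placeholders, not values from the thread.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: client ID of the app registration
$ScopeGroup = 'graph-app-mailboxes@contoso.example'     # placeholder: mail-enabled security group
$InScope    = 'allowed.user@contoso.example'            # placeholder: member of $ScopeGroup
$OutOfScope = 'other.user@contoso.example'              # placeholder: not a member of $ScopeGroup

# Create the policy only if the app does not already have one, so reruns are safe.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Restrict this app to mailboxes in the scope group' | Out-Null
}

# Verify both directions: a mailbox in the group should be Granted,
# a mailbox outside it should be Denied.
$checks = @(
    @{ Mailbox = $InScope;    Expected = 'Granted' },
    @{ Mailbox = $OutOfScope; Expected = 'Denied'  }
)

$results = foreach ($check in $checks) {
    $r = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $check.Mailbox
        Expected = $check.Expected
        Actual   = "$($r.AccessCheckResult)"
        Pass     = ("$($r.AccessCheckResult)" -eq $check.Expected)
    }
}

$results | Format-Table -AutoSize

# Surface a failed check instead of leaving an over-permissive app unnoticed.
if ($results.Pass -contains $false) {
    Write-Warning 'Application access policy is not restricting the app as expected.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

The policy only constrains application permissions; the delegated scopes discussed earlier in the thread remain bounded by what the signed-in user can already access.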
