Would it be possible for a System Managed Identity to be granted delegate access to certain Office 365 Shared Mailboxes, then query them using Graph API?
I have an Azure Automation runbook running a PowerShell script that has the necessity to access the Calendar contents of such mailboxes.
Since it's a runbook running unattended, I know I could grant Calendars.Read application API permissions, but that would require creating a secret and then setting up an Application Access Policy to prevent the runbook from accessing all the mailboxes across the organization.
Instead of that, it would be beautiful to just grant delegated access to the required mailboxes to the System Managed Identity, just like we can do with normal users, using the Add-MailboxPermission -User <[email protected]> PowerShell command and access those without any added complexity.
I tried to run the Add-MailboxPermission -User command passing the Object (principal) id (GUID) of the System Managed Identity, but that didn't work.
I created a web app and enabled system assigned identity:
Check whether the user has mailbox:
When I tried to run the Add-MailboxPermission command by passing the ObjectID, I got the same error:
To resolve the error, you need to explicitly create the service principal by passing the ObjectID and the ApplicationID like below:
Search the system managed identity Enterprise application:
Now to add the Mailbox Permission to the managed identity, copy the ObjectID from the response and pass it in the user parameter:
You can verify by using the below command:
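The steps in the answer above, written out end to end as an added example (not the answerer's own commands): it assumes the ExchangeOnlineManagement module v3 or later, an admin session, and placeholder GUIDs and a placeholder shared mailbox address that you replace with your own.

```powershell
# Added example: register the runbook's system-assigned managed identity as an
# Exchange Online service principal, then grant it access to ONE shared mailbox.
# Assumes ExchangeOnlineManagement v3+ and an Exchange admin session.
# All GUIDs and addresses below are placeholders, not real values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin

$appId     = '<application-id-guid>'          # placeholder: Application (client) ID of the managed identity
$objectId  = '<object-id-guid>'               # placeholder: Object (principal) ID of the managed identity
$sharedBox = 'shared-calendar@contoso.example' # placeholder: the shared mailbox to expose

# Step 1: confirm the target really is a shared mailbox before granting anything
$mbx = Get-Mailbox -Identity $sharedBox -ErrorAction Stop
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "$sharedBox is a $($mbx.RecipientTypeDetails), not a shared mailbox"
}

# Step 2: Exchange Online only recognises the identity once a service principal
# exists for it, which is why passing the bare ObjectID to Add-MailboxPermission fails.
# Create it once, keyed by both the Application ID and the Object ID.
# (Older module versions call the second parameter -ServiceId instead of -ObjectId.)
$sp = Get-ServicePrincipal -Identity $objectId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $appId -ObjectId $objectId `
                               -DisplayName 'runbook-calendar-reader'   # placeholder name
}

# Step 3: grant the service principal access to this one mailbox only.
# AutoMapping only matters for Outlook profiles, so turn it off for a service principal.
Add-MailboxPermission -Identity $sharedBox -User $sp.ObjectId `
                      -AccessRights FullAccess -AutoMapping $false -Confirm:$false

# Step 4: verify the grant landed on this mailbox and nothing is inherited unexpectedly
Get-MailboxPermission -Identity $sharedBox |
    Where-Object { $_.User -like "*$($sp.ObjectId)*" -or $_.User -like "*$($sp.DisplayName)*" } |
    Format-Table User, AccessRights, IsInherited -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Note that FullAccess covers the entire mailbox, not only the calendar folder, so this approach scopes the identity to particular mailboxes but not to particular folders within them.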