To enable EXRA 365 to manage resources in your system, you must grant the EXRA 365 Hosted Provisioning Service access to the Graph API and Exchange Online PowerShell.
Add Entra Service Principal and consent to the required permissions
You need Entra ID Global Administrator permissions to accomplish this task.
- Click the Entra Id Consent link
- Accept the consent
Required service principal permissions explanation
- Read all applications: https://graph.microsoft.com/Application.Read.All
This permission is essential for retrieving assigned role groups for in-app permission management.
- Read domains: https://graph.microsoft.com/Domain.Read.All
This permission is used to fetch and validate tenant domain and custom domains.
- Manage Exchange As Application: https://outlook.office.com/Exchange.ManageAsApp
This permission is used to administer Exchange Online as an app principal. Additional permissions in Exchange Online are required to execute provisioning tasks.
Add Exchange Online Role permissions
Option 1 (simple)
- Open Microsoft Entra Admin Center and navigate to Applications / Enterprise Applications
- Enter EXRA in the search window and open the EXRA 365 Provisioning Service (Application ID = 8936bef4-7aa2-43af-afd2-8363296adc77)
- Copy the Object ID.
- Navigate to Identity / Roles and admins
- Open the Exchange Recipient Administrator role
- Click Add Assignment
- Click Select Member(s)
- Paste the Object ID copied in step 3 into the search box.
- Select the EXRA 365 Provisioning Service entry and click Select
- Keep the assignment type as Active and the duration as permanent, then click Assign
Option 2 (least privilege)
- Open Microsoft Entra Admin Center and navigate to Applications / Enterprise Applications
- Enter EXRA in the search window and open the EXRA 365 Provisioning Service (Application ID = 8936bef4-7aa2-43af-afd2-8363296adc77)
- Note the Object ID; it is used in the code below.
- Connect to Exchange Online PowerShell with privileges to create and assign Role Based Access Permissions
- Copy the code below to a text editor and replace the $ObjectId value with the Object ID from step 3.
- Paste the code in PowerShell. If there are no errors, you've successfully assigned permissions to the EXRA Provisioning Service.
```powershell
$ObjectId = "00000000-0000-0000-0000-000000000000" # Replace with the "EXRA 365 Provisioning Service" Object ID
$AppId = "8936bef4-7aa2-43af-afd2-8363296adc77"

# Register the Entra service principal in Exchange Online
$sp = New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName "EXRA 365 Provisioning Service"

# Restrict write access to room and equipment mailboxes, room lists, and recipients tagged EXRA*
New-ManagementScope -Name "EXRA365" -RecipientRestrictionFilter "RecipientTypeDetails -eq 'EquipmentMailbox' -or RecipientTypeDetails -eq 'RoomMailbox' -or RecipientTypeDetails -eq 'RoomList' -or ExtensionCustomAttribute2 -like 'EXRA*'"

# Create the role group limited to that scope, with the service principal as its member
New-RoleGroup -Name "EXRA365 Recipient Management" -Roles "Mail Recipient Creation","Mail Recipients","Distribution Groups" -CustomRecipientWriteScope "EXRA365" -Members $sp.ExchangeObjectId -Description "Allows creation and management of recipients related to the EXRA365 service"
```
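To confirm that Option 2 produced the intended least-privilege setup, the following check can be run in the same Exchange Online PowerShell session. It is an added example, not part of the EXRA documentation, and it assumes the scope and role group names used in the script above.

```powershell
# Added verification example (not EXRA's own code).
# Assumes the names created by the Option 2 script and an active Exchange Online session.
$scopeName     = "EXRA365"
$groupName     = "EXRA365 Recipient Management"
$expectedRoles = "Mail Recipient Creation", "Mail Recipients", "Distribution Groups"

# 1. The management scope must exist; show the filter Exchange actually stored.
$scope = Get-ManagementScope -Identity $scopeName -ErrorAction Stop
"Scope filter: $($scope.RecipientFilter)"

# 2. Collect the role assignments held by the role group.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $groupName -Delegating $false)
if ($assignments.Count -eq 0) { throw "No role assignments found for '$groupName'." }

# 3. Every assignment must be limited to the custom write scope.
$unscoped = $assignments | Where-Object { $_.CustomRecipientWriteScope -ne $scopeName }
if ($unscoped) {
    Write-Warning "Assignments not restricted to scope '$scopeName':"
    $unscoped | Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope
}

# 4. The group must hold exactly the three expected roles, no more and no fewer.
$actualRoles = @($assignments | ForEach-Object { [string]$_.Role } | Sort-Object -Unique)
$roleDiff = Compare-Object -ReferenceObject $expectedRoles -DifferenceObject $actualRoles
if ($roleDiff) {
    Write-Warning "Role set differs from the documented one ('=>' extra, '<=' missing):"
    $roleDiff | Format-Table InputObject, SideIndicator
}

# 5. List the members; only the EXRA service principal should appear.
Get-RoleGroup -Identity $groupName | Select-Object -ExpandProperty Members

# 6. Preview which recipients the scope filter matches, i.e. what the service can modify.
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize 50 |
    Sort-Object RecipientTypeDetails |
    Format-Table DisplayName, RecipientTypeDetails, PrimarySmtpAddress

if (-not $unscoped -and -not $roleDiff) { "Role group is scoped as documented." }
```

Any user mailbox in the step 6 preview means the scope filter matches more than room and equipment resources and should be reviewed before the service is put into use.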