azure 权限不正确

xqkwcwgp  于 2023-06-24  发布在  其他
关注(0)|答案(1)|浏览(115)

我在Azure Automation中创建了一个Runbook,它运行一些命令,包括以下命令:

Add-MailboxPermission -Identity $shared_mailbox -User $mailbox_user -AccessRights FullAccess -Confirm:$false
Write-Output  "Granting full access permission..."
Add-RecipientPermission -Identity $shared_mailbox -Trustee $mailbox_user -AccessRights SendAs -Confirm:$false
Write-Output  "Granting full send permission..."

但是,当运行Add-RecipientPermission Cmdlet时,它会抛出以下错误。
|Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|源服务器:xxxx.prod.exchangelabs.com没有对目标DC:xxxx. PROD. OUTLOOK. COM的写入权限。通常它表示目标林不是源林的帐户分区。其他信息:访问被拒绝。Active Directory响应:00000005:SecErr:DSID-03152 E13,问题4003(INSUFF_ACCESS_RIGHTS),数据0
我已经给它的Exchange管理员权限的服务帐户,这就是为什么添加邮箱权限工程,但不确定为什么第二个命令不工作

5hcedyr0

5hcedyr01#

我创建了一个Azure AD应用程序并授予API权限,如下所示:

现在我使用以下命令创建了服务主体

Connect-AzureAD
Connect-ExchangeOnline
$app = Get-AzureADApplication -SearchString 'TestExchangeApp'
$sp = Get-AzureADServicePrincipal -SearchString $app.DisplayName
$sp1 = New-ServicePrincipal -AppId $app.AppId -ServiceId $sp.ObjectId -DisplayName "Exchange Service Principal for $($app.DisplayName)"

现在,Add-MailboxPermissionAdd-RecipientPermission命令成功运行,如下所示:

Add-MailboxPermission -Identity "user1@xxxx.onmicrosoft.com" -User $sp1.ServiceId -AccessRights FullAccess

Add-RecipientPermission -Identity "user1@xxx.onmicrosoft.com" -Trustee "user@xxx.onmicrosoft.com"  -AccessRights SendAs

若要为服务账号分配权限**,请勾选以下**:

您可以查看哪个Exchange命令需要哪些权限

Get-ManagementRole -Cmdlet Add-RecipientPermission
 
 Get-ManagementRoleAssignment -Role "Mail Recipients" -Delegating $false | Format-Table -Auto Role,RoleAssigneeType,RoleAssigneeName

因此,要解决错误,请为用户分配**Recipient Management/Organization Management**角色,如下所示:

参考:

Permissions in Exchange Online

相关问题