
Is it possible to add users/members to Exchange admin role groups via an API? The equivalent PowerShell cmdlet would be Add-RoleGroupMember and the specific group I wish to add to is View-only Organization Management.

Microsoft Graph has an endpoint to add to directory roles, however I can't seem to find a "View-only Organization Management" group listed in my tenant's DirectoryRoles or DirectoryRoleTemplates, so I suspect MS Graph hasn't got access to these Exchange role groups. Poking around the Outlook API has not revealed much in the form of user/member functions either.

Extra info added from further poking around

I ran this PowerShell cmdlet:

Add-RoleGroupMember -identity "View-only Organization Management" -member "user@domain.onmicrosoft.com"

Then ran:

Get-RoleGroupMember -identity "View-Only Organization Management"

To confirm that the user was in fact added to it. I then ran the following MS Graph call:

GET https://graph.microsoft.com/v1.0/users/user@domain.onmicrosoft.com/memberOf

And it returned zip:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": []
}

So it looks like this particular View-only Organization Management roleGroup is not accessible via MS Graph? Are there any other APIs that would allow me to add to this roleGroup?

Ian



So https://graph.microsoft.com/v1.0/directoryRoleTemplates lists the available out-of-the-box "Directory" roles that you can set. I put Directory in quotes, because these roles do include Exchange, SharePoint and Skype service admins (as well as other roles). The thing to note here is that only the "implicit" user role and the Company Administrator role are available from the get-go. The others need to be enabled/activated if you want them to show up and use them. This is described here: https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/directoryrole. Once you've activated the "Exchange Service Admin" role, you should be able to assign users to this role using https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/directoryrole_post_members.

If you are looking to use Azure AD PowerShell, this capability is ALSO available. You can find info here for V2 Azure AD PowerShell https://learn.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory. In the search type "DirectoryRole" and you'll find all the DirectoryRole cmdlets.

Dan Kershaw - MSFT
  • Thanks for your response - I'm across activating the directoryRole by posting to the directoryRoleTemplate, I am just having troubles finding the specific "View-only Organization Management" rolegroup. Are you suggesting that "Exchange Service Admin" == "View-only Organization Management"? – Ian Dec 05 '16 at 17:22
  • I edited my question to add some further information. It looks like the Exchange Service Admin directoryRole is not the one I am after, as it has some write access (the View-only one can only read) – Ian Dec 05 '16 at 18:15
  • So the role you are adding is an Exchange specific role. This role is mastered in Exchange and is unknown to the directory (which is why you can't find a role template for it, and why your query doesn't show it). Over time we *might* add RBAC capabilities to Microsoft Graph that could encompass all constituent services, but we don't have that yet. We only have some high level roles for Office services in the directory, and this isn't likely to change for the time being. Exchange PS is your only option for now. – Dan Kershaw - MSFT Dec 08 '16 at 00:04
  • Dang. Thanks for the info. – Ian Dec 08 '16 at 14:02
  • 1
    Please make sure to go to https://officespdev.uservoice.com/ and ask for O365 management APIs to be part of Microsoft Graph (including being able to manage Exchange roles) – Dan Kershaw - MSFT Dec 10 '16 at 23:42
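The Graph-side procedure from the answer (resolve a directoryRoleTemplate, activate it only if it is not already a directoryRole, then bind a user through members/$ref), as an added example that is not code from the question, the answer or Microsoft. It assumes a `send(method, url, json_body)` callable that performs an authenticated Graph request; the `FakeGraph` stand-in, the template id `tmpl-exo` and the user id `user-guid` are constructed so the flow runs offline, and an Exchange-only role group such as "View-only Organization Management" simply fails the template lookup, matching the thread's conclusion.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
# send(method, url, json_body) is assumed to perform an authenticated Graph request and
# return the decoded JSON body (None for 204); in practice wrap requests + a bearer token.

def find_template_id(send, display_name: str) -> str:
    """Resolve a directoryRoleTemplate id from its displayName (case-insensitive)."""
    for t in send("GET", f"{GRAPH}/directoryRoleTemplates", None)["value"]:
        if t["displayName"].lower() == display_name.lower():
            return t["id"]
    raise LookupError(f"no directory role template named {display_name!r}")

def ensure_role_activated(send, template_id: str) -> str:
    """Return the active directoryRole id, instantiating it from the template if needed."""
    for role in send("GET", f"{GRAPH}/directoryRoles", None)["value"]:
        if role["roleTemplateId"] == template_id:
            return role["id"]  # already activated: do not POST a second instance
    return send("POST", f"{GRAPH}/directoryRoles", {"roleTemplateId": template_id})["id"]

def add_member(send, role_id: str, user_id: str) -> None:
    """Bind the user to the role through the members/$ref navigation property."""
    send("POST", f"{GRAPH}/directoryRoles/{role_id}/members/$ref",
         {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"})

def assign_directory_role(send, role_name: str, user_id: str) -> str:
    """Template -> activated role -> membership; returns the directoryRole id."""
    role_id = ensure_role_activated(send, find_template_id(send, role_name))
    add_member(send, role_id, user_id)
    return role_id

class FakeGraph:
    """Constructed offline stand-in: canned GET responses; POSTs are recorded and echoed."""
    def __init__(self, get_responses: dict) -> None:
        self.gets, self.posts = get_responses, []
    def __call__(self, method, url, body):
        if method == "GET":
            return self.gets[url]
        self.posts.append((url, body))
        return {"id": "role-new"}  # shape of a freshly activated directoryRole

def demo(role_already_active: bool = False) -> list:
    """Run the flow against a constructed tenant and return the POSTs that were issued."""
    roles = [{"id": "role-old", "roleTemplateId": "tmpl-exo"}] if role_already_active else []
    fake = FakeGraph({
        f"{GRAPH}/directoryRoleTemplates": {"value": [
            {"id": "tmpl-exo", "displayName": "Exchange Service Administrator"}]},
        f"{GRAPH}/directoryRoles": {"value": roles},
    })
    assign_directory_role(fake, "Exchange Service Administrator", "user-guid")
    return fake.posts
```

Because a directory role assignment is a privileged change, reviewing `fake.posts` (or the real tenant's audit log) after the run is the check a defender wants: exactly one activation POST at most, and one $ref POST per user.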