Limited Scopes
Utilizing limited scopes enables you to restrict the access of the Azure AD Application to specific users, Microsoft Teams, SharePoint Sites, and Microsoft 365 Groups.
This document provides a comprehensive overview of the process and requirements for creating the Azure AD Application through PowerShell while opting for Limited Scopes.
The following article provides instructions on executing the script to reach this stage.
Modern Authentication - Authenticating manually using the powershell script
Please ensure that you utilize Windows PowerShell ISE when executing the scripts referenced in this article, including the CreateAzureADApplication.ps1 script. Additionally, it is important that you execute these scripts with administrative privileges.
Script Operations
The following section outlines the operations that the script will execute when selecting the limited scopes option.
- Installation of the following PowerShell Modules:
- Microsoft.Graph.Identity.DirectoryManagement v2.10.0
- Microsoft.Graph.Applications v2.10.0
- Microsoft.Graph.Groups v2.10.0
- Microsoft.Graph.Files v2.10.0
- Microsoft.Graph.Sites v2.10.0
- ExchangeOnlineManagement v3.2.0
- Prompt for Microsoft Graph PowerShell login. At this stage, authentication is required using a global administrator account for your Microsoft 365 tenant.
- Utilize the Microsoft Graph PowerShell SDK to:
- Create an Azure AD Application in your tenant with the specified name provided in the ‘-appName’ parameter, and assign it restricted roles. For the purpose of this document, we will refer to this application as ‘CloudM-LimitedTestApp’.
- Create a ‘Mail Enabled Security’ group with the title of the application created in step 1 (CloudM-LimitedTestApp)
- Add the access right ‘RestrictAccess’ to the application created in step 1 (CloudM-LimitedTestApp)
Setup
The below section explains the setup involved for this process.
- Create a working directory (e.g. c:\CloudM).
- Download the following scripts and save to the above directory (right click and save link as).
CSV Files
EmailDrive.csv
- This file is used to import a CSV list of users into the restricted mail enabled security group.
- The CSV should include the email address of the user and the ItemType. The ItemType options are described below.
- Email - Select this option if you only want to grant access to mail for the user.
- Drive - Select this option if you only want to grant access to OneDrive for the user.
- EmailDrive - Select this option if you want to grant access to both mail and OneDrive for the user.
- You can download the CSV file from the following link: EmailDrive.csv
MicrosoftTeamGroup.csv
- This file is used to import a CSV list of Microsoft Teams and Groups into the restricted mail-enabled security group.
- The CSV should contain the email address of the Team/Group and the ItemType. The ItemType options are described below:
- Email - Select this option if you only want to access mail for the Team/Group.
- Site - Select this option if you only want to access the files for the Team/Group.
- EmailSite - Select this option if you want to access both mail and files for the Team/Group.
- You can download the CSV file from the following link: MicrosoftTeamGroup.csv
SharePointSites.csv
- This file is used to grant the application full control of a CSV list of SharePoint sites.
- The CSV should contain the URLs of the SharePoint sites that you want the application to access.
- You can download the CSV file from the following link: SharePointSites.csv
Processing CSV Scripts
After creating the Azure AD Application with limited access and populating the CSV files, it is necessary to execute the PowerShell scripts below to process the CSVs.
The CSV files that need to be processed should be located in the working directory alongside the scripts. The scripts should be run from the working directory. You can download the scripts using the links provided above.
-
CloudM-ProcessEmailDriveCsv.ps1
- This script will process the users in the EmailDrive.csv file, if it exists in the working directory, and add those users to the mail-enabled security group.
- Before running this script, please open and modify the below variables.
- $WorkFolder - Full path of your working directory.
- $MailGroupAlias - Mail group alias generated from the CreateAzureADApplication script.
- $TenantName - Domain name of your Microsoft 365 tenant.
- $ClientAppId - Client ID generated from the CreateAzureADApplication script.
- $ClientAppCertificate - Full path of the certificate generated from the CreateAzureADApplication script.
- $Environment - Microsoft 365 environment (this is Global by default).
To ensure that the script can effectively process mail and drive for users listed in the CSV, please ensure that the account executing the script has site collection administrator privileges for the OneDrives of the users listed in the CSV.
-
CloudM-ProcessMicrosoftTeamGroupCsv.ps1
- This script will process the Teams and Groups in the MicrosoftTeamGroup.csv file, if it exists in the working directory, and add them to the mail-enabled security group.
- Before running this script, please open and modify the below variables.
- $WorkFolder - Full path of your working directory.
- $MailGroupAlias - Mail group alias generated from the CreateAzureADApplication script.
- $TenantName - Domain name of your Microsoft 365 tenant.
- $ClientAppId - Client ID generated from the CreateAzureADApplication script.
- $ClientAppCertificate - Full path of the certificate generated from the CreateAzureADApplication script.
- $Environment - Microsoft 365 environment (this is Global by default).
In order for the script to successfully process the Teams and Groups in the CSV, it is necessary to ensure that the account executing the script is an owner of each Team or Group.
-
CloudM-ProcessSharePointSiteCsv.ps1
- This script will process the SharePoint sites in the SharePointSites.csv file, if it exists in the working directory, and grant the Azure AD Application full control over them.
- Before running this script, please open and modify the below variables.
- $WorkFolder - Full path of your working directory.
- $MailGroupAlias - Mail group alias generated from the CreateAzureADApplication script.
- $TenantName - Domain name of your Microsoft 365 tenant.
- $ClientAppId - Client ID generated from the CreateAzureADApplication script.
- $ClientAppCertificate - Full path of the certificate generated from the CreateAzureADApplication script.
- $Environment - Microsoft 365 environment (this is Global by default).
To ensure that the script can effectively process each site in the CSV, it is necessary for the account executing the script to have site collection administrator privileges for the SharePoint sites specified in the CSV.
Microsoft Team Migrations
In order to migrate Microsoft 365 Groups and Microsoft Teams, there are specific additional requirements that need to be met. These requirements are outlined below:
- For Microsoft 365 Groups, the Admin Username specified in CloudM Migrate must belong to an account that has licenses for Exchange Online (Plan 2).
- For Microsoft Teams, the Admin Username specified in CloudM Migrate must belong to an account that has licenses for Exchange Online (Plan 2) and Microsoft Teams.
- The Admin Username specified in CloudM Migrate must also be added to the EmailDrive.csv file and processed with an ItemType of Email. This user is responsible for migrating email and is impersonated during the migration of Microsoft 365 Groups or Teams mail.