Overview of required access rights stanocPowerHelper.ps1

Procedure:

Look up the modules/processes that are relevant for your own environment in the table below and apply the entries from the "Required Role / Rights" column to the configuration in the corresponding admin center.

For ExchangeOnlineManagement:

In the Exchange Admin Center under "Admin Roles" → "Roles" (https://admin.exchange.microsoft.com/#/adminRoles) create a new "Role Group", add the required roles to it and assign the newly created Role Group to:

  • With Basic Auth (attention: deprecated since October 1, 2022): the user whose credentials are stored in stanocPowerHelper.ps1.

For the combination of Modern Auth and App, the App must be assigned the "Exchange Administrator" role in Azure AD; there is currently no more granular option available.
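The role-group procedure above, scripted with the ExchangeOnlineManagement module, as an added example that is not part of stanocPowerHelper.ps1: the role group name, description and member UPN are placeholders, and the role list is the union of the "Required Role / Rights" entries in the table, to be trimmed to the processes actually used.

```powershell
# Added example (not from stanocPowerHelper): create a dedicated Exchange Online role
# group carrying exactly the roles listed in the table, assign it, and verify that
# the group holds nothing beyond those roles.
Connect-ExchangeOnline -ShowBanner:$false

$roleGroupName = 'stanocPowerHelper-Roles'            # placeholder name
$member        = 'svc-powerhelper@contoso.example'     # placeholder UPN of the script account

# Roles from the "Required Role / Rights" column; drop the ones whose processes
# you do not use (a read-only setup needs only 'View-Only Recipients').
$roles = @(
  'View-Only Recipients',
  'Mail Recipients',
  'Mail Recipient Creation',
  'Security Group Creation and Membership',
  'Distribution Groups'
)

if (-not (Get-RoleGroup -Identity $roleGroupName -ErrorAction SilentlyContinue)) {
  New-RoleGroup -Name $roleGroupName -Roles $roles -Members $member `
    -Description 'Roles required by stanocPowerHelper.ps1' | Out-Null
}

# Verify membership ...
Get-RoleGroupMember -Identity $roleGroupName | Select-Object Name, RecipientType

# ... and the effective role assignments: warn if anything beyond $roles is present
$assigned = Get-ManagementRoleAssignment -RoleAssignee $roleGroupName |
  Select-Object -ExpandProperty Role | Sort-Object -Unique
$extra = $assigned | Where-Object { $_ -notin $roles }
if ($extra) { Write-Warning "Unexpected extra roles: $($extra -join ', ')" }
else        { "Role group '$roleGroupName' carries only: $($assigned -join ', ')" }

Disconnect-ExchangeOnline -Confirm:$false
```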

For AzureAD:

In the Azure AD Admin Center under "App Registrations" (https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) open the stanocPowerHelper app and under "API Permissions" find and add the required API permissions (API: "Microsoft Graph", permission type: "Application").
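The same step done with the AzureAD module, as an added example that is not part of stanocPowerHelper.ps1: it grants the two Graph application permissions from the table (User.Read.All, Directory.Read.All) as app role assignments on the app's service principal, which is what admin consent in the portal produces, and then lists any Graph permission the app holds beyond those two. The app display name is a placeholder; the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is the same in every tenant.

```powershell
# Added example (not from stanocPowerHelper): grant exactly the two Graph application
# permissions the table requires and report any extra ones (least-privilege check).
Connect-AzureAD | Out-Null

$appName  = 'stanocPowerHelper'                 # placeholder display name of the app registration
$required = @('User.Read.All', 'Directory.Read.All')

# Microsoft Graph's well-known application ID (identical in all tenants)
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# The service principal (enterprise app) of our registration receives the grants
$appSp   = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
if (-not $appSp) { throw "Service principal '$appName' not found" }

# Assignments on Graph's app roles that belong to our principal
function Get-GraphGrants {
  Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $appSp.ObjectId }
}
$current = Get-GraphGrants

foreach ($perm in $required) {
  # Resolve the permission name to Graph's app-role ID instead of hard-coding GUIDs
  $role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains 'Application' }
  if ($current.Id -contains $role.Id) { "$perm already granted"; continue }
  New-AzureADServiceAppRoleAssignment -ObjectId $appSp.ObjectId -PrincipalId $appSp.ObjectId `
    -ResourceId $graphSp.ObjectId -Id $role.Id | Out-Null
  "granted $perm"
}

# Least-privilege check: which Graph application permissions does the app hold in total?
$held  = Get-GraphGrants | ForEach-Object {
  $id = $_.Id
  ($graphSp.AppRoles | Where-Object { $_.Id -eq $id }).Value
}
$extra = $held | Where-Object { $_ -notin $required }
if ($extra) { Write-Warning "Graph permissions beyond the table: $($extra -join ', ')" }
else        { "App '$appName' holds only: $($held -join ', ')" }
```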

Note on the coloring used in the original table (the colors mark which system a role/right belongs to):

Green: ExchangeOnlineManagement (Exchange Online roles)

Yellow: AzureAD (MS Graph API permissions)

Blue: local Active Directory

| Module | Process | Used PowerHelper commands | Used PowerShell cmdlets | Required Role / Rights | Comments |
|---|---|---|---|---|---|
| AC | Read foreign address book | ReadAllMailBoxproperties, ReadAllGroups, ReadUsers (Azure AD / AD), ReadGroups (Azure AD) | Get-EXOMailbox, Get-Mailbox, Get-RemoteMailbox, Get-CalendarProcessing, Get-MailboxCalendarConfiguration, Get-Group, Get-AzureADUser, Get-ADUser, Get-AzureADGroup | View-Only Recipients; User.Read.All; Directory.Read.All | |
| SWAP! | Check Exchange accounts | ReadAllMailBoxproperties, ReadAllGroups | Get-EXOMailbox, Get-Mailbox, Get-RemoteMailbox, Get-CalendarProcessing, Get-MailboxCalendarConfiguration | View-Only Recipients | |
| SWAP! | Check Exchange forwardings | ReadMailForward | Get-Mailbox | View-Only Recipients | |
| SWAP! | Check access rights to Exchange mailboxes | GetMailboxPermission | Get-EXOMailboxPermission, Get-MailboxPermission | View-Only Recipients | |
| SWAP! | Action "Check account" | ReadMailBoxProperties, ReadOneGroup | Get-Mailbox, Get-EXOMailbox, Get-Group | View-Only Recipients | |
| SWAP! | Action "Set mail addresses/forwards" | DisableMailForward, ConfigureMailForward | Set-Mailbox | Mail Recipients | |
| SWAP! | Action "Create mailbox" | CreateMailbox | New-Mailbox, New-RemoteMailbox | Mail Recipient Creation | |
| SWAP! | Action "Create mail distribution group" | CreateGroup | New-DistributionGroup | Security Group Creation and Membership | |
| SWAP! | Action "Create security group" | CreateGroup | New-DistributionGroup | Security Group Creation and Membership | |
| SWAP! | Action "Create Microsoft 365 group" | CreateGroup | New-UnifiedGroup | Mail Recipients | |
| SWAP! | Action "Create equipment" | CreateResource | New-Mailbox, New-RemoteMailbox, Set-CalendarProcessing, Set-MailboxCalendarConfiguration | Mail Recipient Creation, Mail Recipients | |
| SWAP! | Action "Create space" | CreateResource | New-Mailbox, New-RemoteMailbox, Set-CalendarProcessing, Set-MailboxCalendarConfiguration | Mail Recipient Creation, Mail Recipients | |
| SWAP! | Action "Transfer Domino group members to Exchange group members" | AddGroupMembers | Add-DistributionGroupMember, Add-UnifiedGroupLinks | Distribution Groups, Mail Recipients | |
| SWAP! | Action "Set Domino mail address(es) as Exchange alias(es)" | SetMailAlias (AD); AddMailAddress | Set-ADUser, Get-ADUser (for SetMailAlias); Set-Mailbox (for AddMailAddress) | Mail Recipients (for AddMailAddress) | |
| SWAP! | Action "Transfer Domino access to Exchange mailbox" | AddMailboxPermission, RemoveMailboxPermission | Add-RecipientPermission, Add-MailboxPermission, Remove-MailboxPermission | Mail Recipients | |
| SWAP! | Exchange - Create mail distribution group | CreateGroup | New-DistributionGroup | Security Group Creation and Membership | |
| SWAP! | Exchange - Create security group | CreateGroup | New-DistributionGroup | Security Group Creation and Membership | |
| SWAP! | Exchange - Create Microsoft 365 group | CreateGroup | New-UnifiedGroup | Mail Recipients | |
| SWAP! | Exchange - Transfer Domino group members to Exchange group members | AddGroupMembers | Add-DistributionGroupMember, Add-UnifiedGroupLinks | Distribution Groups, Mail Recipients | |
| SWAP! | Exchange - Transfer Domino accesses to Exchange user mailbox | AddMailboxPermission, RemoveMailboxPermission | Add-RecipientPermission, Add-MailboxPermission, Remove-MailboxPermission | Mail Recipients | |
| SWAP! | Exchange - Transfer Domino accesses to Exchange shared mailbox | AddMailboxPermission, RemoveMailboxPermission | Add-RecipientPermission, Add-MailboxPermission, Remove-MailboxPermission | Mail Recipients | |
| SWAP! | Exchange - Set forwarding to Domino (if not controlled by the connection) | DisableMailForward, ConfigureMailForward | Set-Mailbox | Mail Recipients | |
| SWAP! | Check Azure Active Directory accounts | ReadUsers (Azure AD), ReadGroups (Azure AD) | Get-AzureADUser, Get-AzureADGroup | User.Read.All, Directory.Read.All | |
| SWAP! | Azure Active Directory - Convert inactive user to equipment | ConvertToNonUserMailbox (MSOnline / ExchangeOnline) | Set-Mailbox | Mail Recipients | |
| SWAP! | Azure Active Directory - Convert inactive user to shared mailbox | ConvertToNonUserMailbox (MSOnline / ExchangeOnline) | Set-Mailbox | Mail Recipients | |
| SWAP! | Azure Active Directory - Convert inactive user to space | ConvertToNonUserMailbox (MSOnline / ExchangeOnline) | Set-Mailbox | Mail Recipients | |
| SWAP! | Check Active Directory accounts (local) | ReadUsers (AD), ReadGroups (AD) | Get-ADUser, Get-ADGroup | | |
| SWAP! | Active Directory - Create groups for mail distribution lists | CreateGroup (AD) | New-ADGroup, Add-ADGroupMember, Get-ADGroup, Get-ADObject | | |
| SWAP! | Active Directory - Create groups for security | CreateGroup (AD) | New-ADGroup, Add-ADGroupMember, Get-ADGroup, Get-ADObject | | |
| SWAP! | Active Directory - Copy Domino group members to Active Directory group members | AddGroupMembers (AD) | Set-ADGroup, Get-ADGroup, Get-ADObject | | |
| SWAP! | Active Directory - Create inactive user to convert to equipment | CreateUser (AD) | New-ADUser, Get-ADUser | | |
| SWAP! | Active Directory - Create inactive user to convert to shared mailbox | CreateUser (AD) | New-ADUser, Get-ADUser | | |
| SWAP! | Active Directory - Create inactive user to convert to room | CreateUser (AD) | New-ADUser, Get-ADUser | | |