Hi Rising Flight,
Thank you for posting your question in the Microsoft Q&A forum and for sharing your setup and requirements.
Please correct me if I’m wrong, but I understand that you’re currently migrating Exchange on-premises mailboxes to Exchange Online using a PowerShell script, and for authentication, you’re leveraging an Azure App Registration with certificate-based authentication. This is a great approach, especially with Microsoft enforcing MFA soon, as it allows for secure and automated operations.
You’ve successfully assigned the Exchange Administrator role to the App Registration, and the migration is working as expected. However, you’re now looking to minimize permissions by assigning only the minimum required API permissions for:
- Recipient Management
- Distribution List (DL) Management
- Microsoft 365 Group Management
Based on my research, here are some insights and recommended roles that can help you reduce app access while maintaining functionality:
Recipient Management
You can assign the Recipient Management role group instead of the full Exchange Administrator role. This role group includes several sub-roles that are relevant to your scenario:
- Distribution Groups
- Mail Recipient Creation
- Mail Recipients
- Message Tracking
- Migration
- Move Mailboxes
- Recipient Policies
- Reset Password
This role group should cover most of the operations your script performs related to mailbox migration and recipient handling.
Distribution List (DL) Management
The Distribution Groups role is specifically designed for managing DLs. However, since this role is already included in the Recipient Management role group, you don’t need to assign it separately if you’ve already assigned Recipient Management.
Microsoft 365 Group Management
Exchange Online does not natively include roles for managing Microsoft 365 Groups. For this, you can assign the Groups Administrator role in Microsoft Entra ID (formerly Azure AD). This role allows you to:
- Create, update, and delete Microsoft 365 groups
- Manage group memberships
- Perform group-related operations via Graph API or PowerShell
These roles should help you minimize app access while still enabling your PowerShell script to function correctly. Of course, depending on the exact operations your script performs, you might be able to scope permissions even further.
For more details, please refer to:
- Permissions in Exchange Online | Microsoft Learn
- Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn
I hope the resources and information I've provided are useful to you as you work through this setup.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
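As an added example (not part of the answer above or of any Microsoft script), the following PowerShell shows one way to carry out the narrowing the answer describes and then verify it: assign Entra ID built-in roles to the app registration's service principal with the Microsoft Graph PowerShell SDK, drop the broad Exchange Administrator assignment, and connect app-only to Exchange Online to see which cmdlets the app actually receives. The Groups Administrator role is the one the answer names; using the Entra role Exchange Recipient Administrator as the closest directory-role counterpart of the Recipient Management role group is my assumption, as are the placeholder app ID, certificate thumbprint, tenant domain and the cmdlet list in $needed.

```powershell
# Added example, not the original answer's code. Placeholders below are assumptions.
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',          # assumed app (client) ID
    [string]$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567',      # assumed cert thumbprint
    [string]$Organization = 'contoso.onmicrosoft.com'                        # assumed tenant domain
)

# --- 1. Assign narrow directory roles to the app's service principal ---
# Needs the Microsoft.Graph SDK and an admin able to grant RoleManagement.ReadWrite.Directory.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Current assignments for this principal, fetched once so we can diff against them.
$current = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"

# 'Exchange Recipient Administrator' as the Entra-side stand-in for Recipient Management is an assumption.
$wanted = @('Exchange Recipient Administrator', 'Groups Administrator')
foreach ($name in $wanted) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { Write-Warning "Role '$name' not found in this tenant"; continue }
    if ($current.RoleDefinitionId -contains $def.Id) { Write-Host "Already assigned: $name"; continue }
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id -RoleDefinitionId $def.Id `
        -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned: $name"
}

# --- 2. Remove the broad role only after the narrow ones exist ---
$exAdmin = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
$current | Where-Object RoleDefinitionId -eq $exAdmin.Id | ForEach-Object {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id
    Write-Host 'Removed: Exchange Administrator'
}

# --- 3. Connect app-only and check effective permissions ---
# Exchange Online only hands the session the cmdlets the connecting principal is authorized
# to run, so Get-Command after connecting is a direct test of what the app can do.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $Organization -ShowBanner:$false

# Cmdlets a migration + recipient/DL/M365 Group script typically calls (assumed list; edit to match yours).
$needed = 'New-MoveRequest', 'Get-MoveRequestStatistics', 'Set-Mailbox',
          'New-DistributionGroup', 'Add-DistributionGroupMember',
          'New-UnifiedGroup', 'Add-UnifiedGroupLinks'
$available = Get-Command -Name $needed -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
foreach ($c in $needed) {
    $status = if ($available -contains $c) { 'available' } else { 'MISSING' }
    Write-Host ('{0,-30} {1}' -f $c, $status)
}
Disconnect-ExchangeOnline -Confirm:$false
```

Run step 3 on its own a few minutes after changing roles, since directory role assignments take a short while to propagate into Exchange Online. A cmdlet showing as MISSING means the principal lacks any role granting it; a cmdlet showing as available can still be restricted at the parameter level, so the first real run of the script is the final check.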