1.3 KiB
name, description, metadata
| name | description | metadata | ||
|---|---|---|---|---|
| reference_investigator_exo_manageasapp_gap | Why the remediation-tool investigator-exo tier 401s on EXO adminapi; use exchange-op instead |
|
The Security Investigator app (bfbc12a4-f0dd-4e12-b06d-997e7271e10c) registration grants only the full_access_as_app (EWS) Office 365 Exchange Online app role — it is missing Exchange.ManageAsApp. The EXO REST admin API (outlook.office365.com/adminapi/beta/{tid}/InvokeCommand — Get-Mailbox, Get-InboxRule, Search-UnifiedAuditLog, etc.) requires Exchange.ManageAsApp, so the investigator-exo token returns 401 on every cmdlet.
The Exchange Administrator directory role is NOT the cause — it is already assigned to the Investigator SP. The gap is the API permission on the app registration, which is a manual Entra portal change (suite rule: app registrations stay manual) and arguably shouldn't be added to the read-only Investigator at all.
How to apply: for any EXO InvokeCommand work (mailbox reads, inbox rules, message trace, TABL, audit), use the exchange-op tier — the Exchange Operator app (b43e7342-5b4b-492f-890f-bb5a4f7f40e9) carries BOTH full_access_as_app and Exchange.ManageAsApp. Don't waste a round trip on investigator-exo for adminapi. See reference_tedards_tenant_facts.