问题
Is it possible to add users/members to Exchange admin role groups via an API? The equivalent PowerShell cmdlet would be Add-RoleGroupMember and the specific group I wish to add to is View-only Organization Management.
Microsoft Graph has an endpoint to add to directory roles, however I can't seem to find a "View-only Organization Management" group listed in my tenant's DirectoryRoles or DirectoryRoleTemplates, so I suspect MS Graph hasn't got access to these Exchange role groups. Poking around the Outlook API has not revealed much in the form of user/member functions either.
Extra info added from further poking around
I ran this PowerShell cmdlet:
Add-RoleGroupMember -identity "View-only Organization Management" -member "user@domain.onmicrosoft.com"
Then ran:
Get-RoleGroupMember -identity "View-Only Organization Management"
To confirm that the user was in fact added to it. I then ran the following MS Graph call:
GET https://graph.microsoft.com/v1.0/users/user@domain.onmicrosoft.com/memberOf
And it returned zip:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": []
}
So it looks like this particular View-only Organization Management roleGroup is not accessible via MS Graph? Are there any other APIs that would allow me to add to this roleGroup?
回答1:
So https://graph.microsoft.com/v1.0/directoryRoleTemplates lists the available out-of-the-box "Directory" roles that you can set. I put Directory in quotes, because these roles do include Exchange, SharePoint and Skype service admins (as well as other roles). The thing to note here is that only the "implicit" user role and the Company Administrator role are available from the get go. The others need to be enabled/activated if you want them to show up and use them. This is described here: https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/directoryrole. Once you've activated the "Exchange Service Admin" role, you should be able to assign users to this role using https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/directoryrole_post_members.
If you are looking to use Azure AD PowerShell, this capability is ALSO available. You can find info here for V2 Azure AD PowerShell https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory. In the search type "DirectoryRole" and you'll find all the DirectoryRole cmdlets.
来源:https://stackoverflow.com/questions/40935849/adding-users-to-exchange-admin-role-groups-via-api