Create a Custom Role Group
If you want to protect distribution lists or mail-enabled security groups in your Microsoft Entra tenant through the Microsoft Entra ID service, or to protect Microsoft 365 Defender or Exchange admin center settings through the Admin Portal Settings service, you can assign the Exchange administrator role to the app that you created for the Microsoft Entra ID and Admin Portal Settings services. If you are using a custom app and do not want to grant it the Exchange administrator role, you can instead create a role group in the Exchange admin center with the minimum required permissions and add the app as a member of that group.
Note that this configuration applies only to a custom app.
- Sign into the Exchange admin center with an administrator account.
- Navigate to Roles > Admin roles.
- Click Add role group.
- Provide the basic information for the role group and go to the Permission step.
- On the Add permissions page, select the following permissions:
  - Mail Recipients
  - View-Only Configuration
  - View-Only Recipients
- Click Next, continue to complete the other settings, and click Add role group to finish.
- After the role group with the required permissions has been added, follow the steps below to add the app to the role group as a group member:
  - Run PowerShell as an administrator on your computer.
  - Install the Exchange Online PowerShell module using the following commands:

    Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.4.0
    Set-ExecutionPolicy RemoteSigned

  - Execute the following commands to add the app as a member of the role group that you have created. Note: You must provide the Application ID, Object ID, and Display Name of the app. You can find this information on the Azure portal > Enterprise applications page for the app.

    Connect-ExchangeOnline
    New-ServicePrincipal -AppId <Application ID on Azure Portal> -ObjectId <Object ID on Azure Portal> -DisplayName <Same name as in Azure Portal>
    Add-RoleGroupMember "<Role Group Name on Exchange Admin page>" -Member <ServicePrincipal Object ID>
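The following script is an added example, not part of the original documentation: it performs the service-principal registration and role-group membership steps above so that they can be re-run safely, and then verifies that the role group still grants exactly the three documented roles and nothing broader. The Application ID, Object ID, display name and role group name are placeholders that you replace with your own values; the field used to recognise an existing service-principal member is an assumption about how Exchange Online reports such members.

```powershell
# Added example (not the product's own code). Replace the placeholder values below with
# the app's details from Azure portal > Enterprise applications and your role group name.
$AppId       = '00000000-0000-0000-0000-000000000000'   # placeholder: Application ID
$ObjectId    = '11111111-1111-1111-1111-111111111111'   # placeholder: Object ID (service principal)
$DisplayName = 'Backup App'                             # placeholder: same name as in Azure portal
$RoleGroup   = 'Backup App Minimum Permissions'         # placeholder: role group created in the EAC

# The least-privilege role set documented above; anything beyond this is over-permissioning.
$ExpectedRoles = @('Mail Recipients', 'View-Only Configuration', 'View-Only Recipients')

Connect-ExchangeOnline -ShowBanner:$false

# Register the service principal in Exchange Online only if it is not already known,
# so re-running the script does not fail on a duplicate.
$sp = Get-ServicePrincipal -Identity $ObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName $DisplayName
}

# Add the service principal to the role group unless it is already a member.
# Assumption: an existing member is matched on its directory object ID or display name.
$members = @(Get-RoleGroupMember -Identity $RoleGroup)
$alreadyMember = $members | Where-Object {
    $_.ExternalDirectoryObjectId -eq $ObjectId -or $_.Name -eq $DisplayName
}
if (-not $alreadyMember) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $sp.ObjectId
}

# Verify the role group holds exactly the documented roles. Role identities may be
# reported as plain names or as "<prefix>\<name>", so keep only the trailing name.
$group       = Get-RoleGroup -Identity $RoleGroup
$actualRoles = @($group.Roles | ForEach-Object { ($_ -split '\\')[-1] })
$extra   = @($actualRoles   | Where-Object { $_ -notin $ExpectedRoles })
$missing = @($ExpectedRoles | Where-Object { $_ -notin $actualRoles })

if ($extra)   { Write-Warning "Role group '$RoleGroup' grants roles beyond the documented minimum: $($extra -join ', ')" }
if ($missing) { Write-Warning "Role group '$RoleGroup' is missing documented roles: $($missing -join ', ')" }
if (-not $extra -and -not $missing) {
    Write-Output "Role group '$RoleGroup' holds exactly the documented roles; app '$DisplayName' is a member."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from the elevated PowerShell session in which you installed the ExchangeOnlineManagement module; a warning about extra roles means the group was broadened beyond the three permissions selected in the Exchange admin center and should be corrected before the app is used.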