Assign management roles and scope those role assignments to grant or restrict access to Azure resources. You can scope a role assignment to a single resource group, a subscription, or a management group. The goal is to grant only the required permissions. Future features may require additional permissions; the list below identifies the permissions currently required:

  • Application Mail.ReadWrite

    • Required for all tasks associated with email management

  • Application MailboxSettings.ReadWrite

    • Required to manage Category field values in users' mailboxes

NOTE: The above list is subject to change as new features and functionality are added to the product.

Follow the steps to assign required application roles to the registered iManage Work for Outlook application.

  1. In PowerShell, enter: New-ManagementRoleAssignment -Role <RoleIdParameter> -App <String> -CustomResourceScope <String>

    Use the following values for the parameters in the command above.

    • RoleIDParameter is Application Mail.ReadWrite

    • App is ClientID

    • CustomResourceScope is the -Name value you created as the management scope in the Create a New Management Scope procedure

  2. Repeat Step 1 for each of the following roles, substituting the following RoleIDParameter value in the PowerShell command in Step 1:

    • Application MailboxSettings.ReadWrite

Verify permissions

The next step is to verify that the mailboxes in the mail-enabled security group have been granted this permission.

  1. In PowerShell, enter: Test-ServicePrincipalAuthorization -Identity <AppID> -Resource <security group member’s email> where

    1. AppID is ClientID

    2. Resource is the email address of an individual in the security group.

  2. In the results, verify that every value in the InScope column is “True” and that the AllowedResourceScope is the Management Scope Name.

NOTE: After you add or remove a member from a mail-enabled security group, even if the results of the command above show the permission granted, it might actually take longer, from a few minutes to a few hours, to see the change take effect.
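
The assignment and verification steps above as one script. This is an added example, not iManage's own code. All values in angle brackets are placeholders, the Test-AppScope helper is hypothetical, and the out-of-scope check is an addition that assumes you have a mailbox outside the security group to test against.

```powershell
# Added example. Replace every <placeholder> with your own values.
$ClientId   = '<ClientID>'               # registered iManage Work for Outlook application
$ScopeName  = '<ManagementScopeName>'    # -Name from Create a New Management Scope
$MemberMbx  = '<member@example.com>'     # mailbox that is in the mail-enabled security group
$OutsideMbx = '<nonmember@example.com>'  # assumption: a mailbox that is NOT in the group

# Role names contain a space, so they must be quoted.
$Roles = 'Application Mail.ReadWrite', 'Application MailboxSettings.ReadWrite'

Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module

# Steps 1 and 2: one scoped assignment per required role.
foreach ($role in $Roles) {
    New-ManagementRoleAssignment -Role $role -App $ClientId -CustomResourceScope $ScopeName
}

# Hypothetical helper: checks the InScope and AllowedResourceScope columns for one mailbox.
function Test-AppScope {
    param([string]$Mailbox, [bool]$ExpectInScope)

    $rows = @(Test-ServicePrincipalAuthorization -Identity $ClientId -Resource $Mailbox)
    $rows | Format-Table RoleName, AllowedResourceScope, InScope | Out-Host

    # Both required roles must appear in the results.
    $missing = @($Roles | Where-Object { $rows.RoleName -notcontains $_ })

    # Every row must have the expected InScope value; for a group member,
    # AllowedResourceScope must also be the management scope name.
    $bad = @($rows | Where-Object {
        ([string]$_.InScope -ne [string]$ExpectInScope) -or
        ($ExpectInScope -and $_.AllowedResourceScope -ne $ScopeName)
    })

    if ($missing.Count -or $bad.Count) {
        Write-Warning "$Mailbox failed the check (missing roles: $($missing -join ', '); bad rows: $($bad.Count))"
        return $false
    }
    return $true
}

# A group member must be in scope for every role.
Test-AppScope -Mailbox $MemberMbx -ExpectInScope $true

# Least-privilege check: a non-member must be out of scope for every role.
Test-AppScope -Mailbox $OutsideMbx -ExpectInScope $false
```

If either check fails shortly after a group membership change, rerun it later before changing the assignments, because membership changes can take from a few minutes to a few hours to take effect.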