Assign management roles and grant scope to those roles as a way of granting or restricting access to Azure resources. You can scope a role assignment to a single resource group, a subscription, or a management group. The goal is to grant only the required permissions. Although future features may require additional permissions, the list below identifies the required permissions:
Application Calendars.ReadWrite: The app modifies the email metadata such as filed category, filing location, and so on.
Application Mail.Read: Gives the app read access to the mail.
Application Mail.ReadWrite: The app modifies the email metadata such as filed category, filing location, and so on.
Application MailboxSettings.Read: Required to find out whether the mailbox is shared or individual.
Follow the steps to assign required application roles to the registered iManage Work for Outlook application.
1. In PowerShell, enter:
   New-ManagementRoleAssignment -Role <RoleIdParameter> -App <String> -CustomResourceScope <String>
   Use the following values for the parameters in the command above.
   RoleIDParameter is Application Calendars.ReadWrite
   App is ClientID
   CustomResourceScope is the -Name value you created as the management scope in the Create a New Management Scope procedure
2. Repeat Step 1 for each of the following Roles, substituting the following RoleIDParameters in the PowerShell command in Step 1:
   Application Mail.Read
   Application Mail.ReadWrite
   Application MailboxSettings.Read
Verify permissions
The next step is to verify that the mailboxes in the mail-enabled security group have been granted this permission.
1. In PowerShell, enter:
   Test-ServicePrincipalAuthorization -Identity <AppID> -Resource <security group member’s email>
   where
   AppID is ClientID
   Resource is the email address of an individual in the security group.
2. In the results, verify that every value in the InScope column is “True,” and the AllowedResourceScope is the Management Scope Name.
NOTE: After you add a member to or remove a member from a mail-enabled security group, even if the results of the command above show the permission granted, it might take longer, from a few minutes to a few hours, for the change to take effect.
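
The assignment and verification steps above, combined into one script. This is an added example, not iManage's own code. It assumes an Exchange Online PowerShell session is already connected, the values in angle brackets are placeholders to replace, and the RoleName property is the role column of the Test-ServicePrincipalAuthorization output. The out-of-scope check at the end goes beyond the steps on this page: it confirms that a mailbox outside the security group is not reachable through these roles.

```powershell
# Added example. Replace every <placeholder> before running.
$ClientId      = '<ClientID>'                    # app ID of the registered application
$ScopeName     = '<management scope -Name>'      # from "Create a New Management Scope"
$MemberMailbox = '<security group member email>' # mailbox inside the group
$OtherMailbox  = '<non-member email>'            # mailbox outside the group

$Roles = @(
    'Application Calendars.ReadWrite',
    'Application Mail.Read',
    'Application Mail.ReadWrite',
    'Application MailboxSettings.Read'
)

# Steps 1 and 2: one scoped assignment per required role.
foreach ($role in $Roles) {
    New-ManagementRoleAssignment -Role $role -App $ClientId `
        -CustomResourceScope $ScopeName -ErrorAction Stop | Out-Null
}

# Verify: each required role is present, every row is InScope = True,
# and every row is limited to the management scope.
$rows = @(Test-ServicePrincipalAuthorization -Identity $ClientId -Resource $MemberMailbox)
$problems = @()
foreach ($role in $Roles) {
    if (-not ($rows | Where-Object { $_.RoleName -eq $role })) {
        $problems += "Role not assigned: $role"
    }
}
foreach ($row in $rows) {
    if ("$($row.InScope)" -ne 'True') {
        $problems += "Not in scope for member: $($row.RoleName)"
    }
    if ("$($row.AllowedResourceScope)" -ne $ScopeName) {
        $problems += "Unexpected scope '$($row.AllowedResourceScope)' on $($row.RoleName)"
    }
}

# Least-privilege check (added): a non-member must not be in scope for any role.
$outside = @(Test-ServicePrincipalAuthorization -Identity $ClientId -Resource $OtherMailbox)
foreach ($row in $outside) {
    if ("$($row.InScope)" -eq 'True') {
        $problems += "Non-member is in scope: $($row.RoleName) via $($row.AllowedResourceScope)"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All $($Roles.Count) roles are scoped to '$ScopeName' and verified."
```

A clean result right after a group membership change does not mean access is live yet; the propagation delay in the NOTE above still applies.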