Assign management roles, and scope those roles, to grant or restrict access to Azure resources. You can scope a role assignment to a single resource group, a subscription, or a management group.

Follow these steps to assign the required application roles to the registered iManage Work for Outlook application.

  1. In PowerShell, enter: New-ManagementRoleAssignment -Role <RoleIdParameter> -App <String> -CustomResourceScope <String>

    Use the following values for the parameters in the command above.

    • RoleIdParameter is Application Calendars.Read

    • App is ClientID

    • CustomResourceScope is the -Name value you created as the management scope in the Create a New Management Scope procedure

  2. Repeat Step 1 for each of the following roles, substituting each one for RoleIdParameter in the PowerShell command in Step 1:

    • Application Calendars.ReadWrite

    • Application Mail.Read

    • Application Mail.ReadWrite

    • Application MailboxSettings.Read

Verify permissions

The next step is to verify that the mailboxes in the mail-enabled security group have been granted this permission.

  1. In PowerShell, enter: Test-ServicePrincipalAuthorization -Identity <AppID> -Resource <security group member’s email> where

    1. AppID is ClientID

    2. Resource is the email address of an individual member of the security group.

  2. In the results, verify that every value in the InScope column is “True” and that the AllowedResourceScope is the Management Scope Name.

NOTE: After you add or remove a member from a mail-enabled security group, the change might take from a few minutes to a few hours to take effect, even if the results of the command above show the permission as granted.
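
The two procedures above can be run as one script. The following is an added example, not code from iManage or Microsoft. It assumes an existing Connect-ExchangeOnline session, and the client ID, scope name, group address and out-of-group mailbox are placeholders; the final check that a mailbox outside the group is not in scope goes beyond the steps above.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# All four values below are placeholders (assumptions); replace them with your own.
$ClientId      = '00000000-0000-0000-0000-000000000000'  # ClientID of the registered application
$ScopeName     = 'MANAGEMENT-SCOPE-NAME-PLACEHOLDER'     # -Name used in Create a New Management Scope
$GroupIdentity = 'work-for-outlook-users@example.com'    # mail-enabled security group
$OutsideUser   = 'not-in-group@example.com'              # mailbox that must stay out of scope

$Roles = @(
    'Application Calendars.Read'
    'Application Calendars.ReadWrite'
    'Application Mail.Read'
    'Application Mail.ReadWrite'
    'Application MailboxSettings.Read'
)

# Steps 1 and 2: one scoped assignment per role. Stop on the first failure so a
# partially assigned role set is noticed immediately.
foreach ($role in $Roles) {
    New-ManagementRoleAssignment -Role $role -App $ClientId `
        -CustomResourceScope $ScopeName -ErrorAction Stop | Out-Null
}

# Verify permissions: collect every row that is not InScope or carries another scope name.
$members  = Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -like '*Mailbox' }   # skip nested groups and contacts
$problems = foreach ($member in $members) {
    Test-ServicePrincipalAuthorization -Identity $ClientId -Resource $member.PrimarySmtpAddress |
        Where-Object { "$($_.InScope)" -ne 'True' -or $_.AllowedResourceScope -ne $ScopeName } |
        Select-Object @{ n = 'Resource'; e = { $member.PrimarySmtpAddress } },
                      RoleName, AllowedResourceScope, InScope
}

# Extra check (not in the steps above): a mailbox outside the group must not be in scope.
$leaks = Test-ServicePrincipalAuthorization -Identity $ClientId -Resource $OutsideUser |
    Where-Object { "$($_.InScope)" -eq 'True' }

if ($problems -or $leaks) {
    $problems | Format-Table -AutoSize
    $leaks | Format-Table RoleName, AllowedResourceScope, InScope -AutoSize
    Write-Warning 'Scope verification failed: review the rows listed above.'
} else {
    Write-Output "All $($members.Count) group mailboxes are in scope '$ScopeName'; $OutsideUser is not."
}
```

Because of the propagation delay described in the NOTE, rerun the verification part after any group membership change before treating the result as final.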