
    How to Add Custom Roles to an App?

    To grant an app custom roles in Exchange Online, you first create a new role group in the Exchange admin center and add the required roles to that group, and then add the app's service principal as a member of the group with Exchange Online PowerShell. The app receives every role in the group, so the group should hold only the roles listed below for the app's tenant type and nothing more.

    Refer to the following steps to add a new role group and add custom roles to the group:

    1. In the Exchange admin center, go to Roles > Admin roles.

    2. On the Admin roles page, click Add role group. The Add role group page appears.

    3. In the Basics step, enter a name and an optional description for the group.

    4. Click Next to go to the Permissions step.

    5. Select the following roles for the group, depending on whether the tenant is the source or the destination of the migration:

    Type         Permission name                           Purpose
    ----         ---------------                           -------
    Source       Mail Recipients                           Retrieve mailboxes when migrating mailbox permissions, migrating mailbox aliases, performing email forwarding, etc.
    Source       Distribution Groups                       Required if you want to migrate distribution lists or dynamic distribution lists.
    Destination  Mail Recipients                           Retrieve mailboxes when migrating mailbox permissions, migrating mailbox aliases, etc.
    Destination  Mail Recipient Creation                   Required if you want to create shared mailboxes, resource mailboxes, and dynamic distribution lists in the destination.
    Destination  Distribution Groups                       Required if you want to migrate distribution lists or dynamic distribution lists.
    Destination  Security Group Creation and Membership    Required if you want to create mail-enabled security groups in the destination.
    6. Click Next to go to the Admins step.

    7. Skip the Admins step and click Next to go to the Review and finish step.

    8. Click Add role group to add the group with the selected permissions.

    After you have added the role group, refer to the following steps to add the app's service principal to the group via Windows PowerShell:

    1. Connect to Exchange Online using PowerShell. Refer to for details.

    2. In the Windows PowerShell window, enter the following command and press Enter to create a service principal object for the application in Exchange Online:

       New-ServicePrincipal -AppId xxxxx -ObjectId xxxxx -DisplayName "Display name"

       *Note: To get the application ID and object ID of an app, navigate to Microsoft Entra admin center > Identity > Applications > Enterprise applications and click the app. Use the object ID shown on the Enterprise applications page, which identifies the service principal; the object ID shown under App registrations is a different value and is not accepted by New-ServicePrincipal.

    3. Enter the following command and press Enter to store the details of the service principal in a variable:

       $SP = Get-ServicePrincipal -Identity "Display name"

    4. Enter the following command and press Enter to add the service principal as a member of the custom role group:

       Add-RoleGroupMember -Identity "Name of custom role group" -Member $SP.Identity

    5. Enter the following command and press Enter to verify that the service principal has been added to the custom role group:

       Get-RoleGroupMember "Name of custom role group"
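
    The whole procedure, both the role group creation and the service principal steps, as one PowerShell script. This is an added example, not code from the original page or from the product it documents. It assumes the ExchangeOnlineManagement module is installed and that the account running it may manage role groups; the parameter names, the TenantType switch, the description text and the pre-flight role-name check are this example's own, while the cmdlets and role names are the ones used in the steps above.

```powershell
# Added example, not code from the original page or from the product it documents.
# Creates (or reuses) a role group holding only the roles from the table, registers
# the app's service principal in Exchange Online, adds it to the group, and shows
# what the app can now do.
#
# Assumptions: the ExchangeOnlineManagement module is installed; the running account
# can manage role groups; all parameter values are placeholders you supply.
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $RoleGroupName,
    # Application (client) ID of the app, from Enterprise applications in Entra.
    [Parameter(Mandatory)] [guid]   $AppId,
    # Object ID of the enterprise application (service principal), not of the
    # app registration; New-ServicePrincipal needs the service principal's ID.
    [Parameter(Mandatory)] [guid]   $ServicePrincipalObjectId,
    [Parameter(Mandatory)] [string] $DisplayName,
    # Which side of the migration this tenant is; selects the role set from the table.
    [ValidateSet('Source', 'Destination')] [string] $TenantType = 'Destination'
)

# Role sets from the table above. Keep them minimal: every role listed here is
# granted to the app in full once it is a member of the group.
$RolesByType = @{
    Source      = @('Mail Recipients', 'Distribution Groups')
    Destination = @('Mail Recipients', 'Mail Recipient Creation',
                    'Distribution Groups', 'Security Group Creation and Membership')
}
$Roles = $RolesByType[$TenantType]

Connect-ExchangeOnline -ShowBanner:$false
try {
    # Fail early on a misspelled role name instead of creating a half-built group.
    $knownRoles = (Get-ManagementRole).Name
    $missing = $Roles | Where-Object { $knownRoles -notcontains $_ }
    if ($missing) { throw "Unknown management role(s): $($missing -join ', ')" }

    # 1. Role group: create it with exactly the required roles, or reuse it.
    $group = Get-RoleGroup | Where-Object Name -eq $RoleGroupName
    if (-not $group) {
        $group = New-RoleGroup -Name $RoleGroupName -Roles $Roles `
            -Description "Custom roles for $DisplayName ($TenantType tenant)"
        Write-Host "Created role group '$RoleGroupName'."
    }

    # 2. Service principal: register it in Exchange Online if it is not there yet.
    $sp = Get-ServicePrincipal | Where-Object AppId -eq $AppId.ToString()
    if (-not $sp) {
        $sp = New-ServicePrincipal -AppId $AppId -ObjectId $ServicePrincipalObjectId `
            -DisplayName $DisplayName
        Write-Host "Registered service principal '$DisplayName'."
    }

    # 3. Membership: this is the step that actually grants the app the group's roles.
    #    Re-running for an existing member returns an error from the service, which
    #    is reported rather than hidden.
    try {
        Add-RoleGroupMember -Identity $RoleGroupName -Member $sp.Identity -ErrorAction Stop
    } catch {
        Write-Warning "Add-RoleGroupMember: $($_.Exception.Message)"
    }

    # 4. Verify: who is in the group, and which roles the group (and so the app) holds.
    Write-Host "Members of '$RoleGroupName':"
    Get-RoleGroupMember -Identity $RoleGroupName | Format-Table Name, RecipientType -AutoSize
    Write-Host "Roles assigned through '$RoleGroupName':"
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
        Format-Table Role, RoleAssigneeName, Enabled -AutoSize
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

    Run it as, for example, `.\Add-AppRoleGroup.ps1 -RoleGroupName "Migration App Roles" -AppId <application ID> -ServicePrincipalObjectId <object ID from Enterprise applications> -DisplayName "Migration App" -TenantType Destination` (the script name is illustrative). The final Get-ManagementRoleAssignment listing is the check worth keeping for audits: it shows exactly which roles the app holds through the group, so any role added to the group later is visible as an expansion of the app's access.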

    For more instructions, refer to .