To allow Bsure Insights to read these values, you have to grant the managed identity inside the application access to read these settings by adding the following permission: MailboxSettings.Read.
Copy the script below and paste it as plain text to run it in Cloud Shell.
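# Grants the Bsure Insights managed identity (service principal whose display name
# starts with 'Bsure-Umi-') exactly the Microsoft Graph application permissions listed
# in $BsurePermissions: roles that are missing are assigned, Graph roles outside the
# list are revoked. Assignments the identity holds on other resource applications are
# left untouched.
# Requires an Az PowerShell session (Get-AzADServicePrincipal / Get-AzAccessToken) with
# rights to manage app role assignments; intended to be pasted into Azure Cloud Shell.
$BSureSpnName = 'Bsure-Umi-'
$BsurePermissions = @(
    "Directory.Read.All"
    "AuditLog.Read.All"
    "Domain.Read.All"
    "Reports.Read.All"
    "Policy.Read.All"
    "MailboxSettings.Read"
)

# Well-known application id of the Microsoft Graph resource service principal.
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $msGraphSpn) {
    throw "Microsoft Graph service principal (appId $GraphAppId) was not found in this tenant."
}

# Only application-type app roles (not delegated scopes) can be assigned to a managed identity.
$RolesToAdd = $msGraphSpn.AppRole | Where-Object {
    ($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")
}
# Warn on any requested name that did not resolve to an application role, instead of
# silently granting less than the list says.
$unresolved = $BsurePermissions | Where-Object { $_ -notin @($RolesToAdd.Value) }
if ($unresolved) {
    Write-Warning "These permissions are not application roles on Microsoft Graph and will be skipped: $($unresolved -join ', ')"
}

$bsureSpns = @(Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName)
if ($bsureSpns.Count -eq 0) {
    Write-Warning "No service principal with a display name starting with '$BSureSpnName' was found; nothing to do."
}

$bsureSpns | ForEach-Object {
    $currentSPN = $_
    $currentSPN
    # A fresh token per principal so a long run does not outlive the token lifetime.
    $script:graphAPIReqHeader = @{
        Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
        Host = "graph.microsoft.com"
    }
    $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"

    # Collect every current assignment, following @odata.nextLink because Graph pages the
    # collection; reading only the first page would make the add/remove comparison wrong.
    $allAssignments = @()
    $nextUri = $assignedPermissionsUri
    while ($nextUri) {
        $page = Invoke-RestMethod -Method Get -Uri $nextUri -Headers $script:graphAPIReqHeader
        $allAssignments += @($page.value)
        $nextUri = $page.'@odata.nextLink'
    }
    # Only assignments on the Microsoft Graph resource are managed here; without this filter
    # the removal step below would also strip roles granted on other resource applications.
    $currentAssignments = @($allAssignments | Where-Object { $_.resourceId -eq $msGraphSpn.Id })

    # Roles from the list that the identity does not hold yet.
    $RolesToAddClean = $RolesToAdd | Where-Object { $_.Id -notin @($currentAssignments.appRoleId) }
    foreach ($AppRole in $RolesToAddClean) {
        $body = @{
            principalId = $currentSPN.Id
            resourceId = $msGraphSpn.Id
            appRoleId = $AppRole.Id
        } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
        Write-Host "Assigning $($AppRole.Value) to $($currentSPN.DisplayName)"
        Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
    }

    # Graph roles the identity holds that are not in the list are revoked (least privilege).
    $RolesToRemoveClean = $currentAssignments | Where-Object { $_.appRoleId -notin @($RolesToAdd.Id) }
    foreach ($assignment in $RolesToRemoveClean) {
        Write-Host "Removing app role $($assignment.appRoleId) from $($currentSPN.DisplayName)"
        Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$($assignment.id)" -Headers $script:graphAPIReqHeader
    }

    # Report per principal; the loop variable is the only object with a name and id here.
    Write-Host "Done setting permissions for $($currentSPN.DisplayName) ($($currentSPN.Id))"
}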