User purpose property
The purpose of the mailbox. Differentiates a mailbox for a single user from a shared mailbox and equipment mailbox in Exchange Online. Possible values are: user, linked, shared, room, equipment, other
Userpurpose property explained
Userpurpose is an exchange property that can tell what a users mailbox is used for.

To allow Bsure Insights to read these values you have to give the managed identity inside the application access to read these settings by adding the following permission MailboxSettings.Read
MailboxSettings.Read gives access to read the following information https://learn.microsoft.com/en-us/graph/api/resources/mailboxsettings?view=graph-rest-1.0#properties
How to add permissions
Start cloud shell with a user having Global administrator privileges - https://portal.azure.com/#cloudshell/
Copy script below and paste as plain text to run it in cloud shell.
There is no need to edit script. Script will search for all installations (managed identities) used by Bsure Insights and add this new permission
$BSureSpnName = 'Bsure-Umi-'
$BsurePermissions = @(
"Directory.Read.All"
"AuditLog.Read.All"
"Domain.Read.All"
"Reports.Read.All"
"Policy.Read.All"
"MailboxSettings.Read"
)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
$RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")}
(Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName) | ForEach-Object{
$script:graphAPIReqHeader = @{
Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token | ConvertFrom-SecureString -AsPlainText)"
Host = "graph.microsoft.com"
}
$currentSPN = $_
$currentSPN
$assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"
$currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value
$RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))}
foreach($AppRole in $RolesToAddClean)
{
$body = @{
principalId = $currentSPN.Id
resourceId = $msGraphSpn.id
appRoleId = $AppRole.id
} | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
}
$RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))}
foreach($AppRole in $RolesToRemoveClean)
{
$toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id
Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader
}
}
Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"
Last updated
Was this helpful?