Adding users to Exchange admin role groups via API?

Is it possible to add users/members to Exchange admin role groups via an API? The equivalent PowerShell cmdlet would be Add-RoleGroupMember and the specific group I wish to add to is View-only Organization Management.

Microsoft Graph has an endpoint to add to directory roles, however I can't seem to find a "View-only Organization Management" group listed in my tenant's DirectoryRoles or DirectoryRoleTemplates, so I suspect MS Graph hasn't got access to these Exchange role groups. Poking around the Outlook API has not revealed much in the form of user/member functions either.

Extra info added from further poking around

I ran this PowerShell cmdlet:

Add-RoleGroupMember -identity "View-only Organization Management" -member "[email protected]"

Then ran:

Get-RoleGroupMember -identity "View-Only Organization Management"

To confirm that the user was in fact added to it. I then ran the following MS Graph call:

GET https://graph.microsoft.com/v1.0/users/[email protected]/memberOf

And it returned zip:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": []
}

So it looks like this particular View-only Organization Management roleGroup is not accessible via MS Graph? Are there any other APIs that would allow me to add to this roleGroup?



Solution 1:[1]

So https://graph.microsoft.com/v1.0/directoryRoleTemplates lists the available out-of-the-box "Directory" roles that you can set. I put Directory in quotes, because these roles do include Exchange, SharePoint and Skype service admins (as well as other roles). The thing to note here is that only the "implicit" user role and the Company Administrator role are available from the get go. The others need to be enabled/activated if you want them to show up and use them. This is described here: https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/directoryrole. Once you've activated the "Exchange Service Admin" role, you should be able to assign users to this role using https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/directoryrole_post_members.

If you are looking to use Azure AD PowerShell, this capability is ALSO available. You can find info here for V2 Azure AD PowerShell: https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory. In the search, type "DirectoryRole" and you'll find all the DirectoryRole cmdlets.
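The two-step flow the answer describes (activate the directory role from its template, then add the member), as an added Python example that is not part of the original answer. It only builds the Graph requests and decides which one is needed next; the sample arrays, the ids and the display name string are constructed, and sending each request with an access token is left to the caller.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample data shaped like the "value" arrays Graph returns.
# The ids are placeholders, not real template or object ids, and the
# display name is an assumption: use the one your tenant's template list shows.
TEMPLATES = [
    {"id": "tmpl-company-admin", "displayName": "Company Administrator"},
    {"id": "tmpl-exchange-admin", "displayName": "Exchange Service Administrator"},
]
ONLY_DEFAULT_ROLES = [{"id": "role-1", "roleTemplateId": "tmpl-company-admin"}]
AFTER_ACTIVATION = ONLY_DEFAULT_ROLES + [
    {"id": "role-2", "roleTemplateId": "tmpl-exchange-admin"}]
USER_ID = "user-object-id"  # placeholder for the user's directory object id


def next_request(templates, active_roles, members_by_role, role_name, user_id):
    """Return the next (method, url, json_body) to send, or None when the
    user already holds the role. Call again after each request succeeds,
    passing freshly fetched state, until it returns None."""
    matches = [t for t in templates
               if t["displayName"].casefold() == role_name.casefold()]
    if len(matches) != 1:
        # Refuse to guess: a wrong match would grant the wrong privilege.
        raise LookupError(f"{len(matches)} templates named {role_name!r}")
    template_id = matches[0]["id"]

    role = next((r for r in active_roles
                 if r["roleTemplateId"] == template_id), None)
    if role is None:
        # Step 1: the role is not activated in this tenant yet.
        return ("POST", f"{GRAPH}/directoryRoles",
                {"roleTemplateId": template_id})

    if user_id in members_by_role.get(role["id"], ()):
        return None  # already a member, nothing to send

    # Step 2: add the user by reference to its directory object.
    return ("POST", f"{GRAPH}/directoryRoles/{role['id']}/members/$ref",
            {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"})
```

The directory role grants Exchange administration tenant-wide, which is broader than the read-only role group named in the question, so check the role's scope before assigning it.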

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 TylerH