Section 9 - Restrict the Service Principals

SPARK utilizes a System Assigned Managed Identity (SAMI) and a Registered Application to manage SPARK components within Exchange. The SAMI and Registered Application are represented within Exchange as service principals. They must be restricted in scope.

Requirements

The Exchange Administrator will be required for this step. The user must have:

  • Exchange Administrator role
  • Access to the Microsoft Exchange admin center

Manual Steps:

Step 1: View Enterprise Applications

  1. Browse to and log in to Microsoft Entra, using the correct URL for your environment:

     • Worldwide (Commercial) & GCC: https://entra.microsoft.com
     • GCC-High and DoD: https://entra.microsoft.us

  2. Select Enterprise apps from the left menu
  3. Click on All applications under Manage
  4. Click on the X for each default filter

(Screenshot: View App Registrations)

If you do not clear the filters, the automation account may not appear in the list.


Step 2: View Automation Account SAMI

  1. Search for aa-spark
  2. Click on the aa-spark-automation0 enterprise application

(Screenshot: View Automation Account)

  3. Annotate the Application ID and Object ID values

(Screenshot: App Information)

Annotate the following variables in the template spreadsheet:

  • SAMI appId: The application id of the aa-spark-automation0 enterprise application
  • SAMI objID: The object id of the aa-spark-automation0 enterprise application

Step 3: Get App Registration Send Mail Information

  1. Select Enterprise apps from the left menu
  2. Search for sendmail
  3. Click on the appreg-spark-sendmail application registration

(Screenshot: View Send Mail App Registration)

  4. Annotate the Application (client) ID and Object ID values

(Screenshot: Send Mail App Registration)

Annotate the following variables in the template spreadsheet:

  • v_exo_sendEmailApp: The application id of the appreg-spark-sendmail enterprise application
  • SendMail appID: The application id of the appreg-spark-sendmail enterprise application
  • SendMail objID: The object id of the appreg-spark-sendmail enterprise application

Step 4: Restrict aa-spark-automation0 SAMI

This step restricts the aa-spark-automation0 SAMI to managing only the DL-SPARK-SiteOwners distribution lists.

  1. Open the 01_Restrict_SAMI_aa_spark_automation0_DL_MGT_v01 script
  2. Uncomment the appropriate connection string based on your tenant
  3. Edit the script and update the variables listed below
  4. Run the script

  • $appID: The application id of the aa-spark-automation0 enterprise application
  • $objID: The object id of the aa-spark-automation0 enterprise application

These values were retrieved in Step 2: View Automation Account SAMI above.


Step 5: Restrict aa-spark-sendmail Enterprise Application

Create the management scope to restrict the SendMail registered app to send only from the SPARK notifications Shared Mailbox (NPE).

  1. Open the 02_Restrict_appreg-spark-sendmail.ps1 script
  2. Uncomment the appropriate connection string based on your tenant
  3. Edit the script and update the variables listed below
  4. Run the script

  • $appID: The application id of the appreg-spark-sendmail enterprise application
  • $objID: The object id of the appreg-spark-sendmail enterprise application
  • $domain: The domain value for the tenant
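As an added worked example, not the page's 01_/02_ scripts (whose contents are not shown here), the following PowerShell carries out the pattern that Steps 4 and 5 describe: register each service principal in Exchange Online, build a management scope from a recipient filter, and bind one narrow role to that scope so the principal can act on nothing else. Everything in it beyond the page's own variable names is an assumption drawn from the ExchangeOnlineManagement module's documented cmdlets rather than from the page: the scope and role-group names, the "Distribution Groups" role for the SAMI, the "Application Mail.Send" role for the send-mail app, the DL name filter, and the placeholder domain and mailbox address.

```powershell
# Added example, not the page's own scripts. Assumes ExchangeOnlineManagement v3+
# (New-ServicePrincipal takes -ObjectId; older releases called it -ServiceId).
# Placeholder values stand in for the template spreadsheet entries.

# --- Connection: uncomment the line for your tenant ---
Connect-ExchangeOnline                                               # Worldwide / GCC
# Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh  # GCC-High
# Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovDoD      # DoD

# --- Step 4: the SAMI may only manage the DL-SPARK-SiteOwners lists ---
$samiAppID = '<SAMI appId from spreadsheet>'
$samiObjID = '<SAMI objID from spreadsheet>'

# Exchange must know the Entra service principal before it can be scoped;
# this is why the page has you record both the Application ID and Object ID
New-ServicePrincipal -AppId $samiAppID -ObjectId $samiObjID -DisplayName 'aa-spark-automation0'

# Recipient filter: limits which recipients the role can write to (assumed filter)
New-ManagementScope -Name 'SPARK-SiteOwners-DL-Scope' `
    -RecipientRestrictionFilter "Name -like 'DL-SPARK-SiteOwners*'"

# Custom role group carrying only the DL role, write-scoped to that filter
New-RoleGroup -Name 'SPARK-DL-Managers' -Roles 'Distribution Groups' `
    -CustomRecipientWriteScope 'SPARK-SiteOwners-DL-Scope'
Add-RoleGroupMember -Identity 'SPARK-DL-Managers' -Member $samiObjID

# --- Step 5: the send-mail app may only send from the notifications NPE ---
$sendAppID = '<SendMail appID from spreadsheet>'
$sendObjID = '<SendMail objID from spreadsheet>'
$domain    = 'contoso.onmicrosoft.com'            # placeholder for $domain
$npe       = "spark-notifications@$domain"        # placeholder shared mailbox

New-ServicePrincipal -AppId $sendAppID -ObjectId $sendObjID -DisplayName 'appreg-spark-sendmail'

# Scope containing exactly one recipient: the shared mailbox
New-ManagementScope -Name 'SPARK-SendMail-Scope' `
    -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$npe'"

# RBAC for Applications: the Mail.Send application role, bound to that scope,
# so a Graph sendMail call from this app succeeds only for the NPE mailbox
New-ManagementRoleAssignment -App $sendAppID -Role 'Application Mail.Send' `
    -CustomResourceScope 'SPARK-SendMail-Scope'

# --- Verify: expected to report access for the NPE and none for another mailbox ---
Test-ServicePrincipalAuthorization -Identity $sendAppID -Resource $npe | Format-Table
Test-ServicePrincipalAuthorization -Identity $sendAppID -Resource "someone.else@$domain" | Format-Table
```

The two Test-ServicePrincipalAuthorization calls are the check worth keeping in the runbook: the first should show the app is authorized for the shared mailbox and the second should not, which confirms the scope is doing the limiting rather than the app's Graph permission grant alone.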

Continue to creating the Storage Account

References