The Integration Event log for SCM shows a failed synchronization with the error: Errors when getting user information: ['Failed to get resource users: Azure request failed: 403 - {"error":{"code":"Forbidden","message":"User is not allowed to call Get-Mailbox","innererror":{"message":"User is not allowed to call Get-Mailbox","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException","stacktrace":"","internalexception":{"message":"cmdlet Get-Mailbox is not present in the role definition of the current user","type":"Microsoft.Exchange.Configuration.Authorization.CmdletAccessDenied
This is caused by an API permission issue within the Microsoft App Registration. It can be corrected by adding the following API permission to your App Registration.
Use-Case | API | Permission Type | Permission
---|---|---|---
M365 (Email) / Entra ID | Microsoft APIs / Microsoft Graph | Application | MailboxSettings.Read
The App Registration may also require an additional IAM role.
- Navigate to Entra ID in the Azure portal
- Expand Manage and select "Roles and Administrators" on the left-hand side
- Search for the "Global Reader" role and click on it
- On the next screen, select Add Assignment
- In the "Search" field, enter the whole App ID that you created in the above steps and assign it to the Global Reader role:
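The portal steps above can be verified (and the role assignment applied) from the command line. The following script is an added example, not part of the original article or the SCM product; it assumes the Microsoft Graph PowerShell SDK is installed, that `$AppId` is replaced with the Application (client) ID of your App Registration (the value shown is a placeholder), and that the account running it can read applications and directory roles. It checks that admin consent was granted for the `MailboxSettings.Read` application permission (granting consent creates an app role assignment on the Microsoft Graph service principal) and that the Global Reader role is assigned to the app's service principal; with `-AssignGlobalReader` it creates the role assignment when it is missing.

```powershell
# Added example: verify the App Registration has the Graph application permission and
# the Global Reader directory role described above. Not from the original article.
function Test-ScmAppRegistration {
    param(
        [Parameter(Mandatory)] [string] $AppId,   # placeholder: your App Registration's Application (client) ID
        [switch] $AssignGlobalReader             # create the Global Reader assignment if it is missing
    )

    $scopes = @('Application.Read.All', 'RoleManagement.Read.Directory')
    if ($AssignGlobalReader) { $scopes += 'RoleManagement.ReadWrite.Directory' }
    Connect-MgGraph -Scopes $scopes | Out-Null

    # 1. The service principal (enterprise app) behind the App Registration
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId" }

    # 2. MailboxSettings.Read (Application) must be consented on the Microsoft Graph service principal.
    #    00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $appRole = $graphSp.AppRoles |
        Where-Object { $_.Value -eq 'MailboxSettings.Read' -and $_.AllowedMemberTypes -contains 'Application' }
    $consented = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.AppRoleId -eq $appRole.Id }
    if ($consented) {
        Write-Host 'OK: MailboxSettings.Read (Application) is granted with admin consent.'
    } else {
        Write-Warning 'MISSING: MailboxSettings.Read (Application) is not granted; add it and grant admin consent.'
    }

    # 3. Global Reader directory role assignment for the service principal
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
    $assignment = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($sp.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
    if ($assignment) {
        Write-Host 'OK: Global Reader is assigned to the service principal.'
    } elseif ($AssignGlobalReader) {
        # '/' scopes the assignment to the whole tenant, matching the portal's Add Assignment step
        New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
            -PrincipalId $sp.Id -DirectoryScopeId '/' | Out-Null
        Write-Host 'Assigned Global Reader to the service principal.'
    } else {
        Write-Warning 'MISSING: Global Reader is not assigned; re-run with -AssignGlobalReader or use the portal steps.'
    }

    [pscustomobject]@{
        ServicePrincipalId     = $sp.Id
        MailboxSettingsRead    = [bool] $consented
        GlobalReaderAssigned   = [bool] ($assignment -or $AssignGlobalReader)
    }
}

# Usage (placeholder App ID):
Test-ScmAppRegistration -AppId '00000000-0000-0000-0000-000000000000'
```

After the permission and role are in place, trigger the SCM synchronization again and confirm the Integration Event log no longer reports the Get-Mailbox 403. If the app role assignment check fails even though the permission is listed in the portal, admin consent was not granted; the permission must show a granted status before Microsoft Graph will honour it.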