Public/generated/Get-KriticalUtcmEXOManagementRoleAssignment.ps1

# Kritical.PS.UTCM | Microsoft Graph UTCM REST API toolkit
# (c) 2026 Kritical Pty Ltd | https://kritical.net
# Kritical brand banner is rendered at module load via Write-KriticalUtcmBanner.

function Get-KriticalUtcmEXOManagementRoleAssignment {
<#
.SYNOPSIS
    Kritical.UTCM shim for M365DSC resource EXOManagementRoleAssignment.

.DESCRIPTION

    Search-replace safe: callers that today invoke
        Get-M365DSCEXOManagementRoleAssignment -Credential $cred -TenantId $tid
    can rename to
        Get-KriticalUtcmEXOManagementRoleAssignment -Credential $cred -TenantId $tid
    with ZERO other edits. Parameter shape matches the M365DSC .schema.mof
    exactly. By default -PreferM365DscBehavior is true.

    Actual Graph dispatch is delegated to Invoke-KriticalUtcmM365DscSchemaBridge.
    Bridge maps resource → Graph endpoint per per-resource wave; where mapping
    is not yet shipped, bridge returns an object with Verdict='UNMAPPED'.

.NOTES
    Workload: Exchange
    Param count: 20
#>

[CmdletBinding()]
param(
        # The Name parameter specifies a name for the new management role assignment. The maximum length of the name is 64 characters.
[Parameter(Mandatory)] [string]$Name,
        # The Role parameter specifies the existing role to assign. You can use any value that uniquely identifies the role.
[Parameter(Mandatory)] [string]$Role,
        # The App parameter specifies the service principal to assign the management role to. Specifically, the ServiceId GUID value from the output of the Get-ServicePrincipal cmdlet (for example, 6233fba6-0198-4277-892f-9275bf728bcc).
[string]$App,
        # The Policy parameter specifies the name of the management role assignment policy to assign the management role to.
[string]$Policy,
        # The SecurityGroup parameter specifies the name of the management role group or mail-enabled universal security group to assign the management role to.
[string]$SecurityGroup,
        # The User parameter specifies the name or alias of the user to assign the management role to.
[string]$User,
        # The CustomRecipientWriteScope parameter specifies the existing recipient-based management scope to associate with this management role assignment.
[string]$CustomRecipientWriteScope,
        # The CustomResourceScope parameter specifies the custom management scope to associate with this management role assignment. You can use any value that uniquely identifies the management scope.
[string]$CustomResourceScope,
        # The ExclusiveConfigWriteScope parameter specifies the exclusive configuration-based management scope to associate with the new role assignment.
[string]$ExclusiveRecipientWriteScope,
        # The RecipientAdministrativeUnitScope parameter specifies the administrative unit to scope the new role assignment to.
[string]$RecipientAdministrativeUnitScope,
        # The RecipientOrganizationalUnitScope parameter specifies the OU to scope the new role assignment to. If you use the RecipientOrganizationalUnitScope parameter, you can't use the CustomRecipientWriteScope or ExclusiveRecipientWriteScope parameters.
[string]$RecipientOrganizationalUnitScope,
        # The RecipientRelativeWriteScope parameter specifies the type of restriction to apply to a recipient scope. The available types are None, Organization, MyGAL, Self, and MyDistributionGroups. The RecipientRelativeWriteScope parameter is automatically set when the CustomRecipientWriteScope or RecipientOrganizationalUnitScope parameters are used.
[string]$RecipientRelativeWriteScope,
        # Specify if the Management Role Assignment should exist or not.
[ValidateSet('Present','Absent')] [string]$Ensure,
        # Credentials of the Exchange Global Admin
[string]$Credential,
        # Id of the Azure Active Directory application to authenticate with.
[string]$ApplicationId,
        # Id of the Azure Active Directory tenant used for authentication.
[string]$TenantId,
        # Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
[string]$CertificateThumbprint,
        # Username can be made up to anything but password will be used for CertificatePassword
[string]$CertificatePassword,
        # Path to certificate used in service principal usually a PFX file.
[string]$CertificatePath,
        # Managed ID being used for authentication.
[bool]$ManagedIdentity
)
    Invoke-KriticalUtcmM365DscSchemaBridge -ResourceName 'EXOManagementRoleAssignment' -Workload 'Exchange' -Verb 'Get' -CallerParams $PSBoundParameters
}