
Commit ec03a4f

Merge branch 'master' into SkipRules-chrisda
2 parents 4374a4b + 15ca7da commit ec03a4f

File tree

146 files changed

+3296
-697
lines changed


exchange/docs-conceptual/app-only-auth-powershell-v2.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -50,13 +50,16 @@ The following examples show how to use the Exchange Online PowerShell V2 module
5050
When you use the _Certificate_ parameter, the certificate does not need to be installed on the computer where you are running the command. This parameter is applicable for scenarios where the certificate object is stored remotely and fetched at runtime during script execution.
5151

5252
> [!TIP]
53-
> In the **Connect-ExchangeOnline** commands, be sure to use an `.onmicrosoft.com` domain in the _Organization_ parameter value. Otherwise, you might encounter cryptic permission issues when you run commands in the app context.
53+
>
54+
> - In the **Connect-ExchangeOnline** commands, be sure to use an `.onmicrosoft.com` domain in the _Organization_ parameter value. Otherwise, you might encounter cryptic permission issues when you run commands in the app context.
55+
>
56+
> - App-only authentication does not support delegation. Unattended scripting in delegation scenarios is supported with the Secure App Model. For more information, go [here](https://docs.microsoft.com/powershell/partnercenter/multi-factor-auth#exchange).
5457
5558
## How does it work?
5659

5760
The EXO V2 module uses the Active Directory Authentication Library to fetch an app-only token using the application Id, tenant Id (organization), and certificate thumbprint. The application object provisioned inside Azure AD has a Directory Role assigned to it, which is returned in the access token. Exchange Online configures the session RBAC using the directory role information that's available in the token.
5861

59-
## Setup app-only authentication
62+
## Set up app-only authentication
6063

6164
An initial onboarding is required for authentication using application objects. Application and service principal are used interchangeably, but an application is like a class object while a service principal is like an instance of the class. You can learn more about this at [Application and service principal objects in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals).
6265

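Review bot: the second added TIP bullet uses "go [here]" as its link text; put the link on the descriptive phrase instead so the target is clear out of context and to screen readers, e.g. `> - App-only authentication does not support delegation. Unattended scripting in delegation scenarios is supported with the [Secure App Model](https://docs.microsoft.com/powershell/partnercenter/multi-factor-auth#exchange).` The heading change from "Setup" to "Set up" is correct as a verb.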
exchange/docs-conceptual/find-exchange-cmdlet-permissions.md

Lines changed: 69 additions & 52 deletions
@@ -20,31 +20,31 @@ You can use PowerShell to find the permissions required to run any Exchange or E
2020

2121
- Estimated time to complete this procedure: less than 5 minutes.
2222

23-
- You can only use PowerShell to perform this procedure.
23+
- You can only use PowerShell to perform these procedures.
2424

25-
- Basically, you need to be an administrator to complete this procedure. Specifically, you need access to the **Get-ManagementRole** and **Get-ManagementRoleAssignment** cmdlets. By default, access to these cmdlets is granted by the **View-Only Configuration** or **Role Management** roles, which are typically assigned to the **View-Only Organization Management** and **Organization Management** role groups.
25+
- Basically, you need to be an administrator to complete this procedure. Specifically, you need access to the **Get-ManagementRole** and **Get-ManagementRoleAssignment** cmdlets. By default, access to these cmdlets is granted by the **View-Only Configuration** or **Role Management** roles, which are only assigned to the **View-Only Organization Management** and **Organization Management** role groups by default.
2626

27-
- The procedures in this topic don't work in Security & Compliance Center PowerShell. For more information about permissions in the Security & Compliance Center, see [Permissions in the Security & Compliance Center](https://docs.microsoft.com/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center).
28-
29-
- The procedures in this topic don't work in standalone Exchange Online Protection (EOP) PowerShell (Microsoft 365 organizations without Exchange Online mailboxes). For more information about permissions in standalone EOP, see [Feature permissions in EOP](https://docs.microsoft.com/microsoft-365/security/office-365-security/feature-permissions-in-eop).
27+
- The procedures in this article don't work in Security & Compliance Center PowerShell or standalone Exchange Online Protection (EOP) PowerShell (Microsoft 365 organizations without Exchange Online mailboxes). For more information about permissions in these environments, see the following articles:
28+
- [Permissions in the Security & Compliance Center](https://docs.microsoft.com/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center).
29+
- [Permissions in standalone EOP](https://docs.microsoft.com/microsoft-365/security/office-365-security/feature-permissions-in-eop).
3030

3131
> [!TIP]
3232
> Having problems? Ask for help in the Exchange forums. Visit the forums at: [Exchange Server](https://go.microsoft.com/fwlink/p/?linkId=60612) or [Exchange Online](https://go.microsoft.com/fwlink/p/?linkId=267542).
3333
3434
## Use PowerShell to find the permissions required to run a cmdlet
3535

36-
1. Open the PowerShell environment where you want to run the cmdlet.
37-
36+
1. If you haven't already, open the Exchange PowerShell environment that you're interested in:
3837
- **Exchange Online**: [Connect to Exchange Online PowerShell](connect-to-exchange-online-powershell.md).
39-
4038
- **Exchange Server**: [Open the Exchange Management Shell](open-the-exchange-management-shell.md) or [Connect to Exchange servers using remote PowerShell](connect-to-exchange-servers-using-remote-powershell.md).
4139

42-
2. Run the following command to identify the cmdlet and, optionally, one or more parameters on the cmdlet. Be sure to replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the actual cmdlet and parameter names you are interested in. If you specify multiple parameters separated by commas, only the roles that include **all** of the parameters are returned.
40+
2. Replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the values that you want to use, and run the following command:
4341

4442
```powershell
4543
$Perms = Get-ManagementRole -Cmdlet <Cmdlet> [-CmdletParameters <Parameter1>,<Parameter2>,...]
4644
```
4745

46+
**Note**: If you specify multiple parameters, only roles that include the cmdlet with **all** of the parameters are returned.
47+
4848
3. Run the following command:
4949

5050
```powershell
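Review bot: the reworded third prerequisite now reads "By default, access to these cmdlets is granted by ... roles, which are only assigned to the ... role groups by default", so "by default" appears twice in one sentence; drop the trailing one. The same bullet still says "to complete this procedure" while the bullet above it was changed to "these procedures"; make the two consistent.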
@@ -57,78 +57,95 @@ The results contain the following information:
5757

5858
- **Role**: Indicates the role that gives access to the cmdlet or the combination of cmdlet and parameters. Note that role names that begin with "My" are user roles that allow regular users to operate on objects they own (for example, their own mailbox or their distribution groups).
5959

60-
- **RoleAssigneeType** and **RoleAssigneeName**: These values are inter-related. **RoleAssigneeType** is the type of object that has the role assigned to it, and **RoleAssigneeName** is the name of the object. **RoleAssigneeType** can be a role group, role assignment policy, security group, or user. Typically, administrator roles are assigned to role groups.
60+
- **RoleAssigneeType** and **RoleAssigneeName**: These values are inter-related:
61+
- **RoleAssigneeType** is the type of object that has the role assigned to it. For administrator roles, this value is typically a role group, but it can also be a role assignment policy, a security group, or a user.
62+
- **RoleAssigneeName** is the name of the role group, role assignment policy, security group, or user.
6163

6264
## Troubleshooting
6365

6466
What if there are no results?
6567

6668
- Verify that you entered the cmdlet and parameter names correctly.
6769

68-
- You might have entered too many parameters, and all of the parameters on the cmdlet aren't defined in a single role. Try specifying only the cmdlet name in Step 2, and run Step 3 to verify that the cmdlet is available in your environment. Then, add parameters one at a time to Step 2 before running Step 3.
70+
- The parameters that you specified are actually available for a cmdlet in a single role. Try specifying only the cmdlet name in the first command before you run the second command. Then, add the parameters one at a time to the first command before you run the second command.
6971

70-
- These possible causes have the same solution:
72+
Otherwise, no results are likely caused by one of the following conditions:
7173

72-
- You might have entered a cmdlet or parameters that are defined in a role that isn't assigned to anyone by default.
74+
- The cmdlet or parameters are defined in a role that isn't assigned to any role groups by default.
75+
- The cmdlet or parameters aren't available in your environment. For example, you specified an Exchange Online cmdlet or Exchange Online parameters in an on-premises Exchange environment.
7376

74-
- You might have entered a cmdlet or parameter that isn't available in your environment. For example, when you enter an Exchange Online cmdlet or parameters in an on-premises Exchange 2016 environment.
77+
To find the roles in your environment (if any) that contain the cmdlet or parameters, replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the values that you want to use and run the following command:
7578

76-
Run the following command to find the role that contains the cmdlet or parameters. Be sure to replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the actual cmdlet and parameter names you are interested in. Note that you can use wildcard characters (*) in the cmdlet and parameter names (for example, `*-Mailbox*`).
79+
```powershell
80+
Get-ManagementRoleEntry -Identity *\<Cmdlet> [-Parameters <Parameter1>,<Parameter2>,...]
81+
```
7782

78-
```powershell
79-
Get-ManagementRoleEntry -Identity *\<Cmdlet> [-Parameters <Parameter1>,<Parameter2>,... ]
80-
```
83+
**Note**: You can use wildcard characters (*) in the cmdlet and parameter names (for example, `*-Mailbox*`).
8184

82-
- If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't available in your environment.
85+
If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't available in your environment.
8386

84-
- If the command returns one or more entries for **Name**, **Role**, and **Parameters**, the cmdlet (or parameters on the cmdlet) is available in your environment, but the required role isn't assigned to anyone. To see all roles that aren't assigned to anyone, run the following command:
87+
If the command returns results, the cmdlet or parameters are available in your environment, but the required role isn't assigned to any role groups. To find roles that aren't assigned to any role groups, run the following command:
8588

86-
```powershell
87-
$na = Get-ManagementRole ; $na | foreach {If ((Get-ManagementRoleAssignment -Role $_.Name -Delegating $false) -eq $null) {$_.Name}}
88-
```
89+
```powershell
90+
$na = Get-ManagementRole; $na | foreach {If ((Get-ManagementRoleAssignment -Role $_.Name -Delegating $false) -eq $null) {$_.Name}}
91+
```
8992

9093
## Related procedures
9194

92-
- Management role scopes define where cmdlets can operate (in particular, write scopes).
95+
### Include management role scopes
96+
97+
Management role scopes (in particular, write scopes) define where cmdlets can operate. For example, the entire organization or only on specific user objects.
98+
99+
To include scope information in the [Use PowerShell to find the permissions required to run a cmdlet](#use-powershell-to-find-the-permissions-required-to-run-a-cmdlet) output, add `*Scope*` to the second command:
100+
101+
```powershell
102+
$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-List Role,RoleAssigneeType,RoleAssigneeName,*Scope*}
103+
```
104+
105+
For detailed information about management role scopes, see [Understanding management role scopes](https://docs.microsoft.com/exchange/understanding-management-role-scopes-exchange-2013-help).
106+
107+
### Find all roles assigned to a specific user
108+
109+
To see all roles that are assigned to a specific user, replace `<UserIdentity>` with the name, alias, or email address of the user and run the following command:
110+
111+
```powershell
112+
Get-ManagementRoleAssignment -RoleAssignee <UserIdentity> -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
113+
```
93114

94-
To include scope information in Step 2, substitute the following command:
115+
For example:
95116

96-
```powershell
97-
$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-List Role,RoleAssigneeType,RoleAssigneeName,*Scope*}
98-
```
117+
```powershell
118+
Get-ManagementRoleAssignment -RoleAssignee [email protected] -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
119+
```
99120

100-
- To see all roles assigned to a specific user, run the following command:
121+
**Note**: The _RoleAssignee_ parameter returns both direct role assignments to users (uncommon) and indirect role assignments granted to the user through their membership in role groups.
101122

102-
```powershell
103-
Get-ManagementRoleAssignment -RoleAssignee <UserIdentity> -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
104-
```
123+
### Find all users who have a specific role assigned
105124

106-
For example:
125+
To see all users who have a specific role assigned to them, replace `<Role name>` with the name of the role and run the following command:
107126

108-
```powershell
109-
Get-ManagementRoleAssignment -RoleAssignee [email protected] -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
110-
```
127+
```powershell
128+
Get-ManagementRoleAssignment -Role "<Role name>" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
129+
```
111130

112-
- To see all users who are assigned a specific role, run the following command:
131+
For example:
113132

114-
```powershell
115-
Get-ManagementRoleAssignment -Role "<Role name>" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
116-
```
133+
```powershell
134+
Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
135+
```
117136

118-
For example:
137+
### Find the members of a role group
119138

120-
```powershell
121-
Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
122-
```
139+
To see the members of a specific role group, replace `<Role group name>` with the name of the role group and run the following command:
123140

124-
- To see the members of a specific role group, run the following command:
141+
```powershell
142+
Get-RoleGroupMember "<Role group name>"
143+
```
125144

126-
```powershell
127-
Get-RoleGroupMember "<Role group name>"
128-
```
145+
For example:
129146

130-
For example:
147+
```powershell
148+
Get-RoleGroupMember "Organization Management"
149+
```
131150

132-
```powershell
133-
Get-RoleGroupMember "Organization Management"
134-
```
151+
**Note**: To see the names of all available role groups, run `Get-RoleGroup`.
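Review bot: the rewritten troubleshooting bullet "The parameters that you specified are actually available for a cmdlet in a single role" inverts the condition it is meant to describe; the removed text said the parameters are not all defined in a single role, which is why no results come back. Suggest "Not all of the parameters that you specified are available for the cmdlet in a single role." Two smaller points in the same hunk: under "Include management role scopes", "For example, the entire organization or only on specific user objects." is a sentence fragment and should be folded into the preceding sentence ("...define where cmdlets can operate, for example the entire organization or only specific user objects."); and in the unassigned-roles one-liner, the idiomatic null check is `$null -eq (Get-ManagementRoleAssignment -Role $_.Name -Delegating $false)`, with `$null` on the left, so that an array result is not compared element-wise.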

exchange/docs-conceptual/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -23,6 +23,8 @@
2323
href: filter-properties.md
2424
- name: Filterable properties for the RecipientFilter parameter
2525
href: recipientfilter-properties.md
26+
- name: Values for the CustomPropertyNames parameter
27+
href: values-for-custompropertynames-parameter.md
2628
- name: Exchange Online PowerShell
2729
href: exchange-online-powershell.md
2830
items:
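Review bot: the added toc entry points to values-for-custompropertynames-parameter.md, which does not appear among the files shown in this view; confirm the new article is part of this merge and that its title matches "Values for the CustomPropertyNames parameter", so the toc link is not dangling. Indentation of the new `- name:`/`href:` pair matches the sibling entries.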
