NancyAdmin-0608 asked NancyAdmin-0608 commented

HTTP 401 on Exchange Online cmdlets when running in app-only mode

Receiving a 401 error on some EXO cmdlets when running in app-only mode.
The app that was authorized into the tenant consented to the Exchange.ManageAsApp scope. Are there additional scopes that are required?

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.4 -Force
Connect-ExchangeOnline -CertificateFilePath '<path_to_cert>' -CertificatePassword (ConvertTo-SecureString -String '<password>' -AsPlainText -Force) -AppID <app_id> -Organization 'tenant.onmicrosoft.com'


Get-EXOMailbox -ResultSize unlimited
Get-EXOMailbox: Error while querying REST service. HttpStatusCode=401 ErrorMessage={"error":{"code":"Unauthorized","message":"User is not allowed to call Get-Mailbox","innererror":{"message":"User is not allowed to call Get-Mailbox","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException"}}}

Get-Mailbox -ResultSize Unlimited
Get-Mailbox: The term 'Get-Mailbox' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Tags: windows-server-powershell, office-exchange-online-itpro

AndyDavid answered NancyAdmin-0608 commented

Hi there,
You need to add the service principal you created to an Azure Role.
In this case, Exchange Administrator.

The application needs to have the appropriate RBAC roles assigned. Because the apps are provisioned in Azure AD, you can use any of the built-in roles. The following roles are supported:

Global administrator
Compliance administrator
Security reader
Security administrator
Helpdesk administrator
Exchange administrator
Global Reader

https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#set-up-app-only-authentication


I've followed all of the steps from the documentation, including assigning the service principal to the Exchange Admin role. What's weird is that it works with some tenants but errors on some others.

michev answered KaelYao-MSFT edited

You need to add the service principal to an admin role in Azure AD, such as the Global admin one. The Exchange.ManageAsApp permissions on their own don't give you admin permissions. Here's a short guide: https://office365itpros.com/2020/08/13/exo-certificate-based-authentication-powershell/


I've followed all of the steps from the documentation, including assigning the service principal to the Exchange Admin role. What's weird is that it works with some tenants but errors on some others.


Um, each tenant will need to add your SP to the corresponding admin role, in case you are using a multi-tenant app. That's in addition to consenting. Here's a short article I wrote on the topic a while back: https://www.michev.info/Blog/Post/3047/multi-tenant-scenarios-for-exo-powershell-certificate-based-authentication


Thanks for your response @michev! I should have clarified that earlier - the tenant in question has added the SP to the Exchange Admin role on their tenant. But we're only seeing the 401 on certain EXO cmdlets for this tenant.

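Both answers above come down to the same check: in each tenant, the app's service principal must be a member of one of the Azure AD admin roles that Exchange Online honours for app-only access, and consent alone does not grant that. The script below automates that check per tenant so the role assignment can be verified before blaming the cmdlet. It is an added example, not code from this thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can sign in to each tenant with the read-only scopes named in the script. The AppId and TenantId values are placeholders supplied by the caller.

```powershell
# Added example (not from the thread): report, per tenant, whether the app's service
# principal holds one of the admin roles that EXO app-only authentication honours.
# Assumes the Microsoft.Graph PowerShell SDK; AppId/TenantId are caller-supplied placeholders.
param(
    [Parameter(Mandatory)] [string]   $AppId,     # client ID of the (multi-tenant) app
    [Parameter(Mandatory)] [string[]] $TenantId   # one or more tenant IDs to inspect
)

# Roles listed in the Microsoft docs linked above as supported for app-only EXO access.
$SupportedRoles = @(
    'Global Administrator', 'Compliance Administrator', 'Security Reader',
    'Security Administrator', 'Helpdesk Administrator', 'Exchange Administrator',
    'Global Reader'
)

function Test-ExoAppRoleAssignment {
    param([string] $AppId, [string] $Tenant)

    # Read-only directory scopes are enough to inspect role membership.
    Connect-MgGraph -TenantId $Tenant -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All' | Out-Null

    # Admin consent creates the service principal in the tenant; no SP means no consent yet.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        Disconnect-MgGraph | Out-Null
        return [pscustomobject]@{ Tenant = $Tenant; Consented = $false; Roles = @() }
    }

    # Get-MgDirectoryRole lists only roles that have been activated in the tenant,
    # so a supported role missing from this list has never had any member.
    $held = foreach ($role in Get-MgDirectoryRole) {
        if ($SupportedRoles -notcontains $role.DisplayName) { continue }
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        if ($members.Id -contains $sp.Id) { $role.DisplayName }
    }

    Disconnect-MgGraph | Out-Null
    [pscustomobject]@{ Tenant = $Tenant; Consented = $true; Roles = @($held) }
}

foreach ($t in $TenantId) {
    $r = Test-ExoAppRoleAssignment -AppId $AppId -Tenant $t
    if (-not $r.Consented) {
        Write-Warning "$($r.Tenant): app has not been consented (no service principal found)"
    }
    elseif ($r.Roles.Count -eq 0) {
        Write-Warning "$($r.Tenant): consented, but the SP holds none of the supported admin roles; expect 401 on admin cmdlets"
    }
    else {
        Write-Host "$($r.Tenant): SP holds $($r.Roles -join ', ')"
    }
}
```

Run it as `.\Test-ExoAppRole.ps1 -AppId <app_id> -TenantId <tenant_a>,<tenant_b>` to compare the tenants that work against the ones returning 401; a tenant that shows "consented" but no role is the case michev describes, where consent was granted but the per-tenant role assignment was never made. Membership is checked by object ID rather than display name so that a user and a service principal with similar names are not confused.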