question

0 Votes
ox1ygen asked ·

The usage of Set-Mailbox cmdlet for Exchange Online via new preview module and certificate

Hello,

I have some trouble getting the Set-Mailbox cmdlet to work via the new certificate workflow (application + app permissions + roles + certificate + new Exchange Online preview module).
https://www.powershellgallery.com/packages/ExchangeOnlineManagement/2.0.3-Preview

Is it even possible in this version? If so, what are the requirements?

Thanks in advance!

office-exchange-server-administration

1 Vote
AndyDavid1608 answered ·

And you can see that switch if you log on interactively with PS as an Exchange Admin?


@AndyDavidMVP Well, thanks to you I was able to get the difference between my tenants. The difference lies in Role Groups. My "old tenant" Organization Management role group had fewer management roles assigned than its twin in the other tenant. Corrected that, and voila!

0 Votes 0 ·
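
The role-group comparison described in the comment above can be done from an interactive Exchange admin session. This is an added example, not code from the thread; `$TenantLabel` and the output file name are assumptions, and the role group, cmdlet and parameter names are the ones discussed on this page.

```powershell
# Added diagnostic sketch; run as an Exchange admin after Connect-ExchangeOnline.
$TenantLabel = 'tenantA'                  # assumption: any label to tell tenants apart
$RoleGroup   = 'Organization Management'  # role group named in the thread
$Cmdlet      = 'Set-Mailbox'
$Parameter   = 'AuditEnabled'

# 1. Management roles whose role entry for the cmdlet includes the parameter.
$grantingRoles = Get-ManagementRoleEntry "*\$Cmdlet" -Parameters $Parameter |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

# 2. Roles assigned to the role group (regular assignments, not delegating ones).
$assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Delegating $false |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

# 3. The parameter is only exposed if at least one granting role is assigned.
$effective = @($grantingRoles | Where-Object { $_ -in $assignedRoles })

"Roles that grant $Cmdlet -${Parameter}: $($grantingRoles -join ', ')"
if ($effective.Count -eq 0) {
    Write-Warning "'$RoleGroup' holds none of them, so -$Parameter will be hidden."
} else {
    "'$RoleGroup' gets it through: $($effective -join ', ')"
}

# 4. Save the role list so two tenants can be diffed offline.
$outFile = ".\rolegroup-roles-$TenantLabel.txt"
$assignedRoles | Set-Content -Path $outFile

# After running this in both tenants:
# Compare-Object (Get-Content .\rolegroup-roles-tenantA.txt) `
#                (Get-Content .\rolegroup-roles-tenantB.txt)
```

A role that shows up on only one side of the `Compare-Object` output is the kind of difference the comment describes.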
0 Votes
ManuPhilip answered ·

Hello,
The high-level steps involved are as follows:
1. Fresh install of the ExO PowerShell module v2 using the prerelease
2. Update
3. Generate a self-signed certificate using the script available at **Create-SelfSignedCertificate.ps1** and record the thumbprint
4. Connect to your Azure portal and register a new application
5. Assign permissions to the newly created application
6. Capture the Application (client) ID of the registered application
7. Grant the admin consent to the application
8. Upload the self-signed certificate you have generated in the portal
9. Grant one of the administration roles needed to run set-mailbox permission from the Azure AD\Roles and administrators
10. You are now ready to include the new modern authentication in your script. Install the self-signed certificate in the Computer\Personal certificate store.
11. Connect via: `Connect-ExchangeOnline -CertificateThumbPrint "<certificate thumbprint>" -AppID "<Azure AD application ID>" -Organization "<your Office 365 tenant – mytenant.onmicrosoft.com>"`
12. Try your commands

Let me know if you are facing any challenges in any of the above steps


Please mark as "Accept the answer" if the answer helps you. Your suggestion will help others also!

Regards,
Manu


@ManuPhilip I have already done that (all available app permissions and supported roles). The other cmdlets work just fine except for Set-mailbox cmdlet. Any thoughts?

0 Votes 0 ·

Please send the error message so that we will get an idea on what's wrong.

0 Votes 0 ·

@ManuPhilip Thanks, now it works. There is another problem though. Set-Mailbox with AuditEnabled parameter doesn't work. I think that is a permission problem.

PS C:\Users\administrator> Set-Mailbox azuremailbox -MailTip "asdasd" (Just an example. Works fine.)
PS C:\Users\administrator> Set-Mailbox azuremailbox -AuditEnabled $true
A parameter cannot be found that matches parameter name 'AuditEnabled'.
+ CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-Mailbox
+ PSComputerName : outlook.office365.com

If I use any user account with Audit Logs exchange management role, Set-mailbox myMailbox -AuditEnabled $true ($false) works fine.

0 Votes 0 ·

Here are the short steps to try out EXO V2 PowerShell cmdlets. You may check these steps and see if you are able to run Set-Mailbox cmdlet
Install-Module -Name ExchangeOnlineManagement -Scope AllUsers -Verbose -Force
Import-Module -Name ExchangeOnlineManagement -Verbose
Get-Module ExchangeOnlineManagement
$creds = Get-Credential
Connect-ExchangeOnline -Credential $creds

0 Votes 0 ·
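
The certificate-based steps from the answer above (3, 8, 10, 11 and 12) as one script. This is an added example, not code from the thread: it uses the built-in `New-SelfSignedCertificate` cmdlet instead of Create-SelfSignedCertificate.ps1, and the subject name, file path and placeholder values are assumptions.

```powershell
# Added example. Run in an elevated Windows PowerShell session (LocalMachine store).
# Module install, version taken from the gallery link in the question:
# Install-Module ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease
$AppId        = '<Azure AD application ID>'      # placeholder, step 6
$Organization = '<mytenant.onmicrosoft.com>'     # placeholder, step 11

# Steps 3 and 10: create the key pair directly in Computer\Personal.
# The private key is non-exportable, so it stays on this host; validity is one year.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=ExoAppOnlyAutomation' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeySpec KeyExchange -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# Step 8: only the public certificate (.cer) is uploaded to the app registration.
$cerPath = Join-Path $env:TEMP 'ExoAppOnlyAutomation.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
"Public certificate: $cerPath"
"Thumbprint:         $($cert.Thumbprint)"
Read-Host 'Upload the .cer file in the portal, then press Enter to connect'

# Step 11: app-only connection with the certificate thumbprint.
Connect-ExchangeOnline -CertificateThumbprint $cert.Thumbprint `
    -AppId $AppId -Organization $Organization

# Step 12: check which Set-Mailbox parameters this session was given.
# A parameter the session's roles do not cover is absent from the cmdlet,
# which produces the NamedParameterNotFound error quoted in this thread.
foreach ($name in 'MailTip', 'AuditEnabled') {
    $present = (Get-Command Set-Mailbox).Parameters.ContainsKey($name)
    "Set-Mailbox -{0}: {1}" -f $name, $(if ($present) { 'available' } else { 'hidden' })
}
```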
0 Votes
AndyDavid1608 answered ·

I haven't seen that. I assume the app has been assigned the Exchange role.
What happens when you use set-mailbox? I just tested and it works fine for me.


@AndyDavidMVP Thanks for your reply. Yeah, Set-Mailbox now works (I believe I had to wait a bit). But Set-Mailbox with AuditEnabled parameter doesn't work. I think that is a permission problem.

PS C:\Users\administrator> Set-Mailbox azuremailbox -MailTip "asdasd" (Just an example. Works fine.)
PS C:\Users\administrator> Set-Mailbox azuremailbox -AuditEnabled $true
A parameter cannot be found that matches parameter name 'AuditEnabled'.
+ CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-Mailbox
+ PSComputerName : outlook.office365.com

If I use any user account with Audit Logs exchange management role, Set-mailbox myMailbox -AuditEnabled $true ($false) works fine

0 Votes 0 ·
0 Votes
AndyDavid1608 answered ·

@ox1ygen, what directory role did you give the app in Azure? The Exchange role should allow that. I just double-checked and I have access to that parameter connecting through the Azure app.


@AndyDavidMVP The assigned role is Exchange Administrator. If you go to the Roles and administrators menu and select the Exchange Administrator role, you can see your app in the list. However, if you go to the Roles and administrators menu through your app registration page, the role won't be listed there as an assigned one.
Here is the list of assigned Exchange permissions.

[Image: 13034-permissions.png]

The role:

[Image: 13022-exchangerole.png]

What I was talking about when I said the role is not shown as assigned:

[Image: 12920-rolesandadmins.png]


0 Votes 0 ·
1 Vote
AndyDavid1608 answered ·

The only API permissions you should see are:
[Image: 13062-image.png]

The "Roles and Administrators" menu you have in that last image aren't the roles assigned to the app, it's the roles that can manage it, so the Exchange Admin wouldn't be listed there by default.

@AndyDavidMVP Wow! I repeated the needed steps on my clean tenant and somehow it really worked out. Then, I repeated the steps again for the previous one and, unfortunately, there was no success. Perhaps you have any ideas? Anyway, thank you very much for your help!

0 Votes 0 ·
0 Votes
AndyDavid1608 answered ·

Sounds like something maybe just got messed up on that app? Can you delete and recreate it, or was that done already?


@AndyDavidMVP Already performed that. Repeated all the steps with a new app, still the same result (no Set-Mailbox with AuditEnabled). I even got the token via the client_credentials flow using my certificate, put it into PsCredential and created a New-PsSession with it. I thought maybe there were some cmdlets that had not been imported. I entered the session and no, there was no Set-Mailbox with the AuditEnabled parameter in this session. I am out of thoughts actually.

0 Votes 0 ·