Reputation: 5
I am struggling to get the Connect-ExchangeOnline command working in an Automation account. Any help would be appreciated.
It worked perfectly when run on my machine, but we want it to run unattended, so I was looking at running it in an automation account.
I have altered the command to use a managed identity since research found that it can no longer use automation credentials. However it fails to connect every time.
The command is currently:
Connect-ExchangeOnline -ManagedIdentity -Organization "us.onmicrosoft.com" -ManagedIdentityAccountID "XYZ123"
Currently the Automation Account has a system assigned managed identity and a manually assigned one (the ID is for the manual one).
The error displayed when the script runs is:
"UnAuthorized
At C:\usr\src\PSModules\ExchangeOnlineManagement\netFramework\ExchangeOnlineManagement.psm1:755 char:21
+ throw $_.Exception;
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], UnauthorizedAccessException
+ FullyQualifiedErrorId : UnAuthorized"
This is the same error as it was giving without the manual managed identity. When it just had the system managed identity, I worked on it not having Exchange access permissions - we were unable to find a way to assign permissions to the system managed identity, so I created the manual one, which we assigned the permissions to.
When it was assigned and I was still getting the same error, I assumed it was still using the system managed identity, so I removed that, but then it kept throwing an error that the system identity was not found.
Everything that I have found online so far just talks about adding permissions to the system managed identity, but it is not showing up in Entra, and the identity page on the automation account only shows resource permissions, not Entra permissions.
The automation account has ExchangeOnlineManagement V3.7.1 installed, though I have also tried V3.5 and 3.2.
Does anyone know how to either assign Exchange reader permissions to the system managed identity, or how to get the connect command to use the manual identity?
Upvotes: 0
Views: 68
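An added example (not code from the question or from the ExchangeOnlineManagement module's documentation) of the runbook side for both identity types. It assumes the ExchangeOnlineManagement module is imported into the Automation account, that the identity has already been granted Exchange.ManageAsApp plus an Exchange role, and that for a user-assigned identity the -ManagedIdentityAccountId parameter expects the identity's Application (client) ID rather than its object ID; the $Organization value and $UserAssignedClientId parameter are placeholders.

```powershell
# Added example: Azure Automation runbook that connects to Exchange Online with either
# the system-assigned or a user-assigned managed identity. Not the question's code.
# Assumes ExchangeOnlineManagement is imported into the Automation account and the
# identity already holds Exchange.ManageAsApp and an Exchange RBAC role.
param(
    [Parameter(Mandatory)] [string] $Organization,   # e.g. contoso.onmicrosoft.com (placeholder)
    # Application (client) ID of a user-assigned managed identity. Leave empty to use the
    # Automation account's system-assigned identity instead.
    [string] $UserAssignedClientId = ""
)

$ErrorActionPreference = "Stop"
Import-Module ExchangeOnlineManagement

function Connect-ExoWithManagedIdentity {
    param([string] $Organization, [string] $ClientId)

    $params = @{
        ManagedIdentity = $true
        Organization    = $Organization
        ShowBanner      = $false
    }
    if ($ClientId) {
        # User-assigned identity: pass the identity's client (application) ID, not its
        # object/principal ID (assumption stated in the lead-in).
        $params["ManagedIdentityAccountId"] = $ClientId
    }

    try {
        Connect-ExchangeOnline @params
    }
    catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) {
            # "UnAuthorized" thrown from ExchangeOnlineManagement.psm1 means a token was
            # obtained but Exchange rejected it: the identity lacks Exchange.ManageAsApp
            # and/or an Exchange role. Say which identity was used so the admin can fix it.
            $which = if ($ClientId) { "user-assigned identity $ClientId" } else { "system-assigned identity" }
            throw "Exchange Online refused the $which for $Organization. Check the app role and Entra role assignments. Inner: $($_.Exception.Message)"
        }
        throw
    }
}

Connect-ExoWithManagedIdentity -Organization $Organization -ClientId $UserAssignedClientId

# Smoke test: a read-only call that only succeeds when the Exchange role is in place.
$org = Get-OrganizationConfig
Write-Output "Connected to $($org.Name)"

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with $UserAssignedClientId empty to exercise the system-assigned identity and once with the client ID to exercise the user-assigned one; the two paths fail independently, which separates "wrong identity selected" from "identity has no permissions".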
Reputation: 16054
Initially, I got the same error:
Connect-ExchangeOnline -ManagedIdentity -Organization YourDomain.onmicrosoft.com
The error "UnAuthorized" usually occurs if the managed identity does not have required permissions and role to connect to Exchange online.
To resolve the error, grant the Exchange.ManageAsApp API permission for the managed identity:
# Sign in to Microsoft Graph with the scopes needed to read service principals and write app role assignments
Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
# Service principal of the Office 365 Exchange Online resource (well-known app ID)
$ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
# Service principal of the managed identity; its display name is the Automation account name
$MI_ID = (Get-MgServicePrincipal -Filter "DisplayName eq 'rukaa33'").Id
# App role ID of Exchange.ManageAsApp on the Exchange Online service principal
$AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"
# Grant the app role to the managed identity
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID -AppRoleId $AppRoleID -ResourceId $ResourceID
Go to Azure Portal -> Enterprise applications -> Remove the filter -> Search the name of your Automation account -> Click -> Permissions
The Exchange.ManageAsApp API permission is successfully granted to the managed identity:
Also, make sure to assign Microsoft Entra roles to the managed identity based on your requirements; refer to this MsDoc.
I assigned Exchange Administrator role:
Go to Microsoft Entra roles and administrators -> Search Exchange Administrator role -> Add assignments -> Search your managed identity name -> Select
Click on Next -> Select Active -> Permanently assigned -> Assign
The role is assigned to the managed identity successfully:
After assigning the role, wait for a few minutes and then try connecting to Exchange.
I am able to successfully connect to Exchange Online using system assigned managed identity:
Connect-ExchangeOnline -ManagedIdentity -Organization YourDomain.onmicrosoft.com
Get-EXOMailbox -PropertySets Archive
Upvotes: 0
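As an added example that is not the answer's own script, the same grant done idempotently, with the app role resolved by its Value instead of a pasted GUID and a read-only report of the Entra roles the identity holds. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to the listed scopes, and that Get-MgRoleManagementDirectoryRoleAssignment accepts -ExpandProperty roleDefinition; the identity name is a constructed placeholder.

```powershell
# Added example (not the answer's code): grant Exchange.ManageAsApp to a managed identity
# only when it is missing, then report what the identity currently holds.
# Assumes the Microsoft.Graph SDK is installed. The display name is a constructed
# placeholder: for a system-assigned identity it equals the Automation account name,
# for a user-assigned identity it is the identity resource's name.
param(
    [string] $IdentityDisplayName = "my-automation-account"   # placeholder
)
$ErrorActionPreference = "Stop"

$ExoAppId        = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online (well known)
$ManageAsAppRole = "Exchange.ManageAsApp"

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All","RoleManagement.Read.Directory" -NoWelcome

# 1. Resolve the identity's service principal and confirm it really is a managed identity.
$mi = @(Get-MgServicePrincipal -Filter "displayName eq '$IdentityDisplayName'" |
        Where-Object { $_.ServicePrincipalType -eq "ManagedIdentity" })
if ($mi.Count -eq 0) { throw "No managed-identity service principal named '$IdentityDisplayName'. For a system-assigned identity, check it is enabled on the Automation account." }
if ($mi.Count -gt 1) { throw "Ambiguous name '$IdentityDisplayName': $($mi.Count) managed identities match." }
$mi = $mi[0]
Write-Output "Identity: $($mi.DisplayName)  ObjectId=$($mi.Id)  ClientId=$($mi.AppId)"

# 2. Resolve the Exchange Online resource and look the app role up by Value.
$exo  = Get-MgServicePrincipal -Filter "appId eq '$ExoAppId'"
$role = $exo.AppRoles | Where-Object { $_.Value -eq $ManageAsAppRole }
if (-not $role) { throw "Role '$ManageAsAppRole' not found on the Exchange Online service principal." }

# 3. Idempotent grant: inspect existing assignments so re-running the script is safe.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
            Where-Object { $_.ResourceId -eq $exo.Id -and $_.AppRoleId -eq $role.Id }
if ($existing) {
    Write-Output "$ManageAsAppRole already granted (assignment $($existing.Id))."
} else {
    $null = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $exo.Id -AppRoleId $role.Id
    Write-Output "Granted $ManageAsAppRole to $($mi.DisplayName)."
}

# 4. Report Entra directory roles held by the identity. Exchange needs an Exchange role on
#    top of the app permission (the answer used Exchange Administrator). Read-only step.
$dirRoles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($mi.Id)'" -ExpandProperty roleDefinition
if ($dirRoles) {
    $dirRoles | ForEach-Object { Write-Output "Entra role: $($_.RoleDefinition.DisplayName)" }
} else {
    Write-Warning "No Entra directory role assigned to $($mi.DisplayName); Connect-ExchangeOnline is likely to keep failing with UnAuthorized."
}
```

The printed ClientId is the value to pass as -ManagedIdentityAccountId when the runbook should use a user-assigned identity; the ObjectId is what the app role assignment is keyed on, which is why the two are printed side by side.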