Monkey.D Amith

Reputation: 47

Why am I getting an 'Unauthorized' error when using Connect-ExchangeOnline with Managed Identity in Azure Automation?

Problem Description

I am trying to use Connect-ExchangeOnline with a managed identity in an Azure Automation account to run unattended scripts. While the command works perfectly on my local machine, it fails in the Automation account with an Unauthorized error.

My Setup

Error message:

UnAuthorized
At C:\usr\src\PSModules\ExchangeOnlineManagement\netFramework\ExchangeOnlineManagement.psm1:755 char:21
+                     throw $_.Exception;
+                     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], UnauthorizedAccessException
    + FullyQualifiedErrorId : UnAuthorized

What I have tried

  1. Verified identity permissions:

    • The user-assigned managed identity has been granted the necessary Exchange roles
    • However, I am unable to find a way to assign permissions to the system-assigned managed identity in Entra
  2. Tested different identities:

    • When only using the system-assigned identity, the error persists.
    • When I removed the system-assigned identity and kept the user-assigned identity, I got an error saying

      System identity not found

  3. Checked Microsoft documentation and forums:

    • Most resources suggest adding permissions to the system-assigned identity, but I can't find it in Entra ID (Azure AD) to assign them
    • Some posts mention using Exchange PowerShell permissions, but there’s no clear step-by-step guide

Any guidance or a working example would be greatly appreciated!

Upvotes: 0

Views: 44

Answers (1)

Suresh Chikkam

Reputation: 3448

By adding the Exchange.ManageAsApp permission to the managed identity, you should be able to resolve the Unauthorized error that you're seeing. Without this step, the managed identity won’t have the necessary permissions to manage Exchange Online resources, even though it might have the Exchange-related roles.

Search for your user-assigned managed identity in the Enterprise Applications section or directly search for the Azure Automation account if you're using the system-assigned identity.

  • Navigate to API permissions, click Add a permission, select APIs my organization uses, and search for Office 365 Exchange Online.

  • Select it, then choose Application permissions, search for Exchange.ManageAsApp and click it.

After adding the permission, grant Admin consent for the permissions to take effect.

For managing M365 groups, switch to the Microsoft Graph API since the *-UnifiedGroup cmdlets have issues with managed identities.

Use the Microsoft.Graph module to authenticate and interact with it using a managed identity:

Connect-MgGraph -ManagedIdentity

# to get all M365 groups
Get-MgGroup

Upvotes: 1
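The portal steps in the answer (add the Office 365 Exchange Online application permission Exchange.ManageAsApp, then grant admin consent) can be done and verified from PowerShell, and the second half shows the runbook side that the question is about. This is an added example, not code from the question or the answer. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the admin running part 1 can grant application permissions, that the identity already holds the Exchange role the question mentions, and that the angle-bracket values are placeholders for your tenant. The user-assigned variant uses -ManagedIdentityAccountId, which Connect-ExchangeOnline requires for that identity type; omitting it is what produces the "System identity not found" message in the question.

```powershell
# Added example (not from the question or the answer).
# Part 1: run once from an admin workstation to assign the app role.
# Part 2: the runbook body that runs inside Azure Automation.

# --- Part 1: assign Exchange.ManageAsApp to the managed identity -----------
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# Placeholder: object ID of the managed identity's service principal. For a
# system-assigned identity this is shown on the Automation account's Identity
# blade (the enterprise app carries the Automation account's name); for a
# user-assigned identity it is the identity resource's own object ID.
$miObjectId = '<managed-identity-object-id>'

# Office 365 Exchange Online is a first-party app with a fixed application ID.
$exoSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
if (-not $exoSp) { throw 'Office 365 Exchange Online service principal not found in this tenant.' }

# Resolve the app role by its value instead of hard-coding the role GUID.
$role = $exoSp.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }
if (-not $role) { throw 'Exchange.ManageAsApp app role not exposed by the Exchange Online service principal.' }

# An app role assignment on a service principal is the scripted equivalent of
# "Add a permission" followed by "Grant admin consent". Make it idempotent.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $exoSp.Id }

if ($existing) {
    Write-Host 'Exchange.ManageAsApp is already assigned to this identity.'
}
else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId `
        -PrincipalId $miObjectId -ResourceId $exoSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host 'Assigned Exchange.ManageAsApp to the managed identity.'
}

# Verification: every app role this identity holds against Exchange Online.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId |
    Where-Object { $_.ResourceId -eq $exoSp.Id } |
    Select-Object AppRoleId, ResourceDisplayName, CreatedDateTime

Disconnect-MgGraph | Out-Null

# --- Part 2: runbook body in Azure Automation ------------------------------
# System-assigned identity: no account ID needed.
Connect-ExchangeOnline -ManagedIdentity -Organization '<tenant>.onmicrosoft.com'

# User-assigned identity instead: pass the identity's client ID (not its object ID).
# Connect-ExchangeOnline -ManagedIdentity -Organization '<tenant>.onmicrosoft.com' `
#     -ManagedIdentityAccountId '<user-assigned-identity-client-id>'

# Read-only smoke test: succeeds only when the token was accepted by Exchange.
Get-AcceptedDomain | Select-Object Name, DomainType

# M365 group work goes through Graph with the same managed identity
# (add -ClientId '<user-assigned-identity-client-id>' for a user-assigned identity).
Connect-MgGraph -Identity
Get-MgGroup -All | Where-Object { $_.GroupTypes -contains 'Unified' } |
    Select-Object DisplayName, Mail

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the two parts separate: part 1 is a one-time privileged change and needs an account allowed to grant application permissions, so it does not belong in the runbook. The verification query at the end of part 1 is also a useful check to run before blaming the runbook: if Exchange.ManageAsApp is absent there, Connect-ExchangeOnline will keep returning Unauthorized no matter which Exchange role the identity holds.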
