Comments on: Using Exchange Online PowerShell with Azure Automation Managed Identities

By: Tony Redmond

Tony Redmond — Thu, 13 Apr 2023 21:34:06 +0000

In reply to Martin.

The compliance cmdlets don’t support authentication using a managed identity. You’ll have to use a certificate instead: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

By: Martin

Martin — Thu, 13 Apr 2023 21:07:37 +0000

In reply to Tony Redmond. Is there any article on authenticating via managed identity for "Connect-IPPSSession" command in ExchangeOnlineManagement? I've tried -ManagedIdentity and -Identity but it doesn't recognize either.

By: Tony Redmond

Tony Redmond — Thu, 16 Mar 2023 09:27:03 +0000

In reply to Kevin.

First, let me say that articles on a blog age quite rapidly because of the pace of change in the service. If you want something that’s kept updated on an ongoing basis, buy a book like Office 365 for IT Pros. https://gum.co/O365IT/

As it happens, we have a later article about connecting to Teams https://practical365.com/managed-identity-powershell/ which shows how to use a managed identity to connect in Azure Automation. To connect to Exchange Online V3.0 only, run:

Connect-ExchangeOnline -ManagedIdentity -Organization $TenantName

By: Kevin

Kevin — Thu, 16 Mar 2023 01:40:58 +0000

This is now out of date with V3 being the only supported module.
We are moving from run as accounts to managed identities and having connection/permission errors with Teams and EXO
Using the example above, I get the error “The requested identity has not been assigned to this resource.”
Using a secret, I get the following error “UnAuthorized”
Using your method above for V2, I get the following error: “The user is not recognized as a managed user, or a federated user.Azure AD was not able to identify the IdP that needs to process the user U/P: Wrong username”

Clearly, I’m missing something. The permissions haven’t changed, and automation is still managing mailboxes using run as connections without issue.

By: Tony Redmond

Tony Redmond — Wed, 02 Nov 2022 16:09:31 +0000

In reply to Artur.

What value are you feeding to the ServicePrincipalId value? PowerShell is complaining that it’s empty. Check the variable that you’re passing and how it is populated.

PS. I go into the mechanics of this a little deeper at https://office365itpros.com/2022/10/13/exchange-online-powershell-app/

By: Artur

Artur — Wed, 02 Nov 2022 11:20:58 +0000

Hello,

I’m trying to grant Manage Exchange As Application permission for the Manage Identity of my Azure Automation

I get an error:
New-MgServicePrincipalAppRoleAssignment: Cannot bind argument to parameter ‘ServicePrincipalId’ because it is an empty string.

what am I doing wrong?
“AppId eq” I’m inserting the Manage Identity Object (principal) ID of my Azure Autoamation

By: Tony Redmond

Tony Redmond — Mon, 17 Oct 2022 12:01:57 +0000

In reply to Matt. Did you use Get-MgServicePrincipal to populate the variable with the properties of the service principal you want to assign the permission to?

By: Matt

Matt — Fri, 14 Oct 2022 20:50:51 +0000

Hey Tony, I’m trying to add the new-mgserviceprincipalapproleassignment but $ManagedIdentityApp.ID variable is never populated. What does it need to have in it?

By: Tony Redmond

Tony Redmond — Thu, 22 Sep 2022 10:41:17 +0000

In reply to Jan.

You do when you run with managed identities… See https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp

By: Jan

Jan — Thu, 22 Sep 2022 06:04:02 +0000

Hello Toni; maybe a stupid question but what is in $env:IDENTITY_ENDPOINT?
I don’t have that environment varable.