Can't connect to ExchangeOnline using system-assigned managed identity (move from Run As account)

thomas masquelier 0 Reputation points
2023-06-09T11:53:53.54+00:00

Hello,

We are trying to move from previously working Run As account runbooks to a system-assigned identity, but we are facing an issue connecting to ExchangeOnline, as described in the documentation.

Let's keep our runbook super simple:

Connect-ExchangeOnline -ManagedIdentity -Organization "MyCompany.onmicrosoft.com"

Where "MyCompany" has been changed.
The result of the run is as follows:

The role assigned to application xxxxxxx-56c4-4866-921d-0916b98b8976 isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD Application for EXO App-Only Authentication.

We have been setting the right permission on the App registration using a PowerShell command:
[screenshot of the PowerShell command]

We added a Microsoft Graph API permission for another runbook in the same automation account. This works fine; we are able to retrieve Applications from our runbooks, so we are sure that our runbooks are using the right system account.

On top of these permissions we also assigned the Exchange Administrator role in Azure AD Roles; we even tried to add the Global Admin role to this application, but still the same issue.

Run As accounts will stop working in September, but the managed identity way of doing this is definitely not fully developed yet...

Any help would be appreciated here.

Azure Automation

2 answers

  1. Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator
    2023-06-13T21:07:07.9533333+00:00

    Hi @thomas masquelier ,

    Thanks for posting your ask on Microsoft Q&A!!

    I am not able to reproduce this issue when connecting to Exchange Online using an Azure Automation account. I have followed the steps mentioned in the documentation over here for using Managed Identity. However, I have given one additional permission of "Global Reader" (other than Exchange Administrator) to the Managed Identity of the Automation account.

    [screenshot of the role assignments]

    I have not given any more Graph permissions than the required one, Exchange.ManageAsApp.
    [screenshot of the API permissions]

    Here is the code which I have tested through the Automation account -

    Connect-ExchangeOnline -ManagedIdentity -Organization <organization>.onmicrosoft.com
    Get-AcceptedDomain | Format-Table Name
    

    Here is the output for your reference:

    [screenshot of the Get-AcceptedDomain output]

    Can you please try providing the Global Reader permission to the application?

    Additionally, if this doesn't work, then please try to remove any additional permissions like Microsoft Graph permissions.

    Please let me know how it goes. Thanks.

    1 person found this answer helpful.
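The permissions the answer above describes (the Exchange.ManageAsApp application permission plus the Exchange Administrator directory role on the automation account's managed identity) can be granted from a script rather than the portal. The following is an added example, not code from the question or the answer, written with the Microsoft Graph PowerShell SDK. The automation account name "contoso-automation" and the assumption that the caller already holds enough Entra ID privilege to grant app roles and assign directory roles are placeholders for your tenant; the Exchange Online application ID and the Exchange Administrator role template ID are the well-known first-party values.

```powershell
# Added example (not from the original post): grant an Azure Automation system-assigned
# managed identity what Connect-ExchangeOnline -ManagedIdentity needs.
# Assumptions: automation account name is a placeholder; Microsoft.Graph.Authentication,
# Microsoft.Graph.Applications and Microsoft.Graph.Identity.DirectoryManagement are installed;
# the caller can grant app roles and assign directory roles.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All', 'RoleManagement.ReadWrite.Directory'

$automationAccountName = 'contoso-automation'   # hypothetical; the MI's service principal carries this display name

# 1. Service principal of the system-assigned managed identity.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$automationAccountName'"
if (-not $mi) { throw "No service principal named '$automationAccountName' found" }

# 2. The Office 365 Exchange Online resource application and its Exchange.ManageAsApp app role.
#    00000002-0000-0ff1-ce00-000000000000 is the well-known first-party Exchange Online app ID.
$exo  = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$role = $exo.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }
if (-not $role) { throw 'Exchange.ManageAsApp app role not found on the Exchange Online service principal' }

# 3. Assign the application permission to the managed identity (idempotent).
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $exo.Id }
if (-not $assigned) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
        -ResourceId $exo.Id -AppRoleId $role.Id | Out-Null
    Write-Output 'Granted Exchange.ManageAsApp'
}

# 4. Add the managed identity to the Exchange Administrator directory role.
#    29232cdf-9323-42fd-ade2-1d097af3e4de is the role template ID of Exchange Administrator.
$templateId = '29232cdf-9323-42fd-ade2-1d097af3e4de'
$dirRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
if (-not $dirRole) {
    # A built-in role only becomes listable once it has been activated in the tenant.
    $dirRole = New-MgDirectoryRole -RoleTemplateId $templateId
}
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $dirRole.Id
if ($members.Id -notcontains $mi.Id) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $dirRole.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($mi.Id)" }
    Write-Output 'Added managed identity to Exchange Administrator'
}

# 5. Show what the managed identity now holds, for review before the runbook is scheduled.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Select-Object ResourceDisplayName, AppRoleId
Get-MgDirectoryRoleMember -DirectoryRoleId $dirRole.Id |
    Where-Object { $_.Id -eq $mi.Id } | Select-Object Id, '@odata.type'
```

A principal holding Exchange.ManageAsApp and Exchange Administrator can manage every mailbox in the tenant without any stored credential, so anyone who can edit or run runbooks in that automation account effectively holds that role; restrict contributor access on the automation account accordingly. Step 4 only adds roles; it does not remove the extra ones (Global Reader, Global Administrator) the question mentions, which should be taken off once the connection works.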

  2. thomas masquelier 0 Reputation points
    2023-06-19T11:31:49.1133333+00:00

    This is indeed solved; I don't know what was happening exactly.

    Also I had to follow these steps to be able to connect to exchange online :
    https://technut.se/update-modulemanifest-is-not-recognized-as-the-name-of-a-cmdlet-error-in-azure-automation/

    By searching for the cmdlet in the module gallery within Azure Automation, I found that the cmdlet is part of the module PowerShellGet, which I did not have installed. This module has a dependency on the module PackageManagement.

    I can safely remove the Global Reader role, as this is not necessary.
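Azure Automation imports a module without pulling in its dependencies, which is why the answer above had to add PowerShellGet (and its dependency PackageManagement) by hand before ExchangeOnlineManagement would load. The block below is an added example, not code from the answer or the linked article, that scripts that import with the Az.Automation cmdlets: each module is uploaded from the PowerShell Gallery and polled until its provisioning state settles before the next one starts. The resource group and account names are placeholders, and the module versions are assumptions chosen to be current when this was written; substitute the versions you have validated.

```powershell
# Added example (not from the original post): import runbook module dependencies into an
# Automation account in dependency order, since the service does not resolve them itself.
# Assumptions: resource group / account names are placeholders; versions are examples only;
# the Az.Accounts and Az.Automation modules are installed and the caller has Contributor rights.
Connect-AzAccount | Out-Null

$rg = 'rg-automation'          # hypothetical
$aa = 'contoso-automation'     # hypothetical

# Order matters: PowerShellGet needs PackageManagement, ExchangeOnlineManagement needs PowerShellGet.
$modules = @(
    @{ Name = 'PackageManagement';        Version = '1.4.8.1' },
    @{ Name = 'PowerShellGet';            Version = '2.2.5'   },
    @{ Name = 'ExchangeOnlineManagement'; Version = '3.2.0'   }
)

foreach ($m in $modules) {
    # The gallery's NuGet feed serves a specific version as a .nupkg at this URI.
    $uri = "https://www.powershellgallery.com/api/v2/package/$($m.Name)/$($m.Version)"
    Write-Output "Importing $($m.Name) $($m.Version)"
    New-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $aa `
        -Name $m.Name -ContentLinkUri $uri | Out-Null

    # Poll until the import finishes; starting the next module before this one succeeds
    # reproduces the missing-cmdlet error the answer describes.
    do {
        Start-Sleep -Seconds 15
        $state = (Get-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $aa -Name $m.Name).ProvisioningState
        Write-Output "  $($m.Name): $state"
    } while ($state -notin 'Succeeded', 'Failed', 'Cancelled')

    if ($state -ne 'Succeeded') { throw "Import of $($m.Name) ended in state '$state'; stopping before dependants" }
}

# Final check: every requested module is present and usable by runbooks.
Get-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $aa |
    Where-Object { $_.Name -in $modules.Name } |
    Select-Object Name, Version, ProvisioningState
```

Pinning explicit versions in `$modules` keeps the runbook environment reproducible; pulling "latest" from the gallery means a future module release can change what the scheduled runbook executes without any change in your own repository.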
