This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We want to use App-Only authentication in a script to change M365-Unified Group PrimarySMTPAddress and Alias
i can connect with App-Only Auth as described here App-only authentication | Microsoft Learn and use Get-Unifiedgroup or even use set-mailbox to change EMailAddresses. But if i try to use set-unifiedgroup command it will always fail with following error:
We failed to update the unified group. Please try again later.
+ CategoryInfo : NotSpecified: (:) [Set-UnifiedGroup], TaskException
+ FullyQualifiedErrorId : [Server=GV0P278MB0001,RequestId=00e66d64-0be9-49c3-92a1-44147c1d08fd,TimeStamp=17/12/2020 08:36:05] [FailureCategory=Cmdlet-TaskException] 74BF6179,Microsoft.Exchange.Management.RecipientTasks.SetUnifiedGroup
+ PSComputerName : outlook.office365.com
as support suggested, i have even added the App to the Global Admin Role and wait 24hours - still same error.
When i connect as User same Command works perfectly fine - so it can't be the command which would be for example:
Get-UnifiedGroup testgrpid|set-unifiedgroup -Alias myNewAlias
So my simple question - does it work for anyone out there?
I have a ticket with ms got kind of stuck - so any help welcome.
I'm using Powershell Module ExchangeOnlineManagement v 2.0.3 but have tryed 2.0.4 Preview as well -same behavior.
Is there any updated for the issue
I have the same error, so I cannot change proxyAddresses of a Microsoft 365 group neither via Exchange cmdlet nor via Graph API, which means that I cannot change proxyAddresses at all. The provided workaround unfortunately is not an option for me.
OK, so apparently this is a known issue, MS is looking into a fix.
Thanks for Reply - is there anything you could share with me which i could add to my ticket in order to point ms support in the right direction?
It's a known issue, already being worked on - no point raising a ticket.
I would totally agree if i would not have a ticket already open with Ms-Support since aprx. a week. As the Issue seems not known to the engineers handling my case, my intension was more like helping them - anyway i did let them know.
Seems to be broken here as well, let me ping few folks.
I am also having this issue. I have to "explain to the boss" so to speak, so if there is an official MS ticket for this, I can definitely use that. Do you have a ticket/case number?
And I also get an error creating a group:
The group can't be created
I suspect it is related. I can list groups just fine. Just can't create or update.
Hi @Chase, Mark ,
I tried to search around about this issue but so far haven't found an official article stating this. However, as regards to your concern about the error when running the New-UnifiedGroup cmdlet, I did notice a recent incident about the same error when searching using my internal resource. I'll keep an eye on it and post back here once I see any update.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you. Please let me know if you learn anything. We have an hourly PS script that needs to run and do something in ExchangeOnline, and this is the only method we have found for unattended scripts to run. But if the commands don't work, we can't use it, and haven no avenues left to pursue.
Hi @Chase, Mark ,
According to the update I've just received, this seems to be by design currently. ExchangeAppId is used while making changes to AAD, but ExchangeAppId doesn't have permission to create Group, so the error is thrown.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I'm glad I eventually stumbled into this thread, since I've been fighting with this one this afternoon. I'm getting the same error message We failed to update the group. Please try later as the OP.
I'm running an automation script that updates the welcome message and the primary email address. Sadly, whilst the welcome message command works, the primary smtp address change fails using CBA. Works fine with a service account with the required role assignment though.
Connect to Exchange Online
Connect-ExchangeOnline -Certificate $appCert -AppID $appId -Organization "$org.onmicrosoft.com" -ShowBanner:$false
Write-Output("Connecting to Exchange Online")
Start-Sleep -Seconds 1.5
Disable the Welcome email
Set-UnifiedGroup -Identity $Group.GroupId -UnifiedGroupWelcomeMessageEnabled:$false
Write-Output("Welcome email disabled")
Start-Sleep -Seconds 1.5
Change the group email address
Set-UnifiedGroup -Identity $Group.GroupId -PrimarySmtpAddress $newMailAlias
Write-Output("Group email address changed to $newMailAlias")
Start-Sleep -Seconds 1.5
Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
Write-Output("Disconnecting from Exchange Online")
Start-Sleep -Seconds 1.5
Hi @Steve Johnson ,
Thanks for sharing your feedback. As mentioned in my latest reply under ChaseMark-3217's comment, this seems to be by design currently so you would have to looking for some alternatives.
Thank you YukiSun for the response. Are there any plans to allow the ExchangeAppId to update the group?
@Steve Johnson , I tried to search around, but so far haven't got a clue about it within my limited resources, sorry.
Hi, as it's confirmed to be by design which usualy means it's not beeing changed in near future and i'm not sure when Ms will provide full Exchange API in Ms Graph i share my workaround.
Goal: - user without EXO-Admin permission can change primary smtp
Solution Architecture:
Use Azure "Automation Account - Runbook" to:
-host a powershell script with the set-unifiedgroup command
-have credentails for "service account" stored which i use to run the Runbook above
-create a WebHook for your Runbook so you can call the Webhook and start this way the Runbook
https://learn.microsoft.com/en-us/azure/automation/automation-webhooks
What we get:
This way, the script dooing the change on primary smtp can run with user login and you can even use Conditional Access to lockdown the Account used by the Runbook.
The Person running the PS-Script calling the WebHook of the Run-Book needs no priviledge for Exchange Admin
Thanks for that Christian. I'm currently using a similar pattern myself, although our script runs every hour, so not using a webhook as such.
I really like the idea about the Conditional Access Policy though, may I ask how you've configured that?
Thanks
@Steve Johnson - it depends on the effort you are willing to take.
In any case - it did boil down to the question on how to get a static IP to use as Location Condition in the "Conditional Access Policy". If there is an other way to limit exposure of the priviledged account then i'm not aware of - so your welcome to make me more smart.
As for Limit exposure:
i have tryed with "New-ManagementRole" (copy Mail Recipients and remove all other PS-Commands) and "New-RoleGroup" to limit access to the 2 cmd-lets' Set-UnifiedGroup and Get-UnifiedGroup for the Service Account.
you can check after with Get-ManagementRole -Cmdlet Set-UnifiedGroup | ft Name,Roletype,IsEndUserRole if it worked.
While i was able to limit the service account to have just those 2 commands i was not able to change the PrimarySMTPAddress with this privileges.
Creating a Azure AD Role with New-AzureADMSRoleDefinition and RolePermission "microsoft.directory/groups.unified/basic/update" adding my service Account to that role did also not help to change the get more scoped permissions.
However i figured out that "Teams Service Administrator"-Role in Azure AD seems to give enough permission to change the PrimarySMTPAddress
Thanks for coming back to me on this Christian, that's been super helpful! Will start having a play