OK, so apparently this is a known issue, MS is looking into a fix.
PowerShell Connect AppOnly to EXO - Anyone able to use command Set-UnifiedGroup
We want to use App-Only authentication in a script to change M365-Unified Group PrimarySMTPAddress and Alias.
I can connect with App-Only Auth as described here: App-only authentication | Microsoft Learn, and use Get-UnifiedGroup or even use Set-Mailbox to change EmailAddresses. But if I try to use the Set-UnifiedGroup command, it will always fail with the following error:
We failed to update the unified group. Please try again later.
+ CategoryInfo : NotSpecified: (:) [Set-UnifiedGroup], TaskException
+ FullyQualifiedErrorId : [Server=GV0P278MB0001,RequestId=00e66d64-0be9-49c3-92a1-44147c1d08fd,TimeStamp=17/12/2020 08:36:05] [FailureCategory=Cmdlet-TaskException] 74BF6179,Microsoft.Exchange.Management.RecipientTasks.SetUnifiedGroup
+ PSComputerName : outlook.office365.com
As support suggested, I have even added the app to the Global Admin role and waited 24 hours - still the same error.
When I connect as a user, the same command works perfectly fine, so it can't be the command, which would be for example:
Get-UnifiedGroup testgrpid | Set-UnifiedGroup -Alias myNewAlias
So my simple question - does it work for anyone out there?
I have a ticket with MS that got kind of stuck, so any help is welcome.
I'm using PowerShell module ExchangeOnlineManagement v 2.0.3 but have tried 2.0.4 Preview as well - same behavior.
4 additional answers
-
Vasil Michev 112K Reputation points MVP
2020-12-18T10:20:46.373+00:00 Seems to be broken here as well, let me ping a few folks.
-
Chase, Mark 21 Reputation points
2020-12-18T21:15:30.49+00:00 I am also having this issue. I have to "explain to the boss" so to speak, so if there is an official MS ticket for this, I can definitely use that. Do you have a ticket/case number?
And I also get an error creating a group:
The group can't be created
- CategoryInfo : NotSpecified: (:) [New-UnifiedGroup], TaskException
- FullyQualifiedErrorId : [Server=BN8PR19MB2657,RequestId=de05ce51-1cea-474b-b1d8-473705752be5,TimeStamp=12/18/2020 9:16:43 PM] [FailureCategory=Cmdlet-TaskException] A6A07FF9,Microsoft.Exchange.Management.RecipientTasks.NewUnifiedGroup
- PSComputerName : outlook.office365.com
I suspect it is related. I can list groups just fine. Just can't create or update.
-
Steve Johnson 11 Reputation points
2021-01-10T17:04:53.597+00:00 I'm glad I eventually stumbled into this thread, since I've been fighting with this one this afternoon. I'm getting the same error message, "We failed to update the group. Please try later", as the OP.
I'm running an automation script that updates the welcome message and the primary email address. Sadly, whilst the welcome message command works, the primary smtp address change fails using CBA. Works fine with a service account with the required role assignment though.
# Connect to Exchange Online
Connect-ExchangeOnline -Certificate $appCert -AppID $appId -Organization "$org.onmicrosoft.com" -ShowBanner:$false
Write-Output("Connecting to Exchange Online")
Start-Sleep -Seconds 1.5
# Disable the Welcome email
Set-UnifiedGroup -Identity $Group.GroupId -UnifiedGroupWelcomeMessageEnabled:$false
Write-Output("Welcome email disabled")
Start-Sleep -Seconds 1.5
# Change the group email address
Set-UnifiedGroup -Identity $Group.GroupId -PrimarySmtpAddress $newMailAlias
Write-Output("Group email address changed to $newMailAlias")
Start-Sleep -Seconds 1.5
# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
Write-Output("Disconnecting from Exchange Online")
Start-Sleep -Seconds 1.5
-
christian zuellig 21 Reputation points
2021-01-12T15:39:34.01+00:00 Hi, as it's confirmed to be by design, which usually means it's not being changed in the near future, and I'm not sure when MS will provide the full Exchange API in MS Graph, I share my workaround.
Goal: a user without EXO-Admin permission can change the primary SMTP
Solution Architecture:
Use Azure "Automation Account - Runbook" to:
- host a PowerShell script with the Set-UnifiedGroup command
- have credentials for a "service account" stored, which I use to run the Runbook above
- create a WebHook for your Runbook so you can call the WebHook and start the Runbook this way
https://learn.microsoft.com/en-us/azure/automation/automation-webhooks
What we get:
This way, the script doing the change on the primary SMTP can run with a user login, and you can even use Conditional Access to lock down the account used by the Runbook.
The person running the PS script calling the WebHook of the Runbook needs no privilege for Exchange Admin.
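
The runbook side of the workaround described above, as an added example that is not code from the post or from Microsoft. It validates the webhook payload before calling Set-UnifiedGroup, because the webhook URL alone is enough to start the runbook with the service account's rights. Assumed names: the credential asset `exo-svc`, the JSON body fields `groupId` and `newAddress`, and the allowed domain `contoso.com`.

```powershell
# Added example: Azure Automation runbook started by a webhook.
# Assumptions (not from the post): credential asset 'exo-svc', JSON body
# fields 'groupId' and 'newAddress', allowed mail domain 'contoso.com'.
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

$ErrorActionPreference = 'Stop'
$allowedDomain = 'contoso.com'

# Refuse to run when no webhook payload was passed in.
if (-not $WebhookData -or -not $WebhookData.RequestBody) {
    throw 'This runbook must be started through its webhook with a JSON body.'
}

$request    = $WebhookData.RequestBody | ConvertFrom-Json
$groupId    = [string] $request.groupId
$newAddress = [string] $request.newAddress

# The caller only holds the webhook URL, so treat every field as untrusted:
# the group must be addressed by GUID, the new address must stay in our domain.
$parsedGuid = [guid]::Empty
if (-not [guid]::TryParse($groupId, [ref] $parsedGuid)) {
    throw 'groupId must be a GUID.'
}
$addressPattern = '^[A-Za-z0-9._-]{1,64}@' + [regex]::Escape($allowedDomain) + '$'
if ($newAddress -notmatch $addressPattern) {
    throw "newAddress must be a mailbox in $allowedDomain."
}

# Service account credential stored as an Automation credential asset.
$credential = Get-AutomationPSCredential -Name 'exo-svc'

Connect-ExchangeOnline -Credential $credential -ShowBanner:$false
try {
    Set-UnifiedGroup -Identity $parsedGuid.ToString() -PrimarySmtpAddress $newAddress
    Write-Output "Group $parsedGuid primary SMTP address set to $newAddress (webhook: $($WebhookData.WebhookName))"
}
finally {
    # Always close the remote session, even when the update fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The job output records which webhook triggered each change, which gives a per-webhook audit trail if separate webhooks are issued to separate callers.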