UnifiedGroup New, Set, Remove does not work with EXO V2 app-only certificate authentication

Chase, Mark 21 Reputation points
2020-12-22T13:58:56.777+00:00

I am unable to use EXO V2 (2.0.3) in "app-only" certificate connection to perform any kind of New, Set, or Remove on Unified Groups (I am only dealing with groups, so I don't know if there are any other issues). There is already a related question https://learn.microsoft.com/en-us/answers/questions/203561/powershell-connect-apponly-to-exo-anyone-able-to-u.html but I have poked around more and have some additional info, and I also desperately need this to work for a project, so I decided to post my own question.

In short, I have a Powershell script that is designed to first collect some data, then it updates various groups, creating, deleting, updating the groups, or adding members or owners to groups. It's completely automated, running hourly, and having a user run it manually and authenticate every time is not acceptable (all users have MFA, so we have to use certificate based). However, running the script manually (with user credentials and completing the MFA interrogation) does work. Running using certificate authentication also works to a point. Certificate Authentication itself works fine, and once authenticated, the script can Get anything, including groups and users. The script is registered in Azure App Registrations and has the "Exchange Service Administrator" role applied (I've also tried the Global/company admin), and access is admin approved. So there is nothing wrong with permissions that I can see. Again, I want to emphasize that I know the script works, as it works manually with normal user credentials.

Anyway, when running "app-only" certificate connection it fails with strange errors on any New-UnifiedGroup, Set-UnifiedGroup, or Remove-UnifiedGroup command.

A typical New-UnifiedGroup command looks like this:

New-UnifiedGroup `  
    -DisplayName $name `  
    -Notes $description `  
    -EmailAddresses $email `  
    -Members $owner `  
    -Owner $owner `  
    -AccessType Private `  
    -RequireSenderAuthenticationEnabled $False -Verbose  

But I get this error:
The group can't be created

  • CategoryInfo : NotSpecified: (:) [New-UnifiedGroup], TaskException
  • FullyQualifiedErrorId : [Server=BN8PR19MB2657,RequestId=99903585-3899-41b0-a601-6d10d1841324,TimeStamp=12/22/2020 1:25:07 PM] [FailureCategory=Cmdlet-TaskException] A79E6D74,Microsoft.Exchange.Management.RecipientTasks.NewUnifiedGroup
  • PSComputerName : outlook.office365.com

For Set-UnifiedGroup I get this error:
We failed to update the unified group. Please try again later.

  • CategoryInfo : NotSpecified: (:) [Set-UnifiedGroup], TaskException
  • FullyQualifiedErrorId : [Server=BN8PR19MB2657,RequestId=1d2f7517-7bb7-43af-b454-2f5bfe41d657,TimeStamp=12/22/2020 1:35:30 PM] [FailureCategory=Cmdlet-TaskException] 760960A4,Microsoft.Exchange.Management.RecipientTasks.SetUnifiedGroup
  • PSComputerName : outlook.office365.com

For Remove-UnifiedGroup I get this error (strangest error of all):
Unable to remove group GROUP_1.
At C:\Users\[my profile]\AppData\Local\Temp\tmp_c4pvjn40.0n1\tmp_c4pvjn40.0n1.psm1:59286 char:9

  • $steppablePipeline.End()
  • ~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : NotSpecified: (:) [Remove-UnifiedGroup], TaskException
  • FullyQualifiedErrorId : [Server=BN8PR19MB2657,RequestId=1220d0e8-3c5a-4e6e-8c6b-2f41022a63e9,TimeStamp=12/22/2020 1:06:32 PM] [FailureCategory=Cmdlet-TaskException] EF93E9F8,Microsoft.Exchange.Management.RecipientTasks.RemoveUnifiedGroup
  • PSComputerName : outlook.office365.com

The Remove-UnifiedGroup actually gave me a line in some temp file script, although the others did not. It also halted execution, while the others did not. That temp script is called "Implicit remoting module by Import-PSSession cmdlet". And line 59286 appears to be in a section of code that looks like this:

Begin {  
    try {  
        $positionalArguments = & $script:NewObject collections.arraylist  
        foreach ($parameterName in $PSBoundParameters.BoundPositionally)  
        {  
            $null = $positionalArguments.Add( $PSBoundParameters[$parameterName] )  
            $null = $PSBoundParameters.Remove($parameterName)  
        }  
        $positionalArguments.AddRange($args)  

        $clientSideParameters = Get-PSImplicitRemotingClientSideParameters $PSBoundParameters $True  

        $scriptCmd = { & $script:InvokeCommand `  
                        @clientSideParameters `  
                        -HideComputerName `  
                        -Session (Get-PSImplicitRemotingSession -CommandName 'Remove-UnifiedGroup') `  
                        -Arg ('Remove-UnifiedGroup', $PSBoundParameters, $positionalArguments) `  
                        -Script { param($name, $boundParams, $unboundParams) & $name @boundParams @unboundParams } `  
                     }  

        $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin)  
        $steppablePipeline.Begin($myInvocation.ExpectingInput, $ExecutionContext)  
    } catch {  
        throw  
    }  
}  
Process {  
    try {  
        $steppablePipeline.Process($_)  
    } catch {  
        throw  
    }  
}  
End {  
    try {  
        $steppablePipeline.End()  
    } catch {  
        throw  
    }  
}  

(That's not my code, but the code from the temp script). The error is thrown from the last try-catch-throw (that's line 59286), on $steppablePipeline.End().

Finally, I should note that on the other question I have referenced (https://learn.microsoft.com/en-us/answers/questions/203561/powershell-connect-apponly-to-exo-anyone-able-to-u.html ) two different people mentioned that there is an internal incident or ticket that might be open about this issue. However, no further details were provided. It is urgent that I get New-UnifiedGroup, Set-UnifiedGroup, and Remove-UnifiedGroup working for this script via app-only certificate-based authentication, as it is our client's only avenue to do so, since all users in their Azure/Office365 are required to use MFA.

If this is a Microsoft problem, I need to show our client some evidence of this, and I also need to provide them with information about when the problem might get fixed. If I am, in fact, just doing something wrong, any assistance would be appreciated.
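The following is an added example, not the original poster's script or anything from the ExchangeOnlineManagement module itself. It shows the app-only certificate connection the question describes, wraps one of the failing group cmdlets so that a TaskException becomes a catchable terminating error, and pulls the Server/RequestId/TimeStamp triple out of FullyQualifiedErrorId (the same fields visible in the error output above), which is the evidence a Microsoft support case asks for. $AppId, $Thumbprint, $Tenant, $LogPath and the group values are placeholders.

```powershell
# Added example (not the original poster's script): app-only certificate connection
# with EXO V2, a guarded wrapper around New-UnifiedGroup, and extraction of the
# Server/RequestId/TimeStamp triple from the error record so that every failure
# leaves a support-case-ready log line.
# Placeholders: $AppId, $Thumbprint, $Tenant, $LogPath and the sample group values.

param(
    [string]$AppId      = '00000000-0000-0000-0000-000000000000',   # placeholder app registration id
    [string]$Thumbprint = 'CERT_THUMBPRINT_PLACEHOLDER',             # certificate in CurrentUser\My or LocalMachine\My
    [string]$Tenant     = 'contoso.onmicrosoft.com',                 # placeholder tenant
    [string]$LogPath    = "$env:TEMP\exo-group-failures.log"
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# App-only (certificate) connection: the path the question reports as working for Get-* cmdlets.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Tenant -ShowBanner:$false

function Get-ExoRequestInfo {
    # Parse "[Server=...,RequestId=...,TimeStamp=...]" out of FullyQualifiedErrorId.
    param([System.Management.Automation.ErrorRecord]$Record)
    $m = [regex]::Match($Record.FullyQualifiedErrorId,
        'Server=(?<Server>[^,\]]+),RequestId=(?<RequestId>[^,\]]+),TimeStamp=(?<TimeStamp>[^\]]+)')
    if ($m.Success) {
        return [pscustomobject]@{
            Server    = $m.Groups['Server'].Value
            RequestId = $m.Groups['RequestId'].Value
            TimeStamp = $m.Groups['TimeStamp'].Value
            Category  = $Record.CategoryInfo.Category
            Message   = $Record.Exception.Message
        }
    }
    return $null
}

function Invoke-GroupOperation {
    # Run one group cmdlet; on failure, record what a support case needs and keep the script going.
    param([string]$Label, [scriptblock]$Operation)
    try {
        & $Operation          # the cmdlet inside uses -ErrorAction Stop so the TaskException is catchable
        Write-Verbose "$Label succeeded"
        return $true
    } catch {
        $info = Get-ExoRequestInfo -Record $_
        $line = if ($info) {
            "{0}`t{1}`tServer={2}`tRequestId={3}`tTimeStamp={4}`t{5}" -f (Get-Date -Format o), $Label, $info.Server, $info.RequestId, $info.TimeStamp, $info.Message
        } else {
            "{0}`t{1}`tUnparsed error: {2}" -f (Get-Date -Format o), $Label, $_
        }
        Add-Content -Path $LogPath -Value $line
        Write-Warning $line
        return $false
    }
}

# Constructed sample values for the group the automation would manage.
$name        = 'GROUP_1'
$description = 'Example group managed by automation'
$email       = 'group1@contoso.onmicrosoft.com'
$owner       = 'owner@contoso.onmicrosoft.com'

$ok = Invoke-GroupOperation -Label "New-UnifiedGroup $name" -Operation {
    New-UnifiedGroup -DisplayName $name -Notes $description -EmailAddresses $email `
        -Members $owner -Owner $owner -AccessType Private `
        -RequireSenderAuthenticationEnabled $false -ErrorAction Stop
}

if (-not $ok) {
    Write-Warning "Group write failed under app-only auth; Server, RequestId and TimeStamp are in $LogPath for a support case."
}

Disconnect-ExchangeOnline -Confirm:$false
```

The wrapper deliberately returns $false instead of re-throwing, so an hourly run logs every failing group operation with its RequestId rather than stopping at the first one, which also covers the Remove-UnifiedGroup case the question says halts execution.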


Accepted answer
  1. Vasil Michev 96,161 Reputation points MVP
    2020-12-22T14:30:30.167+00:00

    It's a known issue; the PG is working on resolving it. Nothing you can do about it apart from waiting. Or stick to using the old connectivity method for the time being. Alternatively you can use the Graph API endpoints for some of the Group operations.
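The accepted answer points at the Graph API as an alternative for group operations. The block below is an added example (not code from the answer, from Microsoft, or from the ExchangeOnlineManagement module) of doing the create, update and remove steps through Microsoft Graph with the same app-only certificate identity. It assumes the community MSAL.PS module is installed and that the app registration holds the Group.ReadWrite.All application permission with admin consent; $AppId, $TenantId, $Thumbprint and the group values are placeholders.

```powershell
# Added example (not from the answer or from Microsoft): creating, updating and removing a
# Microsoft 365 (Unified) group through Microsoft Graph with an app-only certificate identity.
# Assumptions: MSAL.PS is installed; the app registration has the Group.ReadWrite.All
# application permission with admin consent. $AppId, $TenantId, $Thumbprint and the
# group values are placeholders.

param(
    [string]$AppId      = '00000000-0000-0000-0000-000000000000',
    [string]$TenantId   = 'contoso.onmicrosoft.com',
    [string]$Thumbprint = 'CERT_THUMBPRINT_PLACEHOLDER'
)

Import-Module MSAL.PS -ErrorAction Stop

# Client-credentials flow with a certificate: no user, so no MFA prompt.
$cert    = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
$token   = Get-MsalToken -ClientId $AppId -TenantId $TenantId -ClientCertificate $cert -Scopes 'https://graph.microsoft.com/.default'
$headers = @{ Authorization = "Bearer $($token.AccessToken)"; 'Content-Type' = 'application/json' }
$graph   = 'https://graph.microsoft.com/v1.0'

function New-M365GroupViaGraph {
    param([string]$DisplayName, [string]$MailNickname, [string]$Description, [string]$OwnerUpn, [string]$Visibility = 'Private')
    # groupTypes = Unified is what makes this a Microsoft 365 group, the same object type New-UnifiedGroup creates.
    $body = @{
        displayName          = $DisplayName
        mailNickname         = $MailNickname
        description          = $Description
        mailEnabled          = $true
        securityEnabled      = $false
        groupTypes           = @('Unified')
        visibility           = $Visibility
        'owners@odata.bind'  = @("$graph/users/$OwnerUpn")
        'members@odata.bind' = @("$graph/users/$OwnerUpn")
    } | ConvertTo-Json -Depth 3
    return Invoke-RestMethod -Method Post -Uri "$graph/groups" -Headers $headers -Body $body
}

function Set-M365GroupViaGraph {
    param([string]$GroupId, [hashtable]$Changes)
    # PATCH accepts any subset of writable properties, e.g. @{ description = 'new text' }.
    $body = $Changes | ConvertTo-Json -Depth 3
    Invoke-RestMethod -Method Patch -Uri "$graph/groups/$GroupId" -Headers $headers -Body $body | Out-Null
}

function Remove-M365GroupViaGraph {
    param([string]$GroupId)
    # DELETE moves the group to the deleted-items container, where it stays restorable for 30 days.
    Invoke-RestMethod -Method Delete -Uri "$graph/groups/$GroupId" -Headers $headers | Out-Null
}

# Constructed sample run: create, update, then remove the group.
$group = New-M365GroupViaGraph -DisplayName 'GROUP_1' -MailNickname 'group1' -Description 'Example automated group' -OwnerUpn 'owner@contoso.onmicrosoft.com'
Write-Host "Created group $($group.id)"
Set-M365GroupViaGraph -GroupId $group.id -Changes @{ description = 'Updated by automation' }
Remove-M365GroupViaGraph -GroupId $group.id
```

Because this path never touches the Exchange cmdlets, it is unaffected by the app-only defect described in the question; the trade-off is that the app registration needs a Graph application permission (Group.ReadWrite.All) in addition to the Exchange role, and that permission should be consented to and audited deliberately since it spans every group in the tenant.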


5 additional answers

  1. skatterbrainz 31 Reputation points
    2021-10-11T14:45:36.753+00:00

    Any update on this? The last status is 10 months ago.

    1 person found this answer helpful.

  2. Andy David - MVP 142.3K Reputation points MVP
    2020-12-22T14:22:57.123+00:00

    I think you would need to open a ticket if you want to have some sort of paper trail for your client.


  3. skatterbrainz 31 Reputation points
    2022-01-16T04:00:20.037+00:00

    As far as I can tell, this is still not working with the latest/current version of the module. Silence from Microsoft is concerning. This is the only function left which is keeping us from switching our Exchange automation processes entirely to certificate authentication.


  4. ninjarish 1 Reputation point
    2022-10-04T06:32:16.233+00:00

    Any update on this? Anyone able to find a workaround if the solution still doesn't exist?
