This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 95%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
I am unable to use EXO V2 (2.0.3) in "app-only" certificate connection to perform any kind of New, Set, or Remove on Unified Groups (I am only dealing with groups, so I don't know if there are any other issues). There is already a related question https://learn.microsoft.com/en-us/answers/questions/203561/powershell-connect-apponly-to-exo-anyone-able-to-u.html but I have poked around more and have some additional info, and I also desperately need this to work for a project, so I decided to post my own question.
In short, I have a Powershell script that is designed to first collect some data, then it updates various groups, creating, deleting, updating the groups, or adding members or owners to groups. It's completely automated, running hourly, and having a user run it manually and authenticate every time is not acceptable (all users have MFA, so we have to use certificate based). However, running the script manually (with user credentials and completing the MFA interrogation) does work. Running using certificate authentication also works to a point. Certificate Authentication itself works fine, and once authenticated, the script can Get anything, including groups and users. The script is registered in Azure App Registrations and has the "Exchange Service Administrator" role applied (I've also tried the Global/company admin), and access is admin approved. So there is nothing wrong with permissions that I can see. Again, I want to emphasize that I know the script works, as it works manually with normal user credentials.
Anyway, when running "app-only" certificate connection it fails with strange errors on any New-UnifiedGroup, Set-UnifiedGroup, or Remove-UnifiedGroup command.
A typical New-UnifiedGroup command looks like this:
New-UnifiedGroup `
-DisplayName $name `
-Notes $description `
-EmailAddresses $email `
-Members $owner `
-Owner $owner `
-AccessType Private `
-RequireSenderAuthenticationEnabled $False -Verbose
But I get this error:
The group can't be created
For Set-UnifiedGroup I get this error:
We failed to update the unified group. Please try again later.
For Remove-UnifiedGroup I get this error (strangest error of all):
Unable to remove group GROUP_1.
At C:\Users[my profile]\AppData\Local\Temp\tmp_c4pvjn40.0n1\tmp_c4pvjn40.0n1.psm1:59286 char:9
The Remove-UnifiedGroup actually gave me a line in some temp file script, although the others did not. It also halted execution, while the others did not. That temp script is called "Implicit remoting module by Import-PSSession cmdlet". And line 59286 appears to be in a section of code that looks like this:
Begin {
try {
$positionalArguments = & $script:NewObject collections.arraylist
foreach ($parameterName in $PSBoundParameters.BoundPositionally)
{
$null = $positionalArguments.Add( $PSBoundParameters[$parameterName] )
$null = $PSBoundParameters.Remove($parameterName)
}
$positionalArguments.AddRange($args)
$clientSideParameters = Get-PSImplicitRemotingClientSideParameters $PSBoundParameters $True
$scriptCmd = { & $script:InvokeCommand `
@clientSideParameters `
-HideComputerName `
-Session (Get-PSImplicitRemotingSession -CommandName 'Remove-UnifiedGroup') `
-Arg ('Remove-UnifiedGroup', $PSBoundParameters, $positionalArguments) `
-Script { param($name, $boundParams, $unboundParams) & $name @boundParams @unboundParams } `
}
$steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin)
$steppablePipeline.Begin($myInvocation.ExpectingInput, $ExecutionContext)
} catch {
throw
}
}
Process {
try {
$steppablePipeline.Process($_)
} catch {
throw
}
}
End {
try {
$steppablePipeline.End()
} catch {
throw
}
}
(That's not my code, but the code from the temp script). The error is thrown from the last try-catch-throw (that's line 59286), on $steppablePipeline.End().
Finally, I should note that the on other question I have referenced (https://learn.microsoft.com/en-us/answers/questions/203561/powershell-connect-apponly-to-exo-anyone-able-to-u.html ) two different people mentioned that there is an internal incident or ticket that might be open about this issue. However, no further details were provided. It is urgent that I get New-UnifiedGroup, Set-UnifiedGroup, and Remove-UnifiedGroup working for this script via app-only certificate based authentication, as it is our client's only avenue to do so, since all users in their Azure/Office365 are required to be MFA.
If this is a Microsoft problem, I need to show our client some evidence of this, and I also need to provide them with information about when the problem might get fixed. If I am, in fact, just doing something wrong, any assistance would be appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @Chase, Mark
Any update about this issue?
It's a known issue, the PG Is working on resolving it. Nothing you can do about it apart from waiting. Or stick to using the old connectivity method for the time being. Alternatively you can use the Graph API endpoints for some of the Group operations.
Thanks. But ironically, Graph API was originally the path they wanted to take. However, the Graph API also has a known issue, being unable to set the AllowExternalSenders, which they require. So this path was chosen instead, since it was believed EXO v2 powershell module would work. Then we hit this issue. It seems no matter which way we turn, it's a dead end.
The cmdlets will work just fine if you connect via username/password, so just use that. The issue is specific to using service principal/CBA based authentication, and we've had some other similar issues in the past... guess this one skipped through.
We can't use username/ password, as all users are MFA authenticated. Thus, we must connect via certificate. This is an unattended script that runs hourly.
Service account excluded from MFA would work temporarily :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 84%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
At least as of 3/13/2023, Microsoft's documentation indicates the non-Get *-UnifiedGroup cmdlets do not work with app authentication.
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
For those of us who aren't developers, it is difficult to know what the Graph can and cannot do related to M365 Groups. The documentation for Graph is not written with Exchange administration or administrators in mind. I shouldn't have to construct a JSON hash to add or remove an owner from a group.
I do have the the Microsoft Graph PowerShell module installed, and I can see there are a large number of *-MgGroup cmdlets available. Get-Help doesn't do much more than list the parameters that can be used, and the "Related Links" gives a URL that is not valid. I haven't yet had time to test cmdlets like Remove-MgGroupAcceptedSender which I am guessing is one of the things I'll need to replace Set-UnifiedGroup. I don't look forward to rewriting the scripts that make use of cmdlets like that, requiring one straightforward command to be replaced by several arcane ones that have to be located by IEBIBALL.