This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 94%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
Receiving a 401 error on some EXO cmdlets when running in app-only mode.
The app that was authorized into the tenant consented to the Exchange.ManageAsApp scope. Are there additional scopes that are required?
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.4 -Force
Connect-ExchangeOnline -CertificateFilePath '<path_to_cert>' -CertificatePassword (ConvertTo-SecureString -String '<password>' -AsPlainText -Force) -AppID <app_id> -Organization 'tenant.onmicrosoft.com'Get-EXOMailbox -ResultSize unlimited
Get-EXOMailbox: Error while querying REST service. HttpStatusCode=401 ErrorMessage={"error":{"code":"Unauthorized","message":"User is not allowed to call Get-Mailbox","innererror":{"message":"User is not allowed to call Get-Mailbox","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException"}}}Get-Mailbox -ResultSize Unlimited
Get-Mailbox: The term 'Get-Mailbox' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Hi there,
You need to add the service principal you created to an Azure Role.
In this case, Exchange Administrator
The application needs to have the appropriate RBAC roles assigned. Because the apps are provisioned in Azure AD, you can use any of the built-in roles. The following roles are supported:
Global administrator
Compliance administrator
Security reader
Security administrator
Helpdesk administrator
Exchange administrator
Global Reader
I've followed all of the steps from the documentation, including assigning the service principal to the Exchange Admin role. What's weird is that it works with some tenants but errors on some others.
You need to add the service principal to an admin role in Azure AD, such as the Global admin one. The Exchange.ManageAsApp permissions on their own don't give you admin permissions. Here's a short guide: https://office365itpros.com/2020/08/13/exo-certificate-based-authentication-powershell/
I've followed all of the steps from the documentation, including assigning the service principal to the Exchange Admin role. What's weird is that it works with some tenants but errors on some others.
Um, each tenant will need to add your SP to the corresponding admin role, in case you are using a multi-tenant app. That's in addition to consenting. Here's short article I wrote on the topic a while back: https://www.michev.info/Blog/Post/3047/multi-tenant-scenarios-for-exo-powershell-certificate-based-authentication
Thanks for your response @Vasil Michev ! I should have clarified that earlier - the tenant in question has added the SP to the Exchange Admin role on their tenant. But we're only seeing the 401 on certain EXO cmdlets for this tenant.
If it's only for certain cmdlets, you probably need to update the admin role. Also note that when running in app context, some cmdlets are known to fail - such as the Unified Group cmdlets or anything that changes data directly in Azure AD.
This appears to have been because the role that was assigned to the Service Principal was Security Administrator, which is a supported role per the official documentation https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-azure-ad-roles-to-the-application but errors with the following cmdlets:
Get-RemoteDomain, Get-Mailbox, Get-OrganizationConfig, Get-OwaMailboxPolicy, Get-AdminAuditLogConfig, Get-SharingPolicy
. 
Yea, that wont work with those commands :)
Ahh :( @Andy David - MVP is there a way to map commands to roles so I can figure out the appropriate role to require that covers the cmdlets I need to run?
You can view the role details and perms it has in the official documentation:
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
But there really isnt a single place to map the commands to the role
If you need to run Exchange type commands, then you would need to add the Exch Admin role of course :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @Nancy Admin
Glad to hear the question was answered!
Please feel free to mark the helpful replies as the answer to the question.
It may highlight the answer and be helpful to other community members.
Thanks for your understanding!
About how to accept an answer, please refer to this link: Accepted answers