HTTP 401 on Exchange Online cmdlets when running in app-only mode

Nancy Admin 26 Reputation points
2021-06-21T20:22:45.967+00:00

Receiving a 401 error on some EXO cmdlets when running in app-only mode.
The app that was authorized into the tenant consented to the Exchange.ManageAsApp scope. Are there additional scopes that are required?

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.4 -Force
Connect-ExchangeOnline -CertificateFilePath '<path_to_cert>' -CertificatePassword (ConvertTo-SecureString -String '<password>' -AsPlainText -Force) -AppID <app_id> -Organization 'tenant.onmicrosoft.com'

Get-EXOMailbox -ResultSize unlimited
Get-EXOMailbox: Error while querying REST service. HttpStatusCode=401 ErrorMessage={"error":{"code":"Unauthorized","message":"User is not allowed to call Get-Mailbox","innererror":{"message":"User is not allowed to call Get-Mailbox","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException"}}}

Get-Mailbox -ResultSize Unlimited
Get-Mailbox: The term 'Get-Mailbox' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,153 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,345 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Andy David - MVP 140.8K Reputation points MVP
    2021-06-21T20:27:07.063+00:00

    Hi there,
    You need to add the service principal you created to an Azure Role.
    In this case, Exchange Administrator

    The application needs to have the appropriate RBAC roles assigned. Because the apps are provisioned in Azure AD, you can use any of the built-in roles. The following roles are supported:

    Global administrator
    Compliance administrator
    Security reader
    Security administrator
    Helpdesk administrator
    Exchange administrator
    Global Reader

    https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#set-up-app-only-authentication


  2. Vasil Michev 94,366 Reputation points MVP
    2021-06-21T20:30:21.107+00:00

    You need to add the service principal to an admin role in Azure AD, such as the Global admin one. The Exchange.ManageAsApp permissions on their own don't give you admin permissions. Here's a short guide: https://office365itpros.com/2020/08/13/exo-certificate-based-authentication-powershell/