Exchange Online PSSession and modern auth

Philippe tulesauraspas 126 Reputation points
2021-06-24T19:05:30.4+00:00

Hello,

We are trying to use a PSSession with an Azure app and modern auth to connect to Exchange Online.

Connecting is not a problem.

This is how we do it:

$tenantId = "xxxxx-xxxxxxxxxx-xxxxx"       # your tenant ID or tenant root domain
$appId = "xxxxx-xxxxxxxxxx-xxxxx"          # the GUID of your app
$client_secret = "someverylongsecret"      # client secret for the app

# Client-credentials request body for the v2.0 token endpoint
$body = @{
    client_id     = $appId
    scope         = "https://outlook.office365.com/.default"
    client_secret = $client_secret
    grant_type    = "client_credentials"
}

$authenticationResult = Invoke-WebRequest -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body -ErrorAction Stop
$token = ($authenticationResult.Content | ConvertFrom-Json).access_token

# The bearer token travels as the Basic-auth password; BasicAuthToOAuthConversion=true makes the endpoint convert it back
$Authorization = "Bearer {0}" -f $token
$Password = ConvertTo-SecureString -AsPlainText $Authorization -Force
$Ctoken = New-Object System.Management.Automation.PSCredential -ArgumentList "OAuthUser@$tenantId",$Password   # replace your tenant GUID here

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true" -Credential $Ctoken -Authentication Basic -AllowRedirection -Verbose

Connecting does work, and I can enter the PSSession without problem.
Get-* cmdlets work without issues.

Set-* cmdlets do not work.

I get this kind of message:

System.Management.Automation.RemoteException: Serveur source:PR0P264MB0730.FRAP264.PROD.OUTLOOK.COM n’a pas l’autorisation
d’écrire sur DC cible:VI1P189A003DC03.EURP189A003.PROD.OUTLOOK.COM. Cela signifie généralement que la forêt cible n’est pas une
partition de la forêt source. Informations supplémentaires : Insufficient access rights to perform the operation.
Réponse d'Active Directory : 00002098: SecErr: DSID-03150F94, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The thing is, if I use the new ExchangeOnlineManagement module with the same app ID, I don't have this kind of problem... so it's not a rights problem per se!

This does work on another subscription, so I'm a bit lost here!


Accepted answer
  1. Vasil Michev 100.2K Reputation points MVP
    2021-06-25T06:13:03.28+00:00

    Oh, I remembered one thing I forgot to add in the blog - make sure you pass the "anchor" when connecting. The module cmdlet does that for you, but when you create the session yourself, you need to add "&email=SystemMailbox%7bbb558c35-97f1-4cb9-8ff7-d53741dc928c%7d%40tenantname.onmicrosoft.com" to the connection string.

    So the end result should be something like this:
    "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true&email=SystemMailbox%7bbb558c35-97f1-4cb9-8ff7-d53741dc928c%7d%40tenantname.onmicrosoft.com"

    This will fix some of the issues, but not all, as some cmdlets are simply not designed to work in the context of an app.

    2 people found this answer helpful.
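Added example, not code from the thread or from Microsoft: a helper that builds the connection URI with the anchor mailbox described in this answer and opens the session with the app-only token. It assumes $token already holds the access token from the question's client-credentials call, that the tenant GUID and the tenant's onmicrosoft.com domain are known, and that the function names are this example's own.

```powershell
# Added example (not from the original thread). Builds the anchored connection
# URI from the accepted answer and opens the Exchange Online PSSession with it.
function New-ExoAppConnectionUri {
    param([Parameter(Mandatory)][string]$TenantDomain)   # e.g. contoso.onmicrosoft.com

    # Anchor mailbox exactly as named in the accepted answer. Let .NET do the
    # percent-encoding ({ } @ become %7B %7D %40) instead of hand-typing it.
    $anchor  = "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@$TenantDomain"
    $encoded = [Uri]::EscapeDataString($anchor)
    return "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true&email=$encoded"
}

function Connect-ExoAppSession {
    param(
        [Parameter(Mandatory)][string]$Token,          # raw JWT from the token endpoint
        [Parameter(Mandatory)][string]$TenantId,       # tenant GUID, as in the question
        [Parameter(Mandatory)][string]$TenantDomain    # tenant's onmicrosoft.com domain
    )

    # Same trick as in the question: the bearer token is the Basic-auth password.
    $secret = ConvertTo-SecureString -String "Bearer $Token" -AsPlainText -Force
    $cred   = [pscredential]::new("OAuthUser@$TenantId", $secret)

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri (New-ExoAppConnectionUri -TenantDomain $TenantDomain) `
        -Credential $cred -Authentication Basic -AllowRedirection -ErrorAction Stop

    # Import only the cmdlets actually needed; every proxied cmdlet costs memory
    # in a long-running host such as the UniversalDashboard process in the thread.
    Import-PSSession -Session $session -CommandName Get-Mailbox, Set-Mailbox -AllowClobber | Out-Null
    return $session
}

# Usage (assumes $token was obtained as shown in the question):
# $session = Connect-ExoAppSession -Token $token -TenantId $tenantId -TenantDomain 'contoso.onmicrosoft.com'
# Remove-PSSession $session   # tear the session down when done; EXO limits concurrent sessions
```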

4 additional answers

  1. Vasil Michev 100.2K Reputation points MVP
    2021-06-24T20:56:57.467+00:00

    Decode the token and check whether it contains the proper list of AAD roles in the wids claim.

    1 person found this answer helpful.
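Added example, not code from the thread: the decode-and-inspect step this answer suggests, done in PowerShell. It assumes $token holds the raw JWT from the question, that the app was granted the Exchange.ManageAsApp application permission (so that value should appear in the roles claim), and that the service principal was assigned the Exchange Administrator directory role, whose well-known template ID is the default below; the function names are this example's own.

```powershell
# Added example (not from the original thread). Decodes the app-only access
# token and reports the claims that decide what the PSSession may do.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }

    # The payload is base64url: restore '+' and '/' and pad to a multiple of 4.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Malformed base64url payload' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-ExoAppToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Assumption: Exchange Administrator is the directory role assigned to the app.
        [string]$RequiredRoleTemplateId = '29232cdf-9323-42fd-ade2-1d097af3e4de'
    )

    $c     = ConvertFrom-JwtPayload -Token $Token
    $wids  = @($c.wids)     # Azure AD directory role template IDs held by the service principal
    $roles = @($c.roles)    # application permissions granted on the resource

    [pscustomobject]@{
        Audience           = $c.aud
        AppId              = $c.appid
        ExpiresUtc         = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.exp).UtcDateTime
        IsExoAudience      = $c.aud -like 'https://outlook.office365.com*'
        HasManageAsApp     = $roles -contains 'Exchange.ManageAsApp'
        HasRequiredDirRole = $wids -contains $RequiredRoleTemplateId
        DirectoryRoles     = $wids
    }
}

# Usage: Test-ExoAppToken -Token $token | Format-List
```

If any of the three boolean fields is false, fix the app registration or role assignment before chasing the anchor mailbox; if all are true and Set-* cmdlets still fail, the missing anchor in the connection URI is the next thing to check.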

  2. Philippe tulesauraspas 126 Reputation points
    2021-06-25T07:49:49.787+00:00

    FYI this works great :)
    Thank youuuuuu!
    In our scenario we are using UniversalDashboard to work on EXO, and with the EXO V2 module the UD process memory kept growing and growing... I saw some posts about a memory leak...
    The only workaround was to restart our process every 24h, so it was pretty ugly!
    But with this we don't depend on EXO V2, and this is awesome!!!

    Can you elaborate on "some cmdlets are simply not designed to work in the context of an app"?

    And last question: will MS eventually make this impossible in the near future?

    Thank you very much @Vasil Michev!

    1 person found this answer helpful.

  3. Philippe tulesauraspas 126 Reputation points
    2021-06-24T21:02:09.353+00:00

    Yes it does.
    In fact, I compared the generated token and the one generated by the EXO V2 module (there is a GetToken method available on the PSSession) and they are exactly the same. Wids, aud, etc.

    (BTW thanks for your blog :) I first discovered this solution on your blog :) )


  4. Philippe tulesauraspas 126 Reputation points
    2021-06-25T06:54:50.817+00:00

    Haha :) I was wondering if maybe I had to complete the URI... thought all that was after "BasicAuthToOAuthConversion=true" was just for telemetry!
    OK, I'll try that and test it! And get back!
