Hello,
We are trying to use a PSSession with an Azure app and modern auth to connect to Exchange Online.
Connecting is not a problem.
This is how we do it:
$tenantID = "xxxxx-xxxxxxxxxx-xxxxx" #your tenantID or tenant root domain
$appID = "xxxxx-xxxxxxxxxx-xxxxx" #the GUID of your app
$client_secret = "someverylongsecret" #client secret for the app
$body = @{
    client_id     = $AppId
    scope         = "https://outlook.office365.com/.default"
    client_secret = $client_secret
    grant_type    = "client_credentials"
}
$authenticationResult = Invoke-WebRequest -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body -ErrorAction Stop
$token = ($authenticationResult.Content | ConvertFrom-Json).access_token
$Authorization = "Bearer {0}" -f $Token
$Password = ConvertTo-SecureString -AsPlainText $Authorization -Force
$Ctoken = New-Object System.Management.Automation.PSCredential -ArgumentList "OAuthUser@$tenantId",$Password #replace your tenantGUID here
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true" -Credential $Ctoken -Authentication Basic -AllowRedirection -Verbose
Connecting does work, and I can enter the PSSession without a problem.
Get-* cmdlets work without issues.
Set-* cmdlets do not work.
I get this kind of message:
System.Management.Automation.RemoteException: Serveur source:PR0P264MB0730.FRAP264.PROD.OUTLOOK.COM n’a pas l’autorisation
d’écrire sur DC cible:VI1P189A003DC03.EURP189A003.PROD.OUTLOOK.COM. Cela signifie généralement que la forêt cible n’est pas une
partition de la forêt source. Informations supplémentaires : Insufficient access rights to perform the operation.
Réponse d'Active Directory : 00002098: SecErr: DSID-03150F94, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The thing is, if I use the new ExchangeOnlineManagement module with the same app ID, I don't have this kind of problem... so it's not a rights problem per se!
This does work on another subscription, so I'm a bit lost here!