
Help Connecting Azure Automation to Exchange Online - Failed UnAuthorized (UnAuthorized)

Tyler Johnson 80 Reputation points
2026-02-23T20:13:22.4366667+00:00

Hello,

I'm new to Azure Automation and using Exchange. I have tried over the past week to set and connect this automation up, but have failed and I'm getting quite frustrated. I have tried different scripts by using Google Search, and it always seems to get a different error message.

In my latest version, I get this error: Failed UnAuthorized (UnAuthorized).

I guess I'm missing something in my setup...

Here is the code I'm using.


# 1. Connect to Exchange Online (Use Managed Identity for Azure Automation)
Connect-ExchangeOnline -ManagedIdentity -Organization "email.org"

# 2. Define target Distribution Group identity
$groupName = "JohnsonTest2"

# 3. Import members from a CSV file
$memberList = "Import-Csv C:\Test\JohnsonTest.csv"

# 4. Loop through the list and add members
foreach ($row in $memberList) {
    try {
        Add-DistributionGroupMember -Identity $groupName -Member $row.UserEmail -ErrorAction Stop
        Write-Output "Successfully added $($row.UserEmail)"
    } catch {
        Write-Warning "Failed to add $($row.UserEmail): $($_.Exception.Message)"
    }
}

Azure Automation

An Azure service that is used to automate, configure, and install updates across hybrid environments.


Answer accepted by question author
  1. Bharath Y P 5,620 Reputation points Microsoft External Staff Moderator
    2026-02-23T21:01:16.8533333+00:00

    Hello Tyler Johnson, you are running an Azure Automation PowerShell runbook, and the runbook uses the Exchange Online PowerShell command Connect-ExchangeOnline -ManagedIdentity.

    The goal is to add users to a Distribution Group using a CSV file. The runbook fails with: Failed UnAuthorized (UnAuthorized / 401).

    Managed Identity authentication works differently from user login. When you use Connect-ExchangeOnline -ManagedIdentity, you are NOT authenticating as your admin user, Global admin or Exchange admin. But you are authenticating as the Azure Automation Account's Managed Identity (Service Principal). Exchange Online does not automatically trust this identity. You must explicitly grant it Exchange permissions. Because of this, you are facing the Unauthorized error.

    The recommendation is to use PowerShell version 7.1 or onwards: Azure Automation Runbook Types | Microsoft Learn

    To resolve this, please follow the steps below. Thanks.

    Use Azure managed identities to connect to Exchange Online PowerShell | Microsoft Learn

    Step 1: Enable Managed Identity for the Automation Account

    • Go to Azure Portal > Automation Account > Identity
    • Turn System Assigned > Set to “ON”> Click Save
    • Copy the Object (Principal) ID

    Step 2: Assign Azure AD Role:

    • Go to Azure Portal > Microsoft Entra ID > Roles and Administrators
    • Assign one of Exchange Administrator (Recommended) OR Global Administrator (for testing only)
    • Add the Automation Account Managed Identity.

    Assign Microsoft Entra roles - Microsoft Entra ID | Microsoft Learn

    Step 3: Assign Exchange RBAC Role:

    Now connect to Exchange Online manually from your admin machine:

    Connect-ExchangeOnline
    

    Find the Managed Identity service principal:

    Get-ServicePrincipal | Where-Object {$_.DisplayName -like "*YourAutomationAccountName*"}
    

    Then assign role:

    For adding distribution group members, Recipient Management is sufficient:

    Add-RoleGroupMember -Identity "Recipient Management" -Member "<ManagedIdentityDisplayName>"
    

    Manage role groups in Exchange Online | Microsoft Learn

    Step 4: Grant the Exchange.ManageAsApp API permission for the managed identity to call Exchange Online:

    Follow this document to grant the access: Use Azure managed identities to connect to Exchange Online PowerShell | Microsoft Learn

    Step 5: Assign Microsoft Entra roles to the managed identity:

    Use Azure managed identities to connect to Exchange Online PowerShell | Microsoft Learn

    Step 6: Assign Azure AD Role or API Permission

    • Go to Azure portal > Select Microsoft Entra ID (Azure Active Directory).
    • Click Enterprise Applications (not App Registrations).
    • At the top, change Application Type filter to All Applications.
    • Search for the name of your Automation Account > click on your automation account
    • Select Permissions on left side panel
    • Click Add API Permission > Office 365 Exchange Online > Application Permissions > select Exchange.ManageAsApp
    • Click Grant Admin Consent
    • This ensures the Managed Identity is authorized to connect to Exchange Online.

    Step 7: When you are connecting your Exchange module, please validate your primary domain

    • Go to Azure portal > Select Microsoft Entra ID (Azure Active Directory).
    • Overview > check primary domain
    • This is the primary domain you have to use when you are connecting to Exchange Online using managed identity.
    Connect-ExchangeOnline -ManagedIdentity -Organization "<Your primary domain>"
    

    For adding distribution group members, fix your script: instead of $memberList = "Import-Csv C:\Test\JohnsonTest.csv", you can update this to the correct version, $memberList = Import-Csv "C:\Test\JohnsonTest.csv"

    Note: On your local machine, C:\Test\JohnsonTest.csv exists, so Import-Csv works normally. But in the Azure Automation cloud sandbox, you cannot use local file paths like C:\Test\JohnsonTest.csv. You need a cloud-friendly alternative.

    Hope this helps, and please feel free to reach out if you have any further questions. Thanks


1 additional answer

  1. Q&A Assist
    2026-02-23T20:14:04.19+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The error message "Failed UnAuthorized (UnAuthorized)" typically indicates that the managed identity you are using does not have the necessary permissions to perform the actions in Exchange Online. Here are some steps you can take to troubleshoot and resolve this issue:

    1. Verify Managed Identity Permissions: Ensure that the managed identity assigned to your Azure Automation account has the necessary roles assigned in Microsoft Entra ID. You can assign roles such as Exchange Administrator to the managed identity to grant it the required permissions to manage distribution groups.
    2. Check API Permissions: Make sure that the Office 365 Exchange Online > Exchange.ManageAsApp API permission is assigned to the managed identity. You can verify this by running the command:
         Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"
      
      If it returns no results, you may need to register an application in Microsoft Entra ID and assign the necessary permissions as described in the documentation.
    3. Assign Microsoft Entra Roles: If you haven't already, you can assign the required roles to the managed identity using the following command:
         $RoleID = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Exchange Administrator'").Id
         New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $MI_ID -RoleDefinitionId $RoleID -DirectoryScopeId "/"
      
      Replace $MI_ID with the ID of your managed identity.
    4. Test Connection: After ensuring the permissions are correctly set, try running your script again to see if the issue persists.

    By following these steps, you should be able to resolve the unauthorized error and successfully connect your Azure Automation to Exchange Online.
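
Added example, not part of either answer above: one way to carry out and then verify the Exchange.ManageAsApp grant that Step 4 of the accepted answer and step 2 of the Q&A Assist answer both describe, using Microsoft Graph PowerShell from an admin workstation. The account name `YourAutomationAccountName` is a placeholder, and the script assumes the Automation Account uses a system-assigned identity whose service principal carries the account's name.

```powershell
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications).
# Placeholder: replace with the name of your Automation Account.
$automationAccountName = 'YourAutomationAccountName'

Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

# Service principal that backs the system-assigned managed identity.
$mi = Get-MgServicePrincipal -Filter "DisplayName eq '$automationAccountName'"
if (@($mi).Count -ne 1) {
    throw "Expected exactly one service principal named '$automationAccountName', found $(@($mi).Count)."
}

# Office 365 Exchange Online resource service principal (AppId quoted in the answer above).
$exo = Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"
if (-not $exo) { throw 'Office 365 Exchange Online service principal not found in this tenant.' }

# Look the app role up by name instead of hard-coding its GUID.
$role = $exo.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }
if (-not $role) { throw 'Exchange.ManageAsApp app role not found on the resource.' }

# Grant only if the assignment is missing, so the script is safe to re-run.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Where-Object { $_.ResourceId -eq $exo.Id -and $_.AppRoleId -eq $role.Id }

if ($existing) {
    Write-Output "Exchange.ManageAsApp is already assigned to $($mi.DisplayName)."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $exo.Id -AppRoleId $role.Id | Out-Null
    Write-Output "Assigned Exchange.ManageAsApp to $($mi.DisplayName)."
}

# Review every application permission the identity now holds. Anything beyond
# Exchange.ManageAsApp is more privilege than this runbook needs.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

The final listing is worth keeping in a periodic review: the managed identity is a non-interactive credential, so its app role assignments and role group memberships define everything a compromised or mis-edited runbook could do in the tenant.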

