Based on my research and understanding, you are not doing anything wrong with your script or your certificate setup. The issue simply comes down to a very common misunderstanding around Microsoft's "v2" terminology.
When Microsoft advises using "V2" or newer versions for better security, I am referring to the ExchangeOnlineManagement PowerShell Module itself (which you are correctly using, version 3.9.2). Modern versions of the module are highly secure and operate entirely on modern REST APIs.
However, the specific API Application Permission required in Microsoft Entra ID (formerly Azure AD) to authorize this
If you look closely at your verbose logs, you will see this line: VERBOSE: [ThreadID: #] Successfully got a token from AAD - it means your Certificate-Based Authentication worked flawlessly. Entra ID validated your certificate and handed your script an access token.
However, the next step does not work: ParentContainsErrorRecordException: Module could not be correctly formed. When the Exchange Online server receives your token, it checks your permissions. Because your token contains Exchange.ManageAsAppv2 instead of the exact Exchange.ManageAsApp string it requires, the server refused the connection. Consequently, the PowerShell module was unable to build the cmdlets locally and terminated unexpectedly.
Please update your Entra ID App Registration permissions:
- Navigate to your App Registration in the Microsoft Entra admin center.
- Go to Permission classifications and remove Exchange.ManageAsAppv2.
- Click Add a permission > APIs my organization uses > search for Office 365 Exchange Online > Select Application permissions and check the box for Exchange.ManageAsApp.
- Click Grant admin consent for [Your Organization] and wait 5-10 minutes for the new token claims to replicate across Microsoft's backend and run your script again.
Security Reassurance & Documentation
Please be assured that you are not sacrificing any security by using Exchange.ManageAsApp. By utilizing Certificate-Based Authentication alongside a modern version of the ExchangeOnlineManagement module, you are strictly following Microsoft's current security best practices for unattended App-Only authentication.
For your reference, here is the official Microsoft documentation detailing the exact API permissions required for this setup:
I hope this information helps.
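Added example, not part of the original answer and not Microsoft's code: a PowerShell check that decodes the payload of an app-only access token and reports whether its `roles` claim contains the permission string the answer names. The function names are hypothetical, the sample tokens are constructed inline, and the check assumes application permissions appear in the token's `roles` claim; the signature is not verified because the token is only inspected, not trusted.

```powershell
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop '=' padding; restore both.
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-TokenAppRoles {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three dot-separated parts).' }
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # A token without a roles claim yields an empty list.
    @($payload.roles | Where-Object { $_ })
}

function Test-ExchangeAppRole {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$RequiredRole = 'Exchange.ManageAsApp'   # string taken from the answer above
    )
    $roles = @(Get-TokenAppRoles -AccessToken $AccessToken)
    [pscustomobject]@{
        Roles        = $roles
        RequiredRole = $RequiredRole
        # Exact, case-sensitive element match: 'Exchange.ManageAsAppv2' does not satisfy it.
        HasRole      = $roles -ccontains $RequiredRole
    }
}

# Constructed sample tokens (not real credentials): header.payload.placeholder-signature
function New-SampleToken {
    param([string[]]$Roles)
    $enc = {
        param($obj)
        $json = $obj | ConvertTo-Json -Compress
        [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.{2}' -f (& $enc @{ alg = 'none' }), (& $enc @{ roles = $Roles }), 'constructed-signature'
}

Test-ExchangeAppRole -AccessToken (New-SampleToken -Roles 'Exchange.ManageAsAppv2')
Test-ExchangeAppRole -AccessToken (New-SampleToken -Roles 'Exchange.ManageAsApp')
```

Running the same check against a token issued after admin consent shows whether the new claim has replicated before the script is retried.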