This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 42%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWB%3C/text%3E%3C/svg%3E)
I wrote a script to synchronize distribution group members with a database. I think I set up my Azure AD application properly; it has API permission Exchange.ManageAsApp and role Exchange Administrator.
I'm connecting like Connect-ExchangeOnline -AppId '{}' -CertificateFilePath '{}' -CertificatePassword $cert_pw -Organization '{}'; (with values of course).
Read commands like Get-DistributionGroupMember work fine, but Add-DistributionGroupMember has only a roughly 20% change of succeeding. Usually, it returns errors like:
Source server:DM6PR19MB3113.namprd19.prod.outlook.com doesn't have write permission to target DC:BN6PR04A05DC004.NAMPR04A005.PROD.OUTLOOK.COM. Usually it indicates that target forest isn't an account partition of source forest. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-0315145A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : NotSpecified: (:) [Add-DistributionGroupMember], InsufficientPermissionsException
+ FullyQualifiedErrorId : [Server=DM6PR19MB3113,RequestId=3b2369e5-b050-46e9-abf4-bd3699bb7340,TimeStamp=1/12/2022 11:54:00 PM] [FailureCategory=Cmdlet-InsufficientPermissionsException] 5FC5086C,Microsoft.Exchange.Management.RecipientTasks.AddDistributionGroupMember
+ PSComputerName : outlook.office365.com
What does this mean? If I connect using Connect-ExchangeOnline and my own credentials, it works fine. Is this a misconfiguration within Azure AD itself? Anything I can do to work around it?
The Graph API can't modify distribution groups or mail-enabled security groups, and we're not supposed to connect to EXO V2 with service accounts using Basic auth anymore. Am I up a creek without a paddle?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 93%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Did you ever find a solution for this? I'm experiencing the same issue.
Not a solution, per se, but I found that the commands were succeeding even though they returned errors.
Today I realized that despite this error (and similar errors with Remove-DistributionGroupMember), the actions are actually being committed. I guess I'll just ignore it.
Also worth noting that the error is appearing less frequently. It's more likely to occur near the start of a batch of changes.