This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 0%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
We are migrating our PowerShell scripts away from legacy auth and moving to use a Service principal and Certificate Based Authentication in our unattended PowerShell scripts.
We can successfully connect to Exchange Online and run all of our scripts as we could with legacy authentication. The problem comes when we connect to the Security & Compliance Center PowerShell module. We can connect fine (Connect-IPPSession -appID xxx -certificateThumbprint xxx) but the problem is assigning correct permissions to the Service Principal to enable us to perform Exchange Compliance Searches.
New-ComplianceSearch --> Command completes OK
Start-ComplianceSearch --> Error
New-ComplianceSearchAction --> Error
Unable to execute the task. Reason: Compliance search initialization for "Search Name" failed with exception: Object reference not set to an instance of an object.
I suspect the error is because the Service Principal is not a member of Organization Management, Discovery Manager or Compliance Management in the compliance center. However, unlike the Azure AD Admin roles we cannot add a service prinicpal to the compliance center admin roles.
I added the Service Principal as a Global Admin in Azure AD to test if that would fix but the error continued.
Is there a way to run Start-ComplianceSearch command as a Service Principal in an unattended PowerShell script? Is there an equivalent to this command in Microsoft Graph?
UPDATE: For anyone encountering this, adding Service Principals to custom roles in SCC is now supported via Power Shell. See: https://learn.microsoft.com/en-gb/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#assign-custom-role-groups-to-the-application-using-service-principals
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Have you verified can the command work successfully if using a specific account with right permission? Just like the steps list here: New-ComplianceSearch: how to use the newer version of Search-Mailbox
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
For anyone encountering this, adding Service Principals to custom roles in SCC is now supported via Power Shell. See: https://learn.microsoft.com/en-gb/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#assign-custom-role-groups-to-the-application-using-service-principals