Cannot run set-casmailbox in O365 with App Registration

Dan Chandler-Klein 41 Reputation points
2022-07-28T21:24:16.183+00:00

I am connecting to Exchange Online PowerShell module using App Registration with certificate authentication. I have given it the following permissions:
Exchange.ManageAsApp
full_access_as_app
MailboxSettings.ReadWrite

I am trying to run a script that will use set-casmailbox; however, I am getting the error below. Using this connection I am able to run set-mailbox and get-casmailbox without issue. The issue only occurs on set-casmailbox. Am I missing a permission?

Running command:

Set-CASMailbox -Identity saul.goodman@coldist.com -OWAEnabled $false  

Throws error:

Source server:DM6PR03MB5146.namprd03.prod.outlook.com doesn't have write permission to target   
DC:SN6PR15A01DC004.NAMPR15A001.PROD.OUTLOOK.COM. Usually it indicates that target forest isn't an account partition of   
source forest. Additional information: Insufficient access rights to perform the operation.  
Active directory response: 00002098: SecErr: DSID-03151469, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0  
    + CategoryInfo          : NotSpecified: (:) [Set-CASMailbox], InsufficientPermissionsException  
    + FullyQualifiedErrorId : [Server=DM6PR03MB5146,RequestId=b24f9f24-8209-4d04-bb77-fe7e07a8dc32,TimeStamp=7/28/2022 9:01   
   :20 PM] [FailureCategory=Cmdlet-InsufficientPermissionsException] ED78BADC,Microsoft.Exchange.Management.RecipientTasks    
  .SetCASMailbox  
    + PSComputerName        : outlook.office365.com  
Microsoft Exchange Online

Accepted answer
  1. Andy David - MVP 147.5K Reputation points MVP
    2022-08-09T17:07:08.653+00:00

    For the org, make sure it's the onmicrosoft.com domain, not a custom domain.

    Example:

    Connect-ExchangeOnline -CertificateThumbPrint 'xxxxxx' -AppID 'xxxxxx' -Organization 'contoso.onmicrosoft.com'
    

    https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

    1 person found this answer helpful.
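
The following is an added example, not code from the question or the accepted answer: a wrapper that rejects a custom domain in -Organization before connecting, checks the certificate, then runs the Set-CASMailbox change from the question and reads it back. The function name, its parameters, the placeholder values and the certificate store location (Cert:\CurrentUser\My) are assumptions.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example; Disable-OwaAppOnly is a hypothetical helper name.
function Disable-OwaAppOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint,
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [string] $Mailbox
    )

    # Point of the accepted answer: -Organization must be the tenant's
    # onmicrosoft.com domain, not a custom domain.
    if ($Organization -notlike '*.onmicrosoft.com') {
        throw "Organization '$Organization' is not an onmicrosoft.com domain."
    }

    # Assumption: the app's certificate is installed in the current user's store.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object Thumbprint -eq $CertificateThumbprint
    if (-not $cert) { throw 'Certificate not found in Cert:\CurrentUser\My.' }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertificateThumbprint `
        -Organization $Organization -ShowBanner:$false
    try {
        # Stop on error so a permissions failure is not silently skipped.
        Set-CASMailbox -Identity $Mailbox -OWAEnabled $false -ErrorAction Stop

        # Read the setting back; warn rather than fail, since the read may lag the write.
        $result = Get-CASMailbox -Identity $Mailbox
        if ($result.OWAEnabled) { Write-Warning "OWAEnabled still reads true for $Mailbox." }
        $result | Select-Object Identity, OWAEnabled
    }
    finally {
        # Always release the session, even when the cmdlet throws.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage with placeholder values:
# Disable-OwaAppOnly -AppId '<app-id>' -CertificateThumbprint '<thumbprint>' `
#     -Organization 'contoso.onmicrosoft.com' -Mailbox 'user@contoso.com'
```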

2 additional answers

  1. Andy David - MVP 147.5K Reputation points MVP
    2022-07-28T22:03:44.267+00:00

    What AD Roles did you assign the app?
    https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-azure-ad-roles-to-the-application

    Note: Only Exchange.ManageAsApp is relevant for the ExO app api perms


  2. Andy David - MVP 147.5K Reputation points MVP
    2022-08-05T10:55:21.52+00:00

    Just tested and it works for me.
    Do you support multiple tenants?

