This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 34%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
I am connecting to Exchange Online PowerShell module using App Registration with certificate authentication. I have given it the following permissions:
Exchange.ManageAsApp
full_access_as_app
MailboxSettings.ReadWrite
I am trying to run a script that will use set-casmailbox however I am getting the below error. Using this connection I am able to run set-mailbox and get-casmailbox without issue. The issue only occurs on set-casmailbox. Am I missing a permission?
Running command:
Set-CASMailbox -Identity saul.goodman@coldist.com -OWAEnabled $false
Throws error:
Source server:DM6PR03MB5146.namprd03.prod.outlook.com doesn't have write permission to target
DC:SN6PR15A01DC004.NAMPR15A001.PROD.OUTLOOK.COM. Usually it indicates that target forest isn't an account partition of
source forest. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03151469, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : NotSpecified: (:) [Set-CASMailbox], InsufficientPermissionsException
+ FullyQualifiedErrorId : [Server=DM6PR03MB5146,RequestId=b24f9f24-8209-4d04-bb77-fe7e07a8dc32,TimeStamp=7/28/2022 9:01
:20 PM] [FailureCategory=Cmdlet-InsufficientPermissionsException] ED78BADC,Microsoft.Exchange.Management.RecipientTasks
.SetCASMailbox
+ PSComputerName : outlook.office365.com
for the org, make sure its the onmicrosoft.com domain, not a custom domain
Example:
Connect-ExchangeOnline -CertificateThumbPrint 'xxxxxx' -AppID 'xxxxxx' -Organization 'contoso.onmicrosoft.com
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
That was it! Once I changed the -organization flag from "contoso.com" to "contoso.onmicrosoft.com" it worked flawlessly. Thank you for your help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 79%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
Had the same issue but with the New-TransportRule command. I was signing in using the customer tenant GUID for -DelegatedOrganization. Swapping to *.onmicrosoft.com solved the issue.
What AD Roles did you assign the ap?
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-azure-ad-roles-to-the-application
Note: Only Exchange.ManageAsApp is relevant for the ExO app api perms
It is an Exchange Administrator
Dumb question: Does the command actually work despite the error?
Unfortunately not, OWA is still enabled for the user.
let me test this out
I appreciate your assistance on this! Were you able to find anything?
Just tested and it works for me.
Do you support multiple tenants?
Hmmm, weird. No, we do not support multiple tenants. Maybe I'm missing something in my connection command? I'm using this:
Connect-ExchangeOnline -CertificateThumbPrint 'xxxxxx' -AppID 'xxxxxx' -Organization 'ourorgdomain.com'