question

2 Votes
HansHedman-1604 asked AnfinsenPeteM-1447 commented

Set-UserPhoto doesn't work with CBA flow in EXO V2 module

We have an Exchange hybrid organisation where all users are migrated to Exchange online. I have been using a script to update user photos in the local AD but because of the limitations with Azure AD Connect, I'd like to script the upload of photos to Exchange Online.

Since basic authentication isn't going to be supported for much longer I'd like to use modern authentication using the Exchange Online PowerShell V2 module that supports MFA and app-only authentication.

I have followed the guide on Docs on how to register an App in Azure AD and to be sure that there isn't a rights issue I have given the App the role of Global Administrator.

But I get an error message when trying to set the user photo.
These are the commands I use (sensitive data replaced with xxx):

 Connect-ExchangeOnline -CertificateThumbPrint "xxxxxx" -AppID "xxx-xxx-xxx-xxx-xxxx" -Organization "myorg.onmicrosoft.com" -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS
 Set-UserPhoto -Identity hanstest -PictureData ([System.IO.File]::ReadAllBytes("C:\Install\be2.jpg")) -Confirm:$false

Which results in the following response:

 Error on proxy command 'Set-UserPhoto -Identity:'hanstest' -PictureData:'255','216' ... ,'217' -Confirm:$False' to server AM6PR05MB5523.eurprd05.prod.outlook.com: Server version 15.20.3370.0000, Proxy method RPS:
 Connecting to remote server am6pr05mb5523.eurprd05.prod.outlook.com failed with the following error message : ば鸣˅ For more information, see the about_Remote_Troubleshooting Help topic. [Server=DB8PR05MB6745,RequestId=311495a1-a0c5-4e8e-ba54-b8e539667afb,TimeStamp=2020-09-17 10:08:53] .
     + CategoryInfo          : NotSpecified: (:) [Set-UserPhoto], CmdletProxyException
     + FullyQualifiedErrorId : [Server=DB8PR05MB6745,RequestId=311495a1-a0c5-4e8e-ba54-b8e539667afb,TimeStamp=2020-09-17 10:08:53] [FailureCategory=Cmdlet-CmdletProxyException] B833102,Microsoft.Exchange.Management.RecipientTasks.SetUserPhoto
     + PSComputerName        : outlook.office365.com


To confirm that there's nothing wrong with the actual photo and command syntax I have tried with basic authentication and that works. Here are the commands I use for that:

 $Credential = Get-Credential
 $ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $Credential -Authentication Basic -AllowRedirection
 Import-PSSession $ExSession
 Set-UserPhoto -Identity hanstest -PictureData ([System.IO.File]::ReadAllBytes("C:\Install\be2.jpg")) -Confirm:$false

Assistance on how to make it work with the EXO V2 module would be most welcome. Thanks.
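An added example, not from any post in this thread: the daily photo-upload loop several posters describe, with the module logging suggested later in the thread and bounded retries, so each failure is recorded with its server-side RequestId instead of aborting the run. The folder, log path, thumbprint, AppId, tenant and the alias-as-filename convention are all placeholders and assumptions.

```powershell
# Added example (not from the thread). Batch photo upload over an app-only
# (CBA) connection with module error logging and bounded retries.
# Assumptions (all placeholders): photos live in $PhotoDir and are named
# <mailbox alias>.jpg; thumbprint, AppId and tenant are your own.
param(
    [string]$PhotoDir    = 'C:\HRPhotos',
    [string]$LogDir      = 'C:\ExoLogs',
    [string]$Thumbprint  = 'xxxxxx',
    [string]$AppId       = 'xxx-xxx-xxx-xxx-xxxx',
    [string]$Org         = 'myorg.onmicrosoft.com',
    [int]   $MaxAttempts = 3
)

# -EnableErrorReporting writes the module's own log, so every failure keeps
# the RequestId that a bug report to the Exchange team needs.
Connect-ExchangeOnline -CertificateThumbprint $Thumbprint -AppId $AppId `
    -Organization $Org -EnableErrorReporting -LogDirectoryPath $LogDir -LogLevel All

$report = foreach ($file in Get-ChildItem -Path $PhotoDir -Filter '*.jpg') {
    $alias  = $file.BaseName
    $bytes  = [System.IO.File]::ReadAllBytes($file.FullName)
    $status = 'Failed'; $detail = $null

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Set-UserPhoto -Identity $alias -PictureData $bytes -Confirm:$false -ErrorAction Stop
            $status = 'Updated'; break
        }
        catch {
            $msg = $_.Exception.Message
            # Keep only the RequestId from the proxy error text; the full
            # message is already in the module log.
            $detail = if ($msg -match 'RequestId=([0-9a-f-]+)') { $Matches[1] } else { $msg }
            # A CmdletProxyException under CBA is the hard failure this thread
            # is about; retrying only helps transient server errors.
            if ($_.FullyQualifiedErrorId -like '*CmdletProxyException*') { break }
            Start-Sleep -Seconds (5 * $attempt)
        }
    }
    [pscustomobject]@{
        User     = $alias
        Status   = $status
        Detail   = $detail
        Attempts = [math]::Min($attempt, $MaxAttempts)
    }
}

$report | Export-Csv -Path (Join-Path $LogDir 'photo-upload-report.csv') -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```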

office-exchange-online-itpro

Try it without the ConnectionUri switch. You actually don't need to set that; it's the default.

0 Votes 0 ·

I have tried without but the result is the same.

0 Votes 0 ·
0 Votes
AndyDavid answered AndyDavid edited

Ok, I can reproduce this. Looks like a bug.

I would enable logging:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#report-bugs-and-issues-for-the-exo-v2-module

 Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath <Path to store log file> -LogLevel All

Then submit a bug report to:

 exocmdletpreview@service.microsoft.com


I submitted exactly the same issue on 9/17 14:30 CDT! Great timing!

0 Votes 0 ·

Awesome. If you could, please close this up and mark any answer as accepted etc.... Thanks!

0 Votes 0 ·

@HansHedman-1604
Does the above suggestion help? If so, please feel free to mark it as an answer to help more people.

0 Votes 0 ·
0 Votes
NavinGupta-7605 answered NatePope-7996 commented

Hi

Set-UserPhoto cmdlet uses a unique authentication method internally during server to server calls. This method is currently not supported in Certificate Based Authentication flows. Only Set-UserPhoto is one such cmdlet not supported in CBA ( https://aka.ms/exov2-cba )

Can we update the title to "Set-UserPhoto doesn't work with CBA flow in EXO V2 module".

We believe setting user photos may not be a high-frequency automation scenario. Can you explain more about the use case and why you need to do it with unattended scripting on a regular basis?
That will help us prioritize.

Regards
Navin
Exchange Online Team


Set-UserPhoto is very much a high-frequency automation scenario for us.
Either the AD -> AD Connect -> Azure AD -> EXO sync needs to support pictures larger than 10 KB, or this needs to work with modern auth.

Not being able to automate employee picture uploads when legacy auth is disabled is a blocker for disabling legacy auth.

We need it to be able to keep up with new hires and new pictures taken. We probably need to update a few hundred pictures every month.

1 Vote 1 ·

I found another commandlet that doesn't support CBA (3 days of banging my head)...
New-UnifiedGroup

The lack of CBA is prohibiting me from doing many things that I'm trying to automate.

CBA should be allowed across all the commandlets, and treated as a standard form of authentication.

0 Votes 0 ·

Hey @NatePope-7996

Thank you for sharing your issue. Can you share the complete script you are using to invoke New-UnifiedGroup in CBA?

The exact parameters of New-UnifiedGroup as well as the connection string will help.
0 Votes 0 ·

 Connect-ExchangeOnline -CertificateThumbPrint "XXXXXXXX" -AppID "XXXXXXX" -Organization "ORG.onmicrosoft.com"

Params for New-UnifiedGroup:

 $GroupParams = @{
     AccessType                         = $AccessType
     Alias                              = $Name
     DisplayName                        = $Name
     EmailAddresses                     = "$EmailAddress"
     Name                               = $Name
     Notes                              = $Description
     RequireSenderAuthenticationEnabled = $true
 }

Splat parameters to the cmdlet:

 $newGroup = New-UnifiedGroup @GroupParams


0 Votes 0 ·
1 Vote
AnfinsenPeteM-1447 answered

Our automation scenario involves setting a photo for employees and contractors. When staff begin working, a photo for their badge is taken. It is named using a convention, and a daily process executes to associate the new badge photo with their Azure AD account and mailbox. In a company with tens of thousands of staff, having hundreds of staff changes each week, automation keeps administrative costs down.

The workaround is to create a cloud-only account. However, this account needs Exchange.ManageAsApp, effectively making the account an Exchange administrator. Security dictates that this account utilize MFA, and rightly so. Thus, the workaround is not a good long-term solution.


1 Vote
HansHedman-1604 answered

OK, title has been updated.
Our situation is the same as Pete's. The HR departments supply photos in a folder and a script updates each user. Since basic authentication is to be deprecated soon, it is essential that this works with certificate-based authentication.


0 Votes
NatePope-7996 answered AnfinsenPeteM-1447 commented

I wish I had found this much earlier... Spent too much time trying to automate this exact problem of HR updating photos and needing the new photos to be uploaded to Azure.
How do we get Set-UserPhoto to support CBA? @NavinGupta-7605


At this time AFAIK, there is no answer. We worked around the deficiency by creating a cloud-only account with Exchange-ManageAsApp (not sure I have the name of that permission correct), giving it a 32 character complex password and paying off the security group. Works like a charm. My process is updating 25k photos, has been running for 16 days and is 70% done, and now has built-in support for more than a dozen transient and retryable errors. It has crashed, been improved and restarted over 25 times during that time. There is a LOT to account for in a production-ready process.

0 Votes 0 ·
2 Votes
NavinGupta-7605 answered

Hi everyone

Support for Set-UserPhoto in CBA is a big DCR which we are currently investigating.
At this point, we don't have a clear ETA on when this cmdlet will be supported in CBA.


2 Votes
VinLatus answered

I have a similar scenario with Set-UserPhoto and would love to see it supported. Thanks.


0 Votes
MelloJohn-7335 answered

My company also relies on a daily automation to keep user photos in sync with our HR system. As we are migrating all our Exchange-related PowerShell scripts to the new module and certificate-based automation, it was disappointing to discover that these cmdlets were not available.


0 Votes
EscamillaJeffe-2555 answered

Add me to this list too. We are trying to update our automated process, which can process up to 10-15 pictures per day, and now they're all broken. Microsoft, this is definitely a "high frequency automation scenario" and needs to be addressed.


0 Votes
AnfinsenPeteM-1447 answered

Ours is an organization of about 30K users; we averaged about 23 a day over the last week. Our cloud-only account workaround is a life-saver.
