Connect-ExchangeOnline - Unauthorized
Oh yeah, that's right. Now one step further. I'm getting this error upon connecting:
```
Connect-ExchangeOnline -CertificateThumbprint $thumbprint -AppId $appId -ShowBanner:$false -Organization $tenant -Verbose
VERBOSE: Returning precomputed version info: 3.4.0
VERBOSE: ModuleVersion: 3.4.0
VERBOSE: [ThreadID: #] Trying to get a new token from AAD
VERBOSE: [ThreadID: #] Trying to acquire token based on UI flow
VERBOSE: [ThreadID: #] Successfully acquired new token for Cert based flow.
VERBOSE: [ThreadID: #] Successfully got a token from AAD
VERBOSE: ConnectionContext Removed
OperationStopped: The role assigned to application 6eb9890f-dbeb-4e6d-b2fb-2e4c698fa7c0 isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD Application for EXO App-Only Authentication.
```
If the cert was wrong, i.e. no match between the Windows and Azure cert stores, the error would read:
Do you have an idea? Thank you.
- VasilMichev, Aug 20, 2024, MVP
You need to assign a role such as Exchange Admin or Exchange Recipient admin, the next step in the documentation...
- colonel_claypoo, Aug 22, 2024, Iron Contributor
VasilMichev Couldn't find the role in Entra. The only way to assign the role was through this PowerShell and not what is in the documentation. Here it is for future use in case anyone stumbles over it here:
```powershell
# Connect to Azure AD if not already connected
Connect-AzureAD

# Get the service principal for Exchange Online
$exchangeServicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"

# Find the Exchange.ManageAsApp role
$appRole = $exchangeServicePrincipal.AppRoles | Where-Object {$_.Value -eq "Exchange.ManageAsApp"}

# Get your application's service principal
$servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq ''"

# Assign the role to your application
New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $exchangeServicePrincipal.ObjectId -Id $appRole.Id
```
Thanks for your help.
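
The thread mentions two separate assignments for the app: a directory role such as Exchange Admin (VasilMichev's reply) and the Exchange.ManageAsApp app role (the PowerShell above). The following read-only check reports both for a given application; it is an added example, not part of either post, and it assumes the Microsoft Graph PowerShell SDK is installed. The function name `Test-ExoAppOnlyPrereqs` and its output property names are hypothetical.

```powershell
# Added example (not from the thread). Read-only: reports assignments, changes nothing.
# Assumes the Microsoft Graph PowerShell SDK; the function name is hypothetical.
function Test-ExoAppOnlyPrereqs {
    param(
        [Parameter(Mandatory)][string]$AppId   # client ID of your own app registration
    )

    $exoAppId       = '00000002-0000-0ff1-ce00-000000000000'  # Exchange Online, as used in the thread
    $wantedAppRole  = 'Exchange.ManageAsApp'
    $wantedDirRoles = 'Exchange Administrator', 'Exchange Recipient Administrator'

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for AppId $AppId" }
    $exo = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"

    # 1) App role (API permission) granted on the Exchange Online service principal
    $roleDef = $exo.AppRoles | Where-Object Value -eq $wantedAppRole
    $appRoleHit = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $exo.Id -and $_.AppRoleId -eq $roleDef.Id }

    # 2) Directory roles held by the app's service principal
    $dirRoles = @(
        Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All |
            ForEach-Object {
                (Get-MgRoleManagementDirectoryRoleDefinition `
                    -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
            }
    )

    [pscustomobject]@{
        ServicePrincipalId  = $sp.Id
        HasManageAsApp      = [bool]$appRoleHit
        ExchangeDirRoles    = @($dirRoles | Where-Object { $_ -in $wantedDirRoles })
        # Anything listed here is privilege beyond what the thread discusses; review it.
        OtherDirectoryRoles = @($dirRoles | Where-Object { $_ -notin $wantedDirRoles })
    }
}

# Usage: sign in with read-only scopes, then pass your app's client ID (placeholder below).
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'
Test-ExoAppOnlyPrereqs -AppId '<your-app-client-id>'
```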