Forum Discussion

Ihor_Piontkovskyi's avatar
Ihor_Piontkovskyi
Copper Contributor
May 28, 2024

Cant call 'Get-SecOpsOverridePolicy' after successfully authentication to Exchange online

I have the following issue after my code has been working without issues for a long time in production. Nothing new has been installed lately.

After successfully connecting to Exchange Online using PowerShell and trying to get the SecOpsOverridePolicy.

Get-SecOpsOverridePolicy -Identity "SecOpsOverridePolicy"

I get the following error.

Get-SecOpsOverridePolicy: The term 'Get-SecOpsOverridePolicy' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I connect to the system using (as admin) as follows

$connData = @{
            ConnectionUri = "https://ps.compliance.protection.outlook.com/PowerShell-LiveId"
            AzureADAuthorizationEndpointUri = "https://login.microsoftonline.com/organizations"
            AccessToken = "SECRET123"
            Organization = "myorg.onmicrosoft.com"
        }

Connect-ExchangeOnline @connData 

What puzzles me is that I can see that ExchangeOnlineManagement (tried both version 3.4.0 and 3.5.0) doesn't include the cmdlet above

 Get-Command -Module ExchangeOnlineManagement      

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Connect-ExchangeOnline                             3.5.0      ExchangeOnlineManagement
Function        Connect-IPPSSession                                3.5.0      ExchangeOnlineManagement
Function        Disconnect-ExchangeOnline                          3.5.0      ExchangeOnlineManagement
Function        Get-WrappedCommand                                 3.5.0      ExchangeOnlineManagement
Function        IsCloudShellEnvironment                            3.5.0      ExchangeOnlineManagement
Function        UpdateImplicitRemotingHandler                      3.5.0      ExchangeOnlineManagement
Cmdlet          Add-VivaModuleFeaturePolicy                        3.5.0      ExchangeOnlineManagement
Cmdlet          Get-ConnectionInformation                          3.5.0      ExchangeOnlineManagement
Cmdlet          Get-DefaultTenantBriefingConfig                    3.5.0      ExchangeOnlineManagement
Cmdlet          Get-DefaultTenantMyAnalyticsFeatureConfig          3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXOCasMailbox                                  3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXOMailbox                                     3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXOMailboxFolderPermission                     3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXOMailboxFolderStatistics                     3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXOMailboxPermission                           3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXOMailboxStatistics                           3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXOMobileDeviceStatistics                      3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXORecipient                                   3.5.0      ExchangeOnlineManagement
Cmdlet          Get-EXORecipientPermission                         3.5.0      ExchangeOnlineManagement
Cmdlet          Get-MyAnalyticsFeatureConfig                       3.5.0      ExchangeOnlineManagement
Cmdlet          Get-UserBriefingConfig                             3.5.0      ExchangeOnlineManagement
Cmdlet          Get-VivaFeatureCategory                            3.5.0      ExchangeOnlineManagement
Cmdlet          Get-VivaInsightsSettings                           3.5.0      ExchangeOnlineManagement
Cmdlet          Get-VivaModuleFeature                              3.5.0      ExchangeOnlineManagement
Cmdlet          Get-VivaModuleFeatureEnablement                    3.5.0      ExchangeOnlineManagement
Cmdlet          Get-VivaModuleFeaturePolicy                        3.5.0      ExchangeOnlineManagement
Cmdlet          Remove-VivaModuleFeaturePolicy                     3.5.0      ExchangeOnlineManagement
Cmdlet          Set-DefaultTenantBriefingConfig                    3.5.0      ExchangeOnlineManagement
Cmdlet          Set-DefaultTenantMyAnalyticsFeatureConfig          3.5.0      ExchangeOnlineManagement
Cmdlet          Set-MyAnalyticsFeatureConfig                       3.5.0      ExchangeOnlineManagement
Cmdlet          Set-UserBriefingConfig                             3.5.0      ExchangeOnlineManagement
Cmdlet          Set-VivaInsightsSettings                           3.5.0      ExchangeOnlineManagement
Cmdlet          Update-VivaModuleFeaturePolicy                     3.5.0      ExchangeOnlineManagement

Environment info:

PSVersion: [7.4.1]
PSEdition: [Core]
OS: [Amazon Linux 2023.3.20240304]
Platform: [Unix]
PSRemotingProtocolVersion: [2.3]
SerializationVersion: [1.1.0.1]
ExchangeOnlineManagement: [3.4.0]

I made sure that application against which token has been issued has Security Administrator & Exchange Administrator assignments as well as Exchange.ManageAsApp permission.
I also double-checked that ExchangePowerShell module is installed.

Install-Module -Name ExchangePowerShell -Scope CurrentUser -Force

Get-Module -ListAvailable                                

    Directory: /Users/hraman/.local/share/powershell/Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
...
Script     3.5.0                 ExchangeOnlineManagement            Desk      {Add-VivaModuleFeaturePolicy, Get-ConnectionInformation, Get-DefaultTenantBriefingConfig, Get-DefaultTenantMyAnalyti…
Script     3.4.0                 ExchangeOnlineManagement            Desk      {Add-VivaModuleFeaturePolicy, Get-ConnectionInformation, Get-DefaultTenantBriefingConfig, Get-DefaultTenantMyAnalyti…
Script     0.11.0                ExchangePowerShell                  Desk      {Clear-EPAutoMapping, Clear-EPExchangeLogs, Convert-EPIMCEAEXtoX500, Get-EPMaintenanceMode…}

Get-Command -Module ExchangePowerShell
  • Ihor_Piontkovskyi 

    You can use Get-ManagementRole to view the required roles for a certain cmdlet. Here's my output:

     

    C:\Users\HarmVeenstra> Get-ManagementRole -Cmdlet Get-SecOpsOverridePolicy
    
    Name                       RoleType
    ----                       --------
    Organization Configuration OrganizationConfiguration
    Security Admin             SecurityAdmin
    Security Reader            SecurityReader
    View-Only Configuration    ViewOnlyConfiguration
    • Ihor_Piontkovskyi's avatar
      Ihor_Piontkovskyi
      Copper Contributor

      Harm_Veenstra 

      Thank you for your response.

      As I mentioned in the question I ensured that the application for which the token has been issued possesses both Security Administrator and Exchange Administrator assignments, along with Exchange.ManageAsApp permission.
      In this scenario, Exchange Administrator is encompassed within the Organization Management role group. Thus, technically, my application holds sufficient permissions to execute that cmdlet.

      • Harm_Veenstra's avatar
        Harm_Veenstra
        MVP
        I created a new App Registration and assigned Exchange.ManageAsApp, together with the Exchange Administrator and Security Admin Role. I connected using certificate-based authentication and was able to use Get-SecOpsOverridePolicy.

        Just to be sure, did you do Grant Admin Consent for your tenant in the API permissions blade?

Resources