exchange online
2918 Topics

403 error sending email in Exchange online using Graph API
I am implementing an Azure Function App to notify logged in users before their Azure virtual machine is shut down. (Github repository is here GitHub - fortytwoservices/AVD-Shutdown: A script for use with the shutdown webhook, running in a functionApp.) I have the function app partially working up to the point of sending the e-mail. It gets the list of host pools and logged in users in the host pool. It obtains the Graph API access token as well. When the https://graph.microsoft.com/v1.0/users/$([mailsender])/sendMail executes it returns a 403 (Forbidden). I am using the application id security and not delegated security. Here are the setup specifics:
- The app has User.ReadBasic.All
- The service principal is set up in Exchange
- I set up a management scope to restrict sending to this one mailbox
- And assigned the role to the service principal
I am obviously missing something here. Any pointers would be appreciated. Eric
66 Views, 0 likes, 4 Comments

Inbound Sensitive Information
Hello All, We currently have some DLP policies to restrict Financial Data, HIPAA, and PII data from leaving our org. However, is there a way to restrict this type of sensitive data from being sent into the org? For example, an external address sends some sensitive data to a specific mailbox. Can a DLP policy be created to block that data from reaching a specific mailbox and reply back the email was blocked due to the content? Thanks for any info!
Solved, 435 Views, 0 likes, 5 Comments

iPhone Unable to Add 365 Account After Password Change – Hybrid Exchange
Hi all, We have an Exchange Hybrid setup. All mailboxes are hosted in Exchange Online, and our on-prem Exchange server is only used for SMTP relay (e.g., for MFPs). One of our users is currently unable to add their account to their iPhone. It was working fine until a few days ago. The issue started right after the user changed their password. Since then, the Outlook app or Office apps on the iPhone don't accept the user's credentials. However, everything works perfectly fine on their PC and even on another test iPhone using the same credentials. It validates the credentials but then throws a generic error after entering credentials. What we’ve tried so far:
- Resetting the user’s MFA settings
- Resetting the password again
- Excluding the user from MFA temporarily
- Factory resetting the iPhone
Despite all that, the issue persists. Since the account works on a different iPhone, and even a full reset didn’t resolve it on the affected device, I’m at a bit of a loss. Has anyone encountered this or have any ideas? Any suggestions would be much appreciated. Thanks in advance!
57 Views, 0 likes, 1 Comment

Can't connect with GDAP using ExchangeOnlineManagement 3.7.0/3.8.0, but 3.6.0 works
Since upgrading to ExchangeOnlineManagement version 3.7.0, I've been unable to connect to any of my clients using GDAP. I thought I'd try upgrading to 3.8.0, but I still get the same error:

PS C:\Users\username> connect-exchangeonline -userprincipalname email address removed for privacy reasons -DelegatedOrganization contoso.com
----------------------------------------------------------------------------------------
This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure.
Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets.
V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently.
REST backed EOP and SCC cmdlets are also available in the V3 module. Similar to EXO, the cmdlets can be run without WinRM basic auth enabled.
For more information check https://aka.ms/exov3-module
Starting with EXO V3.7, use the LoadCmdletHelp parameter alongside Connect-ExchangeOnline to access the Get-Help cmdlet, as it will not be loaded by default
----------------------------------------------------------------------------------------
The role assigned to user email address removed for privacy reasons isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to User.
At C:\Users\username\OneDrive - MSP\Documents\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.7.2\netFramework\ExchangeOnlineManagement.psm1:758 char:21
+ throw $_.Exception;
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], SystemException
+ FullyQualifiedErrorId : The role assigned to user email address removed for privacy reasons isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to User.

You'd think there'd be something wrong with my GDAP permissions, but there doesn't appear to be. I can do anything via the Microsoft 365 Admin Center. Plus, most notably, if I manually load ExchangeOnlineManagement 3.6.0, everything works perfectly. I'm running Windows 11, and this behavior is reproducible on Windows PowerShell 5.1 as well as my preferred PowerShell 7.5.2. How can I troubleshoot this?
28 Views, 0 likes, 1 Comment

Exchange Online Best Practices
From an EMM / MDM perspective and on premise Exchange we would have a Secure Email Gateway (SEG) as a protection layer for email from devices. With O365 migrations is there an equivalent SEG to protect email access only from managed devices for example? And secondly, are gateways as relevant nowadays and should we instead look at 2fa, Purview and Conditional Access signal related stuff? Any best practices and complete answers I am very grateful for. TIA.
371 Views, 0 likes, 1 Comment