
I've been trying to create a new Azure Function (PowerShell) which uses managed identity to connect to our Exchange Online environment.

So as far as I can make out from the documentation I need to use the EXO v3, which I'm doing, and use the following command to set up the connection:

```powershell
Connect-ExchangeOnline -ManagedIdentity -Organization < tenantname >
```

If I execute my function, it throws an exception:

```
Exception             :
    Type       : System.UnauthorizedAccessException
    TargetSite :
        Name          : CheckResponseHeadersAndGetNewTokenIfNeeded
        DeclaringType : Microsoft.Exchange.Management.ExoPowershellSnapin.NewEXOModule
        MemberType    : Method
        Module        : Microsoft.Exchange.Management.ExoPowershellGalleryModule.dll
    Message    : UnAuthorized
    Source     : Microsoft.Exchange.Management.ExoPowershellGalleryModule
    HResult    : -2147024891
    StackTrace :
        at Microsoft.Exchange.Management.ExoPowershellSnapin.NewEXOModule.CheckResponseHeadersAndGetNewTokenIfNeeded(ITokenProvider tokenProvider, HttpResponseHeaders responseHeaders, String errorMessage, String cmdletId, TokenInformation& authHeader, Boolean& isRetryHappening)
        at Microsoft.Exchange.Management.ExoPowershellSnapin.NewEXOModule.ProcessRecord()
        at System.Management.Automation.Cmdlet.DoProcessRecord()
        at System.Management.Automation.CommandProcessor.ProcessRecord()
```

So I'm guessing the system assigned identity doesn't have the right permissions to access exchange. But I don't seem to be able to figure out how to add these permissions.

Strwase

  • Did you check to assign the app role as described in [these docs](https://learn.microsoft.com/en-us/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps#step-4-grant-the-exchangemanageasapp-api-permission-for-the-managed-identity-to-call-exchange-online)? – Roderick Bant Jan 19 '23 at 12:50
  • Yes, I've added the managed identity to the Exchange.ManageAsApp API and the Exchange Administrator role by executing the PowerShell commands `New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID -AppRoleId $AppRoleID -ResourceId $ResourceID` and `New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $MI_ID -RoleDefinitionId $RoleID -DirectoryScopeId "/"` as mentioned. – Strwase Jan 19 '23 at 21:36

2 Answers

The system assigned identity doesn't have the right permissions to access exchange. But I don't seem to be able to figure out how to add these permissions:

After adding the role assignments, you must provide directory permissions from Microsoft Graph by visiting path in Portal:

Azure Active Directory -> App Registrations -> API Permissions -> Microsoft Graph API -> Application Permissions -> Add a Permission


Set Azure AD roles and a function app to the managed identity:

Navigate to Azure Active Directory -> Roles and Administrators -> Browse for "Exchange Administrator", and then Add a permission for the appropriate user/service principal. You must assign the exchange admin role as described in order to connect to the exchange online PowerShell module from Azure resources.


Note:

  1. Make sure that the Function App -> Function (PowerShell core) has system assigned managed identity enabled.
  2. Add the EXOv3 module in requirements.psd1 under Function App -> Functions -> App Files with the installed version: `'exchangeonline' = '3.*'`

Check the latest version releases in Powershell gallery.

Reference: Exchange online Powershell, MSDoc

Jahnavi
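Scripted form of the two grants that the answer above and the comment on the question describe (the Exchange.ManageAsApp app role plus the Exchange Administrator directory role), followed by a read-back of what the identity actually holds so the grant can be reviewed for least privilege. This is an added example, not code from the question or the answers; the managed identity object ID is a placeholder, and the well-known appId of the "Office 365 Exchange Online" service principal is assumed rather than taken from the page.

```powershell
# Added example: grant and verify the assignments the thread describes.
# Assumptions: Microsoft.Graph modules are installed and the caller may assign
# app roles and directory roles. $MI_ID is a placeholder for the object ID of the
# Function App's system-assigned managed identity.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.Governance

$MI_ID = '<object-id-of-function-app-managed-identity>'   # placeholder

Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# 1. Exchange.ManageAsApp is an app role on the "Office 365 Exchange Online"
#    service principal (well-known appId 00000002-0000-0ff1-ce00-000000000000).
$exoSp   = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$appRole = $exoSp.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }

$hasAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $exoSp.Id }
if (-not $hasAppRole) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID `
        -AppRoleId $appRole.Id -ResourceId $exoSp.Id | Out-Null
}

# 2. Exchange Administrator directory role, scoped to the whole tenant ("/").
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
$hasRole = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$MI_ID'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }
if (-not $hasRole) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $MI_ID `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null
}

# 3. Read back every app role and directory role the identity now holds, so a
#    reviewer can confirm that only these two were granted.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID
$dirRoles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$MI_ID'"
[pscustomobject]@{
    ManagedIdentity       = $MI_ID
    ExchangeManageAsApp   = [bool]($appRoles | Where-Object { $_.AppRoleId -eq $appRole.Id })
    ExchangeAdministrator = [bool]($dirRoles | Where-Object { $_.RoleDefinitionId -eq $roleDef.Id })
    TotalAppRoles         = @($appRoles).Count
    TotalDirectoryRoles   = @($dirRoles).Count
}
```

Both Get-* calls are idempotent, so the script can be re-run after the Function App is deployed to confirm the identity still has exactly the intended assignments.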

I could finally get rid of this issue by using EXO-PSModule v3.1.0 instead of v3.2.0...