Exchange Online with Azure Managed Identity?

Has anyone managed to get the ExchangeOnlineManagement module to work in PSU using an Azure managed identity?

I’ve got PSU hosted in an Azure web app that is its own managed identity. I can successfully connect to Azure and Graph, but Connect-ExchangeOnline -ManagedIdentity -Organization <myorg> is throwing this error:

[error] The role assigned to application isn’t supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD Application for EXO App-Only Authentication.

My managed identity has the “Exchange.ManageAsApp” permission, and I’ve gone into the “roles” part of the Azure portal and added my PSU app to the “Exchange Administrator” role. I don’t know what else to try.


Product: PowerShell Universal
Version: 3.7.13

Figured it out!

Turns out you need to create a service principal in Exchange Online to match your Azure service principal. We found a couple of obscure blog posts mentioning it but the official documentation does not mention it.

The command we used was:

```powershell
$ServicePrincipalDetails = Get-AzureADServicePrincipal -SearchString 'wiot-psu'

New-ServicePrincipal -AppId $ServicePrincipalDetails.AppId -ServiceId $ServicePrincipalDetails.ObjectId -DisplayName "Service Principal $($ServicePrincipalDetails.Displayname)"
```

… and then we had to add the required management roles to the newly-created service principal.
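The procedure described in the post above, written out as an added example (not the poster's own script). It assumes an existing `Connect-AzureAD` session and a `Connect-ExchangeOnline` session opened by an Exchange admin; the role group name is an illustrative choice, not something stated in the thread.

```powershell
# Added example. Assumes Connect-AzureAD and Connect-ExchangeOnline have
# already been run interactively by an Exchange admin.
$IdentityName = 'wiot-psu'                           # display name used in the post
$RoleGroup    = 'View-Only Organization Management'  # assumption: substitute the narrowest role group your scripts need

# 1. Resolve the Azure AD service principal behind the managed identity.
#    -SearchString matches on name prefix, so insist on exactly one exact match
#    before granting anything to the AppId that comes back.
$aad = @(Get-AzureADServicePrincipal -SearchString $IdentityName |
    Where-Object { $_.DisplayName -eq $IdentityName })
if ($aad.Count -ne 1) {
    throw "Expected exactly one service principal named '$IdentityName', found $($aad.Count)."
}
$aad = $aad[0]

# 2. Create the matching Exchange Online service principal only if it is missing,
#    so the script can be re-run safely.
$exo = Get-ServicePrincipal | Where-Object { $_.AppId -eq $aad.AppId }
if (-not $exo) {
    $exo = New-ServicePrincipal -AppId $aad.AppId -ServiceId $aad.ObjectId `
        -DisplayName "Service Principal $($aad.DisplayName)"
}

# 3. Grant Exchange permissions through a role group, then list the members
#    so the change can be reviewed.
Add-RoleGroupMember -Identity $RoleGroup -Member $exo.Identity
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, RecipientType
```

Step 3 reports an error if the service principal is already a member of the role group; the listing that follows shows the current state either way.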


And we very quickly learned that PSU can’t have the Graph module and the ExchangeOnlineManagement module loaded in the same script simultaneously. The EXO module is using System.Identity.Token.Jwt.dll and not isolating it properly, so it’s clashing with Graph’s usage of it.

Apparently Graph v2 fixes that, but that’s a journey all of its own. :(

That bug has been bugging me for ages. MS wants us to use Graph more and more, but it doesn’t have feature parity, so you need both modules: “and hey, they aren’t compatible”.

I did not have luck with using V2 of Graph, but it has been a while since I tried. Any experience you have trying to solve this would be greatly appreciated.
