I'm working on updating our PowerShell scripts to use more secure connection methods. When I try, I get an error that says "UnAuthorized"
PS X:> Connect-ExchangeOnline -AppId $clientId -CertificateThumbprint $thumbPrint -Organization $organization
UnAuthorized
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.0.0\netFramework\ExchangeOnlineManagement.psm1:730 char:21
+ throw $_.Exception;
+ CategoryInfo : OperationStopped: (:) [], UnauthorizedAccessException
+ FullyQualifiedErrorId : UnAuthorized
Is what I highlighted in the following screenshot what I'm supposed to use for the organization parameter? [snip]
How do I fix the UnAuthorized error?
Thanks
CodePudding user response:
I agree with @scottwtang: you will get an unauthorized error if your application doesn't have the required roles and permissions.
I tried to reproduce the same in my environment and got the results below.
I used the script below from your previous question to generate the certificate:
$CN = "GraphApp"
# Create a self-signed signing certificate in the current user's personal store; Connect-ExchangeOnline looks the thumbprint up here
$cert = New-SelfSignedCertificate -Subject "CN=$CN" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -NotAfter (Get-Date).AddYears(5)
$Thumbprint = $cert.Thumbprint
# Export only the public part (.cer) for upload to the Azure AD app registration; the private key stays in the store
Get-ChildItem Cert:\CurrentUser\My\$Thumbprint | Export-Certificate -FilePath $env:USERPROFILE\Downloads\GraphApp.cer
Write-Output "$Thumbprint <- Copy/paste this (save it)"
Output:
Now I uploaded this certificate to the Azure AD application as shown below:
For the $organization parameter, you need to pass your domain name. You can find it here:
Go to Azure Portal -> Azure Active Directory -> Overview -> Primary domain
When I ran the script below to connect to Exchange Online, I got an Access denied error like this:
$clientId="47xxxd8-8x2x-4xxx-bxx7-30cxxxxx8"
$thumbPrint="E4A0F6C6B85EBFxxxxxCD91B5803F88E5"
$organization="xxxxxxxx.onmicrosoft.com"
Connect-ExchangeOnline -AppId $clientId -CertificateThumbprint $thumbPrint -Organization $organization
Output:
To resolve the error, you need to add the API permission and the Directory role to your application:
Make sure to grant admin consent for the added permission, as below:
Now I added the Exchange Administrator role to my application as shown below:
Go to Azure Portal -> Azure Active Directory -> Roles and administrators -> Exchange administrator -> Add assignment
It may take a few minutes for the role to be assigned successfully, as below:
Now I connected to Exchange Online by running the script again, and ran the sample command Get-EXOMailbox -PropertySets Archive to verify it. I got a successful response like below:
$clientId="47xxxd8-8x2x-4xxx-bxx7-30cxxxxx8"
$thumbPrint="E4A0F6C6B85EBFxxxxxCD91B5803F88E5"
$organization="xxxxxxxx.onmicrosoft.com"
Connect-ExchangeOnline -AppId $clientId -CertificateThumbprint $thumbPrint -Organization $organization
Output:
So, make sure to assign the required roles and permissions to your application to fix the error.
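As an added example (not part of the answer above), a small PowerShell pre-flight script that checks the certificate Connect-ExchangeOnline will use before connecting, proves the app can actually read a mailbox, and turns the UnAuthorized failure into the roles/permissions checklist from the answer. The function names and the placeholder client ID, thumbprint and domain are constructed for illustration.

```powershell
# Constructed placeholder values; replace with your own app registration details.
$clientId     = "00000000-0000-0000-0000-000000000000"    # Application (client) ID
$thumbPrint   = "0000000000000000000000000000000000000000" # certificate thumbprint
$organization = "contoso.onmicrosoft.com"                  # primary domain of the tenant

function Test-AppAuthCertificate {
    # Verify the certificate the module will sign the client assertion with.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My (run as the same user that created it)."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; the exported .cer alone cannot authenticate."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter); upload a new one to the app registration."
    }
    return $cert
}

function Connect-ExoAppOnly {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Organization
    )
    $null = Test-AppAuthCertificate -Thumbprint $Thumbprint
    try {
        Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization -ShowBanner:$false
        # Smallest call that proves the app is authorized in Exchange, not just authenticated in Azure AD.
        $null = Get-EXOMailbox -ResultSize 1
        Write-Host "Connected to $Organization as app $AppId and read a mailbox successfully."
    }
    catch {
        if ($_.Exception -is [System.UnauthorizedAccessException] -or $_.FullyQualifiedErrorId -eq 'UnAuthorized') {
            Write-Warning "UnAuthorized: the certificate worked, but the app is not allowed to manage Exchange Online. Check in Azure AD that:"
            Write-Warning "  1. the API permission is added to the app registration AND admin consent has been granted;"
            Write-Warning "  2. the app is assigned the Exchange Administrator role (Roles and administrators -> Exchange administrator);"
            Write-Warning "  3. a few minutes have passed since the assignment, as it takes time to propagate."
        }
        throw
    }
}

Connect-ExoAppOnly -AppId $clientId -Thumbprint $thumbPrint -Organization $organization
```

The certificate checks run before any network call, so a missing private key or an expired certificate is reported as itself rather than as a confusing authentication failure.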