Azure Functions Powershell Permissions Error

Christopher Travis 5 Reputation points
2024-07-16T16:28:56.6966667+00:00

Hello, I am recieving the following Error when trying to use remove-distributiongroupmember cmdlet in Azure Functions using Managed Identity. I am able to use the same MI to do other Exchange Online module cmdlets such as "set-mailbox" and I recieve no errors. But this issue has persisted for several days and I am not sure what the issue could be. I do have the Exchange Administrator access added to this MI and everything has been set up as MS showed in their douments. If anyone could help, that would be wonderful. Thank you.

2024-07-16T16:24:08.584 [Error] ERROR: |Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:SN6PR11MB3359.namprd11.prod.outlook.com doesn't have write permission to target DC:. Usually it indicates that target forest isn't an account partition of source forest. The user has insufficient access rights.Exception             :Type    : System.ExceptionMessage : |Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:SN6PR11MB3359.namprd11.prod.outlook.com doesn't have write permission to target DC:. Usually it indicates that target forest isn't an account partition of source forest. The user has insufficient access rights.Data    : System.Collections.ListDictionaryInternalHResult : -2146233088CategoryInfo          : NotSpecified: (:) [Remove-DistributionGroupMember], ExceptionFullyQualifiedErrorId : [],Write-ErrorMessageInvocationInfo        :MyCommand        : Write-ErrorMessageScriptLineNumber : 1204OffsetInLine     : 13HistoryId        : 1ScriptName       : C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1Line             : Write-ErrorMessage $ErrorObjectStatement        : Write-ErrorMessage $ErrorObjectPositionMessage  : At C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1:1204 char:13+             Write-ErrorMessage $ErrorObject+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~PSScriptRoot     : C:\local\Temp\tmpEXO_jxhi1j0x.wgcPSCommandPath    : C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1InvocationName   : Write-ErrorMessageCommandOrigin    : InternalScriptStackTrace      : at Write-ErrorMessage
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,251 questions
Azure Managed Applications
Azure Managed Applications
An Azure service that enables managed service providers, independent software vendors, and enterprise IT teams to deliver turnkey solutions through the Azure Marketplace or service catalog.
155 questions
0 comments No comments
{count} vote

3 answers

Sort by: Most helpful
  1. Pinaki Ghatak 5,310 Reputation points Microsoft Employee
    2024-07-17T10:10:02.7266667+00:00

    Hello @Christopher Travis

    The error message indicates that the source server doesn't have write permission to the target DC, which usually indicates that the target forest isn't an account partition of the source forest, and the user has insufficient access rights.

    Based on the error message, it seems like the MI you are using doesn't have the necessary permissions to perform the remove-distributiongroupmember cmdlet.

    You mentioned that you have Exchange Administrator access added to this MI, but it's possible that the MI doesn't have the necessary permissions to perform this specific cmdlet.

    I would recommend checking the permissions of the MI and ensuring that it has the necessary permissions to perform the remove-distributiongroupmember cmdlet.

    You may also want to check the Exchange Online module documentation to see if there are any specific permissions required for this cmdlet.


  2. Trond Skille 0 Reputation points
    2024-09-18T09:28:20.27+00:00

    I have the same problem. Automated jobs running with a User Assigned Managed Identity.
    The issue occurs randomly. Sometimes the job runs successful without issues, and sometimes the job fails with the error message:

    Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:AS8PR04MB7589.eurprd04.prod.outlook.com doesn't have write permission to target DC:<null>:NAMPR15A900.PROD.OUTLOOK.COM. Usually it indicates that target forest isn't an account partition of source forest. 
    

    Note the <null> value in the exception. Something is happening on the server-side causing the issues.

    0 comments No comments

  3. Christopher Travis 5 Reputation points
    2024-12-18T13:37:10.35+00:00

    Hello everyone! The solution for this is extremely simple and I am mad at myself for not seeing it sooner. For anyone looking for a solution, I messed up the exchange organization that I used to log in with. For example, I used "company.onmicrosoft.com" when I should have used "company1.onmicrosoft.com".

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.