Request for Assistance with Permissions Issue in Exchange Online for Application-Based Management

Alex Melnik 0 Reputation points
2024-10-31T11:52:58.5766667+00:00

Dear Azure Support Team,

I am reaching out to request assistance with an ongoing permissions issue impacting my application’s ability to manage Exchange Online resources, specifically with executing Add-DistributionGroupMember and Remove-DistributionGroupMember commands. Despite configuring what appear to be the necessary permissions in Azure Active Directory and Exchange Online, the application continues to encounter insufficient permissions errors when attempting to perform these actions.

Current Configuration:

Application Permissions in Azure AD:

  • Exchange.ManageAsApp
  • full_access_as_app
  • Group.ReadWrite.All
  • Directory.ReadWrite.All
  • Other related permissions (detailed if needed)

Connection Method: The application connects to Exchange Online using App-only authentication with Connect-ExchangeOnline, utilizing an App ID and certificate thumbprint.

Issue Description:

The application has been granted admin consent for the permissions above, yet it encounters errors indicating that it lacks sufficient permissions to modify members within distribution groups. All permissions were reviewed and granted at the tenant level, and the connection is made successfully. However, each attempt to add or remove members from distribution groups fails with a permissions error.

Request:

Could you please help us identify any additional steps, permissions, or configurations required to resolve this issue? If any specific tenant settings or Exchange Online policies need adjustment, kindly provide guidance on how to implement these changes.

Thank you for your support and guidance.

Microsoft Entra ID

2 answers

  1. Andy David - MVP 149.1K Reputation points MVP
    2024-10-31T12:49:10.17+00:00

  2. Xintao Qiao-MSFT 3,920 Reputation points Microsoft Vendor
    2024-11-01T02:54:07.4566667+00:00

    Hi, @Alex Melnik

    Just as a supplement to Andy.

    1. Make sure that the Identity is already an ExchangeAdministrator.
    2. Check in the Azure portal as an administrator that the API permissions are properly assigned to the application. Sometimes permission assignments take time to work.
    3. Try adding the parameter -BypassSecurityGroupManagerCheck, which can help bypass some security checks that can lead to incorrect permissions. Check out the limitations below.

    User's image


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
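
A diagnostic for the situation discussed in this thread, added here as an example (it is not code from the question or from either answer): it connects app-only, checks whether the two distribution group cmdlets were loaded for the service principal, and only then attempts the change with -BypassSecurityGroupManagerCheck. It assumes the ExchangeOnlineManagement module is installed; the app ID, thumbprint, organization, group and member values are placeholders.

```powershell
# Added example. All values below are placeholders, not values from the thread.
$AppId        = '00000000-0000-0000-0000-000000000000'  # placeholder application (client) ID
$Thumbprint   = '<CERTIFICATE-THUMBPRINT>'              # placeholder certificate thumbprint
$Organization = 'contoso.onmicrosoft.com'               # placeholder tenant domain
$Group        = 'dl-example@contoso.com'                # hypothetical distribution group
$Member       = 'user@contoso.com'                      # hypothetical member to add

Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $Organization -ShowBanner:$false

try {
    # Exchange Online loads only the cmdlets that the connected identity's
    # Exchange roles allow. A successful connection with these cmdlets missing
    # points at the role assignment, not at the consented API permissions.
    $needed  = 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember'
    $missing = $needed | Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) }
    if ($missing) {
        throw "Not available in this session: $($missing -join ', ')"
    }

    # The switch lets a caller that is not listed as an owner of the group
    # (ManagedBy) change its membership; the caller still needs an admin role.
    Add-DistributionGroupMember -Identity $Group -Member $Member `
        -BypassSecurityGroupManagerCheck -ErrorAction Stop

    # Read the membership back to confirm the change took effect.
    $added = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.PrimarySmtpAddress -eq $Member }
    if ($added) {
        Write-Output "Added $Member to $Group"
    } else {
        Write-Warning "No error returned, but $Member is not listed in $Group yet"
    }
}
catch {
    # Surface the service-side message so the failing check can be identified.
    Write-Warning "Operation failed: $($_.Exception.Message)"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```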

