I'm looking to change my current PowerShell user on-boarding script into an Azure Automation runbook. I need to add users to mail-enabled security groups, but since Mail-Enabled Security Groups aren't supported by MS Graph, I have to use Exchange. However, when I run my script, the user is created, but I get an error saying, "You don't have sufficient permissions. This operation can only be performed by a manager of the group." I've created a System-assigned managed identity and followed the instructions to connect to Exchange, which works for simple commands like `Get-AcceptedDomain`. But when I try to add the managed identity as an owner of the group in the Exchange console, it doesn't show up. Using PowerShell with the identity's application ID or object ID also leads to an error saying the object can't be found. What's the right way to have my Azure Automation runbook add users into a mail-enabled security group?
4 Answers
You should head to the Azure RBAC in the portal and assign the service principal the necessary Exchange permissions. You might also need to give it the 'exchange manage as application' permissions. I ran into the same issue recently, and following the steps in this [KB article](https://learn.microsoft.com/en-us/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps#step-4-grant-the-exchangemanageasapp-api-permission-for-the-managed-identity-to-call-exchange-online) helped me out!
You're totally right! Plus, make sure that your Mail-Enabled Security Groups were created in Azure/Entra AD. If they were made in On-Prem AD, you'll need to manage them from there.
If you want to stick strictly with a managed identity, consider switching to Entra ID security groups, which can be managed via Graph, and then mail-enable them via a distribution group if that would work for your needs. Managed identity won't cut it for legacy mail-enabled security groups.
You might want to try using the `-BypassSecurityGroupManagerCheck` parameter with `Add-DistributionGroupMember` after assigning your managed identity the necessary roles like 'Security Group Creation and Membership'. This worked for me!
Good point! Although, you really just need the `Exchange.ManageAsApp` role along with the Exchange admin role to handle this.
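The runbook shape the two replies above describe, as an added example that is not code from the thread: connect with the managed identity, then add the member while bypassing the owner check. It assumes the identity already holds the `Exchange.ManageAsApp` permission and an Exchange admin role; the organization, group and user values are placeholders.

```powershell
# Azure Automation runbook (PowerShell 7). Assumes the ExchangeOnlineManagement
# module is imported into the Automation account and that the system-assigned
# managed identity already has the Exchange.ManageAsApp API permission plus an
# Exchange admin role assigned, as the replies above describe.
param(
    # Placeholder values; replace with your tenant, group and user.
    [string]$Organization = "contoso.onmicrosoft.com",
    [string]$GroupId      = "mesg-finance@contoso.com",
    [string]$UserId       = "new.hire@contoso.com"
)

$ErrorActionPreference = "Stop"

try {
    # No stored credentials: the token comes from the managed identity.
    Connect-ExchangeOnline -ManagedIdentity -Organization $Organization -ShowBanner:$false

    # Fail early if the target is not actually a mail-enabled security group.
    $group = Get-DistributionGroup -Identity $GroupId
    if ($group.RecipientTypeDetails -ne "MailUniversalSecurityGroup") {
        throw "$GroupId is not a mail-enabled security group ($($group.RecipientTypeDetails))."
    }

    # Idempotent: re-running the runbook must not error on an existing member.
    $already = Get-DistributionGroupMember -Identity $GroupId -ResultSize Unlimited |
               Where-Object { $_.PrimarySmtpAddress -eq $UserId }
    if ($already) {
        Write-Output "$UserId is already a member of $GroupId; nothing to do."
    } else {
        # The managed identity is not a group owner, so skip the owner check and
        # rely on the Exchange role assignment for authorization.
        Add-DistributionGroupMember -Identity $GroupId -Member $UserId -BypassSecurityGroupManagerCheck
        Write-Output "Added $UserId to $GroupId."
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

If the "sufficient permissions" error persists even with the bypass switch, the role assignment from the linked KB step is the thing to re-check, not the group ownership.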
That error is pretty common. Managed identities can authenticate with Exchange Online, but they can't be assigned as owners of mail-enabled security groups. It's usually better to create a dedicated cloud-only service account in Entra ID and assign it ownership of the groups you want to manage.

Yeah, you might also want to grant it the Exchange Admin role since permissions can be a bit tricky with the `Connect-ExchangeOnline` session. We utilize this setup for some tasks like unblocking mailbox access for certain users.