microsoft / MSCloudLoginAssistant

PowerShell Module Handling Authentication to Cloud Services
https://www.powershellgallery.com/packages/MSCloudLoginAssistant/
MIT License

`Connect-ExchangeOnline` does not give write access due to wrong organization name #172

Closed · raandree closed this 1 week ago

raandree commented 3 months ago

I want to control EXO settings with Microsoft365DSC. Reading data from EXO works but writing does not.

When passing the organization's short name to Connect-ExchangeOnline, not even creating a DL is possible; when using the FQDN, things work. Unfortunately, the function Get-MSCloudLoginOrganizationName returns the short name. Why are we not returning the FQDN instead?

# First attempt: short tenant name
Connect-ExchangeOnline -ManagedIdentity -ShowBanner:$false -Organization MngEnvMCAP576786
New-DistributionGroup -Name t1
Disconnect-ExchangeOnline -Confirm:$false

# Second attempt: fully qualified tenant domain
Connect-ExchangeOnline -ManagedIdentity -ShowBanner:$false -Organization MngEnvMCAP576786.onmicrosoft.com
New-DistributionGroup -Name t1
Disconnect-ExchangeOnline -Confirm:$false

The first attempt returns an error, the second works as expected:

Write-ErrorMessage : |Microsoft.Exchange.Data.Directory.ADTransientException|Object 'CN=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},OU=MngEnvMCAP576786.onmicrosoft.com,OU=Microsoft Exchange Hosted 
Organizations,DC=NAMPR05A009,DC=PROD,DC=OUTLOOK,DC=COM' does not belong to partition 'GBRP265.PROD.OUTLOOK.COM' that current AD session is bound to.
At C:\Users\Install\AppData\Local\Temp\2\tmpEXO_slfy54m0.dej\tmpEXO_slfy54m0.dej.psm1:1191 char:13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-DistributionGroup], ADTransientException
    + FullyQualifiedErrorId : [Server=LO6P265MB7049,RequestId=380184f3-bbd4-0239-f8c3-479397ca0f3a,TimeStamp=Mon, 01 Apr 2024 21:32:49 GMT],Write-ErrorMessage

Name DisplayName GroupType PrimarySmtpAddress                 
---- ----------- --------- ------------------                 
t1   t1          Universal t1@MngEnvMCAP576786.onmicrosoft.com

Am I doing anything wrong?

raandree commented 1 month ago

Can someone please have a look at this? Currently we are using this ugly workaround: https://github.com/raandree/Microsoft365DscWorkshop/blob/2002015163fb5a3d28783eeda655e47dbb4327c7/.build/CleanupAfterBuild.ps1#L7.

ykuijs commented 1 week ago

Was implementing another fix in this module and thought to fix this issue at the same time. When checking the code, I noticed that the mentioned function Get-MSCloudLoginOrganizationName is actually returning the FQDN.

However, the function Get-MSCloudLoginTenantDomain is returning just the tenant name, without the '.onmicrosoft.com' suffix. Naming looks a bit backwards, but that is what it is now.

Reviewed the code where the OrganizationName is used. This is only used in the Connect-ExchangeOnline cmdlet, but it is populated via the above two methods. That is not consistent. Updated the code to always use the Get-MSCloudLoginOrganizationName function, so the FQDN is always used.
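The failure mode in this issue is a caller passing the short tenant name where `Connect-ExchangeOnline -ManagedIdentity -Organization` needs the fully qualified initial domain, so reads succeed but writes fail with a partition error. As an added example that is not part of MSCloudLoginAssistant, Microsoft365DSC or this issue's comments, the wrapper below normalises whatever identifier a caller passes to the FQDN form before connecting, which is the same invariant the fix described above enforces inside the module. The function names `Resolve-ExoOrganizationFqdn` and `Connect-ExoWithFqdn` and the `$Suffix` parameter are assumptions made for illustration; `Connect-ExchangeOnline` and its parameters are the real ExchangeOnlineManagement cmdlet as used in the issue.

```powershell
# Added example; not code from MSCloudLoginAssistant or from the authors of this issue.
# Goal: never hand Connect-ExchangeOnline a short tenant name, because that yields a
# session that can read but not write (see the ADTransientException in the issue).

function Resolve-ExoOrganizationFqdn {
    [CmdletBinding()]
    param(
        # Either the short tenant name ('MngEnvMCAP576786') or the FQDN
        # ('MngEnvMCAP576786.onmicrosoft.com').
        [Parameter(Mandatory)]
        [string]$Organization,

        # Initial-domain suffix to append to a short name. Assumed default for the
        # commercial cloud; override it if your tenant uses a different initial domain.
        [string]$Suffix = '.onmicrosoft.com'
    )

    $name = $Organization.Trim()
    if ([string]::IsNullOrWhiteSpace($name)) {
        throw 'Organization must not be empty.'
    }

    # Already fully qualified: return it unchanged so an explicit FQDN is never mangled.
    if ($name -like '*.*') {
        return $name
    }

    # Short tenant name: append the initial-domain suffix.
    return "$name$Suffix"
}

function Connect-ExoWithFqdn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Organization
    )

    $fqdn = Resolve-ExoOrganizationFqdn -Organization $Organization

    # Refuse to proceed with a value that still has no domain part; this is the
    # exact input shape that produced the write failure in the issue.
    if ($fqdn -notlike '*.*') {
        throw "Organization '$fqdn' is not a fully qualified domain; Exchange Online write operations would fail."
    }

    Write-Verbose "Connecting to Exchange Online as managed identity for organization '$fqdn'"

    # Same call shape as in the issue; only the -Organization value is normalised.
    Connect-ExchangeOnline -ManagedIdentity -ShowBanner:$false -Organization $fqdn
}

# Usage (both forms resolve to the same FQDN before the cmdlet is called):
#   Connect-ExoWithFqdn -Organization 'MngEnvMCAP576786' -Verbose
#   Connect-ExoWithFqdn -Organization 'MngEnvMCAP576786.onmicrosoft.com' -Verbose
```

The normalisation is deliberately conservative: an input that already contains a dot is passed through untouched, so a custom initial domain or a sovereign-cloud suffix is never rewritten, while a bare tenant name is completed with the suffix rather than rejected, matching the module fix that routes every caller through the FQDN-returning function.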