ExO PowerShell v3 Module with GDAP and App Consent doesn't work with "Set" cmdlets

[eriksrocha]

Legacy Exchange Online public client ID (app ID a0c73c16-a7e3-4564-9a95-2bdf47383716), also known as the ExO PowerShell public client, will be retired soon. As an alternative, Microsoft recommends using the procedure mentioned in this documentation: https://learn.microsoft.com/powershell/partnercenter/exchange-online-gdap-app?view=partnercenterps-3.0

I followed all the steps and it meets all the requirements. I can connect to my client's ExO, BUT I can only run "Get" Cmdlets, like "Get-Mailbox" for example. Any "Set" command returns the error below.

Write-ErrorMessage : |Microsoft.Exchange.Configuration.DualWrite.LocStrings.UnableToWriteToAadException|An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph) RequestId: ca80bc15-bf83-4a30-bff7-fe729bbe0d87 The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information. At C:\Users\SVC\AppData\Local\Temp\tmpEXO_xtmfzlng.eue\tmpEXO_xtmfzlng.eue.psm1:1111 char:13

• Write-ErrorMessage $ErrorObject

• 
  + CategoryInfo          : NotSpecified: (:) [Set-Mailbox], UnableToWriteToAadException
  + FullyQualifiedErrorId : [Server=SJ0PR15MB4648,RequestId=f0f3ab55-4ca7-7893-6332-1d78cb204e88,TimeStamp=Thu, 27 Apr 2023 11:46:58 GMT],Write-ErrorMessage

Another problem I noticed is that the return of the "Get" commands has a very long delay compared to a "normal" connection in ExO via PowerShell.

[mpiederiet]

Hi @eriksrocha. I was wondering, in the example from your screenshot, what was in the $TenantId variable? I have seen various issue in our environment when this value was not the Initial Domain (e.g. ".onmicrosoft.com"). When setting this to a tenant ID (GUID), we also got a variety of error message.

[switch72]

I can confirm I just ran into this issue and changing from using the tenant GUID to using the tenant domain in my Connect-ExchangeOnline -DelegatedOrginization parameter fixed the issue.

[eriksrocha]

Hi @eriksrocha. I was wondering, in the example from your screenshot, what was in the $TenantId variable? I have seen various issue in our environment when this value was not the Initial Domain (e.g. ".onmicrosoft.com"). When setting this to a tenant ID (GUID), we also got a variety of error message.

I tried it and it worked for me. Thank you @mpiederiet and @switch72 . But I still think this is a joke from Microsoft because on the documentation they use the TenantID...