Closed write2tsm closed 11 months ago
If I’m reading the command correctly, you’re specifying an exchange online credentials array. You need to not use exchange online credentials but rather use the exchange cert auth settings. I did not see those in your command. Will be the app ID, tenant id, and thumbprint.
============================== Timothy J. McMichael Senior Support Escalation Engineer @.**@.> (980)-776-7465
Hours: Sunday – Wednesday 08:00 – 16:00 eastern time zone.
Manager: Tom Roughley @.**@.>)
Premier Support - (800)-936-3100 Broad Commercial Support - (800)-936-4900
==============================
From: write2tsm @.> Sent: Thursday, July 20, 2023 1:07 AM To: timmcmic/DLConversionV2 @.> Cc: Subscribed @.***> Subject: [timmcmic/DLConversionV2] DL Conversion Failed - (Issue #144)
Hi Tim
I'm using the below command:
Start-MultipleMachineDistributionListMigration -groupSMTPAddresses $groups -globalCatalogServer -activeDirectoryCredential $credentials -aadconnectServer -aadConnectCredential $credentials -aadConnectAuthenticationMethod Kerberos -exchangeServer -exchangeCredential $credentials -exchangeAuthenticationMethod Kerberos -exchangeOnlineCredential $credentials -logFolderPath C:\DLConversion -remoteDriveLetter S -serverNames $machines -dnNoSyncOU "
and experiencing this error:
[20/07/2023 2:30:27 PM] - ExchangeOnlineCredentialsUserName =
[20/07/2023 2:30:27 PM] - Is certificate auth = False
[20/07/2023 2:30:27 PM] - ExchangeOnlineCommandPrefix = O365
[20/07/2023 2:30:27 PM] - Creating the exchange online powershell session.
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'.
Trace ID: 6d3b15b1-0efa-426e-bbec-70b956f15000
Correlation ID: c3751b3f-d7f2-4678-9020-5a362c803e23
Timestamp: 2023-07-20 04:30:32Z
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.1.0\netFramework\ExchangeOnlineManagement.psm1:729 char:21
+ throw $_.Exception.InnerException;
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], MsalUiRequiredException
+ FullyQualifiedErrorId : AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'.
Trace ID: 6d3b15b1-0efa-426e-bbec-70b956f15000
Correlation ID: c3751b3f-d7f2-4678-9020-5a362c803e23
This is a bulk migration test, so I'm using certificate based auth for both MS Graph (Azure AD) and Exchange Online. Have followed the guidance in following articles:
and the connections establish successfully:
Connect-MgGraph -TenantId "<AzureADTenantID>" -AppId "<AzureAD App Registration App ID>" -CertificateThumbprint "xzsadsdfd"
Connect-ExchangeOnline -CertificateThumbPrint "xzsadsdfd" -AppID "<AzureAD App Registration App ID>" -Organization "myorg.onmicrosoft.com"
The error seems to suggest some MFA issue, but I'm not sure why it is using the credentials from the array to connect to Exchange Online when I've already used cert-based authentication. Moreover, if I remove the "-exchangeOnlineCredential $credentials" from the Start-MultipleMachineDistributionListMigration command, it fails saying this:
[20/07/2023 1:56:43 PM] - BEGIN start-parameterValidation
[20/07/2023 1:56:43 PM] - ****
[20/07/2023 1:56:43 PM] - The parameter set name for validation: ExchangeOnlineMulti
[20/07/2023 1:56:43 PM] - ERROR: One permissions method to connect to Exchange Online must be specified.
[20/07/2023 1:56:43 PM] - ****
Do you see anything wrong with the Start-MultipleMachineDistributionListMigration switches / parameters?
Thanks
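A pre-flight check for the point made in the reply above, as an added example that is not part of DLConversionV2 or of the original thread: it rejects a parameter set that mixes a credential with certificate values and confirms each thumbprint resolves to a usable certificate. The function name, the certificate store path and the sample values are assumptions; the parameter names are those used in the commands in this thread.

```powershell
# Added example: hypothetical pre-flight helper, not part of DLConversionV2.
function Test-CertAuthParameters {
    param(
        [Parameter(Mandatory)] [hashtable] $Parameters,
        # Assumption: the certificate lives in the current user's personal store.
        [string] $CertStorePath = 'Cert:\CurrentUser\My'
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # A credential alongside certificate values is the failing combination from the
    # thread: the log showed "Is certificate auth = False", then AADSTS50076.
    if ($Parameters.ContainsKey('exchangeOnlineCredential')) {
        $problems.Add('exchangeOnlineCredential is set; drop it for certificate auth.')
    }

    # Assumption: every one of these values is needed for an unattended run.
    $required = 'exchangeOnlineCertificateThumbPrint', 'exchangeOnlineOrganizationName',
                'exchangeOnlineAppID', 'msGraphTenantID',
                'msGraphCertificateThumbprint', 'msGraphApplicationID'
    foreach ($name in $required) {
        if ([string]::IsNullOrWhiteSpace([string]$Parameters[$name])) {
            $problems.Add("$name is missing or empty.")
        }
    }

    # Each thumbprint must resolve to a usable certificate on this machine.
    foreach ($name in 'exchangeOnlineCertificateThumbPrint', 'msGraphCertificateThumbprint') {
        $thumb = ([string]$Parameters[$name]).Trim()
        if (-not $thumb) { continue }
        $cert = Get-ChildItem -Path $CertStorePath |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        if (-not $cert) { $problems.Add("$name '$thumb' not found in $CertStorePath.") }
        elseif (-not $cert.HasPrivateKey) { $problems.Add("$name '$thumb' has no private key.") }
        elseif ($cert.NotBefore -gt (Get-Date) -or $cert.NotAfter -lt (Get-Date)) {
            $problems.Add("$name '$thumb' is outside its validity period.")
        }
    }
    return ,$problems.ToArray()
}

# Constructed sample input; replace the placeholders with your own values.
$migrationParams = @{
    msGraphTenantID = '<tenant-id>'; msGraphApplicationID = '<app-id>'
    msGraphCertificateThumbprint = '<thumbprint>'
    exchangeOnlineAppID = '<app-id>'; exchangeOnlineOrganizationName = '<tenant>.onmicrosoft.com'
    exchangeOnlineCertificateThumbPrint = '<thumbprint>'
}
$issues = Test-CertAuthParameters -Parameters $migrationParams
if ($issues.Count) { $issues | Write-Warning } else { 'Certificate-only parameter set looks usable.' }
```

Once the check returns no problems, the same hashtable can be splatted onto the migration command together with the remaining on-premises parameters.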
Ok, that makes sense.
Can you also clarify, what command / switches to run if we only want to pre-collect the DL configuration (without actually triggering the DL migration process).
Thanks
For auditing permissions
Start-collect*
For testing pre-migration viability
test-*
Tim
Ok thanks.
I just ran the following command:
Start-MultipleMachineDistributionListMigration -groupSMTPAddresses $groups -globalCatalogServer
It reported that the migration failed:
[20/07/2023 8:51:31 PM] - END Get-OULocation
[20/07/2023 8:51:31 PM] - ****
[20/07/2023 8:51:31 PM] - Function OU =
However, the DLs have been moved to cloud and the on-prem DL is renamed with a suffix '!' sign and these remain in their original AD DS OU. This seems like the migration failed and left the DLs in an interim state. The target DLs created are not editable in cloud.
Any suggestions please?
Thanks
Send the full log to dlconversionv2 at service dot Microsoft dot com
Tim
From: write2tsm @.> Sent: Thursday, July 20, 2023 7:17 AM To: timmcmic/DLConversionV2 @.> Cc: Tim McMichael @.>; Comment @.> Subject: Re: [timmcmic/DLConversionV2] DL Conversion Failed - You must use multi-factor authentication (Issue #144)
Ok thanks.
I just ran the following command:
Start-MultipleMachineDistributionListMigration -groupSMTPAddresses $groups -globalCatalogServer -activeDirectoryCredential $credentials -aadconnectServer -aadConnectCredential $credentials -aadConnectAuthenticationMethod Kerberos -exchangeServer -exchangeCredential $credentials -exchangeAuthenticationMethod Kerberos -msGraphTenantID "<AzureADTenantID>" -msGraphCertificateThumbprint "aefgh1f6973be30eae" -msGraphApplicationID "AppID" -exchangeOnlineCertificateThumbPrint "aefgh1f6973be30eae" -exchangeOnlineOrganizationName "mydomain.mail.onmicrosoft.com" -exchangeOnlineAppID "AppID" -logFolderPath C:\DLConversion -remoteDriveLetter S -serverNames $machines -dnNoSyncOU "AD DS OU"
It reported the migration as failed:
[20/07/2023 8:51:31 PM] - END Get-OULocation
[20/07/2023 8:51:31 PM] - ****
[20/07/2023 8:51:31 PM] - Function OU =
[20/07/2023 8:51:31 PM] - Testing address for remote routing address = @.**@.>
[20/07/2023 8:51:31 PM] - Error - the group to have hybrid mail flow enabled does not have an address @domain.mail.onmicrosoft.com or an address at the custom routing domain specified.
[20/07/2023 8:51:31 PM] - Add an email address @domain.mail.onmicrosoft.com appropriate for your tenant in order to hybrid mail enable the list.
[20/07/2023 8:51:31 PM] - Error enabling hybrid mail flow.
[20/07/2023 8:51:31 PM] - ****
However, the DLs have been moved to cloud and the on-prem DL is renamed with a prefix '!' sign and these remain in their original AD DS OU. This seems like the migration failed and left the DLs in an interim state. The target DLs created are not editable in cloud.
Any suggestions please?
Thanks
Sent the complete log file and some screenshots that might be helpful visualizing what happened as a result of test run.
Currently tracking an issue in the AU datacenters where commandlets are being referred to multiple domain controllers resulting in multiple dual write state changes. This causes operations to occur out of order. Pending review.
Actually closing this issue and will open a new one for dual write.