Closed lsborroto closed 5 months ago
Just went ahead and ran a bulk test and do not have a repro on this version. Does it reproduce from other machines?
From: lsborroto @.> Sent: Tuesday, December 19, 2023 5:54 PM To: timmcmic/DLConversionV2 @.> Cc: Subscribed @.***> Subject: [timmcmic/DLConversionV2] Unable to migrate Multiple DL (Issue #155)
I connected using:
Connect-MgGraph -TenantId "a9" -AppId "14" -CertificateThumbprint "96"
For the app I assigned the following privileges: image.png (view on web) https://github.com/timmcmic/DLConversionV2/assets/59449977/f38027cf-1176-49ca-a97f-c465d17246b0
Then run:
Start-MultipleDistributionListMigration -globalCatalogServer dc.ftc365.local -activeDirectoryCredential $onpremcred -groupSMTPAddresses $groups -aadConnectServer DC.ftc365.local -aadConnectCredential $onpremcred -logFolderPath c:\multiple -exchangeOnlineCredential $cloudCredc -exchangeServer exc2016.ftc365.local -exchangeCredential $onpremcred -exchangeAuthenticationMethod Kerberos -enableHybridMailflow:$TRUE -dnNoSyncOU "OU=NoSync,DC=ftc365,DC=local" -overrideCentralizedMailTransportEnabled:$TRUE
Although I get an error during the migration:
BEGIN NEW-msGraphADPowershellSession
[12/19/2023 11:45:54 AM] - ****
[12/19/2023 11:45:54 AM] - Making MS Graph connection using interactive credentials.
[12/19/2023 11:45:54 AM] - Unable to make ms graph connection using interactive authentication.
[12/19/2023 11:45:54 AM] - https://timmcmic.wordpress.com/2023/04/11/office-365-distribution-list-migrations-version-2-0-part-33/
connect-mgGraph : Key not valid for use in specified state.
At C:\Program Files\WindowsPowerShell\Modules\DLConversionV2\2.9.8.20\new-msGraphPowershellSession.ps1:88 char:17
It works for single migrations.
- Reply to this email directly, view it on GitHubhttps://github.com/timmcmic/DLConversionV2/issues/155, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AKGTN6ISJ3QOD4PDJHZBNRDYKILJVAVCNFSM6AAAAABA35ACSCVHI2DSMVQWIX3LMV43ASLTON2WKOZSGA2DSNJVHE3DMMI. You are receiving this because you are subscribed to this thread.Message ID: @.**@.>>
Sorry, I uploaded the wrong log. The error that I am getting is:
BEGIN GET-AZUREADDLCONFIGURATION
[12/19/2023 4:27:46 PM] - ****
get-mgGroup : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2023-12-19T22:27:47
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 12063aa0-ea23-4c68-af3a-eeec3688e8bd
client-request-id : 1d6c325a-e8c2-4411-bbbc-f7c8402ed3bc
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Central US","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"DS1PEPF0000D102"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Tue, 19 Dec 2023 22:27:46 GMT
At C:\Program Files\WindowsPowerShell\Modules\DLConversionV2\2.9.8.20\get-msGraphDLConfiguration.ps1:46 char:13
+ CategoryInfo : InvalidOperation: ({ GroupId = 12f...ndProperty = }:<>f__AnonymousType41`3) [Get-MgGroup_Get], Exception
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgGroup_Get
[12/19/2023 4:27:47 PM] - Unable to obtain group configuration from Azure Active Directory
[12/19/2023 4:27:47 PM] - END GET-AzureADDlConfiguration
[12/19/2023 4:27:47 PM] - ********************************************************************************
[12/19/2023 4:27:47 PM] - Recording Graph DL membership.
[12/19/2023 4:27:47 PM] - Unable to obtain Azure AD DL Membership.
Get-msGraphMembership : Cannot bind argument to parameter 'groupObjectID' because it is an empty string.
At C:\Program Files\WindowsPowerShell\Modules\DLConversionV2\2.9.8.20\DLConversionV2.psm1:1623 char:73
+ CategoryInfo : InvalidData: (:) [Get-msGraphMembership], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Get-msGraphMembership
When you make the graph connection - can you execute get-mgGroup and get-MGGroupMembership?
Tim
Nope, I got the same error:
Get-MgGroup : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2023-12-20T18:22:36
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 56830ec8-214c-4ef6-98f5-9b9698fe33d6
client-request-id : 80219716-01dd-4a54-8787-ec59be476a17
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Central US","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"DS1PEPF0000D102"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Wed, 20 Dec 2023 18:22:36 GMT
At line:1 char:1
+ CategoryInfo : InvalidOperation: ({ ConsistencyLe...ndProperty = }:<>f__AnonymousType84`9) [Get-MgGroup_List], Exception
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgGroup_List
How do you perform the authentication with Microsoft Graph?
Then something is wrong with the permissions applications.
Make sure you're connecting with -scopes User.Read.All and Group.Read.All
Tim
How can you connect with the scopes? I added the command line used.
Start-MultipleDistributionListMigration -globalCatalogServer dc.ftc365.local -activeDirectoryCredential $onpremcred -Start-MultipleDistributionListMigration -globalCatalogServer dc.ftc365.local -activeDirectoryCredential $onpremcred -groupSMTPAddresses $groups -aadConnectServer DC.ftc365.local -aadConnectCredential $onpremcred -logFolderPath c:\multiple -exchangeOnlineCredential $cloudCredc -exchangeServer exc2016.ftc365.local -exchangeCredential $onpremcred -exchangeAuthenticationMethod Kerberos -enableHybridMailflow:$TRUE -dnNoSyncOU "OU=NoSync,DC=ftc365,DC=local" -overrideCentralizedMailTransportEnabled:$TRUE -msGraphTenantID "9" -msGraphCertificateThumbprint "6" -msGraphApplicationID "4"
Connect-MGGraph -scopes {User.Read.All,Group.Read.All} and then the rest of your certificate information.
See if you get prompted for authorization.
Tim
As there is no way to link both steps in just one, I did:
Connect-MgGraph -Scopes "Group.Read.All,AuditLog.Read.All,Group.ReadWrite.All,MailboxSettings.Read,Organization.Read.All,User.Read.All"
(entered my global admin credentials)
then I run:
Start-MultipleDistributionListMigration -globalCatalogServer dc.ftc365.local -activeDirectoryCredential $onpremcred -groupSMTPAddresses $groups -aadConnectServer DC.ftc365.local -aadConnectCredential $onpremcred -logFolderPath c:\multiple -exchangeOnlineCredential $cloudCredc -exchangeServer exc2016.ftc365.local -exchangeCredential $onpremcred -exchangeAuthenticationMethod Kerberos -enableHybridMailflow:$TRUE -dnNoSyncOU "OU=NoSync,DC=ftc365,DC=local" -overrideCentralizedMailTransportEnabled:$TRUE -msGraphTenantID "9" -msGraphCertificateThumbprint "6" -msGraphApplicationID "4"
I checked the get-mgcontext:
ClientId : 14d82eec-204b-4c2f-b7e8-296a70dab67e
Although the application that I registered is:
msGraphApplicationID: 101a11a2-ac89-4f12-9f41-9cb9c2fb1e34
I am trying to get how does the script perform the authentication. I was able to run get-mggroup, but when I performed the migration the issue persists. Error:
BEGIN GET-AZUREADDLCONFIGURATION
[12/20/2023 12:36:44 PM] - ****
get-mgGroup : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2023-12-20T18:36:45
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 7732eb79-c811-4c84-b97e-c005419d13eb
client-request-id : 0b094482-78bb-4330-a1dd-e2eb1c28e03a
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Central US","Slice":"E","Ring":"2","ScaleUnit":"002","RoleInstance":"DS3PEPF0000273D"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Wed, 20 Dec 2023 18:36:44 GMT
At C:\Program Files\WindowsPowerShell\Modules\DLConversionV2\2.9.8.20\get-msGraphDLConfiguration.ps1:46 char:13
+ CategoryInfo : InvalidOperation: ({ GroupId = 12f...ndProperty = }:<>f__AnonymousType41`3) [Get-MgGroup_Get], Exception
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgGroup_Get
[12/20/2023 12:36:45 PM] - Unable to obtain group configuration from Azure Active Directory
No - the first step is to ensure the scopes are valid that you need.
Connect-MgGraph -Scopes "Group.Read.All,AuditLog.Read.All,Group.ReadWrite.All,MailboxSettings.Read,Organization.Read.All,User.Read.All" (entered my global admin credentials)
You have to connect using the same method as you do in the script. Since you're using certificate auth - connect to graph using cert auth and specify the scopes. If you're prompted to consent to them - your consent was not good and that's why you're getting a 403.
How can you do that? "You have to connect using the same method as you do in the script. Since you're using certificate auth - connect to graph using cert auth and specify the scopes. If you're prompted to consent to them - your consent was not good and that's why you're getting a 403." In my case it does not allow me to combine
Connect-MgGraph -TenantId "a572642d-a487-465d-b3b3-8528f6693f69" -AppId "101a11a2-ac89-4f12-9f41-9cb9c2fb1e34" -CertificateThumbprint "904BCD02E8C46BDDD149FCBD1AA118195330E806"
and add the scopes. I can specify the scopes using the user name and password, or authenticate with the certificate without prompting for the scopes.
Ok - when you run this command:
Connect-MgGraph -TenantId "a572642d-a487-465d-b3b3-8528f6693f69" -AppId "101a11a2-ac89-4f12-9f41-9cb9c2fb1e34" -CertificateThumbprint "904BCD02E8C46BDDD149FCBD1AA118195330E806" -scopes "User.Read.All,Group.Read.All"
Tell me if this works and does not prompt for consent.
PS C:\Users\administrador.FTC365> Connect-MgGraph -TenantId "69" -AppId "4" -CertificateThumbprint "96" -scopes "User.Read.All,Group.Read.All"
Connect-MgGraph : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ CategoryInfo : InvalidArgument: (:) [Connect-MgGraph], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
Connect-MgGraph doesn't allow to combine the app, certificate and tenant with the scopes.
It should because that's the structure of the command I use in the script.
Tim
I am trying to get it done, should I run it this way:
Start-MultipleDistributionListMigration -globalCatalogServer dc.ftc365.local -activeDirectoryCredential $onpremcred -groupSMTPAddresses $groups -aadConnectServer DC.ftc365.local -aadConnectCredential $onpremcred -logFolderPath c:\multiple -exchangeOnlineCredential $cloudCredc -exchangeServer exc2016.ftc365.local -exchangeCredential $onpremcred -exchangeAuthenticationMethod Kerberos -enableHybridMailflow:$TRUE -dnNoSyncOU "OU=NoSync,DC=ftc365,DC=local" -overrideCentralizedMailTransportEnabled:$TRUE
Connect-MgGraph -TenantId "69" -AppId "4" -CertificateThumbprint "96" -scopes "User.Read.All,Group.Read.All"
No!
The connect-MGGraph command is just a test. It has nothing to do with the start-* command of the module.
The 403 means the permissions necessary have not been authorized. So you use connect-MGGraph with scopes and cert auth to ensure that the permissions are granted. I'm not sure why it's failing beyond that.
Tim
Do you have those permissions? "The 403 means the permissions necessary have not been authorized." You are right, I am trying to understand how does the tool call the permissions.
The tool does not call the permissions. The permissions are granted to the enterprise app by first connecting to graph and consenting.
Once the consent is done - then the script uses the same information (cert / tenant / etc) to handle it.
Tim
In addition to the permission assigned through the App directly, you must add the application to one of the administrative roles.
It was the step missing.
I do not recommend the global admin role, but it worked in my case.
I’ve not had to add any administrative roles for graph.
Tim
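Added example, not from the thread or from DLConversionV2: a check of what a certificate (app-only) Graph session actually holds, using Connect-MgGraph and Get-MgContext from the Microsoft Graph PowerShell SDK. It flags the two conditions seen above: a session whose ClientId is not the registered app, and application permissions that are missing from the token. The function name, the placeholder values and the default permission list (the two permissions named in the thread) are assumptions.

```powershell
# Added example; Test-GraphAppOnlyPermission is a hypothetical helper name.
function Test-GraphAppOnlyPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint,
        # Assumption: the permissions named in the thread; adjust to your needs.
        [string[]] $RequiredPermission = @('User.Read.All', 'Group.Read.All')
    )

    # Drop any earlier session (for example an interactive one opened with
    # -Scopes) so the context inspected below belongs to the certificate sign-in.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null

    # Certificate sign-in is app-only. -Scopes belongs to the delegated
    # (interactive) parameter set, so it is not passed here; app-only access
    # comes from application permissions consented on the app registration.
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
        -CertificateThumbprint $CertificateThumbprint | Out-Null

    $context = Get-MgContext
    if ($null -eq $context) {
        throw 'Connect-MgGraph returned no context.'
    }

    # In an app-only session, Scopes lists the application permissions
    # carried in the access token.
    $granted = @($context.Scopes)
    $missing = @($RequiredPermission | Where-Object { $_ -notin $granted })
    $extra   = @($granted | Where-Object { $_ -notin $RequiredPermission })

    $isAppOnly  = "$($context.AuthType)" -eq 'AppOnly'
    $isSameApp  = $context.ClientId -eq $ClientId

    if (-not $isSameApp) {
        Write-Warning "Session ClientId $($context.ClientId) is not the registered app $ClientId."
    }
    if ($missing.Count -gt 0) {
        Write-Warning "Missing application permissions: $($missing -join ', ')"
    }

    [pscustomobject]@{
        ClientId  = $context.ClientId
        AuthType  = "$($context.AuthType)"
        Granted   = $granted
        Missing   = $missing
        # Permissions beyond the required list, for a least-privilege review.
        Extra     = $extra
        Ready     = $isAppOnly -and $isSameApp -and ($missing.Count -eq 0)
    }
}

# Usage with constructed placeholder values:
# Test-GraphAppOnlyPermission -TenantId '<tenant-id>' -ClientId '<app-id>' `
#     -CertificateThumbprint '<thumbprint>' | Format-List
```

If `Missing` is not empty, the permissions have to be added as application permissions on the app registration and given admin consent before the certificate session can use them.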