1
votes

I have reviewed the documentation from Microsoft and a lot of examples, but for some reason connecting to a tenant using our admin privs will not connect:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=xxxxx.onmicrosoft.com -Credential $UserCredential -Authentication Basic -AllowRedirection

I have also tried substituting the domain name to outlook.office365.com as well

The error returned is:

New-PSSession : [ps.outlook.com] Processing data from remote server ps.outlook.com failed with the following error message: [AuthZRequestId=477bd052-617e-4e8c-aee9-dxxxxxxxx][FailureCategory=AuthZ-CmdletAccessDeniedException] The operation couldn't be performed because 'xxxxx.onmicrosoft.com\[email protected]' couldn't be found. For more information, see the about_Remote_Troubleshooting Help topic.

I have ensured that the delegated admin account is:

  • Global administrator
  • Administrative access to companies you support: Yes / Full admin

I have also tried to google that error; there is not a lot of information. This site, https://gcits.com/knowledge-base/, also has a ton of examples about this, but using those examples results in basically the same hang-up.

I can however connect and issue the "$customers = Get-MsolPartnerContract -All" and view all the tenants.

Any ideas?

** UPDATE ** code is below as per request. Thanks again!

$credential = Get-Credential
Connect-MsolService -Credential $credential
$customers = Get-MsolPartnerContract -All
Write-Host "Found $($customers.Count) customers for $((Get-MsolCompanyInformation).displayname)."

foreach ($customer in $customers) {

    Write-Host "Connecting to: $($customer.name)" -ForegroundColor Yellow
    # Look up the tenant's initial (*.onmicrosoft.com) domain for the DelegatedOrg parameter
    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial}

    # Open a delegated Exchange Online session against the customer tenant
    $DelegatedOrgURL = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    $EXODS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    Import-PSSession $EXODS -CommandName Get-CASMailbox, Set-CASMailbox, Get-CASMailboxPlan, Set-CASMailboxPlan
}

1
This looks like an authentication issue. Are you using the same credential object to log on to MSOL successfully? Are you creating it manually like in the TechNet example? If not, please post the code of how you create the credential object. The username string looks a bit fishy to me, tbh. - Paul
Hi Paul, I updated the post. Thx again. - Phil
Do you have MFA enabled on your account? I've had issues using delegated admin rights in combination with MFA (my workaround for this: use an app password instead of your regular password. Not sure if this still works, but it used to work one year ago). - bluuf
You could refer to this link: reddit.com/r/msp/comments/7rinyg/… - Simon Li
Yes, I have MFA enabled. So I created another user with MFA disabled and got the same result (ensured it had all the same permissions). I will try disabling MFA on all accounts and see what the result is. I have read through that link before as well, thus the creation of the account w/o MFA. - Phil

1 Answers

1
votes

I have discovered the solution

  • This does not work with MFA accounts
  • If you create a NEW account, you have to give it time before it works. I used the same delegated admin account a couple of days later and now it's working. I would have to assume that "something" takes time before permissions take effect.

Thanks everyone for their assistance.
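
Because a new delegated admin account can fail for a while before its permissions apply, it helps to record which tenants refuse the session and why, then re-run later. The following is an added example, not code from the question or the answer; the function names Get-ExoFailureCategory and Test-DelegatedExoAccess are hypothetical, and it reuses the cmdlets and connection URL from the question unchanged.

```powershell
# Added example: report per-tenant delegated-session status instead of stopping at the first error.
function Get-ExoFailureCategory {
    param([string]$Message)
    # Extract the FailureCategory token from an error in the format quoted in the question.
    if ($Message -match '\[FailureCategory=([^\]]+)\]') { return $Matches[1] }
    return 'Unknown'
}

function Test-DelegatedExoAccess {
    param([Parameter(Mandatory)] [pscredential]$Credential)

    Connect-MsolService -Credential $Credential
    foreach ($customer in (Get-MsolPartnerContract -All)) {
        $initial = Get-MsolDomain -TenantId $customer.TenantId | Where-Object { $_.IsInitial }
        $uri     = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $initial.Name
        $session = $null
        $status  = 'Connected'
        try {
            # -ErrorAction Stop turns the connection failure into a catchable exception.
            $session = New-PSSession -ConnectionUri $uri -Credential $Credential `
                -Authentication Basic -ConfigurationName Microsoft.Exchange `
                -AllowRedirection -ErrorAction Stop
        }
        catch {
            $status = Get-ExoFailureCategory -Message $_.Exception.Message
        }
        finally {
            # Always release the remote session so later tenants do not hit session limits.
            if ($session) { Remove-PSSession $session }
        }
        [pscustomobject]@{
            Customer = $customer.Name
            Domain   = $initial.Name
            Status   = $status
        }
    }
}

# Constructed sample message, shaped like the error in the question (values are placeholders):
$sample = '[AuthZRequestId=00000000-0000-0000-0000-000000000000]' +
          '[FailureCategory=AuthZ-CmdletAccessDeniedException] The operation could not be performed.'
Get-ExoFailureCategory -Message $sample

# Usage: list only the tenants that still refuse the delegated session.
# Test-DelegatedExoAccess -Credential (Get-Credential) | Where-Object Status -ne 'Connected'
```

Running it again a day or two after creating the account shows whether the failures clear on their own, as the answer describes; an MFA-enabled account will keep failing with this connection method.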