powershellazureexchangewebservicesazure-active-directory

Modify Users via Exchange Online REST Api

I'm trying to make a PowerShell script that can modify Exchange Online users via Exchange Online REST API. I need to set Title, City, Department and Manager fields via the API. According to exchange online documentation a contact object has all required fields that I'd like to set. However it looks like the API does not allow me to do changes on user lever. That's a bit confusing.

If I try to access Users endpoint I got error:

Invoke-RestMethod : {"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}

However I set all permission for the application in Azure Active Directory.

Here is script that I use:

Add-Type -Path ".\Microsoft.IdentityModel.Clients.ActiveDirectory.dll";
 
$clientId = "<<Application Client ID>>";
$certFileFullName = "<<Path to certificate file>>";
$certFilePassword = "<<Password to certificate file>>";
$tenantId = "<<Tenant ID>>";
 
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext("https://login.windows.net/$tenantId/oauth2/authorize", $false);
 
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($certFileFullName, $certFilePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet);
$clientAssertionCertificate = new-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate($clientId, $cert);
 
$authenticationResult = $authContext.AcquireToken("https://outlook.office365.com", $clientAssertionCertificate);
    
$token = $authenticationResult.AccessToken;
 
$headers = @{ 
    "Authorization" = ("Bearer {0}" -f $token);
    "User-Agent" = "SyncTool/0.1PowerShell";
    "client-request-id" = [System.Guid]::NewGuid().ToString();
    "Date" = Get-Date -Format r;
    "Accept" = "application/json";
}
 
Invoke-RestMethod -Method Get -Uri "https://outlook.office365.com/api/v1.0/Users" -Headers $headers;

Did someone do that via Exchange Online REST API? Is it even possible?

How should I develop a daemon application that uses App-Only AAD authentication to manager Exchange Online users?

-Dmitry

Solution

  • Here's the way to attack this problem the easy method, using the PowerShell module. Since you already have access to a great and fully featured PowerShell tool, there's really no reason to do this by hand with a REST API, in my experience.

    Using the MSONline Module

    We can do everything you need to do except set the manager by using this module

    Setting the manager attribute

    It turns out the manager attribute isn't accessible from this module. No idea why that's the case though. I'm working on a solution for this piece for you, and will update this answer when I've got it finished.

    When there's no road, make your own

    Integrating some wonderful tips found on this blog post http://goodworkaround.com/node/73 by Marius Solbakken Mellum, we had the basis to connect to Azure AD. Next, using the wonderful API provided in the Azure AD Graph DLL (you can get it using the nuget command of '.\nuget.exe install Microsoft.IdentityModel.Clients.ActiveDirectory' and the Azure AD Rest API Reference guide, this set of functions was built.

    This tool contains a number of worker functions, such as Get-MSOLGraphUser and Get-MsSOLGraphUserManager. They are primarily designed to be used by the Set-MSOLGraphUserManager cmdlet itself, but you can feel free to modify and use them to your hearts content.

    New versions of this project will live in GitHub at this url

    Example : 

    Set-MSOLGraphUserManager -targetUser Test -targetManager Stephen
>Successfully found user to modify PSTest
>Successfully looked up manager Stephen Owen
>Updating the manager
>Verifying manager now set for PSTest
>Getting user manager
>PSTest's manager is now Stephen Owen