Incorrect permissions
I've created a runbook in Azure Automation that runs a few commands including the following:
Add-MailboxPermission -Identity $shared_mailbox -User $mailbox_user -AccessRights FullAccess -Confirm:$false
Write-Output "Granting full access permission..."
Add-RecipientPermission -Identity $shared_mailbox -Trustee $mailbox_user -AccessRights SendAs -Confirm:$false
Write-Output "Granting full send permission..."
However when running the Add-RecipientPermission Cmdlet it throws the following error.
|Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:xxxx.prod.exchangelabs.com doesn't have write permission to target DC:xxxx.PROD.OUTLOOK.COM. Usually it indicates that target forest isn't an account partition of source forest. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152E13, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
I've given it Exchange Admin permissions to the service account which is why add-mailbox permission works, but unsure why the second command does not work
Answer (updated 28th May 2025)
Thank you @Rukmini, your answer did help but I think I had to do something slightly differently. It has been almost one year now.
These are the API permissions I gave - Image for API permissions for azure/entra app
Then I used a certificate for authentication to be used in the azure runbook. Certificate image
Then I uploaded the certificate to the azure runbook and imported it like this
# Import the ExchangeOnlineManagement module
Import-Module ExchangeOnlineManagement
# Retrieve the certificate from Azure Automation
$automationCertificate = Get-AutomationCertificate -Name 'Portal-Automation'
# Connect to Exchange Online using the certificate and Tenant ID
Connect-ExchangeOnline -CertificateThumbprint 'cert-thumbprint' -AppId "app-id" -Organization "yourorg.onmicrosoft.com"
At this point I was able to get it to work, I think I've missed some steps. Basically the use case was calling this runbook from a power automate workflow to automate exchange admin tasks.
I created an Azure AD Application and granted API permissions like below:
Now I created the Service Principal using below commands:
Connect-AzureAD
Connect-ExchangeOnline
$app = Get-AzureADApplication -SearchString 'TestExchangeApp'
$sp = Get-AzureADServicePrincipal -SearchString $app.DisplayName
$sp1 = New-ServicePrincipal -AppId $app.AppId -ServiceId $sp.ObjectId -DisplayName "Exchange Service Principal for $($app.DisplayName)"
Now, Add-MailboxPermission and Add-RecipientPermission commands worked successfully like below:
Add-MailboxPermission -Identity "user1@xxxx.onmicrosoft.com" -User $sp1.ServiceId -AccessRights FullAccess
Add-RecipientPermission -Identity "user1@xxx.onmicrosoft.com" -Trustee "user@xxx.onmicrosoft.com" -AccessRights SendAs
If you want to assign permission to the Service Account, check the below:
You can check what Exchange Command needs which permissions:
Get-ManagementRole -Cmdlet Add-RecipientPermission
Get-ManagementRoleAssignment -Role "Mail Recipients" -Delegating $false | Format-Table -Auto Role,RoleAssigneeType,RoleAssigneeName
Hence to resolve the error, assign Recipient Management/Organization Management role to the user like below:
Reference:
- How to get PublisherId, OfferId , PlanId of AI foundry model?
- How to run yaml file from Azure cloud shell
- query_parameters with web queries
- Issue with azure web app runtime stack .NET 6
- Azure Maps Forward Geocoding and Route Matrix API - billing and cost perspective
- How to get a list of available vm sizes in an azure location
- SSL Verification failed while sending data via MQTT to x509 authenticated device in azure iot-hub
- Azure Container Apps Jobs with Event Hubs integration is looping endlessly, even though there is no new events
- In Service Fabric, can I alter the Arguments in the ServiceManifest.xml file using Application Parameters?
- use azurerm_virtual_machine with trusted_launch
- Which IPs to allow in Azure for Github Actions?
- How to get last login date & time for the logged in user in azure ad?
- Azure Policy - restrict creation of Front Door to Standard SKU Only
- Set-AzVirtualNetwork does not attach Nat Gateway to a subnet in Azure
- Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."
- No such host is known - Mass Transit - Azure Service Bus
- Set default app pool recycling via command line
- Azure : How to create a event based trigger from SFTP server?
- Create a new cluster in Databricks using databricks-cli
- Accessing MS 365 content dynamically from a Python script
- Azure LogicApp reading messages from storage queue but not processing
- Azure python sdk resourcegraph no skip_token
- How can I copy the TXT record into the DNS configuration in portal azure?
- Getting the user's AcccountEnabled property true/false instead of NULL
- How to read my outlook mail using java and oauth2.0 with application regsitration in Azure AD
- Playwright driver not found error in Azure Function (Azure Portal - Flex consumption plan)
- Microsoft Azure App Gateway Returning 499/504 Erorr
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Azure Functions Service Bus Triggered not working
- Allow a custom content-type in Azure Front Door WAF without bypassing rules