1️⃣ Access Token Requirements
Your access token must:
- Be for resource: https://outlook.office365.com/.default
- Include scope (application permission): Exchange.ManageAsApp
- Be an application token, not a DELEGATED token (not supported): Exchange Online rejects delegated user tokens
Exact Click Path (Step by Step)
- Azure Portal → Entra ID
- App registrations
- Select your app
- API permissions
- Add a permission
- Click APIs my organization uses
- ✅ Select Office 365 Exchange Online
- Select Application permissions
- Exchange.ManageAsApp
- Click Add permissions
- Click ✅ Grant admin consent
Assign the Correct Directory Role
🔹 Azure Portal (Recommended)
- Go to Entra ID
- Roles and administrators
- Search for: Exchange Administrator
- Open it → Add assignments
- Select: ✅ Your application (722a0d98-ab03-459b-b167-a27717d721b1)
- Click Add
✅ Done
⏳ Role propagation can take 2–5 minutes
🔹 PowerShell (Microsoft Graph SDK)
# Requires the Microsoft.Graph module and a session with a role-management scope
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$AppId = "<AppId>"
# Built-in roles are only listed once activated in the tenant
$Role = Get-MgDirectoryRole | Where-Object DisplayName -eq "Exchange Administrator"
if (-not $Role) { throw "Exchange Administrator role is not activated in this tenant" }
# The role is assigned to the app's service principal, not the app registration
$Sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
New-MgDirectoryRoleMemberByRef `
    -DirectoryRoleId $Role.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($Sp.Id)" }
2️⃣ Connect to EXO Using an Existing Access Token
✅ Basic Syntax
Connect-ExchangeOnline `
-AccessToken $AccessToken `
-Organization "<tenant.onmicrosoft.com>"
3️⃣ Example: Acquire Token Using MSAL (Client ID + Secret)
If you don’t already have the token, here’s a full working example.
Get Access Token
# MSAL.PS is a community module; install it once, not on every run
Install-Module MSAL.PS -Force
$TenantId = "<TENANT-ID>"
$ClientId = "<APP-ID>"
# Get-MsalToken expects the secret as a SecureString; keep the real value in a vault or pipeline secret
$ClientSecret = "<CLIENT-SECRET>" | ConvertTo-SecureString -AsPlainText -Force
# Client-credentials flow; the scope names the Exchange Online resource, not Graph
$Token = Get-MsalToken `
    -ClientId $ClientId `
    -TenantId $TenantId `
    -ClientSecret $ClientSecret `
    -Scopes "https://outlook.office365.com/.default"
$AccessToken = $Token.AccessToken
# The module does not renew a token you pass in; reconnect with a fresh token once it expires
Connect-ExchangeOnline `
    -AccessToken $AccessToken `
    -Organization "$TenantId"
1️⃣ Wrong access-token audience (MOST COMMON)
Exchange Online does NOT accept Graph tokens.
✅ Token MUST be issued for:
https://outlook.office365.com/.default
❌ This will fail: https://graph.microsoft.com/.default
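A local pre-flight check, added here as an example (not code from the original post): it decodes the JWT payload and reports the three requirements from section 1, the audience, an app-only roles claim rather than a delegated scp claim, and expiry, so the wrong-audience case above is caught before Connect-ExchangeOnline is called. The expected aud value https://outlook.office365.com is assumed from the resource named above, and the function name Test-ExoAppToken is hypothetical.

```powershell
function Test-ExoAppToken {
    param([Parameter(Mandatory)][string]$AccessToken)

    # A JWT is header.payload.signature; only the payload is read here.
    # The signature is NOT verified: this is a sanity check, not token validation.
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw "Value is not a JWT (expected three dot-separated parts)." }

    # Base64url -> Base64: swap URL-safe characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json

    $problems = @()

    # Audience must be the Exchange Online resource (assumed value), not Microsoft Graph
    if (([string]$claims.aud).TrimEnd('/') -ne 'https://outlook.office365.com') {
        $problems += "aud is '$($claims.aud)'; expected 'https://outlook.office365.com'"
    }

    # App-only tokens carry 'roles'; delegated tokens carry 'scp', which EXO rejects
    if ($claims.PSObject.Properties.Name -contains 'scp') {
        $problems += "token has an 'scp' claim, so it is a delegated (user) token"
    }
    if (-not (@($claims.roles) -contains 'Exchange.ManageAsApp')) {
        $problems += "roles does not include Exchange.ManageAsApp (current: $(@($claims.roles) -join ', '))"
    }

    # 'exp' is seconds since the Unix epoch; an externally supplied token is not renewed by the module
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    if ($expires -le [DateTime]::UtcNow) { $problems += "token expired at $expires UTC" }

    [pscustomobject]@{
        Audience   = $claims.aud
        Roles      = $claims.roles
        TenantId   = $claims.tid
        ExpiresUtc = $expires
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: run after acquiring $AccessToken (section 3) and before Connect-ExchangeOnline
# Test-ExoAppToken -AccessToken $AccessToken
```

If Ready is false, the Problems list names which of the three requirements the token misses.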
When to Use AccessToken Auth
✅ Best for:
- Azure Automation
- CI/CD pipelines
- Managed Identity
- Custom auth flows