One of the users in our tenant seemingly can't update the sharing permissions for their calendar. Both Outlook and OWA has some uninformative error message. I moved on to powershell...
In Powershell I ran
Add-MailboxFolderPermission -Identity a#domain.no:\Kalender -User b#domain.no -AccessRights Reviewer
, but got the error
Your request can't be completed. Du har ikke tillatelse til å dele denne kalenderen.
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidRequestException
+ FullyQualifiedErrorId : [Server=AM7P191MB0932,RequestId=7ba70b47-f1f7-4cf2-9e2e-2a7dd115da24,TimeStamp=10.02.2021 09:55:50] [FailureCategory=Cmdlet-InvalidRequestException] B4D39019,M
icrosoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
+ PSComputerName : outlook.office365.com
I don't know why only part of the error is in Norwegian, but let me translate:
Your request can't be completed. You dont have permission to share this calendar.
Any ideas?
I managed to grant Reviewer permissions. I followed this reddit thread. A user had indeed added his own calendar to the 'Shared Calendars' section in Outlook. So I removed his calendar and I was able to set the permissions to Reviewer accordingly.
Ok, so I created a support ticket with MS.
They told me to run: outlook.exe /resetnavpane on the users computer.
After I ran it I was able to share the calendar as expected. I don't know why, but it worked.
Related
As part of a clean up task, I'm looking for a way to programmatically purge deleted AAD accounts from the User Profile Manager in Sharepoint Online.
I was using the Sharepoint Powershell module (Microsoft.Online.SharePoint.PowerShell) to manually do it, using the Remove-SPOUserProfile commandlet, which worked perfectly if I was using it in an interactive session. But as soon as I tried implementing my script into Azure Automation I found that particular module falls back to Basic Authentication when using a PSCredential object in the Connect-SPOService statement. And Basic Auth is blocked at my Organisation (I can't see them allowing it just for me!)
I found the PnP Module (PnP.PowerShell), which does allow authentication via stored credentials. But it doesn't have an equivalent User Profile Remove cmdlet.
Finally, I tried resorting to pure REST API, and while I can get an existing user profile, I can't get a profile for an account that has been deleted (marked as 'Profiles Missing from Import' in the SPO ProfMngr.aspx page). This is because the SP.UserProfiles.PeopleManager/GetPropertiesFor(accountName=#v) API needs to have an exact match (eg i:0#.f|membership|vardhaman#siteurl.onmicrosoft.com), and when an AAD account is deleted the profile username gets DELETED-<GUID> appended to it.
So my questions are:
Am I right or wrong about the sharepoint module and stored creds? (IE, so the module can be used from Azure Automation with a service principal or service account)
Am I right or wrong about the PnP module and it is missing the similar Remove-SPOUserProfile?
With the REST API, how do you search for profiles, especially profiles "missing from import"?
Is there some way to predict what the DELETED-<GUID> will be for a given user? Because I was able to get a user profile if I looked up the full deleted name and supply that to my REST call.
The official documentation on this is light - the old traditional sharepoint APIs aren't being developed any more, in favour of MS Graph, but the Graph Documentation doesn't seem to cover my particular use case.
Any pointers appreciated
Update 1
Thanks #Michael Han_MSFT.
I was using a pre-release/nightly build (0.3.32) but looking at Release documentation so didn't realise remove profile was in there.
I'm still getting problems though:
Connect-PnPOnline `
-url "https://<tenantname>.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
# $guest1 = Guest account's email address
$azureEmail = ($guest1 -replace "#", "_") + "#ext##<tenantname>.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile : The remote server returned an error: (401) Unauthorized.
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Remove-PnPUserProfile], WebException
+ FullyQualifiedErrorId : System.Net.WebException,PnP.PowerShell.Commands.UserProfiles.RemoveUserProf
ile
So I tweaked the URL:
Connect-PnPOnline `
-url "https://<tenantname>-admin.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
$azureEmail = ($guest1 -replace "#", "_") + "#ext##azurediagovt.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile :
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Remove-PnPUserProfile], HttpRequestException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.RemoveUserProfile
So you can see if I go to <tenantname> I get a 401, but if I go to <tenantname>-name the response is simply blank.
I was certain I had given my App the right permissions (Is there some way to review what permissions have been assigned?)
In AppInv.aspx I think had this permissions code (I was following a couple of blogs):
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/Tenant" Right="FullControl"/>
<AppPermissionRequest Scope="http://sharepoint/social/Tenant" Right="FullControl"/>
</AppPermissionRequests>
As a further test, I tried the PnP version of what I was doing in REST (Get-PnpUserProfileProperty) and got
Get-PnPUserProfileProperty : Current user is not a tenant administrator.
At line:1 char:1
+ Get-PnPUserProfileProperty -Connection $pnpctx -Account "scottdu#data ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Get-PnPUserProfileProperty], ServerException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.GetUserProfileProperty
Which is strange, because REST would give me a results.d response.
At this stage, I could look at making the App Id a Sharepoint Service Admin (I already have approval to allow Azure Automation to have whatever rights it needs to solve this).
(Update 1a: Made no difference, unless there is a delay between assigning the role and the permissions taking affect).
AAD registered app can be used to connect PnpOnline and delete user profile. Please see my below steps:
(Main refer article: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread)
Step1:Registering an Azure AD application in the Azure Active Directory tenant that is linked to your Office 365 tenant and grant permission
Use admin account to access https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps. Click “New registration” and create a name of your app.
Go to “API permissions” and click on the "Add a permission" button and grant SharePoint API permission.
Select needed permissions.
Admin need to consent for those permissions, after that in status column will show green.
Step2: Create a self signed certificate and connect with app
Go to this link(https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#setting-up-an-azure-ad-app-for-app-only-access), copy the scripts and save as “Create-SelfSignedCertificate.ps1”.
Run below command with PowerShell. You will be asked to give a password to encrypt your private key, and both the .PFX file and .CER file will be exported to the current folder.
.\Create-SelfSignedCertificate.ps1 -CommonName "YourCompanyName"
-StartDate 2020-1-09 -EndDate 2022-10-01
Go to AAD app, click on "Certificates & secrets" in the left menu bar. Click on the "Upload certificate" button, select the .CER file you generated and upload it.
Step3: Connect pnp online and perform delete profile
$ Connect-PnPOnline -ClientId <$application client id as copied over
from the AAD app registration above> -CertificatePath '<$path to the
PFX file generated by the PowerShell script above>'
-CertificatePassword (ConvertTo-SecureString -AsPlainText "<$password assigned to the generated certificate pair above>" -Force) -Url
https://<$yourtenant>.sharepoint.com -Tenant
"<$tenantname>.onmicrosoft.com"
$Remove-PnPUserProfile -LoginName $UPN
For REST api way, I found this article noted REST for delete user profile is not implemented.
(https://learn.microsoft.com/en-us/sharepoint/dev/general-development/work-with-user-profiles-in-sharepoint)
You could try the command : Remove-PnPUserProfile
https://pnp.github.io/powershell/cmdlets/Remove-PnPUserProfile.html
You should install the prerelease version of PnP.PowerShell:
https://www.powershellgallery.com/packages/PnP.PowerShell/0.3.8-nightly
Update:
You could try to use tenant administrator account to connect the sharepoint admin site, then run the command Remove-PnPUserProfile. This works for me:
I've been trying to solve this problem for days and at least narrowed it down. I'm writing a script for my company with a user interface that allows my colleagues to easily create a new Active Directory user based on a template user, create a new mailbox and add Calendar permissions to their Manager.
Everything is working except for adding the Calendar permissions.
We are running two Exchange Servers, let's call them Exchange1 and Exchange2. Enabling the mailbox based on the AD user works fine but when I get to the step of adding calendar permissions I get this error:
The mailbox /o=COMPANY/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE2/cn=Microsoft System
Attendant kann nicht geöffnet werden.
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], MailboxUnavailableException
+ FullyQualifiedErrorId : [Server=EXCHANGE1,RequestId=4f818454-7ffc-4fd9-b57d-594bedd7fab6,TimeStamp=15.10.2020 14:11:32] [FailureCategory=Cmd
let-MailboxUnavailableException] 676ABDB0,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
+ PSComputerName : EXCHANGE1
The command I'm trying to run:
Enable-Mailbox -Identity $ADUser
$EmailCalendar = $Email + ":\Calendar"
Add-MailboxFolderPermission -Identity $EmailCalendar -User $Manager -AccessRights Editor
I'm really new to using Powershell administrating Exchange servers, so I'm kind of at my troubleshooting end. It doesn't matter if I connect to EXCHANGE1 or EXCHANGE2, the error message stays the same and I'm having trouble understand why the mailbox is unavailable.
Any help is appreciate:)
Here's the problem:
When I run my PowerShell script manually, everything works fine. But it doesn't work via task scheduling.
The reason is probably my stored credentials for Active Directory and Mobile Device Management.I stored them with "Export-Clixml" but the xml files cant be read when i open the script with task scheduler. Without it works perfect.
The task scheduler is executed with the same user who saved the credentials in the XML before.
I hope you understand what I mean.
Edit 1:
I've tried the Solution from "Bender the Greatest".
Unfortunately it still doesn't work. I exported my credentials with "Export-Clixml" and import them with "Import-Clixml".
It doesn't matter if I generate them manually via my admin account or via the system account (with psexec). If I then execute it via the corresponding account with which the credentials were generated, it still doesn't work.
But it seems to find the credentials (I saw that in the log). But The import doesn't seem to work.
If I manually include the credentials in the script it works fine, but I would have liked to store them encrypted.
[Lizenzauswertung] Überprüfe Zugangsdaten
[Lizenzauswertung] MDM Zugangsdaten gefunden - Credentials found
[Lizenzauswertung] MDM AccessToken gefunden - Credentials found
[Lizenzauswertung] AD Zugangsdaten gefunden - Credentials found
Here im trying to decrypt the Password from the XML File:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 Zeichen:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:171 Zeichen:1
+ $PSCPW = $CredsMDM.GetNetworkCredential().Password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
This is a replacement for the username to have the right spelling for a webrequest:
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 Zeichen:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
It is not possible to call a method for an expression that has NULL.(Translated)
In C:\Scripts\ADAuswertung\AD_Auswertung_GKZ.ps1:172 Zeichen:1
+ $RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Here you can see the errors that occur when importing the MDM credentials. The reason for the errors is described above. I edit the credentials after importing them before they are passed to the script.
The MDM Access Token is not encrypted and can be read.
The AD credentials are not processed beforehand, but passed directly to the AD commands. Therefore, no error is displayed here. Since it does not finish the AD report, which I saw in the log, these are not imported either.
Here is a little Codesnippet of the Import/Export. Just got the code here for the MDM credentials. The other queries are the same.
If (Test-Path $CredentialsMDM){
$CredsMDM = Import-Clixml -Path $CredentialsMDM
Write-Host "[Lizenzauswertung] MDM Zugangsdaten gefunden" -ForegroundColor Green
} else {
Write-Host "[Lizenzauswertung] MDM Zugangsdaten nicht gefunden" -ForegroundColor Yellow
Get-Credential -Message "Zugangsdaten für MDM / Airwatch" | export-clixml -path $CredentialsMDM
$CredsMDM = Import-Clixml -Path $CredentialsMDM
}
Write-Host "[Lizenzauswertung] Zugangsdaten überprüft" -ForegroundColor Green
$PSCUser = $CredsMDM.UserName
$PSCPW = $CredsMDM.GetNetworkCredential().Password
$RPSCUser = $PSCUser.Replace("INTRA","intra.lan")
$AccessToken = $CredsMDMAT.accesstoken
$Auth = $CredsAD
(I am sorry for the spaghetti code.)
You need to provide the error you're getting but I'm going to take a shot in the dark here. I'm guessing you're either exporting secretAD.xml as one user and running your script as another user from Task Scheduler, or exporting secretAD.xml on another computer/server. By default, credentials are able to be decrypted only by the user that built it on that specific server. This is how Windows' Data Protection API (DPAPI) works.
The easy way to fix this is to generate secretAD.xml as the user you intend to run the script as. You can specify your own key for decryption, which can be used by any user on any box, but you will need to figure out a method of secure delivery of the decryption key to the runtime. If you want/need to run the script as NT Authority\SYSTEM, I recommend using psexec to open an interactive SYSTEM Powershell session, generate the credential, and then use Export-CliXml to serialize the credential to secretAD.xml.
Note that the default DPAPI key gets changed when an account password is rotated, so you'll need to remember to rebuild the credential when that happens.
I've found the solution to my problem.
The reason was that the path to the credentials was ".\secretMDM.xml".
The task scheduler executes the script at a different location.
Therefore I had to specify the whole path of the file.
Thanks for the help anyway.
Edit:
Out of interest I created the "Credential" - XML files with the Task Scheduler. Have a look where it stores the files ;)
I want to set an user mailbox to a shared mailbox with the command below:
Set-Mailbox user#domain.com -Type shared
I'm getting this error message back (Sorry for bad format):
The operation couldn't be performed because object 'user#domain.com' couldn't be found on
'server-vm-02.domain.com'.
+ CategoryInfo : NotSpecified: (:) [Set-Mailbox], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=SERVER-VM-37,RequestId=1f445bc7-6d4c-4443-a0b3-8a0617d8e83a,TimeStamp=22.05.201
12:11:51] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 96F1E1EA,Microsoft.Exchange.Management.Recip
ientTasks.SetMailbox
+ PSComputerName : server-vm-37.domain.com
I've tried it when the user is enabled and disabled in AD.
In the Portal Admin Center the Account is blocked, but in my oppinion it doesn't matter.
And yes I typed the address correctly, I typed instead of the address the name as well as the username, nothing worked.
Before doing a Set-Mailbox try a Get-Mailbox. Are you sure there is a mailbox under this UPN ? Are you on the Exchange Server or on your computer when you run this cmdlet ?
I'm using PowerShell commandlets to extract MailboxFolderPermissions.
I'm using Get-MailboxfolderStatistics to get list of folders for particular mailbox and then Get-MailboxfolderPermission to get permissions for all available folders.
All is working fine for mailboxes hosted locally on Exchange server I'm connected to.
But in the same domain there is another Exchange server and mailboxes hosted on it are also listed when invoking Get-Mailbox on the first one.
When I try to run Get-MailboxfolderStatistics or Get-MailboxfolderPermission for such "remote" mailbox I'm getting en error:
For Get-MailboxFolderStatistics cmdlet:
Unable to retrieve mailbox folder statistics for mailbox xxxxxxx#xxxxxx.local. Failure: Error code -2146233088 occurred with message Cannot open mailbox /o=xxxxxxxx/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH2013/cn=Microsoft System Attendant..
+ CategoryInfo: ReadError: (:) [Get-MailboxFolderStatistics],MailboxFolderStatisticsException
+ FullyQualifiedErrorId : BE037E6,Microsoft.Exchange.Management.Tasks.GetMailboxFolderStatistics
+ PSComputerName: xxxxxxxxxxx
For Get-MailboxFolderPermission cmdlet:
Cannot open mailbox /o=xxxxxxxx/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH2013/cn=Microsoft System Attendant.
+ CategoryInfo: NotSpecified: (0:Int32) [Get-MailboxFolderPermission], ConnectionFailedTransientException
+ FullyQualifiedErrorId : A44BD817,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission
+ PSComputerName: xxxxxxxxxxx
Does anyone know what could the cause of above errors?
Is it possible to list permissions for remote mailbox folders?
Any help is really appreciated.
connect remote exchange server via ps session https://technet.microsoft.com/en-us/library/dd335083(v=exchg.160).aspx