Azure Functions PowerShell Permissions Error

Christopher Travis 0 Reputation points
2024-07-16T16:28:56.6966667+00:00

Hello, I am receiving the following error when trying to use the remove-distributiongroupmember cmdlet in Azure Functions using Managed Identity. I am able to use the same MI to do other Exchange Online module cmdlets such as "set-mailbox" and I receive no errors. But this issue has persisted for several days and I am not sure what the issue could be. I do have the Exchange Administrator access added to this MI and everything has been set up as MS showed in their documents. If anyone could help, that would be wonderful. Thank you.

2024-07-16T16:24:08.584 [Error] ERROR: |Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:SN6PR11MB3359.namprd11.prod.outlook.com doesn't have write permission to target DC:. Usually it indicates that target forest isn't an account partition of source forest. The user has insufficient access rights.
Exception             :
    Type    : System.Exception
    Message : |Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:SN6PR11MB3359.namprd11.prod.outlook.com doesn't have write permission to target DC:. Usually it indicates that target forest isn't an account partition of source forest. The user has insufficient access rights.
    Data    : System.Collections.ListDictionaryInternal
    HResult : -2146233088
CategoryInfo          : NotSpecified: (:) [Remove-DistributionGroupMember], Exception
FullyQualifiedErrorId : [],Write-ErrorMessage
InvocationInfo        :
    MyCommand        : Write-ErrorMessage
    ScriptLineNumber : 1204
    OffsetInLine     : 13
    HistoryId        : 1
    ScriptName       : C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1
    Line             : Write-ErrorMessage $ErrorObject
    Statement        : Write-ErrorMessage $ErrorObject
    PositionMessage  : At C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1:1204 char:13
                       +             Write-ErrorMessage $ErrorObject
                       +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    PSScriptRoot     : C:\local\Temp\tmpEXO_jxhi1j0x.wgc
    PSCommandPath    : C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1
    InvocationName   : Write-ErrorMessage
    CommandOrigin    : Internal
ScriptStackTrace      : at Write-ErrorMessage<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 550
                        at CheckRetryAndHandleWaitTime<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 1204
                        at Execute-Command<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 1558
                        at script:Remove-DistributionGroupMember<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 33916
                        at <ScriptBlock>, C:\home\site\wwwroot\ExchangePowershellTrigger\run.ps1: line 22
PipelineIterationInfo :
    0
    1

Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException : Result: ERROR: |Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:SN6PR11MB3359.namprd11.prod.outlook.com doesn't have write permission to target DC:. Usually it indicates that target forest isn't an account partition of source forest. The user has insufficient access rights.
Exception             :
    Type    : System.Exception
    Message : |Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:SN6PR11MB3359.namprd11.prod.outlook.com doesn't have write permission to target DC:. Usually it indicates that target forest isn't an account partition of source forest. The user has insufficient access rights.
    Data    : System.Collections.ListDictionaryInternal
    HResult : -2146233088
CategoryInfo          : NotSpecified: (:) [Remove-DistributionGroupMember], Exception
FullyQualifiedErrorId : [],Write-ErrorMessage
InvocationInfo        :
    MyCommand        : Write-ErrorMessage
    ScriptLineNumber : 1204
    OffsetInLine     : 13
    HistoryId        : 1
    ScriptName       : C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1
    Line             : Write-ErrorMessage $ErrorObject
    Statement        : Write-ErrorMessage $ErrorObject
    PositionMessage  : At C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1:1204 char:13
                       +             Write-ErrorMessage $ErrorObject
                       +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    PSScriptRoot     : C:\local\Temp\tmpEXO_jxhi1j0x.wgc
    PSCommandPath    : C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1
    InvocationName   : Write-ErrorMessage
    CommandOrigin    : Internal
ScriptStackTrace      : at Write-ErrorMessage<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 550
                        at CheckRetryAndHandleWaitTime<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 1204
                        at Execute-Command<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 1558
                        at script:Remove-DistributionGroupMember<Process>, C:\local\Temp\tmpEXO_jxhi1j0x.wgc\tmpEXO_jxhi1j0x.wgc.psm1: line 33916
                        at <ScriptBlock>, C:\home\site\wwwroot\ExchangePowershellTrigger\run.ps1: line 22
PipelineIterationInfo :
    0
    1

Exception: |Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:SN6PR11MB3359.namprd11.prod.outlook.com doesn't have write permission to target DC:. Usually it indicates that target forest isn't an account partition of source forest. The user has insufficient access rights.
Stack:


1 answer

  1. Pinaki Ghatak 3,905 Reputation points Microsoft Employee
    2024-07-17T10:10:02.7266667+00:00

    Hello @Christopher Travis

    The error message indicates that the source server doesn't have write permission to the target DC, which usually indicates that the target forest isn't an account partition of the source forest, and the user has insufficient access rights.

    Based on the error message, it seems like the MI you are using doesn't have the necessary permissions to perform the remove-distributiongroupmember cmdlet.

    You mentioned that you have Exchange Administrator access added to this MI, but it's possible that the MI doesn't have the necessary permissions to perform this specific cmdlet.

    I would recommend checking the permissions of the MI and ensuring that it has the necessary permissions to perform the remove-distributiongroupmember cmdlet.

    You may also want to check the Exchange Online module documentation to see if there are any specific permissions required for this cmdlet.
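
One way to carry out the permission check the answer recommends, as an added example that is not part of the original thread and not Microsoft's own code. It connects as the managed identity and reports whether the cmdlet is exposed to it, which management roles contain the cmdlet, and how the target group is mastered and managed; the tenant domain and group address are placeholders.

```powershell
# Added example (not from the thread). Placeholders: tenant domain and group address.
param(
    [string]$Organization  = 'contoso.onmicrosoft.com',   # placeholder tenant domain
    [string]$GroupIdentity = 'example-dl@contoso.com',    # placeholder distribution group
    [string]$CmdletName    = 'Remove-DistributionGroupMember'
)

# Connect as the Function App's managed identity, as the question does.
Connect-ExchangeOnline -ManagedIdentity -Organization $Organization -ShowBanner:$false

# 1. Exchange Online only exposes cmdlets that RBAC grants to the caller,
#    so a missing command means the identity holds no role containing it.
$exposed = [bool](Get-Command -Name $CmdletName -ErrorAction SilentlyContinue)

# 2. Management roles that contain the cmdlet, and who each one is assigned to.
#    Compare RoleAssigneeName with the role groups the identity belongs to.
$assignments = foreach ($role in Get-ManagementRole -Cmdlet $CmdletName) {
    Get-ManagementRoleAssignment -Role $role.Name -Delegating $false |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType
}

# 3. Properties of the target group that matter for a membership write:
#    whether it is synced from on-premises and who its managers are.
$group = Get-DistributionGroup -Identity $GroupIdentity |
    Select-Object Name, RecipientTypeDetails, IsDirSynced, ManagedBy

# Emit one summary so the result shows up in the function's log stream.
[pscustomobject]@{
    Cmdlet          = $CmdletName
    CmdletExposed   = $exposed
    RolesWithCmdlet = ($assignments.Role | Sort-Object -Unique) -join ', '
    RoleAssignees   = ($assignments.RoleAssigneeName | Sort-Object -Unique) -join ', '
    GroupType       = $group.RecipientTypeDetails
    IsDirSynced     = $group.IsDirSynced
    ManagedBy       = $group.ManagedBy -join ', '
} | Format-List | Out-String | Write-Host

Disconnect-ExchangeOnline -Confirm:$false
```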

