
Mail Activation doesn't work on Azure AD privileged account

Open sanjeev40084 opened this issue 4 years ago • 4 comments

My company is moving towards using Azure AD privileged accounts (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) and I found out the mailbox activation command doesn't work successfully if we use a privileged account. The script (Set-CrmUserMailbox) works successfully if a non-privileged account with (Exchange Admin or Global Admin) is used.

sanjeev40084, Jan 21 '22 15:01

@sanjeev40084 does this similar issue cover your scenario/situation? #454

seanmcne, Feb 03 '22 15:02

@seanmcne in that issue, I used a service principal, but the issue I am having is while using the actual account (privileged account with Exchange Admin role). Unfortunately for the work I am doing, I won't be able to use a service principal and have to use my actual account.

sanjeev40084, Feb 03 '22 15:02

Just to make sure I understand, you have an account w/ PIM enabled and once you JIT up to a privileged admin role to approve mailboxes your permission isn't recognized as you would expect? Are you able to approve in the web/interactively once your role is activated via PIM?

seanmcne, Feb 07 '22 14:02

Yes, that is correct. I was able to activate the mailbox by logging into the mailbox page through the UI. Not sure if it makes a difference, but my new account is a cloud-only account ([email protected]), meaning it doesn't sync from on-prem AD to cloud AD. I didn't have this issue when I used my other account with admin rights, which syncs from on-prem to Azure AD and didn't have PIM set up.

sanjeev40084, Feb 08 '22 16:02