Exchange-online run PS script Set-UnifiedGroup from application


I need to run a script using PowerShell which modifies the domain for an AAD email group: Set-UnifiedGroup

I managed to achieve it from the console after granting the Exchange Administrator role. But I need to use this script in the application, and MFA is required for the Exchange Administrator role. I was thinking about registering the application and logging in to PS using a secret, but I don't really know what type of application permissions I need to give to be able to change the domain of the AAD group email address. And is it feasible this way?

Regards.


There are 1 answers

Rukmini On

Create an Azure AD application and grant API permission like below:


Upload the .cer certificate in Certificates and secrets blade:


Make sure the .pfx certificate is stored in the local machine where you are executing the script:


Now assign Exchange Administrator role to the Azure AD service principal:


Now connect to Exchange Online using app-only authentication:

$tenantID = 'xxx.onmicrosoft.com'
$appID = 'ClientID'
$CertificateFilePath = 'PFXpath'
$pfxPassword = 'Password'

## Connect to Exchange Online
Connect-ExchangeOnline -CertificateFilePath $CertificateFilePath `
-CertificatePassword (ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force) `
-AppID $appID `
-Organization $tenantID


As a sample, I set HiddenFromExchangeClientsEnabled to true without any prompt:

Get-UnifiedGroup -Identity testrukk

Set-UnifiedGroup -identity "ID" -HiddenFromExchangeClientsEnabled:$true


As I don't have any custom domain, the command executed successfully (with a warning) without any MFA/prompt:

Set-UnifiedGroup -Identity "testrukk" -EmailAddresses @{Add ="[email protected]"}

Set-UnifiedGroup -Identity "testrukk" -PrimarySmtpAddress [email protected]


Reference:

App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell | Microsoft
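
An added example (not part of the answer above and not Microsoft's code) of wrapping the domain change for unattended use: it connects with a certificate thumbprint from the Windows certificate store, so no PFX password sits in the script, and checks the new domain against Get-AcceptedDomain before calling Set-UnifiedGroup. The function names, the app ID, the thumbprint and example.com are assumed placeholders.

```powershell
# Added example; function names and placeholder values are assumptions.
#Requires -Modules ExchangeOnlineManagement

function Get-RehomedAddress {
    # Keep the local part of an SMTP address and swap in the new domain.
    param([Parameter(Mandatory)][string]$Address,
          [Parameter(Mandatory)][string]$NewDomain)
    $localPart = ($Address -split '@', 2)[0]
    "$localPart@$($NewDomain.ToLowerInvariant())"
}

function Set-GroupMailDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$NewDomain)

    # Only allow domains the organization has registered as accepted.
    $accepted = Get-AcceptedDomain | Select-Object -ExpandProperty DomainName
    if ($accepted -notcontains $NewDomain) {
        throw "'$NewDomain' is not an accepted domain in this organization."
    }

    $group = Get-UnifiedGroup -Identity $Identity -ErrorAction Stop
    $old   = [string]$group.PrimarySmtpAddress
    $new   = Get-RehomedAddress -Address $old -NewDomain $NewDomain

    if ($PSCmdlet.ShouldProcess($old, "change primary SMTP address to $new")) {
        Set-UnifiedGroup -Identity $Identity -PrimarySmtpAddress $new -ErrorAction Stop
    }
    # Return a record the calling application can log.
    [pscustomobject]@{ Group = $Identity; Old = $old; New = $new }
}

$connect = @{
    AppId                 = '00000000-0000-0000-0000-000000000000'  # placeholder client ID
    Organization          = 'xxx.onmicrosoft.com'                   # placeholder, as in the answer
    CertificateThumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'         # cert in Cert:\CurrentUser\My
    ShowBanner            = $false
}
Connect-ExchangeOnline @connect
try {
    # Dry run; remove -WhatIf to apply the change.
    Set-GroupMailDomain -Identity 'testrukk' -NewDomain 'example.com' -WhatIf
}
finally {
    # Always release the session, even when the change fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```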