Exchange Online Remote Powershell: "Access Denied"

Luke Marlin asked on

Hi, I've been trying to sort out this issue for a few hours. I followed numerous posts and MSDN articles to no avail.

Setup:

- We are a CSP partner

- 1 CSP default global admin user

- 1 CSP custom global admin user

- 1 CSP normal user

- All three users have a Business Essentials license now (after trying everything else, I thought maybe it was required...)

- Trying to connect to a customer Exchange via remote PowerShell with the following command:

$session = new-pssession -configurationname microsoft.exchange -connectionuri https://outlook.office365.com/powershell-liveid -credential $cred -authentication basic -allowredirection

And get the following result:

new-pssession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following
error message : [ClientAccessServer=HE1PR0701CA0018,BackEndServer=amxpr05mb151.eurprd05.prod.outlook.com,RequestId=8b44
f9d0-1ca1-4420-8e53-fca89d14f2b2,TimeStamp=9/9/2016 9:19:16 AM] Access Denied For more information, see the
about_Remote_Troubleshooting Help topic.

I do have the right execution policy, and the consoles are started as an admin user:

PS C:\Windows\system32> Get-ExecutionPolicy
RemoteSigned

I especially followed these instructions (taken from here: http://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_manage/access-denied-when-using-powershell/f803249c-aaad-4cb8-a4f5-b908efb1a9e6):

1. The incorrect user name or password. Since you could connect to it before, this factor can be excluded.

2. No permissions assigned or other admins having changed the permission. So I’d like to confirm if there are other admins in your Office 365 organization. To determine if the issue is caused by this, could you please check if your admin accounts are still in the role group following the steps below?

a. Log in to EAC (Exchange Admin Center).

b. Click Permission->Admin Roles.

c. Select Organization Management and tenantadmin_xxxxxx to see if your admin accounts are the members of them.

1. Never was able to connect, but I did password resets and copy-pasted it (and waited for it to apply everywhere), so it's probably not this.

2. I have the following:

  • Organization Management:
    • Normal User
    • TenantAdmins_xxxx
  • TenantAdmins_xxxx:
    • Default Global Admin User
    • Custom Global Admin User

By inheritance, the global admin is in the OM group, so I'd expect all users to work, but none do.

If they aren't in the role group, please add them to it and then check if the issue persists. If they are still in the role group, I need some information below to further troubleshoot the issue:

1. Is your account the original global administrator that subscribes to Office 365 at the beginning or a newly-created administrator? If it’s the global admin account, please try to create a new user and then assign the global administrator role to the user to check if the issue persists. Remember to add the new user to the Organization Management role group.

2. Since the same error occurs to your other admin accounts, please also check if the issue persists after re-granting the global admin role. Below are the general steps:

a. Use one global admin account (admin 1) to sign in to the Office 365 portal.

b. Click Users->Active Users.

c. Select another global admin account (admin 2) and then click Edit User Roles in the right panel.

d. Tick User (no administrator access), then click Save.

e. Wait a few minutes, and then re-grant the global admin role to the account (admin 2).

f. Use the admin 2 account to connect to Exchange Online using PowerShell.

1. I have both the default and the custom one

2. Tried

I really don't know what's the matter. Is there anything else to try?

Also, if there is another solution than remote PowerShell to programmatically manage a customer's accepted domain, like an API, please let me know.

Answer
Luke Marlin replied on

Ok, in the end this was quite stupid: the reset password function flags the password as "to be set at the next connection" and remote PowerShell didn't appreciate it.

After logging in to the portal and setting a new password, it works as expected... Maybe a more detailed error than the plain 403 could spare hours of tries :(

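The cause identified in the answer, as an added example that is not part of the original thread: resetting an admin password without the change-at-next-sign-in flag, then confirming that the connection command from the question succeeds. It assumes the MSOnline module and the Basic-authentication endpoint used in the question; the function name and its parameters are hypothetical.

```powershell
#Requires -Modules MSOnline
# Added example: function and parameter names are hypothetical.
function Test-ExoRemotingAfterReset {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $ResetterCredential, # another global admin
        [Parameter(Mandatory)] [string]       $UserPrincipalName,  # account used for remoting
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    Connect-MsolService -Credential $ResetterCredential

    # Set-MsolUserPassword takes the password as a plain string; hold it in
    # a local variable only for the duration of the call.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    try {
        # -ForceChangePassword $false avoids the "must change password at
        # next sign-in" state that the answer identifies as the cause.
        Set-MsolUserPassword -UserPrincipalName $UserPrincipalName `
            -NewPassword $plain -ForceChangePassword $false | Out-Null
    } finally {
        Remove-Variable plain
    }

    $cred = [pscredential]::new($UserPrincipalName, $NewPassword)
    try {
        # Same connection command as in the question.
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri https://outlook.office365.com/powershell-liveid `
            -Credential $cred -Authentication Basic -AllowRedirection -ErrorAction Stop
        Remove-PSSession $session
        [pscustomobject]@{ User = $UserPrincipalName; Connected = $true; Hint = $null }
    } catch {
        # The server reports every cause as the same "Access Denied", so
        # return the checks discussed in the thread instead of the bare error.
        $hint = if ($_.Exception.Message -match 'Access Denied') {
            'Check for a pending password change, then credentials and role group membership.'
        } else { $_.Exception.Message }
        [pscustomobject]@{ User = $UserPrincipalName; Connected = $false; Hint = $hint }
    }
}
```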