Updated: Exchange Connector permissions changed in Configuration Manager Current Branch (1511 and higher)
Note! Updated with additional permissions (Get-Mailbox) 04/28/2016
During a Configuration Manager Current Branch (1511) implementation I bumped into an issue configuring the Exchange Connector. After configuring the Exchange Connector, devices which are connected by Exchange were not successfully discovered and therefore not appearing in the admin console.
Exchange Connector log
In the Exchange Connector log file (EasDisc.log) I found the following error, which lead us to the root cause:
ERROR: [MANAGED] Invoking cmdlet Get-User failed. Exception: System.Management.Automation.RemoteException: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.~~ at System.Management.Automation.PowerShell.CoreInvokeRemoteHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)~~ at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)~~ at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)~~ at Microsoft.ConfigurationManager.ExchangeConnector.Connector.Invoke(PSCommand cmd) SMS_EXCHANGE_CONNECTOR
ERROR: [MANAGED] Exception: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. SMS_EXCHANGE_CONNECTOR
ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501 SMS_EXCHANGE_CONNECTOR
The error indicates the service account used for the Exchange Connector has no permissions to execute Get-User Exchange Server cmdlet. But hey…the Get-User cmdlet wasn’t required before!? That’s correct, Microsoft confirmed there was a change in Configuration Manager Current Branch (1511 and higher) binaries which added the Get-User cmdlet to the discovery flow of the Exchange Connector.
The service account can be the computer account of the site server or a Windows user account. Then, configure this account to run the following Exchange Server cmdlets:
Microsoft Intune Exchange Connector
At time of writing this change applies currently only to Configuration Manager Current Branch and not to the Microsoft Intune Exchange Connector. Take into account when you’re upgrading you current Configuration Manager 2012 R2 set up or installing Current Branch Exchange Connector, you’ve to change the permissions of the used service account.
On the Microsoft Office 365 TechCenter two PowerShell scripts by Stephan Schwarz are available which can be used to configure the required permissions easily.
Configure Exchange cmdlet permissions for ConfigMgr 2012 Exchange Connector
Configure Exchange cmdlet permissions for Microsoft Intune Exchange Connector
I’ve configured ConfigMgr Current Branch 1602 recently with Exchange Connector and used this script to setup account right for Exchange Connector. In the log file i’ve discovered entry complaining about Get-Mailbox cmdlet. After modifying the script to also include Get-Mailbox everything whet smooth.
surprisingly enough there is no statement on TechNet that Get-Mailbox is also required :(
Thanks for your comment Michael. I’ll check it myself next week.
Hi Michael, thanks for letting know. I can confirm it has changed as well and will pass it through the Microsoft Product Team.