Updated: Exchange Connector permissions changed in Configuration Manager Current Branch (1511 and higher)
Note! Updated with additional permissions (Get-Mailbox) 04/28/2016
During a Configuration Manager Current Branch (1511) implementation I bumped into an issue configuring the Exchange Connector. After configuring the Exchange Connector, devices which are connected by Exchange were not successfully discovered and therefore did not appear in the admin console.
Exchange Connector log
In the Exchange Connector log file (EasDisc.log) I found the following error, which led us to the root cause:
ERROR: [MANAGED] Invoking cmdlet Get-User failed. Exception: System.Management.Automation.RemoteException: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.~~ at System.Management.Automation.PowerShell.CoreInvokeRemoteHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)~~ at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)~~ at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)~~ at Microsoft.ConfigurationManager.ExchangeConnector.Connector.Invoke(PSCommand cmd) SMS_EXCHANGE_CONNECTOR
ERROR: [MANAGED] Exception: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. SMS_EXCHANGE_CONNECTOR
ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501 SMS_EXCHANGE_CONNECTOR
Permissions changed
The error indicates that the service account used for the Exchange Connector does not have permission to run the Get-User Exchange Server cmdlet. But hey…the Get-User cmdlet wasn’t required before!? That’s correct: Microsoft confirmed there was a change in the Configuration Manager Current Branch (1511 and higher) binaries which added the Get-User cmdlet to the discovery flow of the Exchange Connector.
The service account can be the computer account of the site server or a Windows user account. Configure this account to run the following Exchange Server cmdlets:
- Clear-ActiveSyncDevice
- Get-ActiveSyncDevice
- Get-ActiveSyncDeviceAccessRule
- Get-ActiveSyncDeviceStatistics
- Get-ActiveSyncMailboxPolicy
- Get-ActiveSyncOrganizationSettings
- Get-ExchangeServer
- Get-Mailbox
- Get-Recipient
- Get-User
- Set-ADServerSettings
- Set-ActiveSyncDeviceAccessRule
- Set-ActiveSyncMailboxPolicy
- Set-CASMailbox
- New-ActiveSyncDeviceAccessRule
- New-ActiveSyncMailboxPolicy
- Remove-ActiveSyncDevice
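To find which cmdlets the connector account is missing without reading EasDisc.log by hand, the following added example (not part of the original post or of Configuration Manager) scans the log for the "not recognized" error and compares the names against the list above. The sample log lines are constructed from the excerpt shown earlier, and Get-Example is a made-up cmdlet name.

```python
import re

# Cmdlets the page lists as required for the connector's service account.
REQUIRED = {
    "Clear-ActiveSyncDevice", "Get-ActiveSyncDevice", "Get-ActiveSyncDeviceAccessRule",
    "Get-ActiveSyncDeviceStatistics", "Get-ActiveSyncMailboxPolicy",
    "Get-ActiveSyncOrganizationSettings", "Get-ExchangeServer", "Get-Mailbox",
    "Get-Recipient", "Get-User", "Set-ADServerSettings", "Set-ActiveSyncDeviceAccessRule",
    "Set-ActiveSyncMailboxPolicy", "Set-CASMailbox", "New-ActiveSyncDeviceAccessRule",
    "New-ActiveSyncMailboxPolicy", "Remove-ActiveSyncDevice",
}

# Matches the "not recognized" error; the log quotes the name with curly or straight quotes.
NOT_RECOGNIZED = re.compile(
    r"The term [‘'\"]([A-Za-z]+-[A-Za-z0-9]+)[’'\"] is not recognized as the name of a cmdlet"
)

def missing_cmdlets(log_text):
    """Return {cmdlet: number of ERROR lines} for cmdlets the session did not expose."""
    counts = {}
    for line in log_text.splitlines():
        if not line.startswith("ERROR:"):
            continue
        for name in set(NOT_RECOGNIZED.findall(line)):
            counts[name] = counts.get(name, 0) + 1
    return counts

def triage(log_text):
    """Split missing cmdlets into listed (grant was missed) and unlisted (list is stale)."""
    found = missing_cmdlets(log_text)
    lookup = {c.lower(): c for c in REQUIRED}  # PowerShell names are case-insensitive
    listed = sorted(lookup[n.lower()] for n in found if n.lower() in lookup)
    unlisted = sorted(n for n in found if n.lower() not in lookup)
    return listed, unlisted

# Constructed sample in the shape of the page's EasDisc.log excerpt (stack trace shortened);
# Get-Example is a made-up cmdlet name standing in for a requirement the list does not cover.
SAMPLE_LOG = """\
ERROR: [MANAGED] Invoking cmdlet Get-User failed. Exception: System.Management.Automation.RemoteException: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program.~~ at ...Connector.Invoke(PSCommand cmd) SMS_EXCHANGE_CONNECTOR
ERROR: [MANAGED] Exception: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program. SMS_EXCHANGE_CONNECTOR
ERROR: [MANAGED] Exception: The term 'Get-Example' is not recognized as the name of a cmdlet, function, script file, or operable program. SMS_EXCHANGE_CONNECTOR
ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501 SMS_EXCHANGE_CONNECTOR
"""

if __name__ == "__main__":
    listed, unlisted = triage(SAMPLE_LOG)
    print("Grant missing for listed cmdlets:", listed)
    print("Failing cmdlets not on the list:", unlisted)
```

A name in the second group means the connector called a cmdlet that the permission list does not yet cover, so the list itself needs updating rather than only the account's grants.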
Microsoft Intune Exchange Connector
At the time of writing, this change applies only to Configuration Manager Current Branch and not to the Microsoft Intune Exchange Connector. Keep in mind that when you upgrade your current Configuration Manager 2012 R2 setup or install the Current Branch Exchange Connector, you have to change the permissions of the service account it uses.
On the Microsoft Office 365 TechCenter two PowerShell scripts by Stephan Schwarz are available which can be used to configure the required permissions easily.
Configure Exchange cmdlet permissions for ConfigMgr 2012 Exchange Connector
Configure Exchange cmdlet permissions for Microsoft Intune Exchange Connector
I’ve configured ConfigMgr Current Branch 1602 recently with Exchange Connector and used this script to set up account rights for Exchange Connector. In the log file I’ve discovered an entry complaining about the Get-Mailbox cmdlet. After modifying the script to also include Get-Mailbox everything went smoothly.
Surprisingly enough there is no statement on TechNet that Get-Mailbox is also required :(
Thanks for your comment Michael. I’ll check it myself next week.
Regards, Ronny
Hi Michael, thanks for letting me know. I can confirm it has changed as well and will pass it through to the Microsoft Product Team.
Regards, Ronny