I have a custom command, copied from the built-in deprovisioning script, that revokes all licenses and blocks sign in; however, I get an insufficient permissions error on the revoke all licenses. The app is a Global Administrator and has the following permissions: I've tried using two methods setting this command up. First, just like the built-in script: And secondly like an example I found on the web: The only time I get a success on the command is when I uncheck the Revoke Licenses checkbox, but of course, no licenses are revoked. This is the error I get:
I'm kind of at a loss as to why this might be happening. I can assign licenses with no issues. Any help would be appreciated.
Hello Michael,
Most probably, the Azure application used for Microsoft 365 tenant in Adaxes does not have required roles assigned. Make sure that the application is assigned either the Global administrator or both the Exchange administrator and User administrator roles in Azure. For details, have a look at section Assign roles to the app of the following help article: https://www.adaxes.com/help/RegisterAdaxesAsAppMicrosoftAzure/#assign-roles-to-the-app.
Thanks for the reply, but as I said, the app is a Global Administrator. Do you know of anything else that might be blocking the app from revoking licenses? As I said, it can assign a license with no problems. I'm going to turn on verbose logging again to see if I can narrow it down a bit.
Here is the error from the event viewer on the Adaxes server.
Do we understand correctly that the issue occurs for all users?
For troubleshooting purposes, please, enable tracing of requests sent to Microsoft 365, reproduce the issue and send us (support@adaxes.com) the log file. For information on how to enable the tracing, have a look at the following help article: https://www.adaxes.com/help/Microsoft365RequestLogging.
I found the problem. It looks like the revoke license uses a PowerShell that is run as the Adaxes service account on the Adaxes server and not through the Azure App. As soon as I gave the Adaxes service account Global Administrator permissions, everything worked. Don't really like having the Adaxes service account as an admin, but it is what it is.
That is not possible. The Adaxes service account (specified during the software installation) is not used to process Microsoft 365 requests, and PowerShell is not used for the requests at all. Are you sure that your Microsoft 365 tenant is registered in Adaxes using the credentials of an Azure app? If it is a user account, then you were probably just looking at the wrong settings. Additionally, it is recommended to switch to application credentials as Microsoft started disallowing user accounts for such connections.
It is certainly strange because the Adaxes service account only had the Application Administrator Azure Role prior to this and it was able to add licenses and do anything else with Microsoft 365 that I've tried so far. I'll dig into it a bit more. Thanks.
As we mentioned in the previous reply, the Adaxes service account is never used for Microsoft 365 requests. It is impossible just because the account is from on-premises AD. Make sure to register your Microsoft 365 tenant in Adaxes using an Azure app and grant the app the required permissions. The following articles will be helpful:
I removed the Microsoft 365 tenant registration and recreated it and the issue seems to be resolved. I do know that it was registered with the App credentials but it is possible that those credentials changed on the app at some point when we were setting everything up. Hard one to find because creating and licensing a user worked just fine and even blocking a 365 sign in worked. We only had an issue revoking a license. Thanks for your help.
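Both points raised in this thread, the roles the support reply says the app needs and the suspicion that the app's credentials changed after registration, can be checked directly in Entra ID. The script below is an added example, not part of the original posts and not Adaxes code; it assumes the Microsoft Graph PowerShell SDK is installed, and `$appId` is a placeholder for the client ID of the app registered in Adaxes.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
# Placeholder: replace with the Application (client) ID of the app used by Adaxes.
$appId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

# Directory roles are assigned to the service principal, not to the app registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# Direct, active role assignments only (group-based or eligible assignments are not listed).
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)'" -All
$roleNames = @(foreach ($a in $assignments) {
    (Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
})

# Requirement quoted in the support reply: Global Administrator,
# or both Exchange Administrator and User Administrator.
$hasGlobal = $roleNames -contains 'Global Administrator'
$hasPair   = ($roleNames -contains 'Exchange Administrator') -and
             ($roleNames -contains 'User Administrator')

[pscustomobject]@{
    ServicePrincipal = $sp.DisplayName
    AssignedRoles    = $roleNames -join ', '
    MeetsRequirement = $hasGlobal -or $hasPair
    LeastPrivilege   = $hasPair -and -not $hasGlobal
}

# Client secrets currently on the app registration. A secret that was rotated or
# has expired since the tenant was registered in Adaxes shows up here as a
# different KeyId/Hint or a past EndDateTime.
$app = Get-MgApplication -Filter "appId eq '$appId'"
$now = (Get-Date).ToUniversalTime()
$app.PasswordCredentials |
    Select-Object DisplayName, KeyId, Hint, StartDateTime, EndDateTime,
        @{ Name = 'Expired'; Expression = { $_.EndDateTime -lt $now } } |
    Sort-Object EndDateTime |
    Format-Table -AutoSize
```

`LeastPrivilege` is true when the app meets the requirement through the Exchange Administrator and User Administrator pair without holding Global Administrator.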