Getting Error during Full account aggregation while setup ExchangeOnlineManagement

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hi Developers

I want to add ExchangeOnlineManagement feature in Azure source IdentityNow.
I am using certification based authentication through thumbprint. Test connection is working fine but during full account aggregation i am getting error.

I am using same IQService server, Same certificate, Same service account in sandbox so everything is working in Sandbox, not getting any error.
but In prod I am getting error in full account aggregation.

==========================================

Powershell Command

Connect-ExchangeOnline -CertificateThumbPrint “012THISISADEMOTHUMBPRINT” -AppID “36ee4c6c-0812-40a2-b820-b22ebd02bce3” -Organization “contoso.onmicrosoft.com

I am running above powershell command for Sailpoint sandbox azure app so it is working fine.

but for Sailpoint Prod azure app it is not working, and getting error like Domain not found.

==============================

Please guide me what should i do to fix this issue or if you need any further information please do let me know

I would really appreciated your help.

Regards
Vatan

2

You might try using the Get-AcceptedDomain command to verify that you are specifying the domain correctly.

If you have access to the IQService host, you could just open a PowerShell session and run the command.

If not, you could add this command to your After rule and log the output.

3

Hi @agutschow

Thank you so much for your response.

when i ran the command, I got my domain name but default value was false.

I am getting below error:
Please check online documentation for assigning a correct directory roles to Azure ad application for EXO app only Authentication.

when i am running below powershell command

Connect-ExchangeOnline -CertificateThumbPrint “012THISISADEMOTHUMBPRINT” -AppID “36ee4c6c-0812-40a2-b820-b22ebd02bce3” -Organization

Looks like i am missing some permission but i have given permission as sandbox because it is working in Sandbox.

Can you suggest something to me ?

Regards
Vatan

4

@Vatanjain11 -

When using certificate-based (app-only) authentication with Connect-ExchangeOnline, you must ensure two main things are in place for your Production Azure AD app, especially if it differs from what you used in the Sandbox:

  1. Your Production Azure AD application has the required permissions and roles
  2. Exchange Online recognizes the domain (i.e., it is an Accepted Domain, and if needed, set as default or properly referenced).

Below are the common causes and how to fix them:

1. Verify that the correct permissions and roles are assigned

For certificate-based (app-only) Exchange Online authentication, your Azure AD application must have either:

  • The Exchange Administrator role in Azure AD or
  • The appropriate app permissions granted (e.g., Exchange.ManageAsApp) with admin consent.

Steps to check/assign roles to your Production application

  1. In the Azure portal, navigate to Azure Active DirectoryEnterprise ApplicationsAll Applications and select your Production app (the one with the App ID that’s failing).
  2. Go to Permissions or API permissions for that app.
  3. Ensure you have the Exchange.ManageAsApp (or a similar Exchange permission) under Application permissions.
  4. Click Grant admin consent to confirm that the permission is fully granted across the tenant.
  5. Go to Azure ADRoles and administrators → look for Exchange Administrator (or Global Administrator) and confirm that your service principal (Production app) is assigned the necessary role.

Note: In many cases, simply adding the Application permission isn’t enough—you must also grant admin consent at the tenant level, and/or ensure that the application is assigned the Exchange Administrator role if your org’s policies require it.

2. Confirm the domain is recognized in Production (Accepted Domain)

When you see messages about the domain not being found or references to “default value = false,” it often indicates a domain mismatch or that the domain is not “Default” within Exchange Online. Some points to verify:

  1. Run:

    Get-AcceptedDomain

    to ensure your Production domain is indeed listed.

  2. Check the Default column to see which domain is set as default in Production. If your Organization parameter in Connect-ExchangeOnline points to a domain that is not recognized or not set to default, you can:

    • Make the correct domain default by running:
      Set-AcceptedDomain -Identity "yourdomain.com" -MakeDefault $true
    • Or remove -Organization <domain> from your Connect-ExchangeOnline command if you don’t actually need to specify it.

  3. Make sure that the Production tenant’s domain references match exactly (e.g., mycompany.onmicrosoft.com vs. mycompany.com). A small typo or a mismatch in your Production domain vs. the Sandbox domain can cause errors.

3. Confirm the same certificate and thumbprint usage

You mentioned you’re using the same IQService server and same certificate (thumbprint). A couple of reminders:

  • Ensure that the certificate is imported into the Local MachinePersonal store (where the private key is accessible) on the server where IQService runs.
  • Double-check that you are using the correct thumbprint (no hidden spaces or character differences) for the Production environment’s app registration.

4. Validate the connection from the Production environment

It’s always good to test the Connect-ExchangeOnline call directly on the IQService host (or wherever the PowerShell is running) using the Production app details. For instance:

Connect-ExchangeOnline -CertificateThumbPrint "YOUR-PROD-THUMBPRINT" `
                       -AppId "YOUR-PROD-APP-ID" `
                       -Organization "contoso.onmicrosoft.com"
  • If you still see “Domain not found” or “Please check the documentation for assigning the correct directory roles…”, that’s a clear indicator that the Production app has not been assigned the right role/permission or that the domain reference is incorrect.

5. Summary of Key Troubleshooting Steps

  1. Assign the Exchange Administrator role (or required permissions) to your Production Azure AD app. Grant admin consent for Exchange.ManageAsApp.
  2. Verify the Accepted Domain configuration in Production. Make sure the domain in -Organization matches one in Get-AcceptedDomain and is recognized.
  3. Confirm the certificate is installed correctly, and you’re using the correct thumbprint for Production.
  4. Test the Connect-ExchangeOnline command manually (outside of SailPoint) from the same server to isolate issues with domain or role misconfiguration.

By ensuring these points, your Production environment should match the Sandbox configuration and allow you to run full account aggregations successfully without the “Domain not found” or “Directory roles” error.

Hope this helps.

5

Hi @officialamitguptaa

I have ran this command “Set-AcceptedDomain -Identity “yourdomain.com” -MakeDefault $true”

but this command is not working for me and i am getting below error:

image
image1391×116 26.3 KB

And one more thing, my prod app have Exchange.ManageAsApp with admin consent but prod app do not have “Exchange Administrator” or Global Administrator role.

Can you guide me here ?

thank you for your support!

6

@Vatanjain11 -

When you see a “Command not found” (or “not recognized”) error in PowerShell for Set-AcceptedDomain, it typically means one of two things:

  1. You are not connected to Exchange Online in a way that exposes the Set-AcceptedDomain cmdlet.
  2. Your role/permissions do not allow you to run that command (often it won’t even appear).

Below are the main checks:

1. Confirm you are properly connected to Exchange Online

Set-AcceptedDomain is an Exchange Online cmdlet. You need to use the ExchangeOnlineManagement module and connect with sufficient privileges.

  1. Install/Update the ExchangeOnlineManagement module if you haven’t:

    Install-Module ExchangeOnlineManagement

    (Or update if it’s already installed: Update-Module ExchangeOnlineManagement)

  2. Connect with an account that’s Global Admin or Exchange Admin in your tenant:

    Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName [email protected]

    Make sure to authenticate with an account that has the correct privileges.

  3. Verify that the required cmdlets are available:

    Get-Command -Module ExchangeOnlineManagement | Where-Object {$_.Name -like "*AcceptedDomain*"}

    You should see Get-AcceptedDomain and Set-AcceptedDomain in the list if you’re correctly connected.

  4. Run your command:

    Set-AcceptedDomain -Identity "yourdomain.com" -MakeDefault $true

Note: If you still see “Command not found,” it almost certainly means you are either not fully connected to the Exchange Online session or do not have a role that exposes that cmdlet.

2. Check your role/permissions in Azure AD

Even if you are connected to Exchange Online, the cmdlet might not show up if your account or service principal doesn’t have the required Exchange admin privileges. The Set-AcceptedDomain cmdlet requires at least one of these roles:

  • Global Administrator
  • Exchange Administrator (sometimes known as “Exchange Service Administrator”)

If your account does not have one of these roles, you will see a “Command not recognized” error or an access error.

To check:

  1. In the Azure portal, go to Azure Active DirectoryRoles and administrators.
  2. Look for Global Administrator or Exchange Administrator and confirm the user you’re authenticating with is assigned.

3. Use the Exchange Admin Center (EAC) as a workaround

If you have the admin privileges but are having trouble with PowerShell, you can also change the default accepted domain via the Exchange Admin Center in Microsoft 365:

  1. Go to admin.microsoft.comExchange (under Admin centers).
  2. In the Exchange Admin Center, expand Mail flowAccepted domains.
  3. Select the domain → click the (…) menu or the Edit button, and set it as Default.

Summary

  1. Ensure you have the ExchangeOnlineManagement module and are using Connect-ExchangeOnline (not just Azure AD PowerShell).
  2. Use a user account with Global Admin or Exchange Admin roles.
  3. Verify that you can see Set-AcceptedDomain when you run Get-Command.
  4. Alternatively, set the default domain from the Exchange Admin Center (web UI).

Once you’re correctly connected with the right privileges, Set-AcceptedDomain -MakeDefault $true should work without the “Command not found” error.

Thank you!

7

Hi @officialamitguptaa

Even i am not able to to perform below command:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName [email protected]

looks like it’s permission issue but please share your opinion on this.

Regards
Vatan

8

Could you use the below workaround mentioned for the time being and let me know the outcome.

9

Hi Amit
Currently my default domain is “mycomplany.onmicrosoft.com” not “mycompany.com”.
So should i set default domain as “mycompany.com”.

and is this action can impact other things ?
if yes so where i need to make changes as well.

regards
Vatan