How can the OOB Azure provisioning transaction status be changed related to using a script to manage distribution lists and mail enabled security groups

The OOB Azure connector using MS GraphAPI now has the known issue that it’s not possible to manage distribution lists and mail enabled security groups. As a work around adjusting the Azure application definition to use a PowerShell script works. This allows adding a member to the groups noted; however, the provisioning transaction still shows the status of failed relating to the error.

The initial script I used was from this IIQ Blog speaking about the topic Azure Active Directory: O365 Mail Enabled Sec. Groups & DL impacts - Compass (

My question is, how can the provisioning transition be updated to reflect a success instead of fail when using the native script to add the group? The contributor of the script had the same question about the provisioning result.

I have the same issue. I am on IIQ 8.2p4.

I can now request the Azure AD mail-enabled security groups and distribution lists from Manage User Page. I tried this on IIQ 8.2p4 using certificate-based authentication.

I followed the connector guide to generate the certificate in the IQService host, add the certificate to the registered application in Azure AD, and grant Exchange Administrator role in Azure AD.

Then on the IIQ side, I enabled the “Manage Exchange Online” checkbox, selected the authentication method as “Certificate Based Authentication”, and entered the certificate thumbprint from the certificate used in Azure AD.

This does not require the need of any native scripts. IQService for 8.2p4 executes the PowerShell scripts internally to process the request to provision to exchange online.

Shouldn’t be required to give the Exchange Administrator role in Azure. There is a more granular approach in allowing to manage exchange objects within azure and the exchange side. The granular permission to assign would be “Security Group Creation and Membership”.