New-ManagementScope

Glenn Maxwell 11,416 Reputation points
2024-10-06T03:19:00.3433333+00:00

Hi All

I am using a hybrid environment. My custom attributes are synced from on-prem Active Directory to Azure Active Directory. I am getting an error in line 2 at "extensionattribute01 -eq 'mbx.a1'". If I use some other attribute like country or department, I do not get any error. Please guide me with the syntax.

Create a new Service Principal using below command
New-ServicePrincipal -AppId "1111111111" -ObjectId "6666666666666666666" -DisplayName MyTest1
 
Create a new management scope to use an existing one
New-ManagementScope -Name "CRS1" -RecipientRestrictionFilter "extensionattribute01 -eq 'mbx.a1'"
 
Create a new management role for app using above management scope.
New-ManagementRoleAssignment -App  "1111111111" -Role " Application EWS.AccessAsApp" -CustomResourceScope "CRS1"


Accepted answer
  1. Sergei Kozlov 300 Reputation points
    2024-10-06T11:09:29.84+00:00

    It looks like you’re encountering an issue with the syntax for the RecipientRestrictionFilter in your PowerShell command. The error might be due to how the extensionattribute01 is being referenced. Here are a few things to check and try:

    1. Ensure the attribute exists and is populated: Verify that extensionattribute01 is indeed synced and contains the value ‘mbx.a1’ for the objects you’re targeting.
    2. Correct syntax: The syntax you used seems correct, but sometimes PowerShell can be picky about quotes and spaces. Try using double quotes for the entire filter and single quotes inside, like this:
      New-ManagementScope -Name "CRS1" -RecipientRestrictionFilter "extensionattribute01 -eq 'mbx.a1'"
    3. Check for hidden characters: Sometimes, hidden characters or extra spaces can cause issues. Ensure there are no hidden characters in your script.
    4. Use -like instead of -eq: If the attribute value might have leading or trailing spaces, using -like with wildcards can sometimes help:
      New-ManagementScope -Name "CRS1" -RecipientRestrictionFilter "extensionattribute01 -like '*mbx.a1*'"
    5. Test the filter separately: Before using it in the New-ManagementScope command, test the filter with Get-Recipient to ensure it returns the expected results:
      Get-Recipient -Filter "extensionattribute01 -eq 'mbx.a1'"

    If these steps don’t resolve the issue, please provide more details about the error message you’re receiving, and I can troubleshoot further.


2 additional answers

  1. Vasil Michev 106.3K Reputation points MVP
    2024-10-06T14:01:56.65+00:00

    It's CustomAttribute1, not extensionattribute01.

    New-ManagementScope -Name "CRS1" -RecipientRestrictionFilter "CustomAttribute1 -eq 'mbx.a1'"
    
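
The sequence discussed in this thread (test the filter, create the scope, assign the role, then confirm the app is confined to the scope), as an added example that is not part of any answer here. It assumes an existing Connect-ExchangeOnline session and uses the CustomAttribute1 property name from the answer above; the two mailbox addresses are hypothetical placeholders, and the app ID and scope name are the placeholders from the question.

```powershell
# Added example, not from the original thread. Assumes Connect-ExchangeOnline has already run.
$AppId         = '1111111111'                      # placeholder app ID from the question
$ScopeName     = 'CRS1'
$Filter        = "CustomAttribute1 -eq 'mbx.a1'"
$InScopeMbx    = 'in.scope@contoso.example'        # hypothetical: mailbox tagged mbx.a1
$OutOfScopeMbx = 'out.of.scope@contoso.example'    # hypothetical: mailbox without the tag

# 1. Evaluate the filter on its own. A property name Exchange does not accept
#    fails here, before any scope or role assignment exists.
try {
    $matched = @(Get-Recipient -Filter $Filter -ResultSize Unlimited -ErrorAction Stop)
} catch {
    throw "Filter rejected by Exchange Online: $($_.Exception.Message)"
}
if ($matched.Count -eq 0) {
    throw "Filter is valid but matches no recipients; the scope would cover nothing."
}
$matched | Select-Object PrimarySmtpAddress, RecipientTypeDetails, CustomAttribute1

# 2. Create the scope only if it does not already exist.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter
}

# 3. Bind the application role to the scope.
New-ManagementRoleAssignment -App $AppId -Role 'Application EWS.AccessAsApp' `
    -CustomResourceScope $ScopeName

# 4. Confirm the boundary: InScope should be True for the tagged mailbox
#    and False for the untagged one.
foreach ($mbx in $InScopeMbx, $OutOfScopeMbx) {
    Test-ServicePrincipalAuthorization -Identity $AppId -Resource $mbx |
        Select-Object @{ n = 'Mailbox'; e = { $mbx } }, RoleName, AllowedResourceScope, InScope
}
```

If the untagged mailbox also reports InScope as True, the app holds the permission through some other assignment that is not limited to this scope.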

  2. Jake Zhang-MSFT 5,835 Reputation points Microsoft Vendor
    2024-10-07T02:40:55.2466667+00:00

    Hi @Glenn Maxwell ,

    Welcome to the Microsoft Q&A platform!

    Based on your description, you are experiencing an issue with the syntax of the RecipientRestrictionFilter in the New-ManagementScope command. The error may be due to the way you reference extensionAttribute01 or its value.

    Here are some things to check and try:

    1. Make sure extensionAttribute01 is correctly synchronized from your local Active Directory to Azure Active Directory. You can check this in the Azure AD portal or by using PowerShell.
    2. Make sure the syntax is correct and there are no hidden characters or spaces. The correct syntax should be:
    New-ManagementScope -Name "CRS1" -RecipientRestrictionFilter "extensionAttribute1 -eq 'mbx.a1'" 
    
    3. Double-check the attribute name. Sometimes, attributes may be case-sensitive or have slightly different naming conventions.
    4. Make sure the logic in the filter is correct and that extensionAttribute1 actually contains the value "mbx.a1" for the object you are targeting.

    Here is the corrected script taking the above into account:

    # Create a new Service Principal
    New-ServicePrincipal -AppId "1111111111" -ObjectId "6666666666666666666" -DisplayName MyTest1
    
    # Create a new management scope
    New-ManagementScope -Name "CRS1" -RecipientRestrictionFilter "extensionAttribute1 -eq 'mbx.a1'"
    
    # Create a new management role assignment
    New-ManagementRoleAssignment -App "1111111111" -Role "Application EWS.AccessAsApp" -CustomResourceScope "CRS1"
    

    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

    Best,

    Jake Zhang

