[GH-ISSUE #78] Issue reading group membership on local AD #22

New issue

Closed

opened 2026-02-27 20:30:51 +03:00 by kerem · 13 comments

kerem commented 2026-02-27 20:30:51 +03:00

Owner

Copy link

Originally created by @Brosian on GitHub (May 25, 2023).
Original GitHub issue: https://github.com/Set-OutlookSignatures/Set-OutlookSignatures/issues/78

Originally assigned to: @Brosian on GitHub.

Hi again,

I'm having issues with retrieving group membership of the logged on user.

• Setup is on-prem AD with mail in 365 connected to Azure.
• The "main" domain I am working under is "bbb.domain.com"
• User is member of local AD security group "Signature Test"
• Same result with parameter IncludeMailboxForestDomainLocalGroups set to $true

"Get AD properties of each mailbox @2023-05-25T15:20:35+02:00@
Mailbox 'user.name'
Search for mailbox user object in domain/forest 'domain.com': Not found
Mailbox 'user.name'
Mailbox user object already searched before, using cached data"
...
Group: Mailbox is not member of any allowed group"

log.txt

Best regards,
Peter

Originally created by @Brosian on GitHub (May 25, 2023). Original GitHub issue: https://github.com/Set-OutlookSignatures/Set-OutlookSignatures/issues/78 Originally assigned to: @Brosian on GitHub. Hi again, I'm having issues with retrieving group membership of the logged on user. - Setup is on-prem AD with mail in 365 connected to Azure. - The "main" domain I am working under is "bbb.domain.com" - User is member of local AD security group "Signature Test" - Same result with parameter IncludeMailboxForestDomainLocalGroups set to $true "Get AD properties of each mailbox @2023-05-25T15:20:35+02:00@ Mailbox 'user.name' Search for mailbox user object in domain/forest 'domain.com': Not found Mailbox 'user.name' Mailbox user object already searched before, using cached data" ... Group: Mailbox is not member of any allowed group" [log.txt](https://github.com/GruberMarkus/Set-OutlookSignatures/files/11565519/log.txt) Best regards, Peter

kerem 2026-02-27 20:30:51 +03:00

• closed this issue
• added the
  question
  label

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (May 25, 2023):

Hi Peter,

Do you still have an Exchange Server on-prem, or did you start your Exchange journey right in the cloud?

I will need the full unchanged log. Let me know your Github mail address and I will send you a secured upload link.

In the mean time, please test if it works when using the -GraphOnly true parameter. If it works, it is very likely that the root cause is the sync between Azure AD and local AD.

See chapter 14.1 Basic Configuration in Readme for the easy registration of the Set-OutlookSignatures App in your tenant.

<!-- gh-comment-id:1563008219 --> @GruberMarkus commented on GitHub (May 25, 2023): Hi Peter, Do you still have an Exchange Server on-prem, or did you start your Exchange journey right in the cloud? I will need the full unchanged log. Let me know your Github mail address and I will send you a secured upload link. In the mean time, please test if it works when using the `-GraphOnly true` parameter. If it works, it is very likely that the root cause is the sync between Azure AD and local AD. See chapter `14.1 Basic Configuration` in `Readme` for the easy registration of the Set-OutlookSignatures App in your tenant.

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@Brosian commented on GitHub (May 25, 2023):

Hi Markus,

We don't have Exchange Server on-prem anymore. I'm confident it started out as on-prem then migrated to 365 before my time at the company.

Parameter -GraphOnly $true takes me to page with message:
"needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."

I haven't used graph before and will need to look more into that later. Was hoping that I could retrieve the local security groups for the user from AD and deploy signatures based on that membership. Similar to: (New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf

You can send link to dummy@bruise.se

Best regards,
Peter

<!-- gh-comment-id:1563117327 --> @Brosian commented on GitHub (May 25, 2023): Hi Markus, We don't have Exchange Server on-prem anymore. I'm confident it started out as on-prem then migrated to 365 before my time at the company. Parameter -GraphOnly $true takes me to page with message: "needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it." I haven't used graph before and will need to look more into that later. Was hoping that I could retrieve the local security groups for the user from AD and deploy signatures based on that membership. Similar to: (New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf You can send link to dummy@bruise.se Best regards, Peter

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (May 25, 2023):

Set-OutlookSignatures absolutely can retrieve local security groups and assign templates/signatures based on group membership.

This is a very straight forward and typical usecase - but it requires a correct setup in hybrid environments.

You will receive a secure upload link in a few minutes.

Please make sure you read chapter 14.1 Basic Configuration in Readme - setting up Azure AD literally does not take more than a few minutes and a handful of clicks:

1. Log on to a client with a user that has administrative rights in Azure AD.
2. Run Set-OutlookSignatures.ps1 -GraphOnly true
3. When asked for credentials, provide your Azure AD admin credentials
4. For the required permissions, grant consent in the name of your organization
   The easiest way is to once start Set-OutlookSignatures with a cloud administrator. The administrator then gets asked for admin consent for the correct permissions.

<!-- gh-comment-id:1563162961 --> @GruberMarkus commented on GitHub (May 25, 2023): Set-OutlookSignatures absolutely can retrieve local security groups and assign templates/signatures based on group membership. This is a very straight forward and typical usecase - but it requires a correct setup in hybrid environments. You will receive a secure upload link in a few minutes. Please make sure you read chapter 14.1 Basic Configuration in Readme - setting up Azure AD literally does not take more than a few minutes and a handful of clicks: 1. Log on to a client with a user that has administrative rights in Azure AD. 2. Run `Set-OutlookSignatures.ps1 -GraphOnly true` 3. When asked for credentials, provide your Azure AD admin credentials 4. For the required permissions, grant consent in the name of your organization The easiest way is to once start Set-OutlookSignatures with a cloud administrator. The administrator then gets asked for admin consent for the correct permissions.

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (May 25, 2023):

When uploading logs, please make sure that you have used the -verbose parameter for running Set-OutlookSignatures. This verbose output can be very helpful for debugging.

<!-- gh-comment-id:1563189721 --> @GruberMarkus commented on GitHub (May 25, 2023): When uploading logs, please make sure that you have used the `-verbose` parameter for running Set-OutlookSignatures. This verbose output can be very helpful for debugging.

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (May 26, 2023):

Hi Peter,

I received two log files.

'log2.txt' is not complete, because you have not followed the authentication process (a browser window pops up at first execution to obtain an OAuth-Token). The script output to follow is:

      Problem connecting to Microsoft Graph. Exit.
Get-MsalToken : The operation has timed out.
At \\ant-nordic\public\deploy\Signatures\Set-OutlookSignatures.ps1:3894 char:53
+ ... ClientApp | Get-MsalToken -LoginHint $(if ($script:CurrentUser) { $sc ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationTimeout: (Microsoft.Ident...arameterBuilder:AcquireTokenInteractiveParameterBui 
   lder) [Write-Error], TimeoutException
    + FullyQualifiedErrorId : GetMsalTokenFailureOperationTimeout,Get-MsalToken
 
No authentication possible. Try:
1. Delete MSAL.PS Graph token cache: 'C:\Users\se_pkim\AppData\Local\MSAL.PS\MSAL.PS.msalcache.bin3'"
2. Run Set-OutlookSignature with the "-Verbose" parameter and check for authentication messages
3. If the "Via Prompt with LoginHint and Timeout" authentication message is diplayed:
     - Check if a browser (the system default browser, if configured) opens for authentication
         - Yes:
             - Check if the correct user account is selected/entered and if the authentication is successful
             - Check if authentication happens within two minutes
             - Ensure that access to 'http://localhost' is allowed ('https://localhost' is currently not technically feasible, see 'https://
github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/System-Browser-on-.Net-Core' and 'https://github.com/AzureAD/microsoft-a
uthentication-library-for-dotnet/wiki/MSAL.NET-uses-web-browser' for details)
         - No:
             - Run Set-OutlookSignatures in a new PowerShell session
             - Check the system default browser
             - Make sure that Set-OutlookSignatures is executed in the security context of the currently logged-on user

The file 'log1.txt' gives some more hints. The problem is:

Get AD properties of each mailbox @2023-05-26T11:05:46+02:00@
  Mailbox 'first.last@example.com'
    Search for mailbox user object in domain/forest 'global.com': Not found

Please check is the user for this mailbox in your local (on-prem) Active Directory has the following attributes, and which values are defined for them: mail, legacyExchangeDN, msExchRecipientTypeDetails, msExchMailboxGuid and proxyAddresses

My guess is that some of these attributes do not have values, because they are not or no longer synced with Azure AD.

Please let me know when you upload new files, as I do not get informed about new uploads.

<!-- gh-comment-id:1564166689 --> @GruberMarkus commented on GitHub (May 26, 2023): Hi Peter, I received two log files. 'log2.txt' is not complete, because you have not followed the authentication process (a browser window pops up at first execution to obtain an OAuth-Token). The script output to follow is: ``` Problem connecting to Microsoft Graph. Exit. Get-MsalToken : The operation has timed out. At \\ant-nordic\public\deploy\Signatures\Set-OutlookSignatures.ps1:3894 char:53 + ... ClientApp | Get-MsalToken -LoginHint $(if ($script:CurrentUser) { $sc ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationTimeout: (Microsoft.Ident...arameterBuilder:AcquireTokenInteractiveParameterBui lder) [Write-Error], TimeoutException + FullyQualifiedErrorId : GetMsalTokenFailureOperationTimeout,Get-MsalToken No authentication possible. Try: 1. Delete MSAL.PS Graph token cache: 'C:\Users\se_pkim\AppData\Local\MSAL.PS\MSAL.PS.msalcache.bin3'" 2. Run Set-OutlookSignature with the "-Verbose" parameter and check for authentication messages 3. If the "Via Prompt with LoginHint and Timeout" authentication message is diplayed: - Check if a browser (the system default browser, if configured) opens for authentication - Yes: - Check if the correct user account is selected/entered and if the authentication is successful - Check if authentication happens within two minutes - Ensure that access to 'http://localhost' is allowed ('https://localhost' is currently not technically feasible, see 'https:// github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/System-Browser-on-.Net-Core' and 'https://github.com/AzureAD/microsoft-a uthentication-library-for-dotnet/wiki/MSAL.NET-uses-web-browser' for details) - No: - Run Set-OutlookSignatures in a new PowerShell session - Check the system default browser - Make sure that Set-OutlookSignatures is executed in the security context of the currently logged-on user ``` The file 'log1.txt' gives some more hints. The problem is: ``` Get AD properties of each mailbox @2023-05-26T11:05:46+02:00@ Mailbox 'first.last@example.com' Search for mailbox user object in domain/forest 'global.com': Not found ``` Please check is the user for this mailbox in your local (on-prem) Active Directory has the following attributes, and which values are defined for them: mail, legacyExchangeDN, msExchRecipientTypeDetails, msExchMailboxGuid and proxyAddresses My guess is that some of these attributes do not have values, because they are not or no longer synced with Azure AD. Please let me know when you upload new files, as I do not get informed about new uploads.

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@Brosian commented on GitHub (May 26, 2023):

I've tried to authenticate with my admin account in the browser but get message "Need admin approval", maybe I need global admin or more permissions?

Only attributes that have values for the account is "mail" and "proxyAddresses"

<!-- gh-comment-id:1564560081 --> @Brosian commented on GitHub (May 26, 2023): I've tried to authenticate with my admin account in the browser but get message "Need admin approval", maybe I need global admin or more permissions? Only attributes that have values for the account is "mail" and "proxyAddresses"

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (May 26, 2023):

If you got the message "need admin approval", you have not followed the steps from comment 4:

Please make sure you read chapter 14.1 Basic Configuration in Readme - setting up Azure AD literally does not take more than a few minutes and a handful of clicks:
The easiest way is to once start Set-OutlookSignatures with a cloud administrator. The administrator then gets asked for admin consent for the correct permissions.

1. Log on to a client with a user that has administrative rights in Azure AD.
2. Run Set-OutlookSignatures.ps1 -GraphOnly true
3. When asked for credentials, provide your Azure AD admin credentials
4. For the required permissions, grant consent in the name of your organization

The other thing is about your local AD attributes: As not all the attributes defining a mailbox are set on-prem, Set-OutlookSignature can not find a mailbox in your on-prem AD. You have two options:

• Option A: Sync the mentioned attributes between your Azure AD and your on-prem AD, and make sure they have values. It is possible that not all required attributes are available or have values when you no longer have an Exchange server running on-prem. For this case, option B exists.
• Option B: Do not let Set-OutlookSignatures use your on-prem AD, but force it to only use Azure AD. You can achieve this with the -GraphOnly true parameter.

For option B, you need to configure or register an application in your Azure AD. Both possible scenarios, the easy registration and the advanced configuration, are described in the README file: Chapter 14, "Hybrid and cloud-only support". The easy registration scenario, which is the fastest and least error prone way, is outlined above for your convenience.

Please let me know if you find an error in the description. Should you be looking for professional implementation support, just get in touch with me and we'll go through the commercial options by video conference.

<!-- gh-comment-id:1564677233 --> @GruberMarkus commented on GitHub (May 26, 2023): If you got the message "need admin approval", you have not followed the steps from comment 4: ``` Please make sure you read chapter 14.1 Basic Configuration in Readme - setting up Azure AD literally does not take more than a few minutes and a handful of clicks: The easiest way is to once start Set-OutlookSignatures with a cloud administrator. The administrator then gets asked for admin consent for the correct permissions. 1. Log on to a client with a user that has administrative rights in Azure AD. 2. Run Set-OutlookSignatures.ps1 -GraphOnly true 3. When asked for credentials, provide your Azure AD admin credentials 4. For the required permissions, grant consent in the name of your organization ``` The other thing is about your local AD attributes: As not all the attributes defining a mailbox are set on-prem, Set-OutlookSignature can not find a mailbox in your on-prem AD. You have two options: - Option A: Sync the mentioned attributes between your Azure AD and your on-prem AD, and make sure they have values. It is possible that not all required attributes are available or have values when you no longer have an Exchange server running on-prem. For this case, option B exists. - Option B: Do not let Set-OutlookSignatures use your on-prem AD, but force it to only use Azure AD. You can achieve this with the `-GraphOnly true` parameter. For option B, you need to configure or register an application in your Azure AD. Both possible scenarios, the easy registration and the advanced configuration, are described in the README file: Chapter 14, "Hybrid and cloud-only support". The easy registration scenario, which is the fastest and least error prone way, is outlined above for your convenience. Please let me know if you find an error in the description. Should you be looking for professional implementation support, just get in touch with me and we'll go through the commercial options by video conference.

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@Brosian commented on GitHub (May 26, 2023):

I did try to logon with admin account on a machine that has admin permissions in the 365 tenant and still got the same message "Need admin approval". I probably need elevated permissions in 365 and will contact our global IT next week.

Thank you for your patience and support. Have a great weekend!

<!-- gh-comment-id:1564775308 --> @Brosian commented on GitHub (May 26, 2023): I did try to logon with admin account on a machine that has admin permissions in the 365 tenant and still got the same message "Need admin approval". I probably need elevated permissions in 365 and will contact our global IT next week. Thank you for your patience and support. Have a great weekend!

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (Jun 2, 2023):

Hi @Brosian,

do you have any news regarding this issue, maybe feedback from your global IT?

Kind regards

Markus

<!-- gh-comment-id:1573310912 --> @GruberMarkus commented on GitHub (Jun 2, 2023): Hi @Brosian, do you have any news regarding this issue, maybe feedback from your global IT? Kind regards Markus

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@Brosian commented on GitHub (Jun 2, 2023):

Hi Markus, no progress in this matter unfortunately. I will work with a colleague that has elevated permissions next week.
You can close this case if you want to.

<!-- gh-comment-id:1573396861 --> @Brosian commented on GitHub (Jun 2, 2023): Hi Markus, no progress in this matter unfortunately. I will work with a colleague that has elevated permissions next week. You can close this case if you want to.

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (Jun 2, 2023):

Please keep me updated. Documenting your experience will help other users facing the same problem in the future.

I will close this issue if I don't hear from you until the 11th of June.

Have a great weekend!

<!-- gh-comment-id:1573400932 --> @GruberMarkus commented on GitHub (Jun 2, 2023): Please keep me updated. Documenting your experience will help other users facing the same problem in the future. I will close this issue if I don't hear from you until the 11th of June. Have a great weekend!

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@GruberMarkus commented on GitHub (Jun 14, 2023):

Hi @Brosian,

do you have any news on this issue, or should I close it due to inactivity?

<!-- gh-comment-id:1591757396 --> @GruberMarkus commented on GitHub (Jun 14, 2023): Hi @Brosian, do you have any news on this issue, or should I close it due to inactivity?

kerem commented 2026-02-27 20:30:52 +03:00

Author

Owner

Copy link

@Brosian commented on GitHub (Jun 18, 2023):

Hi @GruberMarkus

I won't be able to give you an update until late Aug so please close this thread.

Thank you for your engagement in the issue.

<!-- gh-comment-id:1596123000 --> @Brosian commented on GitHub (Jun 18, 2023): Hi @GruberMarkus I won't be able to give you an update until late Aug so please close this thread. Thank you for your engagement in the issue.

kerem referenced this issue 2026-02-27 20:31:12 +03:00

[PR #22] [MERGED] v2.3.1 #85

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v4.26.1

v4.26.0

v4.25.0

v4.24.0

v4.23.0

v4.22.0

v4.21.0

v4.20.4

v4.20.3

v4.20.2

v4.20.1

v4.20.0

v4.19.0

v4,18.3

v4.18.3

v4.18.2

v4.18.1

v4.18.0

v4.17.0

v4.16.1

v4.16.0

v4.15.0

v4.14.2

v4.14.1

v4.14.0

v4.13.0

v4.12.2

v4.12.1

v4.12.0

v4.11.0

v4.10.1

v4.10.0

v4.9.0

v4.8.1

v4.8.0

v4.8.0-beta.2

v1.3.0

v1.4.0

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v2.0.0

v1.2.1

v1.2.0

v2.0.2

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v2.2.1

v2.3.0

v2.3.0-beta1

v2.3.0-beta2

v2.3.0-beta3

v2.3.0-beta5

v2.5.2

v2.4.0

v2.4.0-beta1

v2.5.0

v2.5.0-beta1

v2.5.0-beta2

v2.5.0-beta3

v1.1.0

v1.0.0

v2.5.1

v3.6.1

v3.6.0

v3.5.1

v3.5.0

v3.4.1

v3.4.0

v3.3.0-alpha3

v3.3.0-alpha2

v3.3.0-alpha1

v3.3.0

v3.2.2

v3.2.1-beta3

v3.2.1-beta2

v3.2.1-beta1

v3.2.1

v3.2.0-beta1

v3.2.0

v3.1.0-alpha.54

v3.1.0-alpha.52

v3.1.0-alpha.51

v3.1.0-alpha.42

v3.1.0

v3.0.0-beta1

v3.0.0

v2.3.1

v2.3.0-beta4

v4.7.0

v4.6.1

v4.6.0

v4.5.0

v4.4.0

v4.3.0

v4.2.1

v4.2.0

v4.1.0

v4.0.0

Labels

Clear labels   

bug

  

dependencies

  

documentation

  

enhancement

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

No labels

bug

dependencies

documentation

enhancement

invalid

pull-request

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/Set-OutlookSignatures-Set-OutlookSignatures#22

No description provided.