Mail Activation doesn't work on Azure AD privileged account

[sanjeev40084]

My company is moving towards using Azure AD privileged account (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) and I found out the mailbox activation command doesn't work successfully if we use privileged account. The script (Set-CrmUserMailbox) works successfully if non-privileged account with (Exchange Admin or Global Admin) is used.

[seanmcne]

@sanjeev40084 does this similar issue cover your scenario/situation? #454

[sanjeev40084]

@seanmcne in that issue, i used service principal but the issue i am having is while using the actual account (privilege account with exchange admin role). Unfortunately for the work i am doing, i won't be able to use service principal and have to use my actual account.

[seanmcne]

Just to make sure I understand, you have an account w/ PIM enabled and once you JIT up to a privileged admin role to approve mailboxes your permission isn't recognized as you would expect? Are you able to approve in the web/interactively once your role is activated via PIM?

[sanjeev40084]

Yes, that is correct. I was able to activate mailbox by logging into mailbox page through UI. Not sure if it makes difference, but my new account is cloud only account (xxx@xxx.onmicrosoft.com), meaning it doesn't sync from on-prem AD to cloud AD. I didn't had this issue when i used my other account with admin rights which sync from on-prem to azure ad and didn't had PIM setup.