Error executing request. Can’t connect to the mailbox of user Mailbox database guid: <some guid> because the ExchangePrincipal object contains outdated information. The mailbox may have been moved recently. Microsoft.Exchange.Data.Storage.MailboxInfoStaleException

if you’re getting the above, on april 30th 2026 Microsoft began enforcing that the X-AnchorMailbox header contains the actual mailbox identity (ID) (and @tenantId) instead of the generic SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} value.

This, however, is currently only enforced for specific in-mailbox commands, e.g. Get-ExoMailboxFolderPermission

If you’re using Michev’s admin api method, you may run into this 🙂

Automation, EntraID, LCToolkit

SPNRoleMgr Tool added

25/04/2026 JosL Leave a comment

https://lieben.nu/tools/SPNRoleMgr

Helps easily set/modify/remove permissions on Managed Identies, a feature totally lacking from the entra portal 🙂

Automation, Sharepoint Online

Path fix tool for Sharepoint update

22/04/2026 JosL 1 Comment

Updated with a modern GUI, smart renaming/restructuring rules, delegated or app auth, fast and parallel scanning….

Handy when your excel references break over 200+ url lengths, or you have sync issues when going beyond 256 characters!

Download/install the PS module from PSGallery!

https://www.powershellgallery.com/packages/SPPathFixer

Azure DevOps

Enumerating organizations and projects in Azure DevOps using a Service Principal

16/04/2026 JosL 1 Comment

Azure DevOp’s API’s still have a slight preference for delegated api calls (calls from users). For M365permissions scans run through a managed identity, which as a type of service principal cannot normally enumerate the organizations in a tenant. Not knowing the orgs, you also can’t enumerate projects etc.

I tried a year ago and failed. Coming back to it now in some spare time, after struggling a lot with Fiddler & PowerShell, I finally figured out how to get orgs without delegated authentication.

It was actually quite simple, as always…just a single GET to:

https://vsaex.dev.azure.com/_apis/EnterpriseCatalog/Organizations?tenantId=YOURTENANTIDHERE&api-version=7.1-preview.1

https://vsaex.dev.azure.com/_apis/EnterpriseCatalog/Organizations?tenantId=YOURTENANTIDHERE&api-version=7.1-preview.1

This returns a csv type formatted string with all orgs your SPN has permissions to! Isn’t that cool?

Oh and don’t forget, the token you get should be for the audience 499b84ac-1321-427f-aa17-267ca6975798

Liebensraum

New tools added!

Microsoft.Exchange.Data.Storage.MailboxInfoStaleException

SPNRoleMgr Tool added

Path fix tool for Sharepoint update

Enumerating organizations and projects in Azure DevOps using a Service Principal

Microsoft 365, Azure, Automation & Code