Exchange Online PowerShell Using Multi-Factor Authentication

exchange online powershell using multi-factor authentication

If you’ve been using PowerShell to manage your Office 365 mailboxes, chances are you’ve been connecting with a remote PowerShell session, similar to this:

  1. $Credentials = Get-Credential
  2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection
  3. Import-PSSession $Session -DisableNameChecking

If you follow Microsoft’s advice to enable MFA (Multi-Factor Authentication) on your admin account you will now be facing this nasty output:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. At line:2 char:12 + $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Provide a valid value for the argument, and then try running the command again. At line:3 char:18 + Import-PSSession $Session -DisableNameChecking + ~~~~~~~~ + CategoryInfo : InvalidData: (:) [Import-PSSession], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

Apparently, doing remote PowerShell against Exchange Online with multi-factor authentication enabled simply isn’t going to fly…

Exchange Online PowerShell V2 Module to the Rescue

To run PowerShell scripts with an MFA enabled admin account against Exchange Online you need the ExchangeOnlineManagement module aka EXO V2.

Install the module from PSGallery using this command:

  1. Install-Module ExchangeOnlineManagement

After the module is installed you can connect to Exchange Online using the following command:

  1. Connect-ExchangeOnline

The ExchangeOnlineManagement module has all the old familiar Exchange CmdLets so basically your old scripts will remain functional. However a few commands have been upgraded and are available using the EXO prefix. This information is summarized in the following output:

---------------------------------------------------------------------------- We have released new management cmdlets which are faster and more reliable. |--------------------------------------------------------------------------| | Old Cmdlets | New/Reliable/Faster Cmdlets | |--------------------------------------------------------------------------| | Get-CASMailbox | Get-EXOCASMailbox | | Get-Mailbox | Get-EXOMailbox | | Get-MailboxFolderPermission | Get-EXOMailboxFolderPermission | | Get-MailboxFolderStatistics | Get-EXOMailboxFolderStatistics | | Get-MailboxPermission | Get-EXOMailboxPermission | | Get-MailboxStatistics | Get-EXOMailboxStatistics | | Get-MobileDeviceStatistics | Get-EXOMobileDeviceStatistics | | Get-Recipient | Get-EXORecipient | | Get-RecipientPermission | Get-EXORecipientPermission | |--------------------------------------------------------------------------| To get additional information, run: Get-Help Connect-ExchangeOnline Please send your feedback and suggestions to exocmdletpreview@service.microsoft.com ----------------------------------------------------------------------------

Immediately after this output is seen, the Connect-ExchangeOnline cmdlet will present you with the MFA aware modern authentication logon prompt:

Exchange Online Management MFA Signin
Exchange Online Management MFA Signin
Exchange Online Management MFA Signin

After successfully entering your credentials and your MFA pin you’re ready to rock!

Summary

The ExchangeOnlineModule was released end of 2019 and is still in preview. But since multi-factor authentication for admins is becoming increasingly popular you should consider migrating to this new module.

Indeed, Basic Authentication support on Exchange Online will end 13th of October 2020. Past this date you will not be able to use the standard Exchange PowerShell remoting – even with MFA disabled.

Did you like this post? Maybe your friends will too!