Exchange Online PowerShell Using Multi-Factor Authentication


If you’ve been using PowerShell to manage your Office 365 mailboxes, chances are you’ve been connecting with a remote PowerShell session, similar to this:

$Credentials = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

If you follow Microsoft’s advice to enable MFA (Multi-Factor Authentication) on your admin account, you will now face this nasty output:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : 
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:2 char:12
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Provide a valid value for the argument,
and then try running the command again.
At line:3 char:18
+ Import-PSSession $Session -DisableNameChecking
+                  ~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Import-PSSession], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

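Apparently, doing remote PowerShell against Exchange Online with multi-factor authentication enabled simply isn’t going to fly: Basic authentication only submits a username and password, so there is no way to complete the second factor.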

Exchange Online PowerShell V2 Module to the Rescue

To run PowerShell scripts against Exchange Online with an MFA-enabled admin account, you need the ExchangeOnlineManagement module, aka EXO V2.

Install the module from PSGallery using this command:

Install-Module ExchangeOnlineManagement

After the module is installed you can connect to Exchange Online using the following command:

Connect-ExchangeOnline

The ExchangeOnlineManagement module has all the old familiar Exchange cmdlets, so basically your old scripts will remain functional. However, a few commands have been upgraded and are available using the EXO prefix. This information is summarized in the following output:

----------------------------------------------------------------------------
We have released new management cmdlets which are faster and more reliable.
|--------------------------------------------------------------------------|
|    Old Cmdlets                    |    New/Reliable/Faster Cmdlets       |
|--------------------------------------------------------------------------|
|    Get-CASMailbox                 |    Get-EXOCASMailbox                 |
|    Get-Mailbox                    |    Get-EXOMailbox                    |
|    Get-MailboxFolderPermission    |    Get-EXOMailboxFolderPermission    |
|    Get-MailboxFolderStatistics    |    Get-EXOMailboxFolderStatistics    |
|    Get-MailboxPermission          |    Get-EXOMailboxPermission          |
|    Get-MailboxStatistics          |    Get-EXOMailboxStatistics          |
|    Get-MobileDeviceStatistics     |    Get-EXOMobileDeviceStatistics     |
|    Get-Recipient                  |    Get-EXORecipient                  |
|    Get-RecipientPermission        |    Get-EXORecipientPermission        |
|--------------------------------------------------------------------------|
To get additional information, run: Get-Help Connect-ExchangeOnline
Please send your feedback and suggestions to exocmdletpreview@service.microsoft.com
----------------------------------------------------------------------------

Immediately after this output, the Connect-ExchangeOnline cmdlet presents you with the MFA-aware modern authentication logon prompt:

Exchange Online Management MFA Signin

After successfully entering your credentials and your MFA PIN, you’re ready to rock!
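
The legacy three-line connection from the top of this post, rewritten for the ExchangeOnlineManagement module, as an added example that is not part of the original post. The admin UPN is a placeholder to replace with your own account.

```powershell
# Added example: install (if needed), connect with modern auth, query, disconnect.
$AdminUpn = 'admin@contoso.onmicrosoft.com'   # assumption: placeholder admin account

# Install the module for the current user only if it is not already present.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement

try {
    # Opens the MFA-aware sign-in prompt; no password is held in a script variable.
    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false -ErrorAction Stop

    # Get-EXOMailbox is the replacement for Get-Mailbox listed in the banner.
    Get-EXOMailbox -ResultSize 50 |
        Select-Object DisplayName, UserPrincipalName, RecipientTypeDetails
}
finally {
    # Close the session even if a command above fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```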

Manage Office 365 Mailboxes From AD User Properties

Easy365Manager is a small snap-in to Active Directory Users & Computers that allows you to manage Office 365 licenses and mailboxes directly from AD user properties.

Many tasks that normally require PowerShell scripting can now be performed directly in user properties.

As an example, you’ll save a lot of time and inconvenience by delegating calendar permission directly in AD:

How to delegate calendar permissions with Easy365Manager

Easy365Manager supports MFA authentication and securely caches your Office 365 token, so you don’t need to re-authenticate every time you use Active Directory.

Easy365Manager can be installed and configured on any machine with RSAT/ADUC in just a few minutes and is a real time saver.

You can even remove your last on-premises Exchange Server.

For a complete list of features, read this.

Download the fully functional 30-day trial here.

Summary

The ExchangeOnlineManagement module was released at the end of 2019 and is still in preview. But since multi-factor authentication for admins is becoming increasingly popular, you should consider migrating to this new module.

Indeed, Basic Authentication support on Exchange Online will end on the 13th of October 2020. Therefore, you will not be able to use the standard Exchange PowerShell remoting past this date – even with MFA disabled.
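
To find the scripts that still need migrating, the following added example (not part of the original post) parses PowerShell source and reports both the Basic-auth `New-PSSession` connection and any cmdlet that has an EXO replacement in the banner table. The function name `Find-LegacyExchangeUsage` and the sample input are constructed for illustration.

```powershell
# Added example: static audit for legacy Exchange Online usage.
# Mapping copied from the banner table shown earlier in this post.
$ExoReplacement = @{
    'Get-CASMailbox'              = 'Get-EXOCASMailbox'
    'Get-Mailbox'                 = 'Get-EXOMailbox'
    'Get-MailboxFolderPermission' = 'Get-EXOMailboxFolderPermission'
    'Get-MailboxFolderStatistics' = 'Get-EXOMailboxFolderStatistics'
    'Get-MailboxPermission'       = 'Get-EXOMailboxPermission'
    'Get-MailboxStatistics'       = 'Get-EXOMailboxStatistics'
    'Get-MobileDeviceStatistics'  = 'Get-EXOMobileDeviceStatistics'
    'Get-Recipient'               = 'Get-EXORecipient'
    'Get-RecipientPermission'     = 'Get-EXORecipientPermission'
}

function Find-LegacyExchangeUsage {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ScriptText, [string]$Source = '<inline>')

    # Use the PowerShell parser so commented-out code and string literals
    # are not reported as commands.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    $commands = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }   # command name built at run time
        $finding = $null
        if ($name -eq 'New-PSSession' -and
            $cmd.Extent.Text -match 'Microsoft\.Exchange' -and
            $cmd.Extent.Text -match '-Authentication\s+Basic') {
            $finding = 'Basic-auth remote session'; $fix = 'Connect-ExchangeOnline'
        }
        elseif ($ExoReplacement.ContainsKey($name)) {
            $finding = "Legacy cmdlet $name"; $fix = $ExoReplacement[$name]
        }
        if ($finding) {
            [pscustomobject]@{ Source = $Source; Line = $cmd.Extent.StartLineNumber
                               Finding = $finding; Suggestion = $fix }
        }
    }
}

# Constructed sample: the legacy snippet from this post plus two old cmdlets.
$sample = @'
$Credentials = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics
'@
Find-LegacyExchangeUsage -ScriptText $sample -Source 'sample.ps1' | Format-Table -AutoSize
```

To audit a folder, pipe `Get-ChildItem -Recurse -Filter *.ps1` into the function with `Get-Content -Raw` as the script text. The EXO cmdlets return a reduced property set by default, so review each suggested replacement rather than renaming blindly.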
