Hi,
Dave Goldman - I was hoping the community could guide me appropriately.
Our product uses a non-interactive service to connect and execute PowerShell v1 cmdlets for Exchange Online. After reviewing the available documentation and community posts, here is our understanding in terms of the options to move away from basic authentication for our service.
- MFA bypass using trusted IPs as explained https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips – This is definitely not desirable as it defeats the purpose of securing the environment by introducing MFA. We also see our customers rejecting this mechanism to connect with custom configuration to bypass MFA.
- MFA using Secure Application Model – This model is based on the refresh token mechanism as explained at https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0#exchange and https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model#:~:text=Get%20refresh%20token&text=Make%20a%20POST%20call%20to,token%20in%20Azure%20Key%20Vault. This mechanism uses the ‘New-PSSession’ cmdlet with a credential object (obtained through the ‘New-PartnerAccessToken’ cmdlet), which is also stated to be deprecated (https://docs.microsoft.com/en-us/powershell/exchange/basic-auth-connect-to-exo-powershell?view=exchange-ps). Also, the note in the community post states that this would break after basic authentication is disabled (“Please note that if you are using new-pssession with credential parameter, it will break after Basic Authentication is disabled”).
- Using the PowerShell V2 module – This seems to be the recommended mechanism. But with App-only authentication for unattended scripts in the EXO v2 module being in public preview, production usage is a no-go.
This leaves us in flux without an ability to support our service with basic authentication disabled. Until certificate-based authentication in EXO v2 becomes generally available, what is the recommendation to support authentication for non-interactive scripts?
Any help would be great!
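For reference, an added example (not from the original post or from Microsoft's documentation) of what the unattended EXO V2 connection looks like once certificate-based app-only authentication is used instead of a credential object; it assumes the app registration has already been granted the Exchange app-only permission and an Exchange role, and the app ID, thumbprint and tenant domain are placeholders:

```powershell
# Added example: unattended Exchange Online session with certificate-based
# app-only authentication in the ExchangeOnlineManagement (EXO V2) module.
# The three values below are placeholders and must be replaced.
$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure AD app (client) ID
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # placeholder: cert in the service account's store
$Tenant     = 'contoso.onmicrosoft.com'                # placeholder: tenant .onmicrosoft.com domain

Import-Module ExchangeOnlineManagement -ErrorAction Stop

$connected = $false
try {
    # No username/password and no MFA prompt: the certificate's private key proves the app identity.
    Connect-ExchangeOnline -AppId $AppId `
                           -CertificateThumbprint $Thumbprint `
                           -Organization $Tenant `
                           -ShowBanner:$false `
                           -ErrorAction Stop
    $connected = $true

    # Example unattended workload: list mailboxes that still have POP or IMAP enabled,
    # a useful check while retiring basic authentication for the tenant.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Select-Object Identity, PopEnabled, ImapEnabled
}
finally {
    # Always tear the session down so scheduled runs do not leak remote sessions.
    if ($connected) { Disconnect-ExchangeOnline -Confirm:$false }
}
```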