Warning:
- Make sure the steps below are completed on a highly secured, dedicated computer/server. Anyone with Administrator access to that server can use the connection: the AppId is not a secret, and a local administrator can grant themselves access to the certificate's private key (or export it, if the key was created exportable) and then connect as the application.
There are two certificate-based authentication options when connecting with an AppId:
- Option 1 - Connect using the certificate thumbprint
- Option 2 - Connect using a PFX file
Both methods are well documented online (https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps).
However, I prefer the Thumbprint option, which is easier to manage - no need for a PFX file or a private key password.
See the detailed implementation steps below:
1. Register the application in Azure AD.
2. Assign Exchange Online API permissions to the application.
3. Generate a self-signed certificate
4. Export self-signed certificate public key (.cer)
5. Attach the certificate to the Azure AD application (this is the .cer file exported in step 4 above; it contains only the public key).
6. Assign Azure AD roles to the application
7. Make a note of the certificate thumbprint because you'll need it in the next step. See How to: Retrieve the Thumbprint of a Certificate.
8. Give the domain-based service account used for running the script instance ('xxxx') permission to access the certificate's private key. The certificate, with its private key, must be in the certificate store of the machine that runs the script; Connect-ExchangeOnline looks it up by thumbprint there.
To do this using the MMC:
8a. Open the MMC snap-in for certificates. See How to: View Certificates with the MMC Snap-in.
8b. Expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.
8c. In the right pane, right-click the self-signed certificate (created in step 3 above), select "All Tasks", and then choose Manage Private Keys.
8d. In the Security dialog box, choose Add.
8e. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the dedicated user account (the script will run under the context of this account - usually a dedicated service account from your Active Directory domain/LDAP server). Then choose the OK button.
8f. In the Read field, select Allow, and then choose the OK button. Read is all the account needs to sign with the key; Full Control is not required for the script to run, so do not grant it.
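The same procedure (steps 3, 4, 7 and 8) scripted in PowerShell, run once as a local administrator on the dedicated server. This is an added example, not code from the original page or from Microsoft's documentation; the service account name, subject name and output path are placeholders you must replace, and the key-file location assumes the default CNG provider that New-SelfSignedCertificate uses.

```powershell
#Requires -RunAsAdministrator
# Added example: provision the app-only certificate and grant the service account Read on its key.
# Assumptions (not in the original page): the three values below are placeholders.
$ServiceAccount = 'CONTOSO\svc-exo-script'   # step 8: domain service account the script runs as
$CerPath        = 'C:\Temp\ExoAppOnly.cer'   # step 4/5: public key file to upload to the app registration
$Subject        = 'CN=ExoAppOnly'            # step 3: any subject name you like

# Step 3: self-signed certificate in the Local Computer personal store.
# NonExportable stops anyone, local admins included, from pulling the private key out of the
# store with Export-PfxCertificate; only the thumbprint method will work with this key.
$cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# Step 4: export only the public key (.cer); this is what gets attached to the Azure AD app (step 5).
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Step 7: the thumbprint that Connect-ExchangeOnline will use.
$Thumbprint = $cert.Thumbprint

# Step 8: grant the service account Read on the private key file instead of clicking through MMC.
# New-SelfSignedCertificate defaults to the Microsoft Software Key Storage Provider (CNG), whose
# machine keys live under %ProgramData%\Microsoft\Crypto\Keys\<UniqueName>; the RSA\MachineKeys
# path is the older CAPI location, checked as a fallback (assumption).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = $rsa.Key.UniqueName
$keyFile = @(
    (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$uniqueName"),
    (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$uniqueName")
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) {
    throw "Private key file for $Thumbprint not found; the key may be under a different provider."
}

# Read is enough to sign with the key; Full Control is not needed for the script to run.
icacls $keyFile /grant "$($ServiceAccount):(R)" | Out-Null

# Print what the next steps need, plus a check that the ACL actually took.
$granted = (Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object -ExpandProperty FileSystemRights
[pscustomobject]@{
    Thumbprint   = $Thumbprint
    PublicKeyCer = $CerPath
    KeyFile      = $keyFile
    GrantedTo    = $ServiceAccount
    Rights       = $granted
}
```

Keep the .cer for step 5 and the printed thumbprint for the connection script; nothing else leaves the server. Because the key is non-exportable, renewing means repeating this script and attaching the new .cer to the application before the old certificate expires.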
Sample connection: Connect-ExchangeOnline cmdlet example using the certificate thumbprint (no PFX needed)
$CertificateThumbprint='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' <# Thumbprint of the self-signed certificate from step 3 (noted in step 7). #>
$Organization = 'xxxxx.onmicrosoft.com' <# Your organization's '.onmicrosoft.com' domain. #>
$AppId = 'xxxxxxxxxxxxx' <# Application (client) ID of the Azure AD app registered in step 1. #>
Connect-ExchangeOnline -CertificateThumbprint $CertificateThumbprint -AppId $AppId -Organization $Organization
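A fuller version of that connection, as an added example that is not part of the original page: run under the service account from step 8, it first proves the private key is usable by that account (by signing and verifying a test string, which is exactly what fails with "Keyset does not exist" when the Read permission is missing), then connects, runs a read-only cmdlet as a smoke test, and always disconnects. The thumbprint, AppId and organization are placeholders, and Get-OrganizationConfig is an assumed stand-in for the script's real work.

```powershell
# Added example: verified app-only connection. Placeholders (not from the original page):
$CertificateThumbprint = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'   # thumbprint from step 7
$AppId                 = 'xxxxxxxxxxxxx'                     # application (client) ID from step 1
$Organization          = 'xxxxx.onmicrosoft.com'             # tenant's .onmicrosoft.com domain

function Test-AppOnlyCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Connect-ExchangeOnline finds the certificate by thumbprint in the personal stores; look in both.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My' |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\My or CurrentUser\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; this is the .cer copy, not the one from step 3."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires $($cert.NotAfter); renew it and update the app."
    }

    # Use the key the way the module will: sign something. This is where a missing Read permission
    # on the key file surfaces, as a clear error before any call to Exchange Online is made.
    try {
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $data = [System.Text.Encoding]::UTF8.GetBytes('app-only-auth-check')
        $hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
        $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        $sig  = $rsa.SignData($data, $hash, $pad)
        if (-not $rsa.VerifyData($data, $sig, $hash, $pad)) { throw 'Test signature did not verify.' }
    }
    catch {
        throw "Private key for $Thumbprint is not usable by $env:USERDOMAIN\$env:USERNAME (check step 8): $($_.Exception.Message)"
    }
    return $cert
}

$cert = Test-AppOnlyCertificate -Thumbprint $CertificateThumbprint
Write-Host "Connecting with $($cert.Subject) (expires $($cert.NotAfter))"

try {
    Connect-ExchangeOnline -CertificateThumbprint $CertificateThumbprint `
        -AppId $AppId -Organization $Organization -ShowBanner:$false

    # Read-only smoke test; replace with the real work of the script.
    Get-OrganizationConfig | Select-Object Name, DisplayName
}
finally {
    # Always tear the session down so nothing reusable lingers on the server.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the signing test throws but the MMC shows the account listed, check that the certificate in LocalMachine\My is the one whose key you granted access to and not a second copy with the same subject; the thumbprint, not the subject, is what identifies it.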