Azure Automation connecting to Exchange with MFA enforced
- Oct 08, 2019
Chris Johnston The answer is deceptively simple....
I published a Runbook script to get you started with the initial connection, then you can add your own script from there on.
Richard_Hooper I have used the equivalent for automation, i.e. an app secret for services that can accept these connection parameters, e.g. PnP:
$servicePrincipalConnection = Get-AutomationConnection -Name "AzureRunAsConnection"
$appsecret = Get-AutomationVariable -Name "SPAppSecret"
Connect-PnPOnline -AppId $servicePrincipalConnection.ApplicationId -AppSecret $appsecret -Url ""
I don't see where Exchange connection supports app secrets.
Would you be able to provide a working or theoretical example of how the connection to Exchange Online would use an application password, as you suggest, please? I'm not sure how I'd do this.
Chris Johnston Unfortunately what I was suggesting will not work. There seems to be a user voice regarding this. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/14890308-allow-admin-to-create-powershell-session-using-app
I am thinking that you will not be able to do what you want to do with MFA enabled.
- Chris Johnston, May 10, 2019, Brass Contributor
Richard_Hooper Hopefully I'll get an answer to this but in the meantime as a workaround, I'll look at using conditional access to block a service account (that doesn't have MFA enforced) unless it's from a named location of the data centre where the automation account has been provisioned.
https://www.microsoft.com/en-us/download/details.aspx?id=41653
Doesn't look like you can be more granular than that for a runbook, and presumably the IPs are subject to change, plus I will now have MFA exclusions requiring security approval, so it's not an ideal workaround tbh.
- Magnus Tengmo, Aug 28, 2019, Copper Contributor
Has someone solved connecting to EOP from a Runbook with MFA enabled from Conditional Access? Or a workaround?
- Magnus Tengmo, Aug 28, 2019, Copper Contributor
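The workaround discussed in the thread leaves a service account exempt from MFA and relies on a named location to contain it, so sign-ins by that account from anywhere else are worth alerting on. The following is an added example, not code from any poster in this thread: it checks sign-in records against the named location's IPv4 ranges, and the account name, CIDR ranges and sign-in records are all constructed samples.

```powershell
# Added example. Account name, CIDR ranges and sign-in records are constructed.
function ConvertTo-IPv4Number {
    param([string]$IPv4)
    [long]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()) {
        $n = $n * 256 + $b                             # big-endian bytes -> integer
    }
    $n
}

function Test-IPv4InCidr {
    param([string]$IPv4, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    [long]$size  = [math]::Pow(2, 32 - [int]$prefix)   # addresses in the block
    [long]$start = ConvertTo-IPv4Number $network
    $start = $start - ($start % $size)                 # align to the block boundary
    [long]$addr = ConvertTo-IPv4Number $IPv4
    ($addr -ge $start) -and ($addr -lt ($start + $size))
}

function Find-OutOfLocationSignIn {
    param([object[]]$SignIns, [string]$Account, [string[]]$AllowedCidrs)
    foreach ($s in $SignIns) {
        if ($s.User -ne $Account) { continue }         # only the MFA-exempt account
        $inside = $false
        foreach ($cidr in $AllowedCidrs) {
            if (Test-IPv4InCidr -IPv4 $s.IP -Cidr $cidr) { $inside = $true; break }
        }
        if (-not $inside) { $s }                       # emit the out-of-location record
    }
}

$account = 'svc-automation@contoso.example'            # hypothetical service account
$allowed = @('203.0.113.0/24', '198.51.100.64/26')     # constructed named-location ranges
$signIns = @(                                          # constructed sign-in records
    [pscustomobject]@{ Time = '2019-08-28T09:00:00Z'; User = $account; IP = '203.0.113.25' }
    [pscustomobject]@{ Time = '2019-08-28T09:05:00Z'; User = $account; IP = '198.51.100.130' }
    [pscustomobject]@{ Time = '2019-08-28T09:07:00Z'; User = 'alice@contoso.example'; IP = '192.0.2.9' }
    [pscustomobject]@{ Time = '2019-08-28T09:12:00Z'; User = $account; IP = '192.0.2.77' }
)

# Reports the 09:05 and 09:12 records: both are the exempt account outside the allowed ranges.
Find-OutOfLocationSignIn -SignIns $signIns -Account $account -AllowedCidrs $allowed |
    Format-Table Time, User, IP
```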