Forum Discussion
Azure Automation connecting to Exchange with MFA enforced
- Oct 08, 2019
Chris Johnston The answer is deceptively simple....
I published a Runbook script to get you started with the initial connection, then you can add your own script from there on.
https://www.powershellgallery.com/packages/AzureAutomationAgainstExchangeOnlineWithMFAEnabledAccount/1.0.0
- JesseVaught, May 20, 2023, Brass Contributor
MichaelMardahl, the gallery states that you delisted this, why is that? Does this no longer work?
https://www.powershellgallery.com/packages/AzureAutomationAgainstExchangeOnlineWithMFAEnabledAccount/1.0.0
- PhilRiceUoS, Aug 20, 2020, Brass Contributor
I deployed this and the only thing I changed was the user account name (which is definitely in Azure Automation Credentials) and it just gets stuck on
Logging in to Exchange Online...
and never stops. The account has permissions and can log in using PowerShell.
I'm finding every solution I have tried for using Exchange Online with Azure Automation does the same and gets stuck. Any ideas?
- TobiasBoone, Oct 07, 2020, Copper Contributor
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    # Sign in to Azure RM as the Run As service principal (certificate auth, no interactive MFA prompt)
    "Logging in to Azure RM..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
    # Sign in to Azure AD with the same service principal certificate
    "Logging in to Azure AD..."
    Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
    # Connect to Exchange Online with app-only certificate auth; replace the three placeholder values with your own
    "Logging into EXOL"
    Connect-ExchangeOnline -CertificateThumbPrint "yourthumprintfromyourAzureAutomationregistrationasAnADapp" -AppID "foundonyourappinAAD" -Organization "tenant.com"
}
catch
{
    # A try block needs a catch or finally; report the failure and stop the runbook
    Write-Error -Message $_.Exception.Message
    throw
}
- TobiasBoone, Oct 07, 2020, Copper Contributor
You also need to make sure that your Automation account is given the Compliance Admin role to be able to connect to Exchange Online and do most things...
- Chris Johnston, Oct 09, 2019, Brass Contributor
MichaelMardahl, looking at the script comments, the key is that the user account used has never logged on, which then lets us bypass MFA. It has the feel of a loophole that may close at some point, but many thanks for the post, I'll give this a go 🙂
- MichaelMardahl, Oct 09, 2019, Copper Contributor
I got it from the official partner documentation 🙂
I am contemplating the issues. But for now I just configure a 50-char password and put it away in a locked box.
If you wanna be REALLY secure, then use the demo Azure Automation script that connects securely to Azure AD using a cert.
From there, create the user with my method.
Then do your thing with Exchange. And delete the user again! 🙂
Seems messy, but the odds of anyone being able to compromise the account in the few minutes it lives are 0.00000000000001