Forum Discussion
Azure Automation connecting to Exchange with MFA enforced
- Oct 08, 2019
Chris Johnston The answer is deceptively simple...
I published a Runbook script to get you started with the initial connection, then you can add your own script from there on.
https://www.powershellgallery.com/packages/AzureAutomationAgainstExchangeOnlineWithMFAEnabledAccount/1.0.0
Have you looked at using application passwords for the office 365 account with MFA? https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords
You could potentially store the application password in a Key Vault and call it from your service principal.
- Chris Johnston, May 09, 2019, Brass Contributor
Richard_Hooper I have used the equivalent for automation, i.e. an app secret for services that can accept these connection parameters, e.g. PnP:
# Run As connection asset of the Automation account (tenant, app id, certificate thumbprint)
$servicePrincipalConnection = Get-AutomationConnection -Name "AzureRunAsConnection"
# App secret stored as an (encrypted) Automation variable
$appsecret = Get-AutomationVariable -Name "SPAppSecret"
# App-only connection to SharePoint Online
Connect-PnPOnline -AppId $servicePrincipalConnection.ApplicationId -AppSecret $appsecret -Url ""
I don't see where the Exchange connection supports app secrets.
Would you be able to provide a working or theoretical example of how the connection to Exchange Online would use an application password as you suggest, please, as I'm not sure how I'd do this.
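As an added example (not code from any poster in this thread), the following runbook combines the two ideas above: the Run As service principal signs in with its certificate, the PnP app secret is read from Key Vault rather than from a runbook variable, and the app-only PnP connection is made with the same parameters as the snippet above. The vault name, secret name and site URL are placeholder assumptions, and it assumes the legacy SharePointPnPPowerShellOnline module (which has -AppId/-AppSecret) plus the Az.Accounts and Az.KeyVault modules in the Automation account. It illustrates the PnP pattern only; it does not make Exchange Online accept an app secret.

```powershell
# Added example (not from this thread): Azure Automation runbook that
# authenticates as the Run As service principal, pulls the PnP app secret
# from Key Vault, and opens an app-only PnP connection.
param(
    [string] $VaultName  = 'contoso-automation-kv',                    # assumption
    [string] $SecretName = 'SPAppSecret',                              # assumption
    [string] $SiteUrl    = 'https://contoso.sharepoint.com/sites/ops'  # assumption
)

$ErrorActionPreference = 'Stop'

# 1. Run As connection asset created when the Automation account was provisioned.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'

# 2. Certificate-based sign-in as the service principal: no password, no MFA prompt.
Connect-AzAccount -ServicePrincipal `
    -TenantId              $conn.TenantId `
    -ApplicationId         $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# 3. Read the secret. Grant the service principal only 'get' on secrets for
#    this vault (access policy or the Key Vault Secrets User role), nothing wider.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName

# Get-AzKeyVaultSecret returns a SecureString; unwrap it only for the connect
# call and free the unmanaged copy immediately afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $appSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# 4. App-only connection to SharePoint Online, same parameters as the thread's
#    snippet (legacy parameter names; PnP.PowerShell renamed them to
#    -ClientId / -ClientSecret).
Connect-PnPOnline -Url $SiteUrl `
    -AppId     $conn.ApplicationId `
    -AppSecret $appSecret

# 5. Confirm the connection, then drop the plaintext copy of the secret.
$web = Get-PnPWeb
Write-Output "Connected to '$($web.Title)' as app $($conn.ApplicationId)"
$appSecret = $null
```

Keeping the secret in Key Vault rather than in a runbook variable means rotation happens in one place and access is logged in the vault's diagnostics; the service principal still needs nothing beyond read access to that single secret.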
- RobOnyxPublishing, Feb 17, 2021, Copper Contributor
Hi Richard, could you explain how you create and use an App Secret for connecting to PnP (Connect-PnPOnline)?
- May 09, 2019
Chris Johnston Unfortunately what I was suggesting will not work. There seems to be a UserVoice entry regarding this. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/14890308-allow-admin-to-create-powershell-session-using-app
I am thinking that you will not be able to do what you want to do with MFA enabled.
- Chris Johnston, May 10, 2019, Brass Contributor
Richard_Hooper Hopefully I'll get an answer to this but in the meantime as a workaround, I'll look at using conditional access to block a service account (that doesn't have MFA enforced) unless it's from a named location of the data centre where the automation account has been provisioned.
https://www.microsoft.com/en-us/download/details.aspx?id=41653
Doesn't look like you can be more granular than that for a runbook:
https://social.msdn.microsoft.com/Forums/azure/en-US/26bd07d4-05bc-446f-a4d5-c185f517d8bb/storage-account-firewall-and-azure-automation?forum=windowsazuredata
and presumably the IPs are subject to change, plus I will now have MFA exclusions requiring security approval, so it's not an ideal workaround tbh.