Authenticating to O365 using PowerShell and MFA
- Nov 10, 2016
To save everyone from having to read AnnaChu's full post: there is now an Exchange Online PowerShell module available in preview that supports MFA. I just tested it and it works (so far) as expected. Go to http://aka.ms/exopspreview to download the preview.
We've been able to get our Office 365 Admin accounts with MFA enabled working with PowerShell for Exchange Online, Skype for Business, etc., with some caveats:
- This requires an Azure AD Premium, Enterprise Mobility Suite or Azure Multi-Factor Authentication subscription
- The admin account must be a cloud only account (will not work for federated accounts)
Assuming the above caveats are ok, follow the below steps to set it up:
- Follow the below post on setting up Azure MFA contextual whitelisting; you will need to whitelist all IP address ranges that PowerShell logins will come from. In our case we've whitelisted all of our company's public IP address ranges:
- Enable MFA on your cloud admin account
- Log into the Office 365 portal and configure MFA for your account
- Go to this link: https://portal.office.com/account/#security
- Click on Additional Security Verification (If this option doesn't show wait a few minutes and try again)
- Click on Update my phone numbers used for account security
- Click on the app passwords tab
- Delete the default app password that was created (failing to do this step will prevent you from logging into Office 365 services via PowerShell).
This has closed a security policy breach for us. We were struggling with it for a while; the missing piece for us was deleting the default app password that gets set up automatically when you enable MFA on your account. I hope that this can help other people struggling with the same issue.
The ideal solution will come when Microsoft updates each of their services to allow federated accounts with MFA to authenticate via PowerShell (it seems like they are making slow progress).