Forum Discussion

Deleted's avatar
Deleted
Mar 01, 2018
Solved

Connect to Office365 via Powershell as a Delegate Access Partner with MFA enabled

Hi, we have identities in our Partner Center Azure AD which have e.g. global admin rights for the customer tenants. In the Partner Center Azure AD we´ve enabled MFA for this accounts. I can use t...
office 365
security
  • VasilMichev's avatar
    VasilMichev
    Mar 01, 2018

    We've brought this issue several times already, but afaik it's still not supported. On the other hand, the "sister" SCC MFA module does support delegate access via the corresponding parameter:

     

     Connect-IPPSSession -DelegatedOrganization

     

    It's just another example on how the different teams at Microsoft fail to talk to each other...

Pablo R. Ortiz's avatar
Pablo R. Ortiz
Iron Contributor
Mar 01, 2018

Note that for cmdlet Connect-EXOPSSession the ConnectionUri parameter is different from that of New-PSSession (Office 365 DE has a different ConnectionUri, while other Office 365 tenant locations don't have any). Check the following guide for installing remote EXO powershell module with MFA enabled, and samples on how to connect:

https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

Deleted's avatar
Deleted
Mar 01, 2018

Hi Pablo,

thank you for your reply. I thought the cmdlet´s use the same targets in general.

But the original question is how to connect to office 365 / Exchange Online via PS with MFA as a delegate access partner.

 

Jakob

  • Pablo R. Ortiz's avatar
    Pablo R. Ortiz
    Iron Contributor
    Mar 01, 2018

    I couldn't find any documentation on connecting to EXO as a delegate with MFA. I don't even know if it's possible. This is what I would try:

    1. Follow the instructions in the URL to install EXO MFA module, open it and run Connect-EXOPSSession as per the documentation. After connected run your $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name>-Credential $UserCredential -Authentication Basic -AllowRedirection

    • VasilMichev's avatar
      VasilMichev
      MVP
      Mar 01, 2018

      We've brought this issue several times already, but afaik it's still not supported. On the other hand, the "sister" SCC MFA module does support delegate access via the corresponding parameter:

       

       Connect-IPPSSession -DelegatedOrganization

       

      It's just another example on how the different teams at Microsoft fail to talk to each other...

      • Deleted's avatar
        Deleted
        Mar 01, 2018

        Hi Vasil,

         

        thank you again... I´ve missed the -delegatedorganization switch for the connect-ippssession command. 

         

        So... unfortunately we can´t support (except Security & Compliance) our customers via PS with mfa in this constellation. That´s odd...

         

        ...back to the drawing board

         

Resources