Connect to Office365 via Powershell as a Delegate Access Partner with MFA enabled
- Mar 01, 2018
We've brought this issue up several times already, but afaik it's still not supported. On the other hand, the "sister" SCC MFA module does support delegate access via the corresponding parameter:
Connect-IPPSSession -DelegatedOrganization
It's just another example of how the different teams at Microsoft fail to talk to each other...
I couldn't find any documentation on connecting to EXO as a delegate with MFA. I don't even know if it's possible. This is what I would try:
1. Follow the instructions in the URL to install the EXO MFA module, open it and run Connect-EXOPSSession as per the documentation. After connecting, run your:
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name> -Credential $UserCredential -Authentication Basic -AllowRedirection
- Anonymous, Mar 01, 2018
Hi Vasil,
Thank you again... I've missed the -delegatedorganization switch for the connect-ippssession command.
So... unfortunately we can't support (except Security & Compliance) our customers via PS with MFA in this constellation. That's odd...
...back to the drawing board
- Anonymous, Mar 01, 2018
So... please vote for: https://office365.uservoice.com/forums/264636-general/suggestions/33233917-powershell-mfa-for-csp-delegated-admin-privileges
:)
- VasilMichev (MVP), Mar 02, 2018
Looking at the code, all the -DelegatedOrganization parameter does is to modify the ConnectionURI string:
    if (![string]::IsNullOrWhiteSpace($DelegatedOrganization))
    {
        [UriBuilder] $uriBuilder = New-Object -TypeName UriBuilder -ArgumentList $ConnectionUri;
        [string] $queryToAppend = "DelegatedOrg={0}" -f $DelegatedOrganization;
        if ($uriBuilder.Query -ne $null -and $uriBuilder.Query.Length -gt 0)
        {
            [string] $existingQuery = $uriBuilder.Query.Substring(1);
            $uriBuilder.Query = $existingQuery + "&" + $queryToAppend;
        }
        else
        {
            $uriBuilder.Query = $queryToAppend;
        }
        $newUri = $uriBuilder.ToString();
    }
    else
    {
        $newUri = $ConnectionUri;
    }

As it still uses the same cmdlet as the ExO part, you should be able to use the exact same method. Whether this is supported server-side, however, I cannot tell, as I don't have any delegate account to use currently :)