Forum Discussion
PowerShell login passthrough?
Are you connecting to the two accounts within the same PowerShell session? I just did the same, and it works without errors. As expected, just the latest tenant is accessible.
I have MFA enabled on the one account (#1). The first time I log into it I have to MFA as expected. I then switch to the other account (#2) without MFA, and then switch back to the first account (#1). On the reconnection to the first account (#1), the Modern Auth form appears briefly, but automatically disappears. This is because I still have a valid refresh token, and nothing has caused it to expire. So it seamlessly gets a new access token to load PowerShell.
You could look at this article to change the validity of the tokens: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
- Cecil C. Achord, May 22, 2018, Copper Contributor
For PowerShell (Microsoft Exchange Online PowerShell, to be specific), it didn't even ask once for my main account the first time, right after I downloaded it, and I can't get into the second account at all.
I'm thinking it might have something to do with my Win 10 install being "Connected" to Azure AD; it must pass it to things all over the system, including PowerShell. I might try disconnecting. This machine is on-prem domain joined, but I also "connected" it to 365 Azure AD since it asked me. (We keep them separate and don't do any sync between on-prem AD and Azure.) I don't think it will really break anything; it's more of a convenience deal, plus if I had Intune policies.
- VasilMichev, May 23, 2018, MVP
That's the new "accounts" feature in W10, you might have noticed the "add this account to Windows" prompts. You can think of it as the Outlook/Office auto-login features, connecting to ExO PowerShell or any other O365/AzureAD service works the same.
And yes, it can definitely cause issues when trying to switch accounts. I'd advise opening a new PS window.
- Cecil C. Achord, May 23, 2018, Copper Contributor
It wasn't any of that preventing me from getting into the other account. I couldn't get in on my Windows 7 machine either (why I didn't try this when I first had a problem, I don't know), with none of those auto-login things, and even after I turned off MFA and tried the old way. It said "Bad Request for more information" and -2144108173,PSSessionOpenFailed, but none of that said Access Denied anywhere.
Still, they could have been a little heavy-handed as they were removing PowerShell access for all the regular users; they might have forgotten to remove me from the CSV they used to script removing access.