PowerShell login passthrough?
So I activated MFA for both of my accounts. One with my main company and one with my parent company.
My problem is this: using MS Exchange Online PowerShell, it auto-logs in when I Connect-Exopssession -UserPrincipalName <my UPN here> for my main account, which I don't really think is a good thing from a security standpoint (no user/password prompt, MFA etc.), and 2, when I put the UPN from the other tenant/domain in there, it fails with "Bad request for more information" after actually doing the MFA login.
I had installed Microsoft Online Services Sign-In Assistant, which I thought could be the culprit, but getting rid of it and restarting did not help. Any ideas on how to stop this behavior and make me log in with MFA every time instead of passthrough, and also why it might have broken logging into the other?
Win 10 1709. Azure AD "Connected" not joined to main account, if that matters.
6 Replies
- Nick Botha (Brass Contributor): Would you consider whitelisting your offices so that you are not prompted for MFA when using PowerShell from the office?
- Willie Smit (Copper Contributor): Are you connecting to the two accounts within the same PowerShell session? I just did the same, and it works without errors. As expected, just the latest tenant is accessible. I have MFA enabled on the one account (#1). The first time I log into it I have to MFA as expected. I then switch to the other account (#2) without MFA, and then switch back to the first account (#1). On the reconnection to the first account (#1), the Modern Auth form appears briefly, but automatically disappears. This is because I still have a valid refresh token, and nothing has caused it to expire. So it seamlessly gets a new access token to load PowerShell. You could look at this article to change the validity of the tokens: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
- Cecil C. Achord (Copper Contributor): For PowerShell (Microsoft Exchange Online PowerShell to be specific) it didn't even ask once for my main account the first time right after I downloaded it, and I can't get into the second account at all. I'm thinking it might have something to do with my Win 10 install being "Connected" to Azure AD; it must pass it to things all over the system, including PowerShell. I might try disconnecting. This machine is on-prem domain joined, but I also "connected" it to 365 Azure AD since it asked me. (We keep them separate and don't do any sync between on-prem AD and Azure.) I don't think it will really break anything, and it's more of a convenience deal, plus if I had Intune policies.
- That's the new "accounts" feature in W10; you might have noticed the "add this account to Windows" prompts. You can think of it as the Outlook/Office auto-login features; connecting to ExO PowerShell or any other O365/AzureAD service works the same.
- And yes, it can definitely cause issues when trying to switch accounts. I'd advise opening a new PS window.
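
To check the device state the last replies point to (a work account "connected" to Windows), the built-in `dsregcmd /status` output can be parsed. This is an added example, not part of the original thread; the function names are hypothetical and the sample text is constructed and trimmed so the script runs without touching the machine.

```powershell
# Parse "Name : Value" lines from `dsregcmd /status` into a hashtable.
# Banner and separator lines do not match the pattern and are skipped.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Summarise the join state that decides whether Windows holds a work
# identity it can offer to sign-in prompts.
function Get-DeviceJoinSummary {
    param([hashtable]$State)
    [pscustomobject]@{
        DomainJoined     = $State['DomainJoined']    -eq 'YES'
        AzureAdJoined    = $State['AzureAdJoined']   -eq 'YES'
        # "Connected" via "add this account to Windows" shows up here
        WorkAccountAdded = $State['WorkplaceJoined'] -eq 'YES'
        HasAzureAdPrt    = $State['AzureAdPrt']      -eq 'YES'
    }
}

# Constructed sample: on-prem domain joined, work account added, not Azure AD joined
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
        AzureAdJoined : NO
     EnterpriseJoined : NO
         DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
      WorkplaceJoined : YES
           AzureAdPrt : YES
'@ -split "`r?`n"

# On a real machine, replace $sample with the live output: (dsregcmd /status)
Get-DeviceJoinSummary -State (ConvertFrom-DsregStatus -Lines $sample)
```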