Azure Cloud Shell Now Supports Exchange Online
Published May 28 2019 07:28 AM 72.9K Views

We’re very happy to announce that the Exchange Online PowerShell module is now available in Azure Cloud Shell!

If you're an Exchange admin and you've never used Azure Cloud Shell before (or have no idea what it even is!), then this blog post is for you. We know it’s hard to keep up to date with all the different things Microsoft is doing at any point in time, so we’re making sure our Exchange admins know about this pretty nifty capability we recently released. In short, Azure Cloud Shell is a browser-based, authenticated shell experience, hosted by Microsoft.

You can use any browser to securely open a shell environment hosted in Azure, then you can connect to Exchange Online (and of course, Azure) – and have the exact same experience managing Exchange Online that you do today – but without any of the concerns about installation of required components or operating system suitability.

To get started, you can either point your browser at shell.azure.com or launch Cloud Shell directly from the Azure portal by clicking the Cloud Shell icon (shown below, top bar, highlighted by the small blue box) and select the PowerShell experience. If you’re coming from shell.azure.com you’ll have to authenticate and complete any MFA requirements (we hope that your subscription has MFA enabled across all accounts).

 

Azure Cloud Shell EXO Pic 1.jpg

 

From there all you need to do is run Connect-EXOPSSession. You need to use an account with the correct Role Based Access Control (RBAC) role assignments and permissions. The best part of this whole experience is that we have enabled Single Sign On (SSO) so there’s no need to provide any additional credentials.

The Exchange cmdlets are automatically pulled down to the Cloud Shell environment and this allows you to perform exactly the same tasks as you might normally have done using Exchange Online PowerShell directly.

Take a look at this video from last year’s Ignite conference to see how we tried to make this process as straightforward as possible. And all you need is a browser!

The section below covers some of the most frequent questions. However, we encourage you to use the comments section below to post your comments and questions and we’ll do our best to answer them.

 

How does this really work?

When you start a Cloud Shell session, you are connected to a Linux container run by Microsoft. Yes, it’s actually running on Linux. To make that possible we had to re-factor the Exchange Online PowerShell code to work with PowerShell Core.

Once that session is open, you can use any of the tools available in Azure Cloud Shell and Exchange Online PowerShell is now one of them.

What license or other requirements are there?

To use Cloud Shell, you only need an Azure subscription and an Azure Storage account. Cloud Shell needs a Storage account in Azure for temporary storage of the cmdlet working environment, for any import/exports you do, and to save your scripts and other files. This storage is persisted for your account, so wherever and whenever you use Cloud Shell any files/scripts you have are always available.

The only cost for running Azure Cloud Shell comes from using an Azure Storage account which is typically very low. Azure Storage charges are based on a consumption model, so you only pay for what you use. We highly recommend that you always monitor closely your Azure consumption. For more details on pricing please see here.

Is this really the full set of Exchange cmdlets? What’s missing?

Yes, this is the entire Exchange Online cmdlet library. Everything has been modified to work in PowerShell Core. Everything works in the same way as it does today, it’s just accessed differently.

Are you deprecating the current Exchange PowerShell module in favor of this?

We have no plans to do that currently.

What about RBAC?

RBAC is fully respected and works just as it does with Windows PowerShell.

How do I import and export data?

From the Azure Portal or shell.azure.com, there is an Upload/Download icon in the toolbar which can be used to move your local scripts to Cloud Shell and vice versa.  You are also able to drag and drop local files into the terminal and they will be automatically uploaded to Cloud Shell.

From the terminal, a Download command is available to install a desired file from Cloud Shell.

Files that are saved under the clouddrive in Cloud Shell will also be surfaced anywhere you can browse your Azure storage accounts, like for instance Azure Storage Explorer.

 

Azure Cloud Shell EXO Pic 2.jpg

 

How do I keep Cloud Shell up to date?

You don’t need to – we do that for you. That’s the beauty of this setup, it’s always up to date, and secure, and accessible from anywhere you can get to with a browser.

Are there any other ways of accessing Cloud Shell?

Azure Cloud Shell is available from the Azure Portal, shell.azure.com, the Azure Mobile App, the Azure Extension in Visual Studio Code, the “Try it” button in Microsoft Docs, and Microsoft Learn.

What other constraints are there?

The only one we want to call out is timeouts – in order to ensure we don’t have sessions running forever doing nothing, we timeout sessions that don’t have interactive use. In short, if you don’t touch the machine for more than 20 minutes (approx.) we will reclaim the session. We anticipate that the current timeout should work for most ad-hoc management scenarios but if you intend to execute long-running scripts then Cloud Shell is not the best tool for the job.

That’s about all we need to tell you for now, and we’d love to hear your feedback in the comments section. There’s also a QuickStart guide here, so take Cloud Shell for a spin today.

 

Danny Maertens

Azure Cloud Shell PM (and a big fan of Exchange)

24 Comments
Brass Contributor

Nice, now does this include msol commandlets for checking MFA settings and or resetting users settings? Just because?

Deleted
Not applicable

Are the PS Core version of Exchange PS in github and available to add to vscode?

Are the PS Core version of Exchange PS in github and available to add to vscode? - No, not at this time. 

Copper Contributor

When I clicked the link it make me create an account and to create a subscription and it wanted me to put in credit card information to create the subscription. I just want to be able to manage my corporate exchange powershell easily. why would I need to enter a credit card to do this?

Copper Contributor

"The best part of this whole experience is that we have enabled Single Sign On (SSO) so there’s no need to provide any additional credentials."

While, yes, this is cool for accounts that have an Azure subscription, is it possible that we get the -UserPrincipalName option on the Connect-EXOPSSession?

Why?  Some of our Exchange admin accounts may not have a Azure subscription for storage, but we have other accounts that do.

Microsoft

@denstjames1, an Azure account is required to use Cloud Shell.  Make sure you are signed into your account if you have one. If you do not have an account, go here (https://azure.microsoft.com/free/) to try a free trial.

The compute power behind Cloud Shell is provided for free, but a storage account it required.  The storage is used to persist any files and settings that you have. The cost related to Cloud Shell storage is usually around a few cents (USD) per month.

Copper Contributor

Am I correct in seeing that this is only for those running Exchange in Azure and not a regular Office 365 tenant?

@Jason Head - no, not at all - in fact, the complete opposite. This is for O365 tenant admins - This connects to Exchange Online. This won't actually do anything for those running Exchange on VM's in Azure (which (for all but a few scenarios) is rarely a good idea generally speaking).  

Copper Contributor

Greg - I must be missing something then. Is it possible that this is only for certain Office 365 plans? I logged in as admin to a tenant that uses all Business Essentials licenses and the shell.azure.com link, after asking me to choose Bash or PowerShell, then says "No valid subscriptions found. You need an Azure subscription to use Azure cloud Shell." Same thing logging in as admin on a different tenant that uses a mixture of Business Essentials and Business Premium licenses.

Microsoft

@Jason Head, this does require that you have an Azure account, but that does not mean that you have to be running Exchange in Azure.  Just ensure that your account used to manage Exchange and to log into Azure are the same.

Steel Contributor

I think MFA is giving me issues when using Connect-EXOPSSession in the cloud shell.

 

PS C:\users\me:\>Get-Mailbox -Filter '(RecipientTypeDetails -eq "RoomMailBox")' | Get-MailboxRegionalConfiguration

 

works fine when executed from a powershell session on my pc, but returns an error when executing in the cloud shell

 

PS Azure:\> Get-Mailbox -Filter '(RecipientTypeDetails -eq "RoomMailBox")' | Get-MailboxStatistics
Sending data to a remote command failed with the following error message: Basic Authorization failed for user ..@... For more information, see the about_Remote_Troubleshooting Help topic.

 

With a select, it works ok:

PS Azure:\> Get-Mailbox -Filter '(RecipientTypeDetails -eq "RoomMailBox")' | Select Name,Alias

@bart vermeersch - good find. Looks like that might be a bug, we're investigating. Thanks for trying it out and of course the cool thing is when we fix it, you don't need to do anything. It'll just start working. 

 

I'll post back if I hear when we fix it. 

Copper Contributor

@Jason Head Having Exchange running in the cloud is not the same as having an Azure Subscription.  You can have the former without the latter.  The Azure Subscription that the cloud shell wants is just used for storing persistent files and stuff, and probably won't generate much, if any, actual billing against your credit card.  It'd be nice to get some estimates from Microsoft on what to expect here, though.

Copper Contributor

Does the PowerShell session also expire as often as before?  Or does it support modern Auth with OAuth Tokens

Copper Contributor

While technically accurate that running Exchange in the cloud and Azure Subscriptions may not be the same (e.g. running it in AWS), that’s not the case when running Exchange in Azure (IaaS VMs) because those VMs must be provisioned in an Azure Subscription.  However that is confusing the issue since this article and the question is about cloud shell for Exchange Online (Office 365).  The key point is the differences between Azure AD tenant (directory is a more accurate term), Azure Subscription, and Office 365 tenant/subscription. 

 

If you have an Office 365 subscription you automatically have an “Azure AD Tenant”, which is where your identities are managed (even if you  use ADFS and/or directory synchronization).  This, however, does not automatically mean you have an “Azure Subscription”.  An Azure AD tenant (or directory) can have zero or more Azure subscriptions associated with it.  You do not automatically get an Azure Subscription when you establish an Office 365 tenant.

 

If you want to use Azure Cloud Shell, an Azure Subscription (however you decide to provision one) must be associated with the same Azure AD directory that is used by your Office 365 Exchange Online tenant.  Each user that wants to have Azure cloud shell does not need their own Azure Subscription (but they could if they want). Likewise, they don’t need to have their own storage account (but could if they want one).  An organization could establish a single Azure Subscription with a storage account and allow their admins to use it (RBAC permissions).  They would each have their own storage container (isolated from each other from within cloud shell, i.e. I don’t think you can change directory between users cloud shells)

 

The costs to run this would likely be much less than $1 USD as long as you don’t store large amounts of data in it (dozens of GBs).  You can estimate this by running the Azure Cost Estimator tool and adding some estimates for a “general purpose storage account” in a region near you (example: a general purpose v1 storage account in West US costs about $0.024 per GB) and “Bandwidth” (network egress traffic for downloading files from the storage account, which is free for the first 5GBs of egress per month).  There are also some storage transaction costs but I think those are a fraction of a fraction of a penny for the amount that would be generated for cloud shell use.  

 

One limitation that I have is that exchange online management is limited to only the Office 365 tenant that the Azure AD tenant is associated with.  I don’t think (or have not yet found) a way to manage another Office 365 tenant from a cloud shell that is in an Azure Subscription in another Azure AD tenant, which is the case when managing multiple organizations. 

 

Copper Contributor

Hi @Greg Taylor - EXCHANGE / @The_Exchange_Team !

 

I noticed you mention you got Connect-EXOPSSession working in Core for this project.. is that something more widely available? aka running Connect-EXOPSSession from a Mac on PSCore? https://github.com/MicrosoftDocs/PowerShell-Docs/issues/3758

 

Some of our administrators are moving over to the Mac OS, so we are exploring options to keep them up and running in relation to administering Exchange Online.

 

Thanks in advance.

 

Ben.

Brass Contributor

Just tested this for Exchange Online and works nicely for the set of basic cmdlets I tried. I would love to start using this full time however for that all O365 workloads (AAD, SPO, Teams etc.) which use Powershell should start supporting this. Otherwise I'd still need multiple sessions open and reduces the value of this solution.

Microsoft

@Ben Harris, the Exchange Online team is exploring placing this module on the PowerShell Gallery so that it will be available for users to install locally.

Microsoft

@NITIN SHUKLA, the Teams module is available in Cloud Shell, run "Import-Module MicrosoftTeams".  The AAD module is also in Cloud Shell, just under a different name: AzureAD.Standard.Preview.  We are actively working on expanding the other modules that are available for use in Cloud Shell.

Brass Contributor

What is the plan for supporting Connect-ExchangeOnline V2 cmdlets

Brass Contributor

Everywhere I see articles on Cloud Shell I can't find anyone who tells you what the bare minimum Azure Storage subscription you should spin up if this is all you're going to use in it. Someone here said it should cost less than $1USD/month but when you go to the Azure calculator there are so many options how do you know what to pick? @Bryan Hall above gives some closer guidelines, just don't know what "Type" of storage to pick, what capacity (GB) to start with, and how many storage transactions to estimate.

 

If I choose Block Blob Storage, Standard tier, General Purpose V1 type, 1GB capacity, 100 transactions, it's $0.06USD/month which is great. Would this be sufficient for a few PowerShell commands/month, for example, with nowhere the need of 1GB storage? I don't know if the Linux VM takes more than 1GB or if that's just included... lots to figure out here.

Steel Contributor

@LowellP you don't have to take the Linux VM into account, just your own scripts/history/exports

Copper Contributor

How do we disable this feature across our tenant or control access to it? Any reference material available on that or a PowerShell cmdlet to set it to $FALSE?

Copper Contributor

This should be free, really free for any Microsoft 365 subscription. The Azure Storage fee is dumb.

Version history
Last update:
‎May 28 2019 09:55 AM
Updated by: