Security, Compliance, and Identity Blog

Securely Administrate Exchange Online with Multi-Factor Authentication (MFA)

Jeff Sun, Microsoft
Jun 22, 2018

Overview

Enabling MFA changes an organization's security posture substantially. MFA is not perfect security, but it makes breaching an account significantly harder, often enough to send an attacker looking for an easier target instead. This is not a presumption: in a survey of hackers at the 2017 Black Hat conference, multi-factor authentication and encryption were the two most frequently named obstacles. Organizations recognize the benefits of MFA, but we have received feedback about usability challenges in Exchange administration scenarios. This post walks through the common administration workflows and the tools that support them on accounts with MFA enforced.

To increase the security of administrator accounts, enable MFA on them. For instructions on turning on MFA for Office 365 accounts, see this article; the workflow users follow to set up MFA on their own accounts is laid out in this document.

Exchange Online Administration Tools

Depending on the organization, Exchange Online is administered through several different interfaces. The Office 365 customer base is incredibly diverse: larger tenants rely on automation to service their users, while less complex organizations administer the service from the portals.

Automation

Automation of Exchange administration is exposed primarily through remote PowerShell cmdlets. Many administrators use standard Windows PowerShell to open a remote session to Exchange Online, but if the account has MFA enabled you need to install the separate Exchange Online PowerShell module, following the instructions in this document.

Follow the instructions here to connect to Exchange Online PowerShell with MFA. From this client you can run scripts or interact with Exchange directly. Some organizations build custom interactive scripts on top of it, which provides a more admin-friendly and less error-prone interface for common administrative tasks on the tenant.

Portals

Office 365 provides portals for administering Exchange Online, such as the Admin center, the Security & Compliance Center and the Exchange admin center. When MFA is enabled, after entering your password you will be prompted for your second factor, such as an authentication code.

Other Administration Workflows

Scheduled Automation

One of the main reasons organizations need to run scripts on their tenant periodically is for compliance and reporting requirements that scan the state of various assets. Some organizations have established procedures for employees to run a set of scripts as part of their weekly or monthly responsibilities.

Some admins set up scheduled PowerShell tasks to delegate running these scripts to a machine. Since the objective is to run them without human intervention, MFA is not possible and must be turned off on these accounts; the scheduled script still has to present the account's credentials to authenticate. Credentials should never be stored in plaintext. Instead, use the commands below to protect the password. ConvertFrom-SecureString with no -Key uses Windows Data Protection (DPAPI) in the current user's scope, so the output can only be decoded on the same computer by the same user account. Be clear about what that does and does not protect against: it is not a secret store, and any code running as that user on that machine can decode it, which is why the precautions further down matter.

$AdminCred = Get-Credential
$AdminCred.Password | ConvertFrom-SecureString | Out-File C:\AdminCred.txt

To use this password in your scripts, load it with the commands below, replacing "AdminUsername" with the account's user principal name.

$password = Get-Content C:\AdminCred.txt | ConvertTo-SecureString
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "AdminUsername",$password
# Connect-EXOPSSession imports the remote cmdlets into this session itself; no separate Import-PSSession is needed.
Connect-EXOPSSession -Credential $Credentials

Since this still carries risk if an adversary compromises the computer, take the following precautions on the machine that runs the scheduled task:

  • Tightly control access to the machine and disable Remote Desktop Protocol (RDP)
  • Limit the use of the account to administrative activities only (disable mail, or use a separate account for this purpose)
  • Set a strong, unique password on the account
  • Enable the unified audit log and mailbox auditing
  • Periodically review the audit logs for this account for signs of compromise
  • Confine administrative activity to within your network perimeter
  • Constrain the account's cmdlet permissions as tightly as possible through role management
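The credential-storage step and the precautions above, put together as an added example (this is not code from the original post). It uses Export-Clixml and Import-Clixml, which protect the credential with the same DPAPI current-user scope as ConvertFrom-SecureString but keep the username with the password, locks the file's ACL down to the service account, and wraps the scheduled reporting run in error handling and session cleanup. The paths, the account, and the report query are illustrative assumptions, and the runner assumes the 2018-era Exchange Online PowerShell module (Connect-EXOPSSession) is already loaded in the task's PowerShell session, as the installation instructions referenced in the post set up.

```powershell
# Added example, not from the original post. Paths and account names are placeholders.
# Assumes Windows PowerShell 5.1 and the 2018-era Exchange Online PowerShell module
# (Connect-EXOPSSession) already loaded in the session that runs Part 2.

# ---------- Part 1: run ONCE, interactively, logged on as the scheduled task's account ----------
$credPath = 'C:\ExoAutomation\exo-report.cred.xml'     # placeholder path

New-Item -ItemType Directory -Path (Split-Path -Parent $credPath) -Force | Out-Null

# Export-Clixml wraps the SecureString with DPAPI in the current user's scope, the same
# protection ConvertFrom-SecureString gives, so only this user on this machine can read it back.
Get-Credential -Message 'Exchange Online reporting account (no MFA)' | Export-Clixml -Path $credPath

# Strip inherited ACEs and grant access to the owning account and SYSTEM only, so another
# local administrator has to take ownership of the file before reading it.
$acl = Get-Acl -Path $credPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in "$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $principal, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $credPath -AclObject $acl

# ---------- Part 2: Run-MailboxReport.ps1, executed by the scheduled task as that same account ----------
$credPath   = 'C:\ExoAutomation\exo-report.cred.xml'
$reportDir  = 'C:\ExoAutomation\reports'
$logPath    = 'C:\ExoAutomation\run.log'
$reportPath = Join-Path $reportDir ('mailboxes-{0:yyyyMMdd}.csv' -f (Get-Date))
$failed     = $false

function Write-Log([string]$Message) {
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $logPath
}

try {
    New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

    # Import-Clixml fails here if the task runs as a different user, or on a different machine,
    # than the one that exported the file: DPAPI cannot unwrap it. That is the intended failure
    # mode, not something to work around.
    $cred = Import-Clixml -Path $credPath

    if (-not (Get-Command -Name Connect-EXOPSSession -ErrorAction SilentlyContinue)) {
        throw 'Exchange Online PowerShell module is not loaded in this session.'
    }
    Connect-EXOPSSession -Credential $cred
    Write-Log "Connected as $($cred.UserName)"

    # The only work this account needs to do. Keep its role group read-only (see Exchange Role
    # Management) so that this is also the only work it can do if the stored credential leaks.
    Get-Mailbox -ResultSize Unlimited |
        Select-Object DisplayName, UserPrincipalName, RecipientTypeDetails, WhenCreated |
        Export-Csv -Path $reportPath -NoTypeInformation
    Write-Log "Report written to $reportPath"
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    $failed = $true
}
finally {
    # Never leave the remote session behind on the box for something else to reuse.
    Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } | Remove-PSSession
}
if ($failed) { exit 1 }
```

Both parts must run as the same Windows account, because DPAPI keys the protection to that user's profile: register the scheduled task to run as that account (run whether the user is logged on or not), and give the account nothing beyond the read-only roles covered in the role-management section.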

Exchange Role Management

You can limit the permissions of administrative accounts using role groups, so that even if an account is breached, the actions an attacker can take are limited to that account's administrative responsibilities. For the scheduled reporting account above, that means read-only roles. Details on how to manage role assignments are in this article.
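As an added example of the role-group approach (not code from the original post), the following creates a custom role group holding only read-only roles for a reporting account, removes the account from any broader group it may also sit in, and then verifies which cmdlets the resulting roles actually grant. The group name and account address are placeholders; it assumes an Exchange Online PowerShell session whose account holds the Role Management role.

```powershell
# Added example, not from the original post. Names are placeholders; run from an admin session
# that holds the Role Management role (Organization Management has it).
$groupName = 'Exo Reporting Automation'
$member    = 'svc-exo-report@contoso.com'   # the scheduled-task account from the previous section

# Built-in read-only roles: enough for Get-* reporting and for reading audit data, with no
# role that can change recipients, transport, or tenant configuration.
$roles = 'View-Only Recipients', 'View-Only Configuration', 'View-Only Audit Logs'

if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roles -Members $member `
        -Description 'Read-only roles for unattended Exchange Online reporting' | Out-Null
}

# A narrow custom group is pointless if the account also sits in Organization Management or
# another broad built-in group, so find and remove any other memberships.
foreach ($group in (Get-RoleGroup | Where-Object { $_.Name -ne $groupName })) {
    $isMember = Get-RoleGroupMember -Identity $group.Identity |
        Where-Object { $_.PrimarySmtpAddress -eq $member }
    if ($isMember) {
        Write-Warning "$member is also in '$($group.Name)'; removing that membership."
        Remove-RoleGroupMember -Identity $group.Identity -Member $member -Confirm:$false
    }
}

# Verify the result: the roles the group grants, then whether specific cmdlets fall inside them.
$grantedRoles = Get-ManagementRoleAssignment -RoleAssignee $groupName |
    ForEach-Object { [string]$_.Role }
"Roles granted through '$groupName': $($grantedRoles -join ', ')"

foreach ($cmdlet in 'Get-Mailbox', 'Get-MailboxStatistics', 'Set-Mailbox', 'New-TransportRule') {
    # Get-ManagementRole -Cmdlet lists every role whose role entries include that cmdlet.
    $via = Get-ManagementRole -Cmdlet $cmdlet | Where-Object { $grantedRoles -contains $_.Name }
    $verdict = if ($via) { 'allowed via ' + ($via.Name -join ', ') } else { 'NOT granted' }
    '{0,-22} {1}' -f $cmdlet, $verdict
}
```

An account keeps everything every group it belongs to grants, so the custom group only narrows permissions once the other memberships are gone; that is why the example checks the other groups instead of trusting the new one. Direct per-user role assignments (rare, but possible) are not covered by this check and would show up under Get-ManagementRoleAssignment -RoleAssignee with the user's address.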

Long-running Scripts

When running long scripts from the standard Windows PowerShell client, administrators have run into session timeouts. The usual workaround is to wrap the script in a loop that detects the timeout and recovers by submitting saved credentials to re-establish the session. How would you do this without human intervention for MFA accounts, which require a second factor at every sign-in?

Fortunately, the Exchange Online PowerShell Module takes care of session timeouts by re-establishing the session automatically. NOTE: connect with the UserPrincipalName parameter, as below, so that the client can re-establish the session for you without prompting for credentials again.

Connect-EXOPSSession -UserPrincipalName joe@contoso.com

In the session captured for this post, the original remote session had expired before Get-Mailbox was run. The client recognized that the session had expired and created a new one automatically, without prompting for credentials.
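The recovery loop described at the start of this section, written out as an added example (not code from the original post) for the non-MFA, saved-credential case that uses a plain Windows PowerShell remote session. It assumes the credential file from the scheduled-automation section and the basic-auth remote PowerShell endpoint of the post's era; Microsoft has since retired Basic authentication and that endpoint, so treat the two connection lines as historical and the reconnect and checkpoint logic as the part that carries over. Paths and batch size are placeholders.

```powershell
# Added example, not from the original post: timeout recovery plus checkpointing for a plain
# Windows PowerShell remote session (non-MFA account, saved credential). Paths are placeholders.

$credPath  = 'C:\ExoAutomation\exo-report.cred.xml'
$csvPath   = 'C:\ExoAutomation\reports\mailboxes.csv'
$stateFile = 'C:\ExoAutomation\reports\progress.json'   # checkpoint: where to resume after a failure
$batchSize = 200
$cred      = Import-Clixml -Path $credPath
$script:exo = $null

function Connect-ExoSession {
    # Drop anything stale, then open a fresh session and re-import the proxy cmdlets.
    Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } | Remove-PSSession
    $s = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $s -DisableNameChecking -AllowClobber | Out-Null
    return $s
}

function Test-ExoSession($Session) {
    return ($null -ne $Session -and $Session.State -eq 'Opened' -and $Session.Availability -eq 'Available')
}

function Invoke-WithReconnect([scriptblock]$Work, [int]$MaxAttempts = 3) {
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        if (-not (Test-ExoSession $script:exo)) { $script:exo = Connect-ExoSession }
        try {
            return (& $Work)
        }
        catch {
            # Only a lost session is worth retrying. If the session is still healthy the error is
            # real (bad filter, missing permission) and must surface rather than be retried.
            if (Test-ExoSession $script:exo) { throw }
            Write-Warning "Session lost on attempt $attempt of ${MaxAttempts}: $($_.Exception.Message)"
            $script:exo = $null
        }
    }
    throw "Gave up after $MaxAttempts reconnect attempts."
}

# Enumerate identities once with a cheap call and sort them so the order is stable across runs;
# the expensive per-mailbox work is then done in batches, so a dropped session costs one batch.
$ids = @(Invoke-WithReconnect {
    Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
        Select-Object -ExpandProperty PrimarySmtpAddress | Sort-Object
})

$start = 0
if (Test-Path $stateFile) {
    $start = (Get-Content -Path $stateFile -Raw | ConvertFrom-Json).NextIndex
    Write-Host "Resuming at mailbox $start of $($ids.Count)"
} elseif (Test-Path $csvPath) {
    Remove-Item -Path $csvPath   # fresh run, fresh report
}

for ($i = $start; $i -lt $ids.Count; $i += $batchSize) {
    $batch = $ids[$i..([Math]::Min($i + $batchSize, $ids.Count) - 1)]
    $rows = Invoke-WithReconnect {
        $batch | Get-Mailbox | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails
    }
    if ($rows) { $rows | Export-Csv -Path $csvPath -NoTypeInformation -Append }

    # Checkpoint only after a batch fully succeeded: a failure mid-batch leaves NextIndex at the
    # batch start, so the next run redoes that batch instead of silently skipping it.
    @{ NextIndex = $i + $batchSize; Total = $ids.Count; Updated = (Get-Date).ToString('u') } |
        ConvertTo-Json | Set-Content -Path $stateFile
}
Remove-Item -Path $stateFile -ErrorAction SilentlyContinue   # completed: next run starts clean
```

The loop retries only when the session is actually gone. When a cmdlet fails mid-stream while the session still looks healthy, the error is rethrown and the checkpoint records the batch that did not complete, so the failure is visible and the next run resumes there instead of quietly producing a partial report.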


General Secure Administration Recommendations

Beyond using MFA for Exchange administration, Microsoft recommends that you also take a broader look at your security. Below are some solutions and ideas to help protect administrator accounts:

We hope this post has helped create a more secure and usability-friendly administration story for you. Leave us a comment below with feedback!

Updated May 11, 2021
Version 4.0
  • Very good - even so short - article, Jeff.

    MFA (in several methods, not only via a code from the app or via SMS) should be written as a required policy for every administrative and upper-privileged account, as well as for every user who has access to any kind of sensitive data. And of course, the best option will be enabling it for the whole organization, with enforcement for all members of the board, CEO, CFO, CSO, CXO and others.
    And enabling it is so simple.

    Waiting for the next part from you.

    BR Tobias

  • MatthewWong

    Long-running Scripts

    What if the timeout occurs during the execution of a cmdlet?

    For example, when there is a large number of mailboxes to return from the Get-Mailbox cmdlet, after running it for a while the timeout occurs and it stops with this error:

       Processing data for a remote command failed with the following error message: Access is denied.

    It is not very reliable to run long-running scripts. The script/cmdlet may only process the first part and fail in the middle, and you may not know that.

  • MatthewWong very large organizations can have this issue; this is not due to MFA but a limitation of Exchange Remote PowerShell, and it is not covered in this blog post. Nevertheless, I understand that this can be very frustrating; please reach out to Microsoft support, they should be able to suggest a workaround.