Can I Connect to O365 Security & Compliance center via powershell with MFA on?

I currently use the below script to connect to the S&C Center. This does not work with MFA.

I was wondering if there is an Updated Module that I could use that supports modern authentication?

$Credential = get-credential -Credential username.com
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber -DisableNameChecking

Nope, not yet. It's the last of the "modules" I use to get MFA support :(

Thanks for the Response Vasil. Such a pain to have to turn off MFA to run a Purge!

I contacted Microsoft Support today. This is the response:

"I am aware of this limitation however when I checked in our RoadMap site I don’t see any mentioning of this as a coming soon feature. I also checked in our Database and it appears that unlike Exchange online security and compliance current design does not support MFA connection. The suggested workaround from engineering is to create one compliance account and use it for that purpose (do not enable MFA on that account)"

Well, the latest version of the MFA-enabled ExO PowerShell module hints that this might be coming soon(ish). Fingers crossed!

Hi,

You can download the latest MFA enabled Powershell from EAC. It contains the cmdlet named connect-IPPSsession which will connect to S&C.

Does it work for you though? The cmdlet has been available for at least a month now, but every time I try to connect I get Access denied errors.

Hi Vasil,

Yup, it's working. Please check the below screenshot.

Yeah, for whatever reason it's not working in my tenant, as well as in my test tenants. I tried it earlier with a DEMO tenant and it works as expected.

Just curious, do you happen to have E5 licenses?

If you launch it from the "Microsoft Exchange Online Powershell Module" it works great...

But if you do lots of PS administration of O365, it's horrible to have to launch a separate window just for this. I need to be able to have it import the commandlets from these modules into other PS consoles.

I found how to do the Exchange side (link below), but cannot figure out how to do the same for the Compliance Center.

Here is the short version for Exchange MFA...

Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
$EXOSession = New-ExoPSSession
Import-PSSession $EXOSession

https://github.com/Scine/Powershell/blob/master/Connect%20To%20Powershell%20with%20or%20without%202%...

Any ideas on how to do the same for Compliance Center?

It uses the same module and the same cmdlet, just different parameters. Simply open the CreateExoPSSession.ps1 from the install dir, and you will see it.

New-EXOPSSession -ConnectionUri 'https://ps.compliance.protection.outlook.com/PowerShell-LiveId'

Awesome. That does it, which means we now have parity between PS with and without MFA!

So to connect ONLY to the CC using MFA, it looks like this:

Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
$MFCCPSSession = New-ExoPSSession -ConnectionUri 'https://ps.compliance.protection.outlook.com/PowerShell-LiveId'
import-pssession $MFCCPSSession

Also note: Here is a MS Gallery script to connect to all the O365 components with MFA. It currently doesn't include the Compliance Center, but I suspect it will soon!

Thanks Vasil!

-Shawn

https://gallery.technet.microsoft.com/Office-365-Connection-47e03052
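The connection steps worked out in the posts above, as an added example that is not part of any post in this thread and not Microsoft's code. It adds a check for a missing module, picks the newest ClickOnce copy, and uses a cmdlet prefix instead of -AllowClobber. The helper name, the UPN, the `CC` prefix and the use of -UserPrincipalName on New-ExoPSSession are assumptions.

```powershell
# Added example: connect to the Security & Compliance Center with MFA from any console.
# Assumes the MFA-enabled module was installed from the EAC (ClickOnce, per-user).
$Upn           = 'admin@contoso.example'   # constructed placeholder UPN
$ConnectionUri = 'https://ps.compliance.protection.outlook.com/PowerShell-LiveId'
$Prefix        = 'CC'                      # hypothetical prefix for imported cmdlets

function Get-ExoMfaModulePath {            # hypothetical helper name
    # ClickOnce keeps each installed version in its own folder; take the newest DLL.
    $root = Join-Path $env:LOCALAPPDATA 'Apps\2.0'
    $name = 'Microsoft.Exchange.Management.ExoPowershellModule.dll'
    $dll = Get-ChildItem -Path $root -Filter $name -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '_none_' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $dll) {
        throw "ExoPowershellModule.dll not found under $root; install the module first."
    }
    $dll.FullName
}

Import-Module -Name (Get-ExoMfaModulePath) -ErrorAction Stop

# Close earlier sessions to this endpoint so repeated runs do not pile up sessions.
$endpointHost = ([uri]$ConnectionUri).Host
Get-PSSession | Where-Object { $_.ComputerName -eq $endpointHost } | Remove-PSSession

# -ConnectionUri is the parameter shown in this thread; -UserPrincipalName is assumed
# to be accepted here as it is by Connect-IPPSSession in the module's startup banner.
$CCSession = New-ExoPSSession -ConnectionUri $ConnectionUri -UserPrincipalName $Upn
if (-not $CCSession) { throw "No session was returned for $ConnectionUri." }

# A prefix keeps these cmdlets apart from Exchange Online ones imported in the same
# console, so -AllowClobber is not needed (Get-ComplianceSearch -> Get-CCComplianceSearch).
Import-PSSession -Session $CCSession -Prefix $Prefix -DisableNameChecking | Out-Null

# When finished: Remove-PSSession $CCSession
```

Run it at the top level of a script or dot-source it, so the imported cmdlets land in the calling console rather than in a function's scope.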

Just FYI, the deployment seems to have finalized across all datacenters/regions. The issues I had with connecting have disappeared now, and I can access the SCC cmdlets with the MFA module just fine, across all tenants.

Through some trial and error, I have discovered that the below script allows me to connect to Security & Compliance Center. This is modified from the original located at https://support.office.com/en-us/article/Search-for-and-delete-email-messages-in-your-Office-365-org...

I also got the idea from you. :)

$UserCredential = Get-Credential
$Session = New-EXOPSSession -ConnectionUri 'https://ps.compliance.protection.outlook.com/powershell-liveid'
Import-PSSession $Session -AllowClobber -DisableNameChecking
$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"

Hi, do we need to change our existing scripts to add exopssession for the MFA authentication?

How can we connect with MFA using regular PowerShell instead of connecting with the module?

You can't, that's the whole idea behind Microsoft releasing a new module. You can import/use it with your existing scripts however, there are examples in the thread above. Or you can get the token programmatically, but that's even more complicated.

The answer is Yes, the new module released for Exchange Online also includes a connection string for accessing the Security and Compliance Center.

Connect to Exchange Online PowerShell using multi-factor authentication

This will install a ClickOnce app reference to launch the console with the module pre-loaded.

When you launch the console you will see this message:

--------------------------------------------------------------------------

This PowerShell module allows you to connect to Exchange Online service.
To connect, use: Connect-EXOPSSession -UserPrincipalName <your UPN>
This PowerShell module allows you to connect Exchange Online Protection and Security & Compliance Center services also.
To connect, use: Connect-IPPSSession -UserPrincipalName <your UPN>

To get additional information, use: Get-Help Connect-EXOPSSession, or Get-Help Connect-IPPSSession

--------------------------------------------------------------------------

Unfortunately, this limits the module's usefulness since we cannot run this in the ISE or on a different Powershell Console.

After some intense googling and binging, I found a script that allows you to do just that.

Thanks to Vasil for pointing out that the code below is already in an earlier portion of the thread. Sorry I missed that. :)

Import-Module -Name $((Get-ChildItem -Path $($env:LOCALAPPDATA + '\Apps\2.0\') -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName | ?{ $_ -notmatch '_none_' } | Select-Object -First 1)
$EXOSession = New-ExoPSSession
Import-PSSession -Session $EXOSession -AllowClobber 

You must first install the module as indicated in the reference above.

Let me know if you have any questions.

NOTE: I should point out that I have had issues with this method when using the ISE. When the session has timed out, the ISE locks up when it comes time to prompt for credentials to reauthenticate.

This example is from the thread above, as I said :) And you DO need the module, so it's not just "regular" PowerShell.
