May 08 2019 08:08 AM
I have a tenant with MFA as a requirement for any account with elevated privileges.
I can use Azure Automation PowerShell runbook for Azure AD using the service principal and certificate e.g.
# Get Azure Run As Connection Name
$connectionName = "AzureRunAsConnection"
# Get the Service Principal connection details for the Connection name
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
# Logging in to Azure AD with Service Principal
"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
I cannot however seem to work out a way to connect to Exchange when MFA is enforced:
To demonstrate, I configure the automation account credentials to use a global admin account and then try:
Connect-ExchangeOnlineShell -Credential $Credential
I get an error 'you must use multi-factor authentication to access'
It appears there isn't an equivalent certificate-based login for Exchange as is in place for Azure AD, so my only option is to use credentials for an account which doesn't have MFA, which from a security standpoint is going to be problematic. Does anyone therefore know how to connect to EOL when MFA is enforced?
Note: Connect-ExchangeOnlineShell is a wrapper for Import-PSSession $Session method to connect to Exchange online which I have also investigated.
May 09 2019 04:36 AM
Have you looked at using application passwords for the office 365 account with MFA? https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-us...
You could potentially store the application password in a keyVault and call it from your service principal.
May 09 2019 05:14 AM
@Richard_Hooper I have used the equivalent for automation, i.e. app secret for services that can accept these connection parameters e.g. PnP
$servicePrincipalConnection=Get-AutomationConnection -Name "AzureRunAsConnection"
$appsecret = Get-AutomationVariable -Name "SPAppSecret"
Connect-PnPOnline -AppId $servicePrincipalConnection.ApplicationId -AppSecret $appsecret -Url ""
I don't see where Exchange connection supports app secrets.
Would you be able to provide a working or theoretical example of how the connection to Exchange online would use an application password as you suggest please as I'm not sure how I'd do this.
May 09 2019 05:38 AM
@Chris Johnston Unfortunately what I was suggesting will not work. There seems to be a user voice regarding this. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/14890308-allow-admin-to-c...
I am thinking that you will not be able to do what you want to do with MFA enabled.
May 10 2019 01:45 AM
@Richard_Hooper Hopefully I'll get an answer to this but in the meantime as a workaround, I'll look at using conditional access to block a service account (that doesn't have MFA enforced) unless it's from a named location of the data centre where the automation account has been provisioned.
https://www.microsoft.com/en-us/download/details.aspx?id=41653
Doesn't look like you can be more granular than that for a runbook,
and presumably the IPs are subject to change, plus I will now have MFA exclusions requiring security approval, so it's not an ideal workaround tbh.
Aug 28 2019 02:21 AM
Has anyone solved connecting to EOP from a Runbook with MFA enabled from Conditional Access? Or a workaround?
Sep 09 2019 11:16 PM
@Magnus Tengmo did you manage to solve this ?
Oct 08 2019 11:00 AM
@Chris Johnston The answer is deceptively simple....
I published a Runbook script to get you started with the initial connection, then you can add your own script from there on.
Oct 09 2019 08:24 AM
@MichaelMardahl looking at the script comments the key is that the user account used, has never logged on, which then lets us bypass MFA. It has the feel of a loophole that may close at some point but many thanks for the post, I'll give this a go 🙂
Oct 12 2019 11:27 AM
This could be an issue with how the connection is happening. If you are using a Microsoft hosted server to run the runbook, it would be using the default Exchange Online PowerShell. Once MFA is enabled you need to switch to a new connection. See the URL https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powe...
To get this working on Azure Automation, try using a hybrid runbook server. You can then download the correct PowerShell modules and get the service account to work from there.
Oct 12 2019 11:39 AM
Hi Craig.
The example runbook in the PS gallery I have linked to, works just fine without a hybrid worker.
No exclusions, or trusted site lists, with full enforced MFA for priv. accounts.
It uses a module called exchangeOnlineShell which works like the one you are linking to, but without requiring the installation, which is a problem in Azure Automation, and yes, that would require a hybrid worker as you say.
I am sure we will soon see some solutions from Microsoft for authenticating with certificates against Exchange Online... (Fingers crossed)
Nov 13 2019 12:01 AM
Microsoft have released a complete new module for Exchange with support for modern authentication and a lot of other improvements.
Aug 20 2020 09:02 AM
I deployed this and the only thing I changed was the user account name (which is definitely in Azure Automation Credentials) and it just gets stuck on
Logging in to Exchange Online...
and never stops. The account has permissions and can login using powershell.
I'm finding every solution I have tried to use Exchange Online with Azure Automation does the same and gets stuck. Any ideas?
Oct 07 2020 03:12 PM
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure RM..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

    "Logging in to Azure AD..."
    Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

    "Logging into EXOL"
    # App-only (certificate) authentication: the values below are placeholders for your own app registration
    Connect-ExchangeOnline -CertificateThumbPrint "yourthumprintfromyourAzureAutomationregistrationasAnADapp" -AppID "foundonyourappinAAD" -Organization "tenant.com"
}
catch
{
    # Without a catch block the try is a syntax error; surface the failure so the runbook job reports it
    Write-Error $_.Exception.Message
    throw
}
Oct 07 2020 03:12 PM
You also need to make sure then your Automation account is given the Compliance Admin role to be able to connect to exchange online and do most things...
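As an added example (not a script from this thread or from any poster), here is a runbook pattern for the certificate-based, app-only Exchange Online connection described above, with a post-connect check and a guaranteed disconnect. It assumes a Run As connection named AzureRunAsConnection, that the app registration has been granted Exchange Online app-only access plus an Exchange admin role, that the ExchangeOnlineManagement module (v3 or later, for Get-ConnectionInformation) is imported into the Automation account, and that the tenant domain is a placeholder.

```powershell
# Added example: app-only (certificate) connection to Exchange Online from an Azure Automation runbook.
# Assumptions: Run As connection "AzureRunAsConnection" exists and its certificate is in the
# sandbox cert store; the app registration holds Exchange app-only permission and an Exchange
# admin role; ExchangeOnlineManagement v3+ is imported; $Organization is a placeholder.
$ErrorActionPreference = 'Stop'
$Organization = 'tenant.onmicrosoft.com'   # placeholder: your tenant's initial domain

function Connect-ExoWithRunAsCertificate {
    param(
        [string]$ConnectionName = 'AzureRunAsConnection',
        [Parameter(Mandatory)][string]$Organization
    )
    $conn = Get-AutomationConnection -Name $ConnectionName

    # App-only auth: no user identity is involved, so user MFA policies do not apply.
    Connect-ExchangeOnline -CertificateThumbprint $conn.CertificateThumbprint `
                           -AppId $conn.ApplicationId `
                           -Organization $Organization `
                           -ShowBanner:$false

    # Verify the session is really up and was authenticated with the certificate.
    $info = Get-ConnectionInformation
    if (-not $info -or $info.State -ne 'Connected' -or -not $info.CertificateAuthentication) {
        throw "Exchange Online app-only connection was not established."
    }
    return $info
}

try {
    $info = Connect-ExoWithRunAsCertificate -Organization $Organization
    "Connected to $($info.Organization) as app $($info.AppId) (certificate auth)"

    # Read-only sanity check; replace with the runbook's real work.
    Get-OrganizationConfig | Select-Object Name, ExchangeVersion
}
catch {
    # Fail the job visibly rather than hanging or ending silently.
    Write-Error "Runbook failed: $($_.Exception.Message)"
    throw
}
finally {
    # Always tear the session down; orphaned sessions count against tenant connection limits.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```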
May 20 2023 01:41 PM - edited May 20 2023 01:43 PM
@MichaelMardahl, the gallery states that you delisted this, why is that? Does this no longer work?
May 20 2023 09:45 PM
It is always a challenge but yes we did consider security, how about Service Principal?