@Richard Hooper I have used the equivalent for automation, i.e. app secret for services that can accept these connection parameters e.g. PnP

$servicePrincipalConnection=Get-AutomationConnection -Name "AzureRunAsConnection"
$appsecret = Get-AutomationVariable -Name "SPAppSecret"

Connect-PnPOnline -AppId $servicePrincipalConnection.ApplicationId -AppSecret $appsecret -Url ""

I don't see where Exchange connection supports app secrets. 

Would you be able to provide a working or theoretical example of how the connection to Exchange online would use an application password as you suggest please as I'm not sure how I'd do this. 

@Chris Johnston Unfortunately what I was suggesting will not work. There seems to be a user voice regarding this. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/14890308-allow-admin-to-c...

I am thinking that you will not be able to do what you want to do with MFA enabled.

@Richard Hooper Hopefully I'll get an answer to this but in the meantime as a workaround, I'll look at using conditional access to block a service account (that doesn't have MFA enforced) unless it's from a named location of the data centre where the automation account has been provisioned.

https://www.microsoft.com/en-us/download/details.aspx?id=41653

Doesn't look like you can be more granular than that for a runbook 

https://social.msdn.microsoft.com/Forums/azure/en-US/26bd07d4-05bc-446f-a4d5-c185f517d8bb/storage-ac...

and presumably the IPs are subject to change, plus I will now have MFA exclusions requiring security approval so its not an ideal workaround tbh. 

@Chris Johnston 

Have someone solved to connect to EOP from Runbook with MFA enabled from Conditional Access? Or a workaround?

@Magnus Tengmo did you manage to solve this ?

@MichaelMardahl looking at the script comments the key is that the user account used, has never logged on, which then lets us bypass MFA. It has the feel of a loophole that may close at some point but many thanks for the post, I'll give this a go :)    

Hi Craig. 

The example runbook in the PS gallery I have linked to, works just fine without a hybrid worker.
No exclusions, or trusted site lists, with full enforced MFA for priv. accounts.

It uses a module called exchangeOnlineShell which works like the one you are linking to, but without requiring the installation, which is a problem in azure automation, and yes, that would require a hybrid worker as you say.

I am sure we will soon see some solutions from microsoft for authenticating with certificates against Exchange Online... (Fingers crossed)

Microsoft have released a complete new module for Exchange with support for modern authentication alot of other improvements. 

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/e...

@MichaelMardahl 

I deployed this and the only thing I changed was the user account name (which is definately in Azure Automation Credentials) and it just gets stuck on 

Logging in to Exchange Online...

 and never stops. The account has permissions and can login using powershell.

Im finding every solution I have tried to use Exchange Online with Azure Automation does the same and gets stuck. Any ideas?

@PhilRiceUoS 

$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName

"Logging in to Azure RM..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

"Logging into EXOL"
Connect-ExchangeOnline -CertificateThumbPrint "yourthumprintfromyourAzureAutomationregistrationasAnADapp" -AppID "foundonyourappinAAD" -Organization "tenant.com"


}

You also need to make sure then your Automation account is given the Compliance Admin role to be able to connect to exchange online and do most things...

@MichaelMardahl, the gallery states that you delisted this, why is that? Does this no longer work? 

https://www.powershellgallery.com/packages/AzureAutomationAgainstExchangeOnlineWithMFAEnabledAccount...