Azure Automation connecting to Exchange with MFA enforced

Brass Contributor

I have a tenant with MFA a requirement for any account with elevated privileges.
I can use Azure Automation PowerShell runbook for Azure AD using the service principal and certificate e.g.

# Get Azure Run As Connection Name
$connectionName = "AzureRunAsConnection"
# Get the Service Principal connection details for the Connection name
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName         

# Logging in to Azure AD with Service Principal
"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

I cannot however seem to work out a way to connect to Exchange when MFA is enforced:
To demonstrate, I configure the automation account credentials to use a global admin account and then try:
Connect-ExchangeOnlineShell -Credential $Credential
I get an error 'you must use multi-factor authentication to access'
It appears there isn't an equivalent certificate based login for Exchange as in place for Azure AD so my only option is to use credentials for an account which doesn't have MFA, which from security is going to problematic. Does anyone therefore know how to connect to EOL when MFA is enforced? 
Note: Connect-ExchangeOnlineShell is a wrapper for Import-PSSession $Session method to connect to Exchange online which I have also investigated. 

19 Replies

@Chris Johnston 

Have you looked at using application passwords for the office 365 account with MFA?


You could potentially store the application password in a keyVault and call it from your service principal.

@Richard Hooper I have used the equivalent for automation, i.e. app secret for services that can accept these connection parameters e.g. PnP

$servicePrincipalConnection=Get-AutomationConnection -Name "AzureRunAsConnection"
$appsecret = Get-AutomationVariable -Name "SPAppSecret"

Connect-PnPOnline -AppId $servicePrincipalConnection.ApplicationId -AppSecret $appsecret -Url ""


I don't see where Exchange connection supports app secrets. 


Would you be able to provide a working or theoretical example of how the connection to Exchange online would use an application password as you suggest please as I'm not sure how I'd do this. 



@Chris Johnston Unfortunately what I was suggesting will not work. There seems to be a user voice regarding this.


I am thinking that you will not be able to do what you want to do with MFA enabled.

@Richard Hooper Hopefully I'll get an answer to this but in the meantime as a workaround, I'll look at using conditional access to block a service account (that doesn't have MFA enforced) unless it's from a named location of the data centre where the automation account has been provisioned.

Doesn't look like you can be more granular than that for a runbook

and presumably the IPs are subject to change, plus I will now have MFA exclusions requiring security approval so its not an ideal workaround tbh. 


@Chris Johnston 


Have someone solved to connect to EOP from Runbook with MFA enabled from Conditional Access? Or a workaround?

@Magnus Tengmo did you manage to solve this ?

best response confirmed by Chris Johnston (Brass Contributor)

@Chris Johnston The answer is deceptively simple....


I published a Runbook script to get you started with the initial connection, then you can add your own script form there on.



@MichaelMardahl looking at the script comments the key is that the user account used, has never logged on, which then lets us bypass MFA. It has the feel of a loophole that may close at some point but many thanks for the post, I'll give this a go :)    

I got it from the official partner documentation :)
I am contemplating the issues. But for now I just configure a 50char password and put it away in a locked box.

If you wanna be REALLY secure. Then use the demo azure atomation script that connects securely to azure ad using a cert.
From there, create the user with my method.
The do your thing with exchange. And delete the user again! :)

Seems messy, but the odds of anyone being able to compromise the account in the few minutes it lives, are 0.00000000000001

Hi @Chris Johnston 


This could be an issue with how the connection is happening. If you are using a Microsoft hosted server to run the runbook, it would be using the default Exchange Online PowerShell. Once MFA is enabled you need to switch to a new connection. See the URL


To get this working on Azure AUtomation, try using a hybrid run book server. You can then download the correct PowerShell modules and get the service account to work from there.



Hi Craig. 

The example runbook in the PS gallery I have linked to, works just fine without a hybrid worker.
No exclusions, or trusted site lists, with full enforced MFA for priv. accounts.

It uses a module called exchangeOnlineShell which works like the one you are linking to, but without requiring the installation, which is a problem in azure automation, and yes, that would require a hybrid worker as you say.


I am sure we will soon see some solutions from microsoft for authenticating with certificates against Exchange Online... (Fingers crossed)

Microsoft have released a complete new module for Exchange with support for modern authentication alot of other improvements.



I deployed this and the only thing I changed was the user account name (which is definately in Azure Automation Credentials) and it just gets stuck on 

Logging in to Exchange Online...

 and never stops. The account has permissions and can login using powershell.

Im finding every solution I have tried to use Exchange Online with Azure Automation does the same and gets stuck. Any ideas?


$connectionName = "AzureRunAsConnection"
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName

"Logging in to Azure RM..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

"Logging into EXOL"
Connect-ExchangeOnline -CertificateThumbPrint "yourthumprintfromyourAzureAutomationregistrationasAnADapp" -AppID "foundonyourappinAAD" -Organization ""


You also need to make sure then your Automation account is given the Compliance Admin role to be able to connect to exchange online and do most things...



Hi Richard

could you explain how you use create and use App Secret for connecting to PnP Connect-PnPOnline

@MichaelMardahl, the gallery states that you delisted this, why is that? Does this no longer work?

@Chris Johnston 

It is always a challenge but yes we did consider security, how about Service Principal?

1 best response

Accepted Solutions
best response confirmed by Chris Johnston (Brass Contributor)

@Chris Johnston The answer is deceptively simple....


I published a Runbook script to get you started with the initial connection, then you can add your own script form there on.



View solution in original post