Forum Discussion
Azure Automation connecting to Exchange with MFA enforced
I have a tenant with MFA a requirement for any account with elevated privileges.
I can use Azure Automation PowerShell runbook for Azure AD using the service principal and certificate e.g.
# Get Azure Run As Connection Name
$connectionName = "AzureRunAsConnection"
# Get the Service Principal connection details for the Connection name
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
# Logging in to Azure AD with Service Principal
"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
I cannot however seem to work out a way to connect to Exchange when MFA is enforced:
To demonstrate, I configure the automation account credentials to use a global admin account and then try:
Connect-ExchangeOnlineShell -Credential $Credential
I get an error 'you must use multi-factor authentication to access'
It appears there isn't an equivalent certificate-based login for Exchange as there is for Azure AD, so my only option is to use credentials for an account which doesn't have MFA, which from a security standpoint is going to be problematic. Does anyone therefore know how to connect to EOL when MFA is enforced?
Note: Connect-ExchangeOnlineShell is a wrapper for Import-PSSession $Session method to connect to Exchange online which I have also investigated.
Chris Johnston The answer is deceptively simple....
I published a Runbook script to get you started with the initial connection, then you can add your own script form there on.
Have you looked at using application passwords for the office 365 account with MFA? https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords
You could potentially store the application password in a Key Vault and call it from your service principal.
- Chris JohnstonBrass Contributor
Richard_Hooper I have used the equivalent for automation, i.e. app secret for services that can accept these connection parameters e.g. PnP
# Run As connection gives us the app (client) ID of the service principal
$servicePrincipalConnection = Get-AutomationConnection -Name "AzureRunAsConnection"
# The app secret is kept as an encrypted Automation variable, not in the script
$appsecret = Get-AutomationVariable -Name "SPAppSecret"
# PnP accepts an app ID + secret directly (site URL left as in the original post)
Connect-PnPOnline -AppId $servicePrincipalConnection.ApplicationId -AppSecret $appsecret -Url ""
I don't see where Exchange connection supports app secrets.
Would you be able to provide a working or theoretical example of how the connection to Exchange online would use an application password as you suggest please as I'm not sure how I'd do this.
Chris Johnston Unfortunately what I was suggesting will not work. There seems to be a user voice regarding this. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/14890308-allow-admin-to-create-powershell-session-using-app
I am thinking that you will not be able to do what you want to do with MFA enabled.
- MichaelMardahlCopper Contributor
- Chris JohnstonBrass Contributor
MichaelMardahl looking at the script comments, the key is that the user account used has never logged on, which then lets us bypass MFA. It has the feel of a loophole that may close at some point, but many thanks for the post, I'll give this a go 🙂
- MichaelMardahlCopper Contributor
I got it from the official partner documentation 🙂
I am contemplating the issues. But for now I just configure a 50char password and put it away in a locked box.
If you wanna be REALLY secure, then use the demo Azure Automation script that connects securely to Azure AD using a cert.
From there, create the user with my method.
Then do your thing with Exchange. And delete the user again! 🙂
Seems messy, but the odds of anyone being able to compromise the account in the few minutes it lives, are 0.00000000000001
- PhilRiceUoSBrass Contributor
I deployed this and the only thing I changed was the user account name (which is definitely in Azure Automation Credentials) and it just gets stuck on
Logging in to Exchange Online...
and never stops. The account has permissions and can login using powershell.
I'm finding every solution I have tried to use Exchange Online with Azure Automation does the same and gets stuck. Any ideas?
- TobiasBooneCopper Contributor
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure RM..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

    "Logging in to Azure AD..."
    Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

    "Logging into EXOL"
    # App-only (certificate) connection from the ExchangeOnlineManagement module;
    # the app registration needs the Exchange.ManageAsApp permission and an Exchange role
    Connect-ExchangeOnline -CertificateThumbPrint "yourthumprintfromyourAzureAutomationregistrationasAnADapp" -AppID "foundonyourappinAAD" -Organization "tenant.com"
}
catch
{
    # try needs a catch (or finally); rethrow so the runbook job is marked failed
    throw $_
}
- JesseVaughtBrass Contributor
MichaelMardahl, the gallery states that you delisted this, why is that? Does this no longer work?
- CraigWilson_Brass Contributor
This could be an issue with how the connection is happening. If you are using a Microsoft hosted server to run the runbook, it would be using the default Exchange Online PowerShell. Once MFA is enabled you need to switch to a new connection. See the URL https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps
To get this working on Azure Automation, try using a hybrid runbook worker. You can then download the correct PowerShell modules and get the service account to work from there.
- MichaelMardahlCopper Contributor
Hi Craig.
The example runbook in the PS gallery I have linked to, works just fine without a hybrid worker.
No exclusions, or trusted site lists, with full enforced MFA for priv. accounts.
It uses a module called exchangeOnlineShell which works like the one you are linking to, but without requiring the installation, which is a problem in Azure Automation, and yes, that would require a hybrid worker as you say.
I am sure we will soon see some solutions from microsoft for authenticating with certificates against Exchange Online... (Fingers crossed)
- Magnus TengmoCopper Contributor
Microsoft have released a completely new module for Exchange with support for modern authentication and a lot of other improvements.
It is always a challenge, but yes, we did consider security. How about a Service Principal?
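To tie TobiasBoone's certificate snippet and the last post about the new module together, here is an added runbook example (mine, not code posted by anyone in this thread) that connects to Exchange Online app-only, with no user credential and therefore nothing for MFA to block. It assumes the ExchangeOnlineManagement module is imported into the Automation account, that a certificate asset named "ExoAppCert" (a placeholder) holds the private key whose public half is uploaded to an Azure AD app registration, and that the app has the Exchange.ManageAsApp application permission with admin consent plus an Exchange role such as Exchange Administrator. The app ID and organization values are placeholders too.

```powershell
# Added example: app-only (certificate) connection to Exchange Online from an
# Azure Automation runbook with the ExchangeOnlineManagement module.
# Assumptions (not from the thread): certificate asset "ExoAppCert" exists in the
# Automation account, its public key is on the app registration, and the app has
# Exchange.ManageAsApp (admin-consented) plus an Exchange role. All names are
# placeholders.

param(
    [string] $AppId         = "00000000-0000-0000-0000-000000000000", # app (client) ID, placeholder
    [string] $Organization  = "contoso.onmicrosoft.com",              # tenant initial domain, placeholder
    [string] $CertAssetName = "ExoAppCert"                            # Automation certificate asset, placeholder
)

$ErrorActionPreference = "Stop"

# Pull the certificate (with private key) straight from the Automation account.
# No password, no user account, so an MFA policy on admin users never applies.
$cert = Get-AutomationCertificate -Name $CertAssetName
if (-not $cert.HasPrivateKey) {
    throw "Certificate asset '$CertAssetName' has no private key; upload it as a .pfx."
}

"Connecting to Exchange Online as app $AppId ..."
Connect-ExchangeOnline -AppId $AppId `
                       -Certificate $cert `
                       -Organization $Organization `
                       -ShowBanner:$false

try {
    # Cheap read-only check that the app token actually carries Exchange rights;
    # a missing role assignment fails here rather than deep in the real work.
    $orgConfig = Get-OrganizationConfig
    "Connected to tenant: $($orgConfig.Name)"

    # Example work: list shared mailboxes (replace with the actual task).
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize 50 |
        Select-Object DisplayName, PrimarySmtpAddress |
        Format-Table -AutoSize
}
finally {
    # Always tear the session down so it does not outlive the sandbox job.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Because the identity here is the app registration rather than a person, scope it with the least Exchange role the task needs and restrict it further with an Exchange RBAC management scope where possible; a leaked certificate would otherwise be a non-MFA admin path, which is exactly what the original question was trying to avoid.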