Multi-Factor Authentication for the Hybrid Configuration Wizard and Remote PowerShell

Published Mar 14 2017 07:39 AM 17.6K Views

You can now use an Administrator account that is enabled for Multi-Factor Authentication to sign in to Exchange Online PowerShell and the Office 365 Hybrid Configuration Wizard (HCW). In case you are not aware, the Azure multi-factor authentication is a method of verifying who you are that requires the use of more than just a username and password. Using MFA for Office 365, users are required to acknowledge a phone call, text message, or app notification on their smart phones after correctly entering their passwords. They can sign in only after this second authentication factor has been satisfied. You can read more about the Office 365 Multi Factor Authentication option here. Many Exchange Online customers wanted the extra level of security that is offered with Multi-Factor Authentication, which allows you to force the administrator account to use Multi-Factor Authentication. However, because of a limitation in Remote PowerShell, Exchange Online administrators could not connect with a Multi-Factor enabled account. In addition, as the Office 365 Hybrid Wizard also requires Remote PowerShell connections to Exchange Online, prior to now, the account you used to run the HCW could not be enabled for Multi-Factor Authentication.

The Exchange Online PowerShell Module

There is a new module that was created that can be downloaded to allow you to connect with an account that is enabled for Multi-Factor Authentication. You can download the module from the Exchange Online Administration Center (the steps are outlined in this article). image

Note: We do not plan to discontinue traditional methods of connecting to Remote PowerShell; if you are not using Multi-Factor Authentication you can continue to connect using the methods you already have in place.

The Hybrid Wizard Update

The Hybrid Wizard has also been updated to allow for Multi-Factor Authentication enabled administrators to authenticate.

Note: There is an issue with this new Authentication method in the 21 Vianet Greater China tenants. For customers with Tenants in that region you cannot use the MFA module or Hybrid integration mentioned in this article and should instead use the Hybrid Wizard located here:

In order to keep the sign in experience consistent for all customer whether they have MFA enabled or are using traditional credentials, we have updated our credentials page in the wizard. On the Credential page of the wizard you will see that the “next” button is not available. You are required to pick your credential for on-premises (which by default will be the currently signed in credentials) and “sign in” to Office 365. image Once you select “sign in” you will be prompted for credentials in a familiar looking screen. image If you have Multi-Factor Authentication enabled for the administrator, you would then be prompted for the second factor of authentication. image Once verified, you would see the credential card for both the on-premises and Exchange Online administrators. You will also notice that the “next” button is now activated. image


Your feedback about not being able to use MFA enabled account for Exchange Online administration was loud and clear! Please keep providing us feedback so we can continue to identify and address your needs. The Exchange Team
Not applicable
We utilize ISE editor extensively when writing and running scripts. If our cloud accounts are MFA-enabled, how can we call this new MFA-enabled Powershell module in ISE Editor? It seems like it's not possible and we just have to run the MFA-enabled Powershell module on it's own.
Not applicable
If you're using MFA with ISE Editor. Requiers you to run the above at least once before the the below script is working.

Connect with the following script:

$Path = $env:LOCALAPPDATA+"\Apps\2.0\"

Import-Module MSOnline


Import-Module $((Get-ChildItem -Path $($Path) -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)

$NewSession = New-ExoPSSession

Import-PSSession $NewSession

Not applicable
We are working with the MFA module folks to update content around this, but you are correct, the module should be runs on it's own for scripting
Not applicable
Hey Sebastian Olsson

Thank you so much for this one mate.

THis is really very helpful.


Have a nice life.

Good things come back to you man.


Not applicable

Is the new PowerShell module no longer in Preview?

Not applicable
The Module was in preview only till the HCW released the capability to use MFA, therefore it is no longer in preview
Not applicable
I appreciate it's not your team! but would you be able to find out if we have a date planned for the Security and Compliance PS to support MFA? - now EXO is GA, that's the only thing stopping us going fully MFA for all admins! (compliance searches etc)
Not applicable
Hello, We are a bunch of admins here who use Powershell extensively. Do I need to upgrade to the full version of Azure Multi-Factor Authentication if I need to take advantage of this.
Not applicable
Powershell for MFA will be interesting. Great work team.
Not applicable
Is Security & Compliance covered as well with MFA enabled account?
Not applicable
This is a connection to Exchange Online PowerShell with MFA, so anything you can do in Exchange Online PowerShell should work here
Not applicable
Great improvement! Are there plans to support Delegated Administrator Rights cmdlets in Exchange MFA PowerShell? I mean executing things with -TenantID parameter.
Not applicable
Can anyone get this new module to work with an authenticated proxy server? When doing a remote PowerShell session previously I was able to add options to the session to send it through our proxy server, is this possible with the MFA module?
Not applicable
Where do you guys keep the release notes for the HCW?
Not applicable
We do not have release notes for this application, we will sometimes add release information to the Exchange Release Notes, in TechNet articles, or in EHLO blogs whenever appropriate.
Not applicable
Hello, I am getting some timeout issues when trying to use PowerShell with dual factor authentication. After 1-2 hours, my online exchange commands stop working. They try to re-authenticate but fail since it pops up with a PowerShell authentication and not the Microsoft authentication to prompt for a code. Is there a fix for this?
Not applicable
I also put in a premier ticket to Microsoft about this issue and received a reply saying the product team will not be looking into this issue. I will have to close and reopen power shell every hour and go through the authentication again. Any thoughts on this?
Not applicable
Ours is timing out between one to two minutes. We have found it may have something to do with the proxy. Are you running it behind a proxy?
Not applicable
We are having the same time-out issue about every two minutes where we have to go through the MFA authentication process again. I do not believe we are behind a proxy, but will confirm. Were you able to get this resolved?
Not applicable
How can I pass to New-ExoPSSession Cmdlet at least the name of the admin and if possible the password ?
Not applicable
How does this (technically work)?

We have existing systems that need to integrate similarly.

Not applicable
Please feel free to use my connection script for PowerShell with MFA -


I have also created tutorials on MFA, including how to enable your admin account with MFA and how to configure your PC for PowerShell with MFA. -


The script was updated 1 July 2017 and will connect to the following services with MFA enabled -

- Exchange Online

- SharePoint Online

- Skype for Business Online

- Azure AD v1.0

- Azure AD v2.0

- Azure Resource Manager

- Azure Rights Manager

- Exchange Online Protection

Version history
Last update:
‎Jul 01 2019 04:29 PM
Updated by: