Multi-Factor Authentication for the Hybrid Configuration Wizard and Remote PowerShell
Published Mar 14 2017 07:39 AM

You can now use an administrator account that is enabled for Multi-Factor Authentication (MFA) to sign in to Exchange Online PowerShell and the Office 365 Hybrid Configuration Wizard (HCW).

In case you are not aware, Azure Multi-Factor Authentication is a method of verifying who you are that requires more than just a username and password. With MFA for Office 365, users are required to acknowledge a phone call, text message, or app notification on their smartphones after correctly entering their passwords. They can sign in only after this second authentication factor has been satisfied. You can read more about the Office 365 Multi-Factor Authentication option here.

Many Exchange Online customers wanted the extra level of security that is offered with Multi-Factor Authentication, which allows you to force the administrator account to use Multi-Factor Authentication. However, because of a limitation in Remote PowerShell, Exchange Online administrators could not connect with an MFA-enabled account. In addition, because the Office 365 Hybrid Configuration Wizard also requires Remote PowerShell connections to Exchange Online, until now the account you used to run the HCW could not be enabled for Multi-Factor Authentication.

The Exchange Online PowerShell Module

A new module is available for download that allows you to connect with an account that is enabled for Multi-Factor Authentication. You can download the module from the Exchange Online Administration Center (the steps are outlined in this article).

Note: We do not plan to discontinue traditional methods of connecting to Remote PowerShell; if you are not using Multi-Factor Authentication you can continue to connect using the methods you already have in place.

The Hybrid Wizard Update

The Hybrid Wizard has also been updated to allow administrators who are enabled for Multi-Factor Authentication to authenticate.

Note: There is an issue with this new authentication method in the 21 Vianet Greater China tenants. Customers with tenants in that region cannot use the MFA module or Hybrid integration mentioned in this article and should instead use the Hybrid Wizard located here: http://aka.ms/HCWCN

To keep the sign-in experience consistent for all customers, whether they have MFA enabled or are using traditional credentials, we have updated the credentials page in the wizard. On the Credential page of the wizard you will see that the “next” button is not available. You are required to pick your credential for on-premises (which by default will be the currently signed-in credentials) and “sign in” to Office 365.

Once you select “sign in” you will be prompted for credentials in a familiar-looking screen.

If you have Multi-Factor Authentication enabled for the administrator, you will then be prompted for the second factor of authentication.

Once verified, you will see the credential card for both the on-premises and Exchange Online administrators. You will also notice that the “next” button is now activated.

Conclusion

Your feedback about not being able to use an MFA-enabled account for Exchange Online administration was loud and clear! Please keep providing us feedback so we can continue to identify and address your needs.

The Exchange Team
22 Comments
Not applicable
We utilize ISE editor extensively when writing and running scripts. If our cloud accounts are MFA-enabled, how can we call this new MFA-enabled PowerShell module in ISE Editor? It seems like it's not possible and we just have to run the MFA-enabled PowerShell module on its own.
Not applicable
If you're using MFA with ISE Editor: this requires you to run the above at least once before the below script will work.

Connect with the following script:

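# Root folder where the ClickOnce-installed Exchange Online module lives
$Path = $env:LOCALAPPDATA+"\Apps\2.0\"

# Sign in to Azure AD (MSOnline)
Import-Module MSOnline
Connect-MsolService

# Locate the module DLL, skipping the "_none_" folders, and import the first match
Import-Module $((Get-ChildItem -Path $($Path) -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)

# Create the MFA-capable session and import its cmdlets
$NewSession = New-ExoPSSession
Import-PSSession $NewSession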
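
A hardened variant of the ISE connection script in the comment above, added here as an example (it is not the commenter's or Microsoft's code): it selects the newest module copy deterministically and checks the DLL's Authenticode signature before importing it from the user-writable ClickOnce folder. The placeholder UPN, the expectation that the DLL is signed by Microsoft Corporation, and a module build whose New-ExoPSSession accepts -UserPrincipalName are assumptions.

```powershell
# Added example, not from the original post.
# Assumptions: the module was installed via ClickOnce from the EAC and launched
# once; the DLL carries a Microsoft Authenticode signature; $AdminUpn is a
# placeholder account name.
$AdminUpn   = 'admin@contoso.onmicrosoft.com'   # placeholder, replace with your admin UPN
$ModuleName = 'Microsoft.Exchange.Management.ExoPowershellModule.dll'
$SearchRoot = Join-Path $env:LOCALAPPDATA 'Apps\2.0'

# Pick the most recently written copy, skipping ClickOnce "_none_" folders,
# so the choice does not depend on directory enumeration order.
$candidate = Get-ChildItem -Path $SearchRoot -Filter $ModuleName -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '_none_' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $candidate) {
    throw "Module not found under $SearchRoot. Install it from the EAC and launch it once."
}

# The search root is writable by the current user, so refuse to load a DLL
# that is unsigned, tampered with, or signed by an unexpected publisher.
$sig = Get-AuthenticodeSignature -FilePath $candidate.FullName
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to import $($candidate.FullName): signature status '$($sig.Status)'."
}

Import-Module $candidate.FullName

# The UPN only pre-fills the sign-in dialog; the password and the second
# factor are still entered interactively.
$session = New-ExoPSSession -UserPrincipalName $AdminUpn
try {
    Import-PSSession $session -AllowClobber | Out-Null
    # Sanity check that the imported session answers before running real work.
    Get-OrganizationConfig | Select-Object -ExpandProperty Name
}
catch {
    # Do not leave a half-open authenticated session behind on failure.
    Remove-PSSession $session
    throw
}
```

Run `Remove-PSSession $session` when the work is finished so the authenticated session does not stay open in the ISE host.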

Not applicable
We are working with the MFA module folks to update content around this, but you are correct, the module should be run on its own for scripting.
Not applicable
Hey Sebastian Olsson

Thank you so much for this one mate.

This is really very helpful.

Cheers.

Have a nice life.

Good things come back to you man.

!

Not applicable
Thanks!

Is the new PowerShell module no longer in Preview?

Not applicable
The Module was in preview only till the HCW released the capability to use MFA, therefore it is no longer in preview
Not applicable
I appreciate it's not your team, but would you be able to find out if we have a date planned for the Security and Compliance PS to support MFA? Now EXO is GA, that's the only thing stopping us going fully MFA for all admins! (compliance searches etc.)
Not applicable
Hello, we are a bunch of admins here who use PowerShell extensively. Do I need to upgrade to the full version of Azure Multi-Factor Authentication if I need to take advantage of this?
Not applicable
Powershell for MFA will be interesting. Great work team.
Not applicable
Is Security & Compliance covered as well with MFA enabled account?
Not applicable
This is a connection to Exchange Online PowerShell with MFA, so anything you can do in Exchange Online PowerShell should work here
Not applicable
Great improvement! Are there plans to support Delegated Administrator Rights cmdlets in Exchange MFA PowerShell? I mean executing things with -TenantID parameter.
Not applicable
Can anyone get this new module to work with an authenticated proxy server? When doing a remote PowerShell session previously I was able to add options to the session to send it through our proxy server, is this possible with the MFA module?
Not applicable
Where do you guys keep the release notes for the HCW?
Not applicable
We do not have release notes for this application, we will sometimes add release information to the Exchange Release Notes, in TechNet articles, or in EHLO blogs whenever appropriate.
Not applicable
Hello, I am getting some timeout issues when trying to use PowerShell with dual factor authentication. After 1-2 hours, my online exchange commands stop working. They try to re-authenticate but fail since it pops up with a PowerShell authentication and not the Microsoft authentication to prompt for a code. Is there a fix for this?
Not applicable
I also put in a premier ticket to Microsoft about this issue and received a reply saying the product team will not be looking into this issue. I will have to close and reopen PowerShell every hour and go through the authentication again. Any thoughts on this?
Not applicable
Ours is timing out between one to two minutes. We have found it may have something to do with the proxy. Are you running it behind a proxy?
Not applicable
We are having the same time-out issue about every two minutes where we have to go through the MFA authentication process again. I do not believe we are behind a proxy, but will confirm. Were you able to get this resolved?
Not applicable
How can I pass to New-ExoPSSession Cmdlet at least the name of the admin and if possible the password ?
Not applicable
How does this (technically) work?

We have existing systems that need to integrate similarly.

Not applicable
Please feel free to use my connection script for PowerShell with MFA:

- https://gallery.technet.microsoft.com/Office-365-Connection-47e03052

I have also created tutorials on MFA, including how to enable your admin account with MFA and how to configure your PC for PowerShell with MFA:

- http://www.365admin.com.au/2017/07/all-mfa-multi-factor-authentication.html

The script was updated 1 July 2017 and will connect to the following services with MFA enabled:

- Exchange Online
- SharePoint Online
- Skype for Business Online
- Azure AD v1.0
- Azure AD v2.0
- Azure Resource Manager
- Azure Rights Manager
- Exchange Online Protection

Last update: Jul 01 2019 04:29 PM