Jul 02 2021 11:46 AM
Wondering if anyone is aware of whether we can get API access to the Security and Compliance Center. I'm not even sure what to call it, but I need to manage retention policies that today are managed at https://compliance.microsoft.com, or via Connect-IPPSSession (from the EXO v2 PS module).
What I'm trying to avoid is basic authentication with Connect-IPPSSession. I don't see anything for MS Graph from the v1.0/beta references, and I have already asked the Exchange Team in the comments for their blog post about the app-only/certificate authentication addition to Connect-ExchangeOnline (asked if they'll bring the same added functionality to Connect-IPPSSession).
My use case is to unattended'ly script the addition/removal of certain users to/from the excluded mailboxes list for a given retention policy. This would be done interactively like this:
Connect-IPPSSession <parameters of choice>
Set-RetentionCompliancePolicy <policy> -AddExchangeLocationException <one,or,more,users>
The reason is that a customer is using a retention policy to ensure their terminating users' mailboxes become Inactive Mailboxes. Since they rely so heavily on Inactive Mailboxes, auto-expanding archives are out of the question (as this takes away recoverability/restorability for Inactive Mailboxes). As a result, many mailboxes are hitting the 100GB Recoverable Items quota. So we have a manual process for now to exclude these mailboxes from the policy, then either wait or rush with Start-ManagedFolderAssistant to see the Recoverable Items consumption go down.
We can easily use Connect-ExchangeOnline, Get-EXOMailbox, and Get-EXOMailboxStatistics with an Azure AD app and a certificate to figure out which mailboxes are approaching the 100GB. But we can't do the same with Connect-IPPSSession. I am eagerly awaiting either MS Graph support for this, or for Connect-IPPSSession to be updated. Neither of these things are even announced that I can see.
Dec 09 2021 07:12 AM
@svermaak_MGL unfortunately my MS Support case spiraled, went nowhere and was closed with this guidance:
"As I have got the answer from my resources and we request you please use the following command ‘Connect-ExchangeOnline’ for future as both are global commands and nothing can we change. I am apologize for this..
We have a new preview version of the ExchangeOnlineManagement module that support the legacy Get-Mailbox without need for Basic Authentication through ‘Connect-ExchangeOnline’.
Please follow the link for more information.
Exchange Online PowerShell v2 Module Preview – Now More Secure - Microsoft Tech Community
Please let me know if you have further questions/any update on this."
I did respond and said that Connect-ExchangeOnline is not an alternative to nor a replacement for Connect-IPPSSession and mentioned that it was the EXO Cmdlets preview feedback email team who advised for MS Support cases to be opened to request the feature, and that clearly this case did not get received well.
For now, giving up, moving, using Basic Authentication against Connect-IPPSSession until whenever it's possible to not do this.
Dec 09 2021 01:19 PM
@JeremyTBradshaw, yeah, mine went back and forth too, but I managed to get a workaround without the ticket. Just before you get your hopes up, my issue was a bit different to yours and I managed to get it working within an Azure Function App:
Connect-IPPSSession -Credential $RunAs -ConnectionUri "https://ps.compliance.protection.outlook.com/powershell-liveid/";
$sessions = Get-PSSession;
Import-Module (Import-PSSession $sessions[$sessions.Count - 1] -AllowClobber) -Global
$retentionPolicy = Get-RetentionCompliancePolicy -Identity $retensionPolicyName -DistributionDetail;
What also helped me was I added this to the ExchangeOnlineManagement.psm1 file, around line 611
process {
    try {
        $EOPConnectionInProgress = $true
        if ($isCloudShell -eq $false) {
            Write-Host "Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -UserPrincipalName $UserPrincipalName.Value -PSSessionOption $PSSessionOption -Credential $Credential.Value -BypassMailboxAnchoring:$BypassMailboxAnchoring -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true"
            Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -UserPrincipalName $UserPrincipalName.Value -PSSessionOption $PSSessionOption -Credential $Credential.Value -BypassMailboxAnchoring:$BypassMailboxAnchoring -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true
        } else {
            Write-Host "Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -PSSessionOption $PSSessionOption -BypassMailboxAnchoring:$BypassMailboxAnchoring -Device:$Device.Value -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true;"
            Connect-ExchangeOnline -ConnectionUri $ConnectionUri -AzureADAuthorizationEndpointUri $AzureADAuthorizationEndpointUri -PSSessionOption $PSSessionOption -BypassMailboxAnchoring:$BypassMailboxAnchoring -Device:$Device.Value -ShowBanner:$false -DelegatedOrganization $DelegatedOrganization -Prefix $Prefix -CommandName $CommandName -FormatTypeName $FormatTypeName -UseRPSSession:$true
        }
    } finally {
        $EOPConnectionInProgress = $false
    }
}
This outputs the underlying command Connect-IPPSSession actually executes.
Jan 25 2022 02:25 AM - edited Jan 25 2022 02:26 AM
Solution: Good news guys!
Our request just got updated!
Check it out: https://m365log.com/apps-365/certificate-based-authentication-for-security-and-compliance-center-pow...
Aug 05 2022 06:11 AM - edited Aug 24 2022 04:44 AM
@Jhosefer , @svermaak_MGL , @dgal73 , @Victor_Ivanidze Hi all,
I forgot to share something that was provided to me by Chris D on GitHub (I think, but sort of forget) MS Support. Right now, the Connect-IPPSSession which supports certificate based app-only authentication is only within the preview modules 2.0.6***. If we want to accomplish the same thing, but using the current GA 2.0.5, we can use Connect-ExchangeOnline and simply supply the -ConnectionUri parameter with the URL to the SCC:
Connect-ExchangeOnline -AppId e3de3805-2f5a-43c7-8541-b448b50936f4 -Organization MyTenant.onmicrosoft.com -Certificate (Get-ChildItem cert:\CurrentUser\My\98556EEAC704460287C809AEDA9CD3A33A9CAA9B) -ConnectionUri 'https://ps.compliance.protection.outlook.com'
... and it works flawlessly! I can't find this documented as supported, however, I do feel better using this approach in production scripts for clients, vs using the prerelease module versions. Hope you find it helpful!
Aug 24 2022 06:08 AM
@Jhosefer I think the main reason it's not documented is that it's still up in the air as to what will be the path forward (i.e., this solution I've shared, vs keeping/updating Connect-IPPSSession alive as its own cmdlet vs demoting it to be just an alias of the Connect-ExchangeOnline cmdlet). I'm definitely speculating here and do not have the internal answers but from my poking and prodding here and over on GitHub, it's my best guess.
In another GitHub issue, Chris also pointed out this same trick, while it works with the preview 2.0.6*** versions, since those versions default to non-RPS, we have to supply the -UseRPSSession switch. So again, not quite ready to be documented while things are in between current GA and final target state.
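The unattended workflow this thread is after, with no stored password or Basic Authentication, as an added example that is not part of any post or of the module itself: find mailboxes near the Recoverable Items quota over an app-only Exchange Online connection, then reuse the same app and certificate against the Security & Compliance endpoint to extend the policy's exclusion list. The parameter names, the 90 GB threshold, the use of TotalDeletedItemSize as the Recoverable Items measure and the shape of ExchangeLocationException entries are assumptions, as is an app registration that already holds the permissions and role these cmdlets need.

```powershell
#Requires -Modules ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $AppId,         # your own app registration ID
    [Parameter(Mandatory)] [string] $Organization,  # e.g. <tenant>.onmicrosoft.com
    [Parameter(Mandatory)] [string] $Thumbprint,    # certificate in the caller's store
    [Parameter(Mandatory)] [string] $PolicyName,    # retention policy to edit
    [double] $ThresholdGB = 90                      # assumed margin below the 100GB quota
)
$ErrorActionPreference = 'Stop'
$auth = @{ AppId = $AppId; Organization = $Organization; CertificateThumbprint = $Thumbprint; ShowBanner = $false }

# Phase 1: Exchange Online. Collect mailboxes whose Recoverable Items are near the quota.
Connect-ExchangeOnline @auth
try {
    $hot = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
        $stats = Get-EXOMailboxStatistics -Identity $mbx.UserPrincipalName
        # The size renders like "95.2 GB (102,220,000,000 bytes)"; parse the byte count.
        if ("$($stats.TotalDeletedItemSize)" -match '\(([\d,]+) bytes\)') {
            $gb = [double]($Matches[1] -replace ',') / 1GB
            if ($gb -ge $ThresholdGB) { $mbx.PrimarySmtpAddress }
        }
    }
} finally { Disconnect-ExchangeOnline -Confirm:$false }
if (-not $hot) { return }

# Phase 2: same app and certificate, pointed at the Security & Compliance endpoint.
# Per the thread, preview 2.0.6 module builds also need -UseRPSSession on this call.
Connect-ExchangeOnline @auth -ConnectionUri 'https://ps.compliance.protection.outlook.com'
try {
    # Skip mailboxes already excluded so that reruns do not resubmit them.
    # Assumption: each exception entry exposes the mailbox address as .Name.
    $existing = (Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail).ExchangeLocationException.Name
    $new = @($hot | Where-Object { $_ -notin $existing })
    if ($new.Count) {
        Set-RetentionCompliancePolicy -Identity $PolicyName -AddExchangeLocationException $new
    }
} finally { Disconnect-ExchangeOnline -Confirm:$false }
```

The two connections are made one after the other and each is closed in a `finally` block, so a failure in either phase does not leave an authenticated session open in the unattended host.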