SOLVED

Authenticating to O365 using Powershell and MFA

Steel Contributor

I am running into issues with autheticating to O365 on Powershell and in this case my account has been enabled with MFA.
I already installed the preview from https://blogs.technet.microsoft.com/enterprisemobility/2015/10/20/azure-ad-powershell-public-preview... and the authentication basically works but then comes in the question on how to authenticate with Exchange Online? I found a post already where a MSFT engineer states that the only way here would be to create a dedicated admin account without MFA enabled but we strictly enabled MFA on admin accounts for security reasons.
I noticed that there are no plans on uservoice (but some suggestions) to enable this. Has anyone already found another solution (except for creating another account without MFA)?

25 Replies

The module only helps with the Azure AD part, Exchange/Skype/SharePoint PowerShell and so on are still not able to take advantage of MFA. And it has been requested a million times already, without any official acknowledgement/confirmation on MS side (that I'm aware of).

This is a blocker to using MFA on our admin accounts too - we need to run scripts to take privileged actions but we can't enable MFA for those privileged accounts.

I'm with you.  I want MFA on all my admin IDs, yet MFA is not enabled when using PowerShell for O365 or Exchange Online.  Yes, I did get into Azure AD powershell with MFA and was not able to administer Exchange Online or anything else.   

 

Yep.  Not-so-patiently waiting for MS to imbed MFA here.  I love the extra level of security MFA adds to the game.

What we ended up doing, was configuring Conditional Access MFA on the O365 Exchange Endpoint to while not at work for our admin group.  This seems to have helped us from within the Azure AD Domain Applications list. 

The PnP powershell cmdlets can be use with MFA to peform many actions in SPO, see https://github.com/OfficeDev/PnP-PowerShell and use the https://github.com/OfficeDev/PnP-PowerShell/blob/master/Documentation/ConnectSPOnline.md with the UseWebLogin option

Not for connecting to Exchange Online, that is purely a PSSession in PowerShell, which is not ADAL enabled. The rest of the services, yes, those cmdlets work, but Exchange and EOP, are just PSSessions.

I agree that all PS connecting to O365 should support the ADAL library.

Waiting for this feature already more than 1 year.

best response confirmed by Mike Platvoet (Steel Contributor)
Solution

To save everyone from having to read @Anna Chu full post: there is now an Exchange Online Powershell module in preview available that supports MFA. I just tested it and it works (so far) as expected. Go to http://aka.ms/exopspreview to download the preview.

We've been able to get our Office 365 Admin accounts with MFA enabled working with Powershell for Exchange Online, Skype for Business etc.....with some caveats:

  • This requires an Azure AD Premium, Enterprise Mobility Suite or Azure Multi-Factor Authentication subscription
  • The admin account must be a cloud only account (will not work for federated accounts)

 

Assuming the above caveats are ok, follow the below steps to set it up:

  • Follow the below post on setting up Azure MFA contextual whitelisting, you will need to whitelist all ip address ranges that powershell logins will come from. In our case we've whitelisted all of our companies public IP address ranges: 

https://blogs.technet.microsoft.com/enterprisemobility/2014/04/25/enhancing-azure-mfa-with-contextua...

 

  • Enable MFA on your cloud admin account
  • Log into the Office 365 portal and configure MFA for your account
  • Go to this link: https://portal.office.com/account/#security
  • Click on Additional Security Verification (If this option doesn't show wait a few minutes and try again)
  • Click on Update my phone numbers used for account security
  • Click on the app passwords tab
  • Delete the default app password that was created (failing to this step will prevent you from logging into Office 365 services via powershell).

This has closed a security policy breach for us, we were struggling with it for a while, the missing piece for us was deleting the default app password that gets set up automatically when you enable MFA on your account. I hope that this can help other people struggling with the same issue.

 

The ideal solution will come when Microsoft updates each of their services to allow federated accounts with MFA

to authenticate via powershell (it seems like they are making slow progress).

We enabled MFA for our Exchange Admins and they are able to run the PowerShell okay.  We are finding that they are having to re-auth every 30 minute or so.  Anyone know if there's a way to extend this?

 

Also, is Exchange PowerShell the only one that is supporting MFA at this time?  I'm not seeing anything for SharePoint...

Seems that Exchange Online ist MFA enabled now.

Have a look at this article:

"Connect to Exchange Online PowerShell using multi-factor authentication"

https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

Anyone have a clue as to how to use MFA login in an unattended powershell script?

 

I have MFA working fine with powershell interactively - The login and MFA dialogs come up and do the right thing but this does me no good for the scheduled things I need to do off-hours.

 

TIA

 

--Brian

You need to use the PnP SharePoint cmdlets to use MFA with SPO, see https://github.com/SharePoint/PnP-PowerShell,

 

If the account requires MFA, the UseWebLogin parameter is needed, see https://github.com/SharePoint/PnP-PowerShell/blob/master/Documentation/ConnectPnPOnline.md

I think that you will need to use a Service account that does not require MFA.

If you have very strict requirements, you may want to use Azure Privileged Identity Management, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-managem... to get started with that.

This works well now for using PowerShell with SharePoint Online and MFA - interactive, but approach works with MFA - https://technet.microsoft.com/en-us/library/fp161372.aspx

I tried to get send emails from powershell when MFA is enabled, but no avail. 

 

Background:

This worked when my account did not have MFA enabled (just example):

  • tried to send email using Send-MailMessage -To "xx@xx.fi" -From $cred.UserName -Subject "The subject" -Body $body -UseSsl -Encoding UTF8 -SmtpServer "smtp.office365.com" -Port 587 -Credential $cred -ErrorVariable mailError

When I enabled MFA for my account then sending email is not possible through powershell anymore.

Getting this error: 
Send-MailMessage : The SMTP server requires a secure connection or the client was not authenticated

 

Followed this article and one hour later got it working:

https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

- run into problems like only IE working and runas IE different user not working

- tip: log on to your machine with the account you have as  Exchange admin privileges, don't try to use runas -functionality to fool your browser, because it will try to install Microsoft Exchange Online Powershell Module from the Exchange admin center to user who is logged on. I got weird errors like this is already installed from a different location and ofcourse the dirrefent zone error and so on.

After once succesfully done that with the proper account, the "normal account" I use to run my scripts in this machine seems to work fine.

 

 

Got the Connect-EXOPSSession working fine and was very frustated to find out that there seems to be no way to send email through EXOPSSession.

It does not have that "inside" Connect-EXOPSSession:

>Get-Command -Module tmp_riwbx11w.0ow

 

>....

>Function Search-MessageTrackingReport 1.0 tmp_riwbx11w.0ow

>(SHOULD BE here!)
>Function Send-TextMessagingVerificationCode 1.0 tmp_riwbx11w.0ow
>Function Set-CalendarNotification 1.0 tmp_riwbx11w.0ow

>...

 

So all the connecting to Exchange Online with MFA was for nothing.

 

I simply conclude that I've to use local Outlook to send messages with powershell if MFA is enabled:

$Outlook = New-Object -ComObject Outlook.Application
$Mail = $Outlook.CreateItem(0)
$Mail.To = "xxx@xxx.fi"
$Mail.Subject = "Testpost"
$Mail.Body ="some writing"
$Mail.Send()

 

To summarize: 

  • If MFA enabled there is no way to connect to Exchange Online to send emails

Solution:

  • drop the MFA or use the local Outlook client to send messages

Hope this helps to avoid the same searching and googling to find out there is no cure. Better yet if anybody has answers.

You can still use the apppassword as a regular password for these cases until MFA is good and natively supported.
1 best response

Accepted Solutions
best response confirmed by Mike Platvoet (Steel Contributor)
Solution

To save everyone from having to read @Anna Chu full post: there is now an Exchange Online Powershell module in preview available that supports MFA. I just tested it and it works (so far) as expected. Go to http://aka.ms/exopspreview to download the preview.

View solution in original post