
Exchange Online Powershell auto login and unable to login to other tenant-domain

Cecil C. Achord
Occasional Contributor

So I have admin accounts for two companies. A main account, which my machine is all set up with, and our new parent company account. After turning on MFA for both, my Outlook stopped liking the second account (still haven't figured that out, but that's another story). So in the process of troubleshooting that, I was getting PowerShell working with MFA. Long story short, I got PowerShell working no problem; however, 1, it auto-logs in when I run Connect-EXOPSSession -UserPrincipalName <my UPN here> for my main account, which I don't really think is a good thing from a security standpoint, and 2, when I put the UPN from the other tenant/domain in there, it fails with "Bad request for more information" after doing the MFA login.

I had installed Microsoft Online Services Sign-In Assistant, which I thought could be the culprit, but getting rid of it and restarting did not help. Any ideas on how to stop this behavior and make me log in with MFA every time instead of passthrough, and also why it might have broken logging into the other?

Once I'm done with that rabbit hole I'm going to try and figure out why Outlook doesn't like the other account (doesn't even come up with the MFA stuff for it), but first things first.

1 Reply

@Cecil C. Achord This is default behavior when you have SSO with pass through enabled (in Azure AD Connect), and probably your new tenant (which doesn't work to connect with EXO PowerShell) has a conditional access policy in Azure AD to allow access to Azure AD resources via domain-joined devices only (which isn't right because you are on your old company's domain-joined device). Maybe?

 

Ankit Shukla