SOLVED

MFA and Powershell

Brass Contributor

Hi.

I am testing MFA on some admin users. I have given the MFA admins an EMS license so whitelisting of IPs is supported.

So I have whitelisted our office IP, and when my admin goes to https://outlook.office365.com, MFA is not active. Doing so outside the office will ask for the MFA code, so I'm sure it works.

But when the same admin starts an Azure PowerShell connection to https://outlook.office365.com/powershell-liveid/ it fails. When using an admin account without MFA it works fine....

I can't seem to find out what the difference is, can anyone tell me?

My goal is to enable MFA for all global admins, but of course they will need to be able to connect to Office 365 via PowerShell....

21 Replies
I am also interested in this response.

Currently, Jesper, my understanding is that PowerShell administration with MFA turned on is not supported. Or at least wasn't supported. Something may have changed!
Found a thread that indicates that it is not possible to administer EXO with PowerShell when the admin is MFA enabled: https://techcommunity.microsoft.com/t5/Identity-Authentication/Authenticating-to-O365-using-Powershe...

Yup, not supported. We should have an ADAL-enabled PowerShell module for Exchange Online soon(ish), then you will finally be able to use MFA for all admin accounts (that require access to ExO PowerShell).

FYI, if you use the PnP PowerShell module for SPO tasks, you can use MFA. You need to specify the -UseWebLogin parameter in Connect-SPOnline.

I just sat in a meeting hosted by MS and the PM stated that they are working hard on making all of the modules MFA capable. He mentioned that the EXO module with MFA was in preview.

@Brandon Koeller may be able to provide some more details

Still private preview AFAIK, but at least we know it's coming!

Just got confirmation from an MS supporter that it is not possible. So we must wait for the new EXO module....

I am glad you re-opened this discussion. The MS Secure Score https://securescore.office.com/ recommendation is MFA, and we cannot use it for admins due to the PowerShell issue. I am glad to hear this will be fixed and that there are workarounds for Exchange and SharePoint.

best response confirmed by VI_Migration (Silver Contributor)
Solution

Hey Everyone,

Thanks for your continued engagement. The MFA PowerShell team says I can share the link with y'all: http://aka.ms/exopspreview

Do let us know if you have feedback.

Thanks!

Brandon Koeller

Yay finally! Thanks for sharing!

Fantastic info, thanks Dean!

Amazing, thanks!

Hi, I got a problem installing this app. When I double-click on it, it tells me this:

PLATFORM VERSION INFO
Windows : 10.0.14393.0 (Win32NT)
Common Language Runtime : 4.0.30319.42000
System.Deployment.dll : 4.6.1586.0 built by: NETFXREL2
clr.dll : 4.6.1586.0 built by: NETFXREL2
dfdll.dll : 4.6.1586.0 built by: NETFXREL2
dfshim.dll : 10.0.14393.0 (rs1_release.160715-1616)

SOURCES
Deployment url : file:///C:/Users/j.cizek/Downloads/Microsoft.Online.CSE.PSModule.Client.application

IDENTITIES
Deployment Identity : Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.1509.0, Culture=neutral, PublicKeyToken=c3bce3770c238a49, processorArchitecture=msil

APPLICATION SUMMARY
* Installable application.
* Trust url parameter is set.
ERROR SUMMARY
Below is a summary of the errors, details of these errors are listed later in the log.
* Activation of C:\Users\j.cizek\Downloads\Microsoft.Online.CSE.PSModule.Client.application resulted in exception. Following failure messages were detected:
+ Deployment and application do not have matching security zones.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.

WARNINGS
There were no warnings during this operation.

OPERATION PROGRESS STATUS
* [11.11.2016 17:27:14] : Activation of C:\Users\j.cizek\Downloads\Microsoft.Online.CSE.PSModule.Client.application has started.
* [11.11.2016 17:27:14] : Processing of deployment manifest has successfully completed.
* [11.11.2016 17:27:14] : Installation of the application has started.

ERROR DETAILS
Following errors were detected during this operation.
* [11.11.2016 17:27:14] System.Deployment.Application.InvalidDeploymentException (Zone)
- Deployment and application do not have matching security zones.
- Source: System.Deployment
- Stack trace:
at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

COMPONENT STORE TRANSACTION DETAILS
No transaction information is available.

Do you know how to solve this?

@Jan Čížek: Not sure about the error, it worked fine for me when I installed it from the link. Did you add the required sites from Microsoft O365 in your IE security zones? Could it be that you are missing the following sites in IE (Security -> Trusted sites):

https://*.outlook.com

https://*.microsoftonline.com

https://*.lync.com

https://*.sharepoint.com

Since the error you got is regarding a trust, I suppose it may involve this setting or another trust setting in IE.

Hi, how do you set bulk users to disabled status from enabled? I am using the below script:

# Read the list of users to update (CSV with a Username column)
$users = Import-Csv 'C:\support\BulkUpdateMFASampleFile.csv'

foreach ($user in $users)
{
    # Build a per-user strong authentication requirement for all relying parties
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Disabled"
    $sta = @($st)

    # Apply the requirement to the user
    Set-MsolUser -UserPrincipalName $user.Username -StrongAuthenticationRequirements $sta
}
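An added example, not code from the thread, that generalizes the script above: it reads Username and State columns from a CSV, applies Enabled, Enforced or Disabled per user, and reports the state before and after each change. It assumes the MSOnline module is installed, that Connect-MsolService has already been run, and that the CSV path is the one from the post; the function names are my own.

```powershell
# Added example (not from the thread). Assumes: MSOnline module loaded and
# Connect-MsolService already completed. CSV columns assumed: Username,State
$ValidStates = @('Enabled', 'Enforced', 'Disabled')

function Get-MfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $req = $u.StrongAuthenticationRequirements
    # No requirement object means per-user MFA is not enabled
    if ($req -and $req.Count -gt 0) { return $req[0].State } else { return 'Disabled' }
}

function Set-MfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )
    if ($State -eq 'Disabled') {
        # Disabling per-user MFA is done by clearing the requirements array
        $sta = @()
    } else {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = '*'
        $st.State = $State
        $sta = @($st)
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $sta -ErrorAction Stop
}

$users = Import-Csv 'C:\support\BulkUpdateMFASampleFile.csv'
$report = foreach ($user in $users) {
    $upn = $user.Username
    try {
        # Reject unknown states before touching the account
        if ($ValidStates -notcontains $user.State) { throw "Invalid State '$($user.State)'" }
        $before = Get-MfaState -UserPrincipalName $upn
        Set-MfaState -UserPrincipalName $upn -State $user.State
        $after  = Get-MfaState -UserPrincipalName $upn
        [pscustomobject]@{ User = $upn; Before = $before; After = $after; Result = 'OK' }
    } catch {
        # Keep going on failures (bad row, unknown user, federated account) and record why
        [pscustomobject]@{ User = $upn; Before = $null; After = $null; Result = $_.Exception.Message }
    }
}
$report | Format-Table -AutoSize
```

The report makes it easy to spot rows where the state did not change, which is the check you want before relying on MFA for admin accounts.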

 

Had the same until I downloaded it with IE .... weird

Hi Jesper,

Not sure if this is still an issue for you, but we've been able to get this working for our admins (note that for this to work the admin account needs to be cloud only; federated accounts will not work).

You've already done the IP whitelisting, which is good; the missing piece (for us) was to delete the default app password that gets created when you enable MFA on the admin account.

Follow the below steps to delete the default app password:

  • Enable MFA on your cloud admin account
  • Go to this link: https://portal.office.com/account/#security
  • Click on Additional Security Verification
  • Click on Update my phone numbers used for account security
  • Click on the app passwords tab
  • Delete the default app password that was created

Try connecting to Office 365 services via PowerShell.

Don't know if I am the only one that missed this, but Microsoft released an Exchange Online PowerShell module that supports MFA.

https://gotoguy.blog/2017/01/12/exchange-online-powershell-with-modern-authentication-and-azure-mfa-...
