Oct 20 2016 04:40 AM
Hi.
I am testing MFA on some admin users. I have given the MFA admins an EMS license so whitelisting of IPs is supported.
So I have whitelisted our office IP, and when my admin goes to https://outlook.office365.com, MFA is not active. Doing so outside the office will ask for an MFA code, so I'm sure it works.
But when the same admin starts an Azure PowerShell connection to https://outlook.office365.com/powershell-liveid/ it fails. When using an admin account without MFA it works fine....
I can't seem to find out what the difference is, can anyone tell me?
My goal is to enable MFA for all global admins, but of course they will need to be able to connect to office 365 via powershell....
Oct 20 2016 05:06 AM
Oct 20 2016 05:22 AM
Oct 20 2016 05:40 AM
Yup, not supported. We should have an ADAL-enabled PowerShell module for Exchange Online soon(ish), then you will finally be able to use MFA for all admin accounts (that require access to ExO PowerShell).
Oct 20 2016 06:09 AM
FYI, If you use the PnP PowerShell module for SPO tasks, you can use MFA. You need to specify the -UseWebLogin param in the Connect-SPOnline
Oct 20 2016 10:03 AM
I just sat in a meeting hosted by MS and the PM stated that they are working hard on making all of the modules MFA capable. He mentioned that the EXO module with MFA was in Preview.
@Brandon Koeller may be able to provide some more details
Oct 20 2016 10:54 AM
Still private preview AFAIK, but at least we know it's coming!
Oct 21 2016 12:59 AM
Oct 21 2016 10:53 AM
I am glad you re-opened this discussion. MS Secure Score's (https://securescore.office.com/) recommendation is MFA and we cannot use it for admins due to the PowerShell issue. I am glad to hear this will be fixed and that there are workarounds for Exchange and SharePoint.
Oct 24 2016 10:56 AM
Solution
Hey Everyone,
Thanks for your continued engagement. The MFA Powershell team says I can share the link with y'all: http://aka.ms/exopspreview
Do let us know if you have feedback.
Thanks!
Brandon Koeller
Nov 11 2016 08:28 AM
Hi, I got a problem installing this app. When I double-click on it, it tells me this:
PLATFORM VERSION INFO
Windows : 10.0.14393.0 (Win32NT)
Common Language Runtime : 4.0.30319.42000
System.Deployment.dll : 4.6.1586.0 built by: NETFXREL2
clr.dll : 4.6.1586.0 built by: NETFXREL2
dfdll.dll : 4.6.1586.0 built by: NETFXREL2
dfshim.dll : 10.0.14393.0 (rs1_release.160715-1616)
SOURCES
Deployment url : file:///C:/Users/j.cizek/Downloads/Microsoft.Online.CSE.PSModule.Client.application
IDENTITIES
Deployment Identity : Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.1509.0, Culture=neutral, PublicKeyToken=c3bce3770c238a49, processorArchitecture=msil
APPLICATION SUMMARY
* Installable application.
* Trust url parameter is set.
ERROR SUMMARY
Below is a summary of the errors, details of these errors are listed later in the log.
* Activation of C:\Users\j.cizek\Downloads\Microsoft.Online.CSE.PSModule.Client.application resulted in exception. Following failure messages were detected:
+ Deployment and application do not have matching security zones.
COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.
WARNINGS
There were no warnings during this operation.
OPERATION PROGRESS STATUS
* [11.11.2016 17:27:14] : Activation of C:\Users\j.cizek\Downloads\Microsoft.Online.CSE.PSModule.Client.application has started.
* [11.11.2016 17:27:14] : Processing of deployment manifest has successfully completed.
* [11.11.2016 17:27:14] : Installation of the application has started.
ERROR DETAILS
Following errors were detected during this operation.
* [11.11.2016 17:27:14] System.Deployment.Application.InvalidDeploymentException (Zone)
- Deployment and application do not have matching security zones.
- Source: System.Deployment
- Stack trace:
at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
COMPONENT STORE TRANSACTION DETAILS
No transaction information is available.
Do you know how to solve this?
Nov 14 2016 11:17 PM
@Jan Čížek: Not sure about the error, it worked fine for me when I installed it from the link. Did you add the required sites from Microsoft O365 in your IE security zones? Could it be that you are missing the following sites in IE (Security -> Trusted sites):
https://*.outlook.com
https://*.microsoftonline.com
https://*.lync.com
https://*.sharepoint.com
Since the error you got is regarding a trust, I suppose that it may involve this setting or another trust setting in IE.
Nov 17 2016 02:24 AM
Hi, how do you set bulk users to disabled status from enabled? I am using the below script:
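# Requires the MSOnline module and an active Connect-MsolService session.
# The CSV is expected to have a "Username" column holding each user's UPN.
$users = Import-Csv 'C:\support\BulkUpdateMFASampleFile.csv'
foreach ($user in $users)
{
    # Build the MFA requirement object for this user
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Disabled"
    $sta = @($st)
    # Apply the requirement to the account
    Set-MsolUser -UserPrincipalName $user.Username -StrongAuthenticationRequirements $sta
}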
Nov 18 2016 06:22 AM
Had the same until I downloaded it with IE... weird
Jan 05 2017 03:15 PM
Hi Jesper,
Not sure if this is still an issue for you, but we've been able to get this working for our admins (note that for this to work the admin account needs to be cloud only; federated accounts will not work).
You've already done the IP whitelisting, which is good. The missing piece (for us) was to delete the default app password that gets created when you enable MFA on the admin account.
Follow the below steps to delete the default app password:
Try connecting to Office 365 services via Powershell.
Mar 07 2017 01:51 AM
Don't know if I am the only one that missed this, but Microsoft released an Exchange Online PowerShell that supports MFA.