Forum Discussion
MFA and Powershell
Hi.
I am testing MFA on some admin users. I have given the MFA admins an EMS license so whitelisting of IPs is supported.
So I have whitelisted our office IP, and when my admin goes to https://outlook.office365.com, MFA is not active. Doing so outside the office will ask for an MFA code, so I'm sure it works.
But when the same admin starts an Azure PowerShell connection to https://outlook.office365.com/powershell-liveid/ it fails. When using an admin account without MFA it works fine....
I can't seem to find out what the difference is, can anyone tell me?
My goal is to enable MFA for all global admins, but of course they will need to be able to connect to Office 365 via PowerShell....
Hey Everyone,
Thanks for your continued engagement. The MFA Powershell team says I can share the link with y'all: http://aka.ms/exopspreview
Do let us know if you have feedback.
Thanks!
Brandon Koeller
- Andrew Hackett (Copper Contributor)
Hi Jesper,
Not sure if this is still an issue for you, but we've been able to get this working for our Admins (note that for this to work the admin account needs to be cloud only, federated accounts will not work).
You've already done the IP whitelisting, which is good; the missing piece (for us) was to delete the default app password that gets created when you enable MFA on the admin account.
Follow the below steps to delete the default app password:
- Enable MFA on your cloud admin account
- Go to this link: https://portal.office.com/account/#security
- Click on Additional Security Verification
- Click on Update my phone numbers used for account security
- Click on the app passwords tab
- Delete the default app password that was created
Try connecting to Office 365 services via Powershell.
- Jesper Stein (Brass Contributor)
Don't know if I am the only one that missed this, but Microsoft released an Exchange Online PowerShell that supports MFA.
- Antony Taylor (Steel Contributor)
I am also interested in this response.
Currently, Jesper, my understanding is that PowerShell administration with MFA turned on is not supported. Or at least wasn't supported. Something may have changed!
- Dean_Gross (Silver Contributor)
FYI, If you use the PnP PowerShell module for SPO tasks, you can use MFA. You need to specify the -UseWebLogin param in the Connect-SPOnline
- Antony Taylor (Steel Contributor)
Fantastic info, thanks Dean!
- Jesper Stein (Brass Contributor)
Found a thread that indicates that it is not possible to administrate EXO with PowerShell when the admin is MFA enabled: https://techcommunity.microsoft.com/t5/Identity-Authentication/Authenticating-to-O365-using-Powershell-and-MFA/m-p/3954#M14
Yup, not supported. We should have an ADAL-enabled PowerShell module for Exchange Online soon(ish), then you will finally be able to use MFA for all admin accounts (that require access to ExO PowerShell).
- Dean_Gross (Silver Contributor)
I just sat in a meeting hosted by MS and the PM stated that they are working hard on making all of the modules MFA capable. He mentioned that the EXO module with MFA was in Preview.
Brandon Koeller may be able to provide some more details
- ChristineStack (Steel Contributor)
I am glad you re-opened this discussion. MS security score's https://securescore.office.com/ recommendation is MFA and we cannot use it for admins due to the PowerShell issue. I am glad to hear this will be fixed and that there are workarounds for Exchange and SharePoint.