Home

PowersHell and Basic authentication

%3CLINGO-SUB%20id%3D%22lingo-sub-301382%22%20slang%3D%22en-US%22%3EPowersHell%20and%20Basic%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301382%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3EI%20have%20been%20trying%20to%20get%20the%20PowersHell%20connections%20to%20work%20to%20Office%20365%20and%20current%20results%20are%3A%3C%2FP%3E%3CP%3E(AD)%20Connect-AzureAD%3A%20%3CSTRONG%3E%3CFONT%20color%3D%22green%22%3EWorking%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E(Exchange)%20Connect-EXOPSSession%3A%20%3CSTRONG%3E%3CFONT%20color%3D%22red%22%3ENot%20working%3C%2FFONT%3E%3C%2FSTRONG%3E%20(%3CEM%3EBasic%20authentication%20is%20currently%20disabled...%3C%2FEM%3E)%3C%2FP%3E%3CP%3E(Skype)%20New-csOnlineConnection%3A%20%3CSTRONG%3E%3CFONT%20color%3D%22red%22%3ENot%20working%3C%2FFONT%3E%3C%2FSTRONG%3E%20(%3CEM%3EBasic%20authentication%20is%20currently%20disabled...%3C%2FEM%3E)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestion%20to%20you%20who%20might%20know%20this%20better%3A%20why%20AzureAD%20is%20working%20while%20others%20doesn't%3F%20Has%20AzureAD%20team%20done%20some%20fixes%20to%20their%20connection%20and%20Exchange%2FSkype%20team%20has%20not%3F%20Both%20of%20them%20are%20asking%20the%20MFA%20credentials%2C%20but%20when%20I%20have%20appoved%20the%20authentication%20request%20on%20my%20phone%20the%20error%20appears.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20connections%20are%20coming%20through%20the%20proxy%20and%20the%20MFA%20is%20enabled%20on%20the%20tenant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-301382%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%20App%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESkype%20for%20Business%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301647%22%20slang%3D%22en-US%22%3ERe%3A%20PowersHell%20and%20Basic%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301647%22%20slang%3D%22en-US%22%3E%3CP%3EBecause%20Exchange%20and%20SfBO%20use%20%22hacks%22%20to%20connect.%20They%20are%20basically%20fetching%20the%20token%20via%20the%20ADAL%20controls%2C%20but%20still%20passing%20it%20using%20Basic%20authentication.%20I%20have%20some%20examples%20on%20how%20you%20can%20do%20this%20on%20my%20blog%3A%20%3CA%20href%3D%22https%3A%2F%2Fwww.michev.info%2FBlog%2FPost%2F1771%2Fhacking-your-way-around-modern-authentication-and-the-powershell-modules-for-office-365%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.michev.info%2FBlog%2FPost%2F1771%2Fhacking-your-way-around-modern-authentication-and-the-powershell-modules-for-office-365%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBottom%20line%20is%2C%20they%20do%20need%20Basic%20authentication%20enabled%20in%20WinRM%20settings.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-574911%22%20slang%3D%22en-US%22%3ERe%3A%20PowersHell%20and%20Basic%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-574911%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%22%3CSPAN%3EThey%20are%20basically%20fetching%20the%20token%20via%20the%20ADAL%20controls%2C%20but%20still%20passing%20it%20using%20Basic%20authentication.%22%20Is%20this%20based%20on%20your%20own%20investigation%20or%20do%20you%20have%20a%20document%20that%20spells%20this%20out%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-575548%22%20slang%3D%22en-US%22%3ERe%3A%20PowersHell%20and%20Basic%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-575548%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20need%20for%20a%20document%2C%20simply%20look%20at%20the%20way%20credentials%20are%20passed%20and%20the%20connection%20string.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%24Session%20%3D%20New-PSSession%20-ConfigurationName%20Microsoft.Exchange%20-ConnectionUri%20%3CA%20href%3D%22https%3A%2F%2Foutlook.office365.com%2FPowerShell-LiveId%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Foutlook.office365.com%2FPowerShell-LiveId%3C%2FA%3E%3F%3CU%3E%3CSTRONG%3EBasicAuthToOAuthConversion%3C%2FSTRONG%3E%3C%2FU%3E%3Dtrue%20-Credential%20%24Ctoken%20-Authentication%20Basic%20-AllowRedirection%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi there,

I have been trying to get the PowersHell connections to work to Office 365 and current results are:

(AD) Connect-AzureAD: Working

(Exchange) Connect-EXOPSSession: Not working (Basic authentication is currently disabled...)

(Skype) New-csOnlineConnection: Not working (Basic authentication is currently disabled...)

 

Question to you who might know this better: why AzureAD is working while others doesn't? Has AzureAD team done some fixes to their connection and Exchange/Skype team has not? Both of them are asking the MFA credentials, but when I have appoved the authentication request on my phone the error appears.

 

My connections are coming through the proxy and the MFA is enabled on the tenant.

3 Replies

Because Exchange and SfBO use "hacks" to connect. They are basically fetching the token via the ADAL controls, but still passing it using Basic authentication. I have some examples on how you can do this on my blog: https://www.michev.info/Blog/Post/1771/hacking-your-way-around-modern-authentication-and-the-powersh...

 

Bottom line is, they do need Basic authentication enabled in WinRM settings.

@Vasil Michev"They are basically fetching the token via the ADAL controls, but still passing it using Basic authentication." Is this based on your own investigation or do you have a document that spells this out?

No need for a document, simply look at the way credentials are passed and the connection string.

 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true -Credential $Ctoken -Authentication Basic -AllowRedirection