Connect to Office365 via Powershell as a Delegate Access Partner with MFA enabled
- Mar 01, 2018
We've brought up this issue several times already, but afaik it's still not supported. On the other hand, the "sister" SCC MFA module does support delegate access via the corresponding parameter:
Connect-IPPSSession -DelegatedOrganization
It's just another example of how the different teams at Microsoft fail to talk to each other...
Hi Vasil,
Thank you again... I've missed the -DelegatedOrganization switch for the Connect-IPPSSession command.
So... unfortunately we can't support (except Security & Compliance) our customers via PS with MFA in this constellation. That's odd...
...back to the drawing board
So... please vote for: https://office365.uservoice.com/forums/264636-general/suggestions/33233917-powershell-mfa-for-csp-delegated-admin-privileges
:)
- VasilMichev (MVP), Mar 02, 2018
Looking at the code, all the -DelegatedOrganization parameter does is to modify the ConnectionURI string:

    if (![string]::IsNullOrWhiteSpace($DelegatedOrganization)) {
        [UriBuilder] $uriBuilder = New-Object -TypeName UriBuilder -ArgumentList $ConnectionUri;
        [string] $queryToAppend = "DelegatedOrg={0}" -f $DelegatedOrganization;
        if ($uriBuilder.Query -ne $null -and $uriBuilder.Query.Length -gt 0) {
            [string] $existingQuery = $uriBuilder.Query.Substring(1);
            $uriBuilder.Query = $existingQuery + "&" + $queryToAppend;
        }
        else {
            $uriBuilder.Query = $queryToAppend;
        }
        $newUri = $uriBuilder.ToString();
    }
    else {
        $newUri = $ConnectionUri;
    }

As it still uses the same cmdlet as the ExO part, you should be able to use the exact same method. Whether this is supported server-side however I cannot tell, as I don't have any delegate account to use currently :)
- Anonymous, Mar 05, 2018
Hi Vasil,
nice find - so:
connect-exopsession -connectionuri -DelegatedOrganization https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name>
is the same as:
connect-exopsession -connectionuri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name>
Unfortunately it results in the same error....
- VasilMichev (MVP), Mar 06, 2018
Yeah, the issue is probably the lack of support for this server-side. Hopefully the UserVoice item will get some traction and the team will address this...