Mar 01 2018 04:26 AM
Hi,
we have identities in our Partner Center Azure AD which have e.g. global admin rights for the customer tenants. In the Partner Center Azure AD we've enabled MFA for these accounts.
I can use the admin portal as expected with this constellation when using the URL:
https://portal.office.com/Partner/BeginClientSession.aspx?CTID=TENANDGUID&CSDEST=o365admincenter
When MFA is not enabled it also works fine with the PSSession function (see https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-exchange-online-tenants-...
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name> -Credential $UserCredential -Authentication Basic -AllowRedirection
But when I'm trying to connect via Connect-EXOPSSession in a similar way:
connect-exopsession -connectionuri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name>
the authentication prompt comes up and authenticates me successfully, but after that I'm getting an HTML error response in PowerShell like this:
Any thoughts on what I'm doing wrong or why it doesn't work?
Thank you
Jakob
Mar 01 2018 04:56 AM - edited Mar 01 2018 04:58 AM
Note that for cmdlet Connect-EXOPSSession the ConnectionUri parameter is different from that of New-PSSession (Office 365 DE has a different ConnectionUri, while other Office 365 tenant locations don't have any). Check the following guide for installing remote EXO powershell module with MFA enabled, and samples on how to connect:
https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx
Mar 01 2018 05:13 AM
Hi Pablo,
thank you for your reply. I thought the cmdlets use the same targets in general.
But the original question is how to connect to office 365 / Exchange Online via PS with MFA as a delegate access partner.
Jakob
Mar 01 2018 05:25 AM
I couldn't find any documentation on connecting to EXO as a delegate with MFA. I don't even know if it's possible. This is what I would try:
1. Follow the instructions in the URL to install the EXO MFA module, open it and run Connect-EXOPSSession as per the documentation. After connecting, run your $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name> -Credential $UserCredential -Authentication Basic -AllowRedirection
Mar 01 2018 05:52 AM
We've brought this issue several times already, but afaik it's still not supported. On the other hand, the "sister" SCC MFA module does support delegate access via the corresponding parameter:
Connect-IPPSSession -DelegatedOrganization
It's just another example on how the different teams at Microsoft fail to talk to each other...
Mar 01 2018 06:02 AM
Hi Vasil,
thank you again... I've missed the -DelegatedOrganization switch for the Connect-IPPSSession command.
So... unfortunately we can't support (except Security & Compliance) our customers via PS with MFA in this constellation. That's odd...
...back to the drawing board
Mar 01 2018 06:22 AM
So... please vote for: https://office365.uservoice.com/forums/264636-general/suggestions/33233917-powershell-mfa-for-csp-de...
:)
Mar 02 2018 06:31 AM
Looking at the code, all the -DelegatedOrganization parameter does is to modify the ConnectionURI string:
if (![string]::IsNullOrWhiteSpace($DelegatedOrganization)) {
    [UriBuilder] $uriBuilder = New-Object -TypeName UriBuilder -ArgumentList $ConnectionUri;
    [string] $queryToAppend = "DelegatedOrg={0}" -f $DelegatedOrganization;
    if ($uriBuilder.Query -ne $null -and $uriBuilder.Query.Length -gt 0) {
        [string] $existingQuery = $uriBuilder.Query.Substring(1);
        $uriBuilder.Query = $existingQuery + "&" + $queryToAppend;
    } else {
        $uriBuilder.Query = $queryToAppend;
    }
    $newUri = $uriBuilder.ToString();
} else {
    $newUri = $ConnectionUri;
}
As it still uses the same cmdlet as the ExO part, you should be able to use the exact same method. Whether this is supported server-side however I cannot tell, as I don't have any delegate account to use currently :)
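To make the equivalence concrete, here is an added example (not code from the thread, from the EXO module or from Microsoft) that reproduces the ConnectionUri rewrite quoted above as a stand-alone function and compares the -DelegatedOrganization form against the hand-typed ?DelegatedOrg= form, including the branch for a URI that already carries a query string. The function names, the tenant domain contoso.onmicrosoft.com and the sample query are constructed placeholders.

```powershell
# Added example: reproduces the -DelegatedOrganization URI rewrite as a stand-alone
# function so the two connection forms discussed in the thread can be compared.
# Function names and 'contoso.onmicrosoft.com' are constructed placeholders.
function Get-DelegatedConnectionUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ConnectionUri,
        [string] $DelegatedOrganization
    )

    # No delegated tenant requested: the URI passes through untouched.
    if ([string]::IsNullOrWhiteSpace($DelegatedOrganization)) {
        return $ConnectionUri
    }

    $uriBuilder = New-Object -TypeName System.UriBuilder -ArgumentList $ConnectionUri

    # The quoted module snippet inserts the value verbatim; escaping it here keeps a
    # stray '&' or '#' in the input from adding extra query parameters to the request.
    $queryToAppend = 'DelegatedOrg={0}' -f [uri]::EscapeDataString($DelegatedOrganization)

    if (-not [string]::IsNullOrEmpty($uriBuilder.Query)) {
        # UriBuilder.Query includes the leading '?', which is dropped before appending.
        $existingQuery = $uriBuilder.Query.Substring(1)
        $uriBuilder.Query = $existingQuery + '&' + $queryToAppend
    }
    else {
        $uriBuilder.Query = $queryToAppend
    }

    # Uri.AbsoluteUri omits the default port; UriBuilder.ToString(), which the module
    # uses, renders the same URI with an explicit ':443'. Both reach the same endpoint.
    return $uriBuilder.Uri.AbsoluteUri
}

function Test-ExoConnectionUri {
    param([Parameter(Mandatory)] [string] $Uri)
    # Sanity check before handing credentials to New-PSSession or Connect-*: only the
    # Exchange Online hosts used in this thread, and only over HTTPS.
    $allowedHosts = @('ps.outlook.com', 'outlook.office365.com')
    $parsed = [uri] $Uri
    return ($parsed.Scheme -eq 'https') -and ($allowedHosts -contains $parsed.Host)
}

# Constructed sample inputs
$baseUri   = 'https://ps.outlook.com/powershell-liveid'
$tenant    = 'contoso.onmicrosoft.com'
$manualUri = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$tenant"

$builtUri = Get-DelegatedConnectionUri -ConnectionUri $baseUri -DelegatedOrganization $tenant
"Parameter form : $builtUri"
"Hand-typed form: $manualUri"
"Identical      : $($builtUri -eq $manualUri)"
"Endpoint OK    : $(Test-ExoConnectionUri -Uri $builtUri)"

# Existing-query branch: a URI that already has a query string gets '&DelegatedOrg=' appended.
Get-DelegatedConnectionUri -ConnectionUri "${baseUri}?Example=1" -DelegatedOrganization $tenant
```

Running this in Windows PowerShell 5.1 prints the two URIs as identical strings, which is why switching between the parameter and the hand-typed query does not change what the server receives: whatever decides the outcome is the server-side handling of DelegatedOrg for that session type, not the client-side string.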
Mar 05 2018 02:04 AM
Hi Vasil,
nice find - so:
Connect-EXOPSSession -DelegatedOrganization <customer tenant domain name>
is the same as:
connect-exopsession -connectionuri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name>
Unfortunately it results in the same error....
Mar 05 2018 09:19 PM
Yeah, the issue is probably the lack of support for this server-side. Hopefully the UserVoice item will get some traction and the team will address this...