SOLVED

Connect to Office365 via Powershell as a Delegate Access Partner with MFA enabled


Hi,

We have identities in our Partner Center Azure AD which have e.g. global admin rights for the customer tenants. In the Partner Center Azure AD we've enabled MFA for these accounts.

I can use the admin portal as expected with this constellation when using the URL:

https://portal.office.com/Partner/BeginClientSession.aspx?CTID=TENANDGUID&CSDEST=o365admincenter

 

When MFA is not enabled, it also works fine with the PSSession function (see https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-exchange-online-tenants-...):

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name> -Credential $UserCredential -Authentication Basic -AllowRedirection

 

But when I'm trying to connect via Connect-EXOPSSession in a similar way:

    connect-exopsession -connectionuri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name>

the authentication prompt comes up and authenticates me successfully, but after that I'm getting an HTML error response in PowerShell like this:

[Screenshot: 2018-03-01 13_18_27.png]

Any thoughts on what I'm doing wrong or why it doesn't work?

 

Thank you

Jakob

9 Replies
Highlighted

Note that for the cmdlet Connect-EXOPSSession the ConnectionUri parameter is different from that of New-PSSession (Office 365 DE has a different ConnectionUri, while other Office 365 tenant locations don't have any). Check the following guide for installing the remote EXO PowerShell module with MFA enabled, and samples on how to connect:

https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

Highlighted

Hi Pablo,

Thank you for your reply. I thought the cmdlets use the same targets in general.

But the original question is how to connect to Office 365 / Exchange Online via PS with MFA as a delegate access partner.

 

Jakob

Highlighted

I couldn't find any documentation on connecting to EXO as a delegate with MFA. I don't even know if it's possible. This is what I would try:

1. Follow the instructions in the URL to install the EXO MFA module, open it and run Connect-EXOPSSession as per the documentation. Once connected, run your $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name> -Credential $UserCredential -Authentication Basic -AllowRedirection

Highlighted
Solution

We've brought this issue up several times already, but afaik it's still not supported. On the other hand, the "sister" SCC MFA module does support delegate access via the corresponding parameter:

    Connect-IPPSSession -DelegatedOrganization

It's just another example of how the different teams at Microsoft fail to talk to each other...

Highlighted

Hi Vasil,

 

Thank you again... I've missed the -delegatedorganization switch for the connect-ippssession command.

So... unfortunately we can't support (except Security & Compliance) our customers via PS with MFA in this constellation. That's odd...

 

...back to the drawing board

 

Highlighted

Looking at the code, all the -DelegatedOrganization parameter does is to modify the ConnectionURI string:

 

    if (![string]::IsNullOrWhiteSpace($DelegatedOrganization))
    {
        [UriBuilder] $uriBuilder = New-Object -TypeName UriBuilder -ArgumentList $ConnectionUri;
        [string] $queryToAppend = "DelegatedOrg={0}" -f $DelegatedOrganization;
        if ($uriBuilder.Query -ne $null -and $uriBuilder.Query.Length -gt 0)
        {
            [string] $existingQuery = $uriBuilder.Query.Substring(1);
            $uriBuilder.Query = $existingQuery + "&" + $queryToAppend;
        }
        else
        {
            $uriBuilder.Query = $queryToAppend;
        }

        $newUri = $uriBuilder.ToString();
    }
    else
    {
       $newUri = $ConnectionUri;
    }

As it still uses the same cmdlet as the ExO part, you should be able to use the exact same method. Whether this is supported server-side however I cannot tell, as I don't have any delegate account to use currently :)

 

Highlighted

Hi Vasil,

nice find - so:

    connect-exopsession -connectionuri -DelegatedOrganization <customer tenant domain name>

is the same as:

    connect-exopsession -connectionuri https://ps.outlook.com/powershell-liveid?DelegatedOrg=<customer tenant domain name>

Unfortunately it results in the same error....

Highlighted

Yeah, the issue is probably the lack of support for this server-side. Hopefully the UserVoice item will get some traction and the team will address this...