Jun 02 2020 07:51 AM - last edited on Feb 06 2023 03:57 AM by TechCommunityAP
Since Microsoft has taken away partners' abilities to use conditional access with MFA, I have been unable to run my scripts for all customers.
My main question: is there now an updated Connect-MsolService that works with modern auth? Below is an example of a script I would use. I know Graph can be used, but I do not have the ability to learn it at the moment.
# Partner admin credential, reused for every customer tenant
$credential = Get-Credential
Connect-MsolService -Credential $credential
$customers = Get-MsolPartnerContract -All
foreach ($customer in $customers) {
    Write-Host "Enabling Audit Log on $($customer.name)" -ForegroundColor Yellow
    # The tenant's initial (onmicrosoft.com) domain identifies the delegated organization
    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial}
    $DelegatedOrgURL = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    # Delegated Exchange Online session; this connects with Basic authentication
    $EXODS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    Import-PSSession $EXODS -CommandName Get-Mailbox, Set-Mailbox
    Write-Host "Enabling Audit log on all mailboxes" -ForegroundColor DarkYellow
    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} |
        Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 `
            -AuditAdmin Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation `
            -AuditDelegate Update, SoftDelete, HardDelete, SendAs, Create, UpdateFolderPermissions, MoveToDeletedItems, SendOnBehalf, UpdateInboxRules `
            -AuditOwner UpdateFolderPermissions, MailboxLogin, Create, SoftDelete, HardDelete, Update, MoveToDeletedItems, UpdateInboxRules, UpdateCalendarDelegation
    # Collect mailboxes that do NOT have the 180-day limit; an empty result means every mailbox was updated
    # (the original filter used -eq, which reported success when no mailbox had the setting)
    $confirmPlans = Get-Mailbox -Filter {AuditLogAgeLimit -ne "180"}
    if (!$confirmPlans) {
        Write-Host "Audit settings updated for all users" -ForegroundColor Green
    }
    else {
        Write-Host "Audit settings not updated for all Mailboxes" -ForegroundColor Red
    }
    Remove-PSSession $EXODS
}
Jun 02 2020 11:02 AM
The MSOnline module supports MFA just fine, but when you use the -Credentials variable it defaults to basic auth. If you have CA/MFA enforced, the connection attempt will fail and the module will fail over to presenting the ADAL prompt. You should be able to go around this by whitelisting your IP(s).
Jun 02 2020 01:10 PM
@Vasil Michev Unfortunately a few months ago Microsoft made it where partners can no longer use conditional access to whitelist their internal IP address from prompting MFA. So now I am left with no options to manage all of my customers at once.