Running commands on all Tenants in Partner org


Since Microsoft has taken away partners' abilities to use conditional access with MFA, I have been unable to run my scripts for all customers.


My main question: is there now an updated Connect-MsolService that works with Modern auth? Below is an example of a script I would use. I know Graph can be used, but I do not have the ability to learn it at the moment.





$credential = Get-Credential
Connect-MsolService -Credential $credential
$customers = Get-MsolPartnerContract -All
foreach ($customer in $customers) {
    Write-Host "Enabling Audit Log on $($" -ForegroundColor Yellow
    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial}
    $DelegatedOrgURL = "" + $InitialDomain.Name
    $EXODS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    Import-PSSession $EXODS -CommandName Get-Mailbox, Set-Mailbox
    Write-Host "Enabling Audit log on all mailboxes" -ForegroundColor DarkYellow
    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation -AuditDelegate Update, SoftDelete, HardDelete, SendAs, Create, UpdateFolderPermissions, MoveToDeletedItems, SendOnBehalf, UpdateInboxRules -AuditOwner UpdateFolderPermissions, MailboxLogin, Create, SoftDelete, HardDelete, Update, MoveToDeletedItems, UpdateInboxRules, UpdateCalendarDelegation 
    $confirmPlans = Get-Mailbox -Filter {AuditLogAgeLimit -eq "180"}
    if (!$confirmPlans) {
        Write-Host "Audit settings updated for all users" -ForegroundColor Green
    }
    else {
        Write-Host "Audit settings not updated for all Mailboxes" -ForegroundColor Red
    }
    Remove-PSSession $EXODS
}



2 Replies

The MSOnline module supports MFA just fine, but when you use the -Credentials variable it defaults to basic auth. If you have CA/MFA enforced, the connection attempt will fail and the module will fail over to presenting the ADAL prompt. You should be able to go around this by whitelisting your IP(s).

@Vasil Michev  Unfortunately a few months ago Microsoft made it where partners can no longer use conditional access to whitelist their internal IP address from prompting MFA. So now I am left with no options to manage all of my customers at once.
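
An interactive-sign-in variant of the loop from the question, added here as an example and not posted by anyone in the thread. It assumes the MSOnline and ExchangeOnlineManagement modules are installed and that the partner account holds delegated admin rights in each customer tenant; the UPN is a placeholder.

```powershell
# Added example, not code from the thread. Assumes the MSOnline and
# ExchangeOnlineManagement modules are installed and the partner account
# has delegated admin rights in every customer tenant.
Import-Module MSOnline
Import-Module ExchangeOnlineManagement

# No -Credential here: the module shows the interactive sign-in prompt,
# so the MFA challenge can be completed instead of failing on basic auth.
Connect-MsolService

$adminUpn     = 'admin@partner.example'   # placeholder partner admin UPN
$mailboxTypes = 'UserMailbox', 'SharedMailbox', 'RoomMailbox', 'DiscoveryMailbox'

foreach ($customer in Get-MsolPartnerContract -All) {
    $initialDomain = Get-MsolDomain -TenantId $customer.TenantId |
        Where-Object { $_.IsInitial }
    Write-Host "Enabling audit log for $($initialDomain.Name)" -ForegroundColor Yellow

    try {
        # Modern-auth session scoped to the customer tenant; replaces the
        # New-PSSession call that used -Authentication Basic.
        Connect-ExchangeOnline -UserPrincipalName $adminUpn `
            -DelegatedOrganization $initialDomain.Name `
            -ShowBanner:$false -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping $($initialDomain.Name): $($_.Exception.Message)"
        continue
    }

    try {
        # The -AuditAdmin, -AuditDelegate and -AuditOwner lists from the
        # original script can be appended to Set-Mailbox unchanged.
        Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $mailboxTypes |
            Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

        # Verify by listing mailboxes that still have auditing disabled.
        $notAudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $mailboxTypes |
            Where-Object { -not $_.AuditEnabled })
        if ($notAudited.Count -eq 0) {
            Write-Host "Audit enabled on all mailboxes" -ForegroundColor Green
        }
        else {
            Write-Host "$($notAudited.Count) mailboxes still not audited" -ForegroundColor Red
        }
    }
    finally {
        # Drop the tenant session before moving to the next customer.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
```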