Running commands on all Tenants in Partner org


Since Microsoft has taken away partners' ability to use conditional access with MFA, I have been unable to run my scripts for all customers.

My main question: is there now an updated Connect-MsolService that works with Modern auth? Below is an example of a script I would use. I know Graph can be used, but I do not have the ability to learn it at the moment.

$credential = Get-Credential
Connect-MsolService -Credential $credential

# Every customer tenant the partner account has a contract with
$customers = Get-MsolPartnerContract -All

# Mailbox types to audit, and the audit settings applied to each of them
$mailboxFilter = 'RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"'
$auditSettings = @{
    AuditEnabled     = $true
    AuditLogAgeLimit = 180
    AuditAdmin       = 'Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf', 'Create', 'UpdateFolderPermissions', 'UpdateInboxRules', 'UpdateCalendarDelegation'
    AuditDelegate    = 'Update', 'SoftDelete', 'HardDelete', 'SendAs', 'Create', 'UpdateFolderPermissions', 'MoveToDeletedItems', 'SendOnBehalf', 'UpdateInboxRules'
    AuditOwner       = 'UpdateFolderPermissions', 'MailboxLogin', 'Create', 'SoftDelete', 'HardDelete', 'Update', 'MoveToDeletedItems', 'UpdateInboxRules', 'UpdateCalendarDelegation'
}

foreach ($customer in $customers) {

    Write-Host "Enabling Audit Log on $($customer.name)" -ForegroundColor Yellow
    # The tenant's initial domain selects it in the delegated Exchange Online URL
    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial}
    $DelegatedOrgURL = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    # Delegated remote session that reuses the same credential with Basic authentication
    $EXODS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    Import-PSSession $EXODS -CommandName Get-Mailbox, Set-Mailbox

    Write-Host "Enabling Audit log on all mailboxes" -ForegroundColor DarkYellow
    Get-Mailbox -ResultSize Unlimited -Filter $mailboxFilter | Set-Mailbox @auditSettings

    # Re-read the same mailboxes: any that still report auditing as disabled were not updated
    # (the original test was inverted and printed success when no mailbox had the 180-day limit)
    $notAudited = Get-Mailbox -ResultSize Unlimited -Filter $mailboxFilter | Where-Object { -not $_.AuditEnabled }
    if (!$notAudited) {
        Write-Host "Audit settings updated for all users" -ForegroundColor Green
    }
    else {
        Write-Host "Audit settings not updated for all Mailboxes" -ForegroundColor Red
    }

    Remove-PSSession $EXODS
}

2 Replies

The MSOnline module supports MFA just fine, but when you use the -Credentials variable it defaults to basic auth. If you have CA/MFA enforced, the connection attempt will fail and the module will fail over to presenting the ADAL prompt. You should be able to go around this by whitelisting your IP(s).


@Vasil Michev Unfortunately, a few months ago Microsoft made it where partners can no longer use conditional access to whitelist their internal IP address from prompting MFA. So now I am left with no options to manage all of my customers at once.
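
The first reply's point about the ADAL prompt, applied to the audit loop from the question, as an added example that is not part of the thread or written by either poster. It assumes the ExchangeOnlineManagement module (not mentioned in the thread) is installed and uses its -DelegatedOrganization parameter instead of a Basic-authentication PSSession; the admin UPN is a placeholder.

```powershell
# Added example. Assumptions: MSOnline and ExchangeOnlineManagement are installed,
# and the account below (placeholder) holds delegated admin rights on the customer tenants.
$adminUpn = 'admin@partner.example'

# No -Credential parameter, so the module shows the interactive sign-in that can satisfy MFA.
Connect-MsolService

$mailboxFilter = "RecipientTypeDetails -eq 'UserMailbox' -or RecipientTypeDetails -eq 'SharedMailbox' -or " +
                 "RecipientTypeDetails -eq 'RoomMailbox' -or RecipientTypeDetails -eq 'DiscoveryMailbox'"

$report = foreach ($customer in Get-MsolPartnerContract -All) {
    $initialDomain = (Get-MsolDomain -TenantId $customer.TenantId | Where-Object { $_.IsInitial }).Name
    $row = [pscustomobject]@{
        Tenant     = $customer.Name
        Domain     = $initialDomain
        Mailboxes  = 0
        NotAudited = 0
        Error      = $null
    }
    try {
        # Modern-auth connection scoped to one customer tenant.
        Connect-ExchangeOnline -UserPrincipalName $adminUpn -DelegatedOrganization $initialDomain `
            -ShowBanner:$false -ErrorAction Stop | Out-Null

        $mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter $mailboxFilter -ErrorAction Stop)
        $row.Mailboxes = $mailboxes.Count

        # Only touch mailboxes that are not audited yet.
        $mailboxes | Where-Object { -not $_.AuditEnabled } |
            Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

        # Verify by re-reading instead of trusting the write.
        $row.NotAudited = @(Get-Mailbox -ResultSize Unlimited -Filter $mailboxFilter |
            Where-Object { -not $_.AuditEnabled }).Count
    }
    catch {
        # One tenant failing (no delegation, sign-in blocked) must not stop the run.
        $row.Error = $_.Exception.Message
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    }
    $row
}

$report | Format-Table -AutoSize
```

Rows with a non-empty Error or a non-zero NotAudited are the tenants to revisit by hand.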