Running commands on all Tenants in Partner org

New Contributor

Since Microsoft has taken away partners abilities to use conditional access with MFA I have been unable to run my scripts for all customers.

 

My main question, is there now a updated connect-msolservice that works with Modern auth? Below is an example of a script I would use. I know graph can be used, but I do not have the ability to learn it at the moment.

 

 

 

 

$credential = Get-Credential
Connect-MsolService -Credential $credential
 
$customers = Get-MsolPartnerContract -All
 
foreach ($customer in $customers) {
 
    Write-Host "Enabling Audit Log on $($customer.name)" -ForegroundColor Yellow
    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial}
    $DelegatedOrgURL = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    $EXODS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    Import-PSSession $EXODS -CommandName Get-Mailbox, Set-Mailbox
     
    Write-Host "Enabling Audit log on all mailboxes" -ForegroundColor DarkYellow
    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation -AuditDelegate Update, SoftDelete, HardDelete, SendAs, Create, UpdateFolderPermissions, MoveToDeletedItems, SendOnBehalf, UpdateInboxRules -AuditOwner UpdateFolderPermissions, MailboxLogin, Create, SoftDelete, HardDelete, Update, MoveToDeletedItems, UpdateInboxRules, UpdateCalendarDelegation 
    $confirmPlans = Get-Mailbox -Filter {AuditLogAgeLimit -eq "180"}
    if (!$confirmPlans) {
        Write-Host "Audit settings updated for all users" -ForegroundColor Green
    }
    else {
        Write-Host "Audit settings not updated for all Mailboxes" -ForegroundColor Red
    }
        
    Remove-PSSession $EXODS
}

 

 

2 Replies

The MSOnline module supports MFA just fine, but when you use the -Credentials variable it defaults to basic auth. If you have CA/MFA enforced, the connection attempt will fail and the module will failover to presenting the ADAL prompt. You should be able to go around this by whitelisting your IP(s).

@Vasil Michev  Unfortunately a few months ago Microsoft made it where partners can no longer use conditional access to whitelist their internal IP address from prompting MFA. So now I am left with no options to manage all of my customers at once.