SOLVED

Can I Connect to O365 Security & Compliance center via powershell with MFA on?


I currently use the below script to connect to the S&C Center. This does not work with MFA.

I was wondering if there is an Updated Module that I could use that supports modern authentication?

 

$Credential = get-credential -Credential username.com

 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $Credential -Authentication Basic -AllowRedirection

 

Import-PSSession $Session -AllowClobber -DisableNameChecking

 

42 Replies

MFA seems to be working for other items, but when I try Security and Compliance, I'm getting a 500 error back from the server. See below.

 

PS C:\Users\Jeff> Connect-IPPSSession
WARNING: Your connection has been redirected to the following URI:
"https://nam02b.ps.compliance.protection.outlook.com/PowerShell-LiveId?BasicAuthToOAuthConversion=tru... "
New-ExoPSSession : Connecting to remote server nam02b.ps.compliance.protection.outlook.com failed with the following error message : <!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>500 - Internal server error.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>500 - Internal server error.</h2>
<h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
</fieldset></div>
</div>
</body>
</html>
For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Users\Jeff\AppData\Local\Apps\2.0\ER689GCY.C50\E15M7H1X.VJ5\micr..tion_d8f8f667ee342b5c_0010.0000_46e6ccd01daac800\CreateExoPSSession.ps1:183 char:22
+ ... PSSession = New-ExoPSSession -UserPrincipalName $UserPrincipalName -C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [New-ExoPSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException,Microsoft.Exchange.Management.ExoPowershellSnapin.NewExoP
SSession

Yup, I get the same today. Let me ping some folks...

Well it took some time, but it seems to be working fine now.

I'm able to connect to Exchange Online by the below method, but not to the Security & Compliance Center.

That method does not seem to work for connecting to the SCC.

The one Tony posted but using the SCC cmdlet instead of the EXO cmdlet.

You simply need to provide the SCC endpoint:

 

$session = New-ExoPSSession -ConnectionUri https://ps.compliance.protection.outlook.com/PowerShell-LiveId

Thanks folks for this thread, I was able to connect with Connect-IPPSSession for an MFA-enabled account. I want to know if there is a way I can check whether a session to the compliance center already exists. This way I can avoid authenticating multiple times.

Thanks

This module gets better and better.

@Rahul Srivastav that depends on the method you used to connect. If it's the built-in method from the module, it will clear *any* existing sessions upon connect, including ExO/SCC ones, so there is no need to check. If you use a custom method, simply check via Get-PSSession; the SCC one has "compliance" in the ConnectionUri.
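
The session check described in the reply above, as an added example that is not part of the original thread. The function names are hypothetical, the filter matches on the session's remote host name (which carries the "compliance" part of the endpoint), and the sample session objects are constructed so the filter can be tried without connecting:

```powershell
# Added example (not from the thread). Function names are hypothetical.

# Pure filter: keeps only sessions that point at the Security & Compliance
# endpoint and are still usable. Works on real PSSession objects and on the
# constructed sample objects below.
function Select-OpenComplianceSession {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Session
    )
    process {
        foreach ($s in $Session) {
            $isExchangeEndpoint = $s.ConfigurationName -eq 'Microsoft.Exchange'
            $isComplianceHost   = $s.ComputerName -like '*compliance*'
            # A session can still be listed after it has broken or timed out.
            $isUsable = ("$($s.State)" -eq 'Opened') -and
                        ("$($s.Availability)" -eq 'Available')
            if ($isExchangeEndpoint -and $isComplianceHost -and $isUsable) { $s }
        }
    }
}

# Reuse an open compliance session if there is one; otherwise authenticate once.
function Get-OrConnectComplianceSession {
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

    $existing = Get-PSSession | Select-OpenComplianceSession | Select-Object -First 1
    if ($existing) { return $existing }

    # Connect-IPPSSession comes from the MFA-enabled module discussed in the thread.
    Connect-IPPSSession -UserPrincipalName $UserPrincipalName | Out-Null
    Get-PSSession | Select-OpenComplianceSession | Select-Object -First 1
}

# Constructed sample data: one Exchange Online session, one broken compliance
# session, one healthy compliance session. Only Id 3 should pass the filter.
$sample = @(
    [pscustomobject]@{ Id = 1; ComputerName = 'outlook.office365.com'
        ConfigurationName = 'Microsoft.Exchange'; State = 'Opened'; Availability = 'Available' }
    [pscustomobject]@{ Id = 2; ComputerName = 'nam02b.ps.compliance.protection.outlook.com'
        ConfigurationName = 'Microsoft.Exchange'; State = 'Broken'; Availability = 'None' }
    [pscustomobject]@{ Id = 3; ComputerName = 'nam02b.ps.compliance.protection.outlook.com'
        ConfigurationName = 'Microsoft.Exchange'; State = 'Opened'; Availability = 'Available' }
)
$sample | Select-OpenComplianceSession | Select-Object Id, ComputerName, State
```

Filtering on session state as well as host name avoids reusing a stale session that would otherwise trigger another authentication prompt on the first cmdlet call.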

@Vasil Michev : Thanks for the explanation, I wasn't aware of this fact that it closes the earlier connected session.

Even I am getting this error, it worked fine last week and now it doesn't, almost like 2 days.

Connecting to remote server aus01b.ps.compliance.protection.outlook.com failed with the following error message : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>500 - Internal server error.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>500 - Internal server error.</h2>
<h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
</fieldset></div>
</div>
</body>
</html>

 

Any idea?

I'm also running into the same issue; it was fine a few days ago and now I get the same error. Did you manage to fix this?

@Andrew Hammond  No, I am still struggling, I have raised the issue with MS, will keep you posted if I find any solution.  

Works fine here folks. If you are still having issues, make sure to open a support case.

 

I am having a problem where I am connecting to Exchange Online, Compliance Center, Exchange On-Premises, and Active Directory PowerShell modules to run commands from each. But the Exchange On-Premises commands are clobbering the Exchange Online commands even though I add a prefix for Exchange On-Premises. I connect to the Online modules with the following commands:

Connect-EXOPSSession -UserPrincipalName <UPN>
Connect-IPPSSession -UserPrincipalName <UPN>

 

For Exchange On-Premises I use:

$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnUri -Authentication Kerberos
$importresults = Import-PSSession $s -AllowClobber -Prefix EXOP

 

I can then use the Get-EXOPRecipient command (for Exchange On-Premises) but then I lose the Get-Mailbox (for Exchange Online).  If I reconnect the Exchange Online and Compliance sessions, I get the reverse where I can run Get-Mailbox but lose Get-EXOPRecipient.

 

Does anyone know how to resolve this issue?

The problem is with the crappy logic used within the MFA-enabled ExO PowerShell module - there is a line there that will *remove* any other PSSessions. You need to edit the underlying script file manually. Line 175 if you are using the latest version.

I opened a ticket with Premier Support and I got it resolved. I discovered what was in conflict was that the "Connect-EXOPSSession" session was conflicting with the "Connect-IPPSSession" session; not the Exchange On-Premises session. So it is not possible to use the Exchange Online PS commands and the Security & Compliance PS commands at the same time. But the Engineer pointed me to an O365 PS script that offers the code to connect to them.

https://gallery.technet.microsoft.com/Office-365-Connection-47e03052

 

So my function to connect to Exchange Online is:

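function Connect-EXO
{
    # Defined here but not passed to New-ExoPSSession below.
    $ExoConnectionUri = "https://ps.outlook.com/powershell"

    # Load the MFA-capable Exchange Online module DLL from its ClickOnce install folder.
    Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName | ?{ $_ -notmatch "_none_" } | select -First 1)
    # $EXOcreds is expected to be set in the caller's scope.
    $EXOSession = New-ExoPSSession -Credential $EXOcreds
    # The EXO prefix keeps these cmdlets from colliding with the other imported sessions.
    $ExoImportresults = Import-PSSession $ExoSession -AllowClobber -Prefix EXO
}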

 

and then connect to SC:

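function Connect-Compliance
{
    # Security & Compliance Center endpoint.
    $CompConnectionUri = "https://ps.compliance.protection.outlook.com/powershell-liveid/"
    # Load the MFA-capable Exchange Online module DLL from its ClickOnce install folder.
    Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName | ?{ $_ -notmatch "_none_" } | select -First 1)
    # $EXOcreds is expected to be set in the caller's scope.
    $Comp = New-EXOPSSession -ConnectionUri $CompConnectionUri -Credential $EXOcreds
    # Imported without a prefix, so these cmdlets keep their original names.
    $CompImportresults = Import-PSSession $Comp -AllowClobber
}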

 

You will need to install the latest version of the Exchange Online Power Module for MFA though.