PowerShell login passthrough?


So I activated MFA for both of my accounts.  One with my main company and one with my parent company.

 

My problem is this: using MS Exchange Online PowerShell, it auto-logins when I run Connect-Exopssession -UserPrincipalName <my UPN here> for my main account, which I don't really think is a good thing from a security standpoint (no user/password prompt, MFA, etc.), and (2) when I put the UPN from the other tenant/domain in there, it fails with "Bad request for more information" after actually doing the MFA login.

 

I had installed Microsoft Online Services Sign-In Assistant, which I thought could be the culprit, but getting rid of it and restarting did not help. Any ideas on how to stop this behavior and make me log in with MFA every time instead of passthrough, and also why it might have broken logging into the other?

 

Win 10 1709.  Azure AD "Connected" not joined to main account, if that matters.

6 Replies

Are you connecting to the two accounts within the same PowerShell session? I just did the same, and it works without errors. As expected, just the latest tenant is accessible.

 

I have MFA enabled on the one account (#1). The first time I log into it I have to MFA as expected. I then switch to the other account  (#2) without MFA, and then switch back to the first account (#1). On the reconnection to the first account (#1), the Modern Auth form appears briefly, but automatically disappears. This is because I still have a valid refresh token, and nothing has caused it to expire. So it seamlessly gets a new access token to load PowerShell.

 

You could look at this article to change the validity of the tokens: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes

For PowerShell (Microsoft Exchange Online PowerShell, to be specific) it didn't even ask once for my main account the first time, right after I downloaded it, and I can't get into the second account at all.

 

I'm thinking it might have something to do with my Win 10 install being "Connected" to Azure AD; it must pass it to things all over the system, including PowerShell. I might try disconnecting. This machine is on-prem domain joined, but I also "connected" it to 365 Azure AD since it asked me. (We keep them separate and don't do any sync between on-prem AD and Azure.) I don't think it will really break anything; it's more of a convenience deal, plus if I had Intune policies.

That's the new "accounts" feature in W10, you might have noticed the "add this account to Windows" prompts. You can think of it as the Outlook/Office auto-login features, connecting to ExO PowerShell or any other O365/AzureAD service works the same.

 

And yes, it can definitely cause issues when trying to switch accounts. I'd advise opening a new PS window.
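The "one PowerShell window per account" advice above, as an added example that is not part of the thread: each tenant connection is started in its own process, and the session is checked against the UPN and accepted domain you asked for before you run anything in it. This assumes the current ExchangeOnlineManagement module (Connect-ExchangeOnline, Get-ConnectionInformation, Get-AcceptedDomain), which replaced the Connect-EXOPSSession module used in the thread; the UPNs and domains are placeholders.

```powershell
# Added example, not from the thread. Assumes the ExchangeOnlineManagement
# module (Connect-ExchangeOnline / Get-ConnectionInformation), not the older
# Connect-EXOPSSession module discussed above.

function Connect-TenantAndVerify {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # An accepted domain of the tenant you expect, used as a sanity check
        [Parameter(Mandatory)] [string] $ExpectedDomain
    )

    # A leftover session in this process would be the one that answers cmdlets,
    # so close everything before connecting rather than stacking connections.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue

    Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false

    # Ask the module who it actually signed in as, and ask the service which
    # tenant it bound us to; compare both with what we intended.
    $info    = Get-ConnectionInformation | Select-Object -First 1
    $domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

    if ($info.UserPrincipalName -ne $UserPrincipalName -or $domains -notcontains $ExpectedDomain) {
        Disconnect-ExchangeOnline -Confirm:$false
        throw "Connected as '$($info.UserPrincipalName)' to tenant $($info.TenantID); " +
              "expected $UserPrincipalName in a tenant owning $ExpectedDomain"
    }

    [pscustomobject]@{
        UserPrincipalName = $info.UserPrincipalName
        TenantId          = $info.TenantID
        TokenExpiresUtc   = $info.TokenExpiryTimeUTC   # when the cached token stops being usable
    }
}

# Placeholder accounts; replace with your own UPNs and accepted domains.
$tenants = @(
    @{ Upn = 'admin@contoso.onmicrosoft.com';  Domain = 'contoso.onmicrosoft.com'  }
    @{ Upn = 'admin@fabrikam.onmicrosoft.com'; Domain = 'fabrikam.onmicrosoft.com' }
)

# Persist the function to a script file so each child process can dot-source it.
$helper = Join-Path $env:TEMP 'Connect-TenantAndVerify.ps1'
Set-Content -Path $helper -Value "function Connect-TenantAndVerify {`n$($function:Connect-TenantAndVerify)`n}"

foreach ($t in $tenants) {
    $cmd = ". '$helper'; Import-Module ExchangeOnlineManagement; " +
           "Connect-TenantAndVerify -UserPrincipalName '$($t.Upn)' -ExpectedDomain '$($t.Domain)' | Format-List"
    # -EncodedCommand avoids any quoting problems on the child's command line.
    $enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))
    Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoExit', '-EncodedCommand', $enc
}
```

Running each tenant in a separate process means the token cache of one account can never silently answer for the other, and the accepted-domain check catches the case where the prompt was auto-completed with the wrong identity before you run a destructive cmdlet.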

It wasn't any of that preventing me getting into the other account. I couldn't get in on my Windows 7 machine either (why I didn't try this when I first had a problem, I don't know), with none of those auto-login things, and even after I turned off MFA and tried the old way. It said "Bad Request for more information" and -2144108173,PSSessionOpenFailed, but none of that said Access Denied anywhere.

 

Still, they could have been a little heavy-handed: as they were removing PowerShell access for all the regular users, they might have forgotten to remove me from the CSV they used to script removing access.

When you say they, do you refer to your security department?

 

I had a very similar issue yesterday. Received a "Bad Request... Access Denied" error. In our case it was due to new proxy servers added to the farm, but the public IP addresses not being added to the skip-MFA-for-trusted-network-locations list. Once added, the Microsoft Exchange Online PowerShell Module connected without issues again.

Would you consider whitelisting your offices so that you are not prompted for MFA when using PowerShell from the office?
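Two things asked for in this thread, forcing a fresh MFA sign-in for Exchange Online PowerShell every time (the token-lifetime reply above) and exempting office IP ranges (the trusted-location replies), as one added example that is not part of the thread. It uses the Microsoft Graph PowerShell SDK rather than the configurable-token-lifetimes feature linked earlier, because the refresh-token and session-token lifetime settings from that article were retired and Conditional Access sign-in frequency is the supported control now. The office CIDR, user object IDs and display names are placeholders; the application ID is the well-known Office 365 Exchange Online app ID.

```powershell
# Added example, not from the thread. Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and an account allowed to write Conditional
# Access policy. Values marked "placeholder" must be replaced.
Import-Module Microsoft.Graph.Identity.SignIns

$officeCidr   = '203.0.113.0/24'                              # placeholder: office egress range (TEST-NET-3)
$adminUserIds = @('00000000-0000-0000-0000-000000000000')     # placeholder: object IDs of the admin accounts
$exoAppId     = '00000002-0000-0ff1-ce00-000000000000'        # Office 365 Exchange Online (well-known app ID)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# 1. Named location for the office range. Marking it trusted is what lets a
#    policy skip MFA there; it also means anyone on that network skips MFA, so
#    keep the range tight (egress IPs only, no guest Wi-Fi).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office egress (EXO PowerShell MFA exclusion)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr }
    )
}

# 2. Policy: these admins, connecting to Exchange Online from anywhere except
#    the office location, must complete MFA and must re-authenticate on every
#    sign-in, so a cached refresh token cannot carry them in silently.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'EXO PowerShell: MFA and reauthenticate every time off-network'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = $adminUserIds }
        applications   = @{ includeApplications = @($exoAppId) }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

$policy | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs show it matching only the PowerShell connections you expect; an every-time reauthentication rule scoped too widely will prompt for MFA on every token refresh across all of Office 365. Also keep one break-glass account out of `includeUsers` so a bad policy cannot lock every admin out of the tenant.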