Silently connect to 2FA enabled Exchange Server by remote Powershell

Mark Babayev 226 Reputation points
2020-07-20T18:46:31.7+00:00

I can silently (without using UI and popups) connect to an Exchange Server by remote PowerShell with Basic authentication:

# Basic authentication with a stored password (placeholder values)
$Password = ConvertTo-SecureString -AsPlainText "xxxxx" -Force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList "xxxxxxx@xxx.com", $Password
Connect-ExchangeOnline -Credential $Creds

But here I receive an error because 2FA is enabled. If I just execute "Connect-ExchangeOnline", it will show a popup, which I cannot afford because this script should run on the server side. I also tried to connect using JWT access_tokens from device-login authentication:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/71c8293a-e5d1-4498-a9da-873a7dc8c946

but it also doesn't work:

# Attempt to pass a device-login bearer token as the Basic password (placeholder token)
$Password = ConvertTo-SecureString -AsPlainText "Bearer DEVICE_TOKEN" -Force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList "xxxxxxx@xxx.com", $Password
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true -Credential $Creds -Authentication Basic -AllowRedirection

Accepted answer
  1. Andy David 701 Reputation points
    2020-07-20T19:28:52.82+00:00
    1 person found this answer helpful.

8 additional answers

  1. KyleXu-MSFT 26,206 Reputation points
    2020-07-21T02:13:09.767+00:00

    Multi-factor authentication is a dynamic verification which is used after verifying the account and password. You cannot use it for a silent connection to Exchange Online PowerShell.

    So, if you still want to connect to Exchange Online PowerShell silently, you may need to take Andy's suggestion to use cert-based auth in place of account and password. Or create a dedicated admin account which doesn't have MFA enabled.

    1 person found this answer helpful.

  2. Andy David - MVP 141.5K Reputation points MVP
    2020-07-23T13:55:03.253+00:00

    Ok, please see my previous response.
    Don't use New-ExoPSSession.

    Per that doc:

    Examples:

    Connect-ExchangeOnline -CertificateFilePath "C:\Users\johndoe\Desktop\automation-cert.pfx" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

    Connect-ExchangeOnline -CertificateThumbPrint "012THISISADEMOTHUMBPRINT" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

    Also make sure you have set up the app in Azure correctly. All those steps in the docs that I linked earlier need to be followed.
    You will also need to supply the private key password of the pfx as a secure string:

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7

    1 person found this answer helpful.

  3. Andy David - MVP 141.5K Reputation points MVP
    2020-07-27T12:01:21.077+00:00

    Hi @MarkBabayev-6068

    Yes, if you are running this against another tenant, then an admin who has access to consent will need to allow that app. There is nothing required on the "Exchange" side. This is an Azure app which will have the same permissions as an Exchange Administrator role in Office 365 and can manage as the Exchange admin.

    You assign the app in the tenant where it's being used. Your tenant doesn't have access to their Exchange objects.
    Make sense?

    1 person found this answer helpful.

  4. Andy David - MVP 141.5K Reputation points MVP
    2020-07-23T11:00:03.713+00:00

    You aren't using the correct steps.
    Per that doc:

    Examples:

    Connect-ExchangeOnline -CertificateFilePath "C:\Users\johndoe\Desktop\automation-cert.pfx" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

    Connect-ExchangeOnline -CertificateThumbPrint "012THISISADEMOTHUMBPRINT" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

    Also make sure you have set up the app in Azure correctly. All those steps in the docs that I linked earlier need to be followed.

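Putting Andy's certificate-based approach from the two answers above into one unattended script, as an added example that is neither from the thread nor from Microsoft's docs: it reads the PFX password from an environment variable instead of hard-coding it, checks the certificate before connecting, and always disconnects. The app ID, organization, PFX path and variable name are placeholders, and it assumes the app registration has already been granted the Exchange.ManageAsApp application permission and the Exchange Administrator role, the Azure-side steps Andy refers to.

```powershell
# Added example: unattended Exchange Online connection with certificate-based
# app-only auth. No user credential is involved, so MFA is not in the picture.
[CmdletBinding()]
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000', # placeholder app (client) ID
    [string]$Organization = 'contoso.onmicrosoft.com',              # placeholder tenant
    [string]$PfxPath      = 'C:\automation\exo-automation.pfx',     # placeholder path
    [string]$PfxPasswordEnvVar = 'EXO_PFX_PASSWORD'                 # secret injected by the scheduler/CI
)

$ErrorActionPreference = 'Stop'
Import-Module ExchangeOnlineManagement

# The PFX password comes from the process environment (set by the task scheduler
# or a secret store), not from the script, so it never lands in source control.
$plain = [Environment]::GetEnvironmentVariable($PfxPasswordEnvVar)
if ([string]::IsNullOrEmpty($plain)) { throw "Environment variable $PfxPasswordEnvVar is not set." }
$pfxPassword = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Sanity-check the certificate before connecting: it needs a private key and must be unexpired.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)
if (-not $cert.HasPrivateKey)      { throw "Certificate $PfxPath has no private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $PfxPath expired on $($cert.NotAfter)." }
Write-Verbose "Using certificate thumbprint $($cert.Thumbprint) for app $AppId"

try {
    # App-only auth: the registration must hold the admin-consented Exchange.ManageAsApp
    # permission and the Exchange Administrator role (assumed done, per the linked docs).
    Connect-ExchangeOnline -CertificateFilePath $PfxPath `
                           -CertificatePassword $pfxPassword `
                           -AppId $AppId `
                           -Organization $Organization `
                           -ShowBanner:$false

    # Example unattended task: report mailboxes whose mailbox auditing is switched off.
    Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object UserPrincipalName, AuditEnabled
}
finally {
    # Always tear the session down; leaked sessions count toward the connection limit.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it from a scheduled task or pipeline that sets the password variable for that process only; the script itself never contains a secret, which is the property the question is after.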