MarkBabayev-6068 asked azure-cxp-api edited

Silently connect to 2FA enabled Exchange Server by remote Powershell

I can silently (without using the UI and popups) connect to an Exchange Server by remote PowerShell with Basic authentication:

 $Password = ConvertTo-SecureString -AsPlainText "xxxxx" -Force
 $Creds = New-Object System.Management.Automation.PSCredential -ArgumentList "xxxxxxx@xxx.com", $Password
 Connect-ExchangeOnline -Credential $Creds

But here I receive an error because 2FA is enabled. If I just execute "Connect-ExchangeOnline", it shows a popup, which I cannot afford because this script should run on the server side. I also tried to connect using JWT access_tokens from device-login authentication:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/71c8293a-e5d1-4498-a9da-873a7dc8c946

but it also doesn't work:

 $Password = ConvertTo-SecureString -AsPlainText "Bearer DEVICE_TOKEN" -Force
 $Creds = New-Object System.Management.Automation.PSCredential -ArgumentList "xxxxxxx@xxx.com", $Password
 $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true -Credential $Creds -Authentication Basic -AllowRedirection

Tags: office-exchange-server-connectivity, azure-ad-graph

I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?


If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.


I'm trying to connect with a certificate as described here, but still unsuccessfully.
https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

So far, I have this error:
New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\2.0.3\ExchangeOnlineManagement.psm1:481 char:30

AndyDavid1608 answered

KyleXu-MSFT answered

Multi-factor authentication is a dynamic verification which is used after the account and password have been verified. You cannot use it for a silent connection to Exchange Online PowerShell.

So, if you still want to connect to Exchange Online PowerShell silently, you may need to take Andy's suggestion to use cert-based auth in place of account and password, or create a dedicated admin account which doesn't have MFA enabled.


AndyDavid answered

You aren't using the correct steps.
Per that doc:

Examples:

 Connect-ExchangeOnline -CertificateFilePath "C:\Users\johndoe\Desktop\automation-cert.pfx" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

 Connect-ExchangeOnline -CertificateThumbPrint "012THISISADEMOTHUMBPRINT" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

Also make sure you have set up the app in Azure correctly. All the steps in the docs that I linked earlier need to be followed.


MarkBabayev-6068 answered MarkBabayev-6068 edited

After trying to connect with the PFX certificate, I get this error:

 New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the following error message : Access
 is denied. For more information, see the about_Remote_Troubleshooting Help topic.
 At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\2.0.3\ExchangeOnlineManagement.psm1:481 char:30
 + ... PSSession = New-ExoPSSession -ExchangeEnvironmentName $ExchangeEnviro ...
 +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : ResourceUnavailable: (:) [New-ExoPSSession], PSRemotingTransportException
     + FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException,Microsoft.Exchang
    e.Management.ExoPowershellSnapin.NewExoPSSession

AndyDavid answered

Ok, please see my previous response.
Don't use New-ExoPSSession.


Per that doc:

Examples:

 Connect-ExchangeOnline -CertificateFilePath "C:\Users\johndoe\Desktop\automation-cert.pfx" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

 Connect-ExchangeOnline -CertificateThumbPrint "012THISISADEMOTHUMBPRINT" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"

Also make sure you have set up the app in Azure correctly. All the steps in the docs that I linked earlier need to be followed.
You will also need to supply the private key password of the PFX as a secure string:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7
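The cert-based, app-only connection this answer describes, written out as a complete unattended script. This is an added example, not code from the thread or from the Microsoft docs it links; the app ID, tenant name, certificate path, thumbprint and the EXO_PFX_PASSWORD environment variable are assumed placeholders, and it assumes ExchangeOnlineManagement 2.0.3 or later (the version shown in the error above). It prefers a certificate already installed in the machine store (no PFX password needed at all) and falls back to the PFX file with its password read as a secure string from a secret the scheduler injects:

```powershell
# Added example, not from the original thread: silent app-only connection to
# Exchange Online PowerShell using the certificate the app was registered with.
# All identifiers below are assumed placeholders.

Import-Module ExchangeOnlineManagement -ErrorAction Stop

$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$Organization = 'contoso.onmicrosoft.com'                 # placeholder target tenant
$Thumbprint   = 'PLACEHOLDERTHUMBPRINT'                   # placeholder, cert in Cert:\LocalMachine\My
$PfxPath      = Join-Path $PSScriptRoot 'automation-cert.pfx'  # placeholder fallback

$connectParams = @{
    AppId        = $AppId
    Organization = $Organization
    ShowBanner   = $false
    ErrorAction  = 'Stop'
}

if (Test-Path "Cert:\LocalMachine\My\$Thumbprint") {
    # Preferred: the private key stays non-exportable in the machine store,
    # so no password has to be handled by the script at all.
    $connectParams['CertificateThumbPrint'] = $Thumbprint
}
else {
    # Fallback: PFX on disk. Never hard-code its password; read it from a
    # secret the scheduler injects (here an environment variable, assumed set).
    if (-not $env:EXO_PFX_PASSWORD) {
        throw 'EXO_PFX_PASSWORD is not set; refusing to run without the PFX password.'
    }
    $connectParams['CertificateFilePath'] = $PfxPath
    $connectParams['CertificatePassword'] =
        ConvertTo-SecureString -String $env:EXO_PFX_PASSWORD -AsPlainText -Force
}

try {
    Connect-ExchangeOnline @connectParams

    # Read-only sanity check that the app's role assignment works (no changes made).
    Get-EXOMailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
catch {
    # "Access is denied" at this point usually means the app is missing the
    # Exchange.ManageAsApp API permission or the Exchange Administrator role
    # in the tenant named in -Organization, not a problem with the certificate.
    Write-Error "Connect-ExchangeOnline failed: $($_.Exception.Message)"
    exit 1
}
finally {
    # Always tear the session down so runspaces and tokens don't linger.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

Run it from the scheduled task or service account that holds the certificate; because the app logs on with the certificate rather than a user's password, MFA on the admin accounts stays enabled and never gets in the way.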


MarkBabayev-6068 answered

I have a concern with section 5 of this document:
https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-a-role-to-the-application

I registered an app in my Azure AD. Now I want to silently run a PS script for another remote customer's domain. I believe the remote admin should approve the admin consent screen (https://login.microsoftonline.com/common/adminconsent?...) with my client_id.
What actions should he/she take next in his own Exchange Server domain?
Where should I assign roles for the app (section 5)? In my Azure or in the remote customer's Azure?


AndyDavid answered

Hi @MarkBabayev-6068


Yes, if you are running this against another tenant, then an admin who has access to consent will need to allow that app. There is nothing required on the "Exchange" side. This is an Azure app which will have the same permissions as an Exchange Administrator role in Office 365 and can manage as the Exchange admin.


You assign the app in the tenant where it's being used. Your tenant doesn't have access to their Exchange objects.
Make sense?



MarkBabayev-6068 answered AndyDavid commented

Hi,

I must repeat the last question to understand the Section 5:
https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-a-role-to-the-application

That means that, in order for me to run the PS script in the remote tenant, the remote tenant admin must do some manual configuration on his side?


Correct. They have to set the app up and import the cert you are using following those directions in the doc.

MarkBabayev-6068 answered AndyDavid commented

Another question. Is there any HTTP link like this https://login.microsoftonline.com/common/adminconsent that will show me the following consent popup window?
That popup appears when running Connect-EXOPSSession; I want to get it by running an HTTP GET request.
https://docs.microsoft.com/en-us/powershell/exchange/mfa-connect-to-exchange-online-powershell?redirectedfrom=MSDN&view=exchange-ps


[image: the consent popup window shown by Connect-EXOPSSession]

Yes, it would be:
https://login.microsoftonline.com/<tenantID>/adminConsent?client_id=<AppID>&redirect_uri=https://portal.azure.com/TokenAuthorize

You can also find the link by going to App under Enterprise Apps in the Portal and under permissions the consent button will take you to the link

That takes you to the consent window. Once the app is consented, however, you don't log on there. The app itself logs on with the certificate, not a password.


I think that I'll just ask from the user simply don't use 2FA, so I'm closing this issue.


Ok, please mark any accepted answers so this can be closed up.
