Silently connect to 2FA enabled Exchange Server by remote Powershell

Mark Babayev 226 Reputation points
2020-07-20T18:46:31.7+00:00

I can silently (without using UI and popups) connect to an Exchange Server by remote PowerShell with Basic authentication:

$Password = ConvertTo-SecureString -AsPlainText "xxxxx" -Force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList "xxxxxxx@xxx.com", $Password
Connect-ExchangeOnline -Credential $Creds

But here I receive an error because 2FA is enabled. If I just execute "Connect-ExchangeOnline", it will show a popup, which I cannot afford because this script should run on the server side. I also tried to connect using JWT access_tokens from device-login authentication:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/71c8293a-e5d1-4498-a9da-873a7dc8c946

but it also doesn't work:

$Password = ConvertTo-SecureString -AsPlainText "Bearer DEVICE_TOKEN" -Force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList "xxxxxxx@xxx.com", $Password
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true -Credential $Creds -Authentication Basic -AllowRedirection

Accepted answer
  1. Andy David 701 Reputation points
    2020-07-20T19:28:52.82+00:00
    1 person found this answer helpful.

8 additional answers

  1. Mark Babayev 226 Reputation points
    2020-07-23T12:54:46.85+00:00

    After trying to connect with a PFX certificate, I get this error:

    New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the following error message : Access
    is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\2.0.3\ExchangeOnlineManagement.psm1:481 char:30
    + ... PSSession = New-ExoPSSession -ExchangeEnvironmentName $ExchangeEnviro ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceUnavailable: (:) [New-ExoPSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException,Microsoft.Exchang
       e.Management.ExoPowershellSnapin.NewExoPSSession
    
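An unattended, certificate-based (app-only) connection with local pre-flight checks on the certificate, as an added example that is not part of the original post or of Microsoft's documentation. The app ID, organization and thumbprint are placeholders, and it assumes the PFX was imported into the current user's certificate store, so neither a password nor a PFX passphrase sits in the script.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: AppId, Organization and Thumbprint below are placeholders.

function Test-AppOnlyCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Assumption: the PFX was imported into the current user's personal store.
    $path = "Cert:\CurrentUser\My\$Thumbprint"
    $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Certificate not found at $path" }

    # A public-only .cer import cannot sign the app-only token request.
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    return $cert
}

function Connect-ExchangeUnattended {
    param([Parameter(Mandatory)][string]$AppId,
          [Parameter(Mandatory)][string]$Organization,
          [Parameter(Mandatory)][string]$Thumbprint)

    # Fail early on local certificate problems before contacting the service.
    $null = Test-AppOnlyCertificate -Thumbprint $Thumbprint

    # No credential object and no interactive prompt: the certificate is the secret.
    Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
        -CertificateThumbprint $Thumbprint -ShowBanner:$false -ErrorAction Stop
}

try {
    Connect-ExchangeUnattended -AppId '00000000-0000-0000-0000-000000000000' `
        -Organization 'customer.example.onmicrosoft.com' `
        -Thumbprint 'PLACEHOLDER_THUMBPRINT'

    # Smoke test: one read-only call proves the session works.
    Get-EXOMailbox -ResultSize 1 | Select-Object DisplayName
}
finally {
    # Always release the session, even when the connect or the query failed.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

If the pre-flight checks pass and the connection is still refused, the local certificate is ruled out and the app registration and its role assignment in the target tenant are the next things to check.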

  2. Mark Babayev 226 Reputation points
    2020-07-27T11:33:12.117+00:00

    I have a concern with section 5 of this document:
    https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-a-role-to-the-application

    I registered an app in my Azure AD. Now I want to silently run a PS script for another remote customer's domain. I believe the remote admin should approve the admin consent screen (https://login.microsoftonline.com/common/adminconsent?...) with my client_id.
    What actions should he/she take next in his/her own Exchange Server domain?
    Where should I assign rules for the app (section 5)? In my Azure or in the remote customer's Azure?


  3. Mark Babayev 226 Reputation points
    2020-07-30T05:57:38.747+00:00

    Hi,

    I must repeat the last question to understand Section 5:
    https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-a-role-to-the-application

    Does that mean that, in order for me to run the PS script in the remote tenant, the remote tenant admin must do some manual configuration on his side?


  4. Mark Babayev 226 Reputation points
    2020-08-01T11:50:21.933+00:00

    Another question. Is there any HTTP link like this https://login.microsoftonline.com/common/adminconsent that will show me the following consent popup window?
    That popup appears when running Connect-EXOPSSession; I want to get it by making an HTTP GET request.
    https://learn.microsoft.com/en-us/powershell/exchange/mfa-connect-to-exchange-online-powershell?redirectedfrom=MSDN&view=exchange-ps

    [Image: 14925-image.png]