Connect to Exchange Online tenants with remote Windows PowerShell for Delegated Access Permissions (DAP) partners

Summary: Use remote Windows PowerShell to connect to Exchange Online by using the DelegatedOrg parameter.

Remote Windows PowerShell lets you manage your Exchange Online settings from the command line. You use Windows PowerShell on your local computer to create a remote session to Exchange Online. It's a three-step process where you enter your Exchange Online credentials, provide the required connection settings, and then import the Exchange Online cmdlets into your local Windows PowerShell session so that you can use them.

What do you need to know before you begin?


This procedure is only for Delegated Access Permission (DAP) partners. If you are not a DAP partner, do not use this procedure.

DAP partners are Syndication and Cloud Solution Providers (CSP) partners. They are frequently network or telecom providers to other companies. They bundle subscriptions into their service offerings to their customers. They own a partner tenancy that is automatically granted Administer On Behalf Of (AOBO) permissions to their Office 365customer tenancies so they can administer and report on all of their customer tenancies.

Connect to Exchange Online

  1. On your local computer, open Windows PowerShell and run the following command.

    $UserCredential = Get-Credential

    In the Windows PowerShell Credential Request dialog box, enter your DAP administrator user name and password, and then click OK.

  2. Run the following command, replacing with the name of the tenant domain that you want to connect to.

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri<customer tenant domain name>-Credential $UserCredential -Authentication Basic -AllowRedirection

    The key step in this command is specifying which customer to access for the reporting information. You do this in the ConnectionURI parameter, where you provide the FQDN of the initial domain name as the value to the DelegatedOrg parameter. This tells remote Windows PowerShell for Exchange Online PowerShell remote Windows PowerShell the endpoint to connect to. remote Windows PowerShell must connect to Office 365 reporting in the context of a specific customer each time a report is run. After this customer is specified, all of the following commands are run in the context of that customer. This lets the partner to access all the available reports for this customer.

  3. Run the following command.

    Import-PSSession $Session


There is a limit of three simultaneous sessions that can run under one account. Be sure to disconnect the remote Windows PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you can use up all the remote Windows PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote Windows PowerShell session, run the following command. > Remove-PSSession $Session

How do you know this worked?

After Step 3, the Exchange Online cmdlets are imported into your local Windows PowerShell session as tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to run an Exchange Online cmdlet—for example, Get-Mailbox —and see the results.

If you receive errors, check the following requirements:

  • A common problem is an incorrect password. Run the three steps again and pay close attention to the user name and password you enter in Step 1.

  • To help prevent denial-of-service (DoS) attacks, you're limited to three open remote Windows PowerShell connections to your Exchange Online organization.

  • Windows PowerShell needs to be configured to run scripts. You need to configure this setting only once on your computer, not every time you connect. To enable Windows PowerShell to run signed scripts, run the following command in an elevated Windows PowerShell window (a Windows PowerShell window you opened by selecting Run as administrator).

    Set-ExecutionPolicy RemoteSigned
  • The account you use to connect to Exchange Online must be enabled for remote Windows PowerShell. For more information, see Manage Remote PowerShell Access in Exchange Online.

  • TCP port 80 traffic needs to be open between your local computer and Exchange Online. It's probably open, but it's something to consider if your organization has a restrictive Internet access policy.

Call the cmdlet directly with Invoke-Command

Importing a remote Windows PowerShell session can be a lengthy process because it brings in all Exchange Online cmdlets. This can be an issue in batch processing—for example, when you are running reports or making bulk changes for different tenants. As an alternative to using Import-PSSession, you can call cmdlets you want to use directly with Invoke-Command. For example, to call the get-mailbox cmdlet, substitute this syntax for Import-PSSession $Session.

Invoke-Command -Session $Session -ScriptBlock {Get-Mailbox}

More reporting cmdlets

The cmdlets that you used in this topic are Windows PowerShell cmdlets. For more information about these cmdlets, see the following topics: