Connect to Security & Compliance Center PowerShell

The Exchange Online PowerShell V2 module (abbreviated as the EXO V2 module) uses modern authentication and works with multi-factor authentication (MFA) for connecting to all Exchange-related PowerShell environments in Microsoft 365: Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell. For more information about the EXO V2 module, see About the Exchange Online PowerShell V2 module.

This topic contains instructions for how to connect to Security & Compliance Center PowerShell using the EXO V2 module with or without MFA.

To use the older, less secure remote PowerShell connection instructions that will eventually be deprecated, see Basic auth - Connect to Security & Compliance Center PowerShell.

To use the older Exchange Online Remote PowerShell Module to connect to Security & Compliance Center PowerShell using MFA, see V1 module - Connect to Security & Compliance Center PowerShell using MFA. Note that this older version of the module will eventually be retired.

What do you need to know before you begin?

  • The requirements for installing and using the EXO V2 module are described in Install and maintain the EXO V2 module. The rest of the instructions in the topic assume that you've already installed the module.

Connect to Security & Compliance PowerShell using MFA

If your account uses multi-factor authentication, use the steps in this section. Otherwise, skip to the Connect to Security & Compliance Center PowerShell without using MFA section.

  1. In a Windows PowerShell window, load the EXO V2 module by running the following command:

    Import-Module ExchangeOnlineManagement
    

    Note: If you've already installed the EXO V2 module, the previous command will work as written.

  2. The command that you need to run uses the following syntax:

    Connect-IPPSSession -UserPrincipalName <UPN> [-ConnectionUri <URL>] [-PSSessionOption $ProxyOptions]
    
    • <UPN> is your account in user principal name format (for example, navin@contoso.com).
    • The required ConnectionUri value depends on the nature of your Microsoft 365 organization. For more information, see the parameter description in Connect-IPPSSession.
    • When you use the UserPrincipalName parameter, you don't need to use the AzureADAuthorizationEndpointUri parameter in environments that would otherwise require it.
    • If you're behind a proxy server, run this command first: $ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where <Value> is IEConfig, WinHttpConfig, or AutoDetect. Then, use the PSSessionOption parameter with the value $ProxyOptions. For more information, see New-PSSessionOption.

    This example connects to Security & Compliance Center PowerShell in a Microsoft 365 or Microsoft 365 GCC organization.

    Connect-IPPSSession -UserPrincipalName navin@contoso.com
    

    This example connects to Security & Compliance Center PowerShell in an Office 365 Germany organization.

    Connect-IPPSSession -UserPrincipalName lukas@fabrikam.de -ConnectionUri https://ps.compliance.protection.outlook.de/PowerShell-LiveID
    

    This example connects to Security & Compliance Center PowerShell in a Microsoft GCC High organization.

    Connect-IPPSSession -UserPrincipalName -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
    

    This example connects to Security & Compliance Center PowerShell in a Microsoft 365 DoD organization.

    Connect-IPPSSession -UserPrincipalName -ConnectionUri https://l5.ps.compliance.protection.office365.us/powershell-liveid/
    

For detailed syntax and parameter information, see Connect-IPPSSession.

Note

Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.

Disconnect-ExchangeOnline

Connect to Security & Compliance Center PowerShell without using MFA

If your account doesn't use multi-factor authentication, use the steps in this section.

  1. In a Windows PowerShell window, load the EXO V2 module by running the following command:

    Import-Module ExchangeOnlineManagement
    

    Note: If you've already installed the EXO V2 module, the previous command will work as written.

  2. Run the following command:

    $UserCredential = Get-Credential
    

    In the Windows PowerShell Credential Request dialog box that appears, type your work or school account and password, and then click OK.

  3. The command that you need to run uses the following syntax:

    Connect-IPPSSession -Credential $UserCredential [-ConnectionUri <URL>] [-AzureADAuthorizationEndpointUri <URL>] [-PSSessionOption $ProxyOptions]
    
    • The required ConnectionUri and AzureADAuthorizationEndPointUrl values depend on the nature of your Microsoft 365 organization. For more information, see the parameter descriptions in Connect-IPPSSession.
    • If you're behind a proxy server, run this command first: $ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where <Value> is IEConfig, WinHttpConfig, or AutoDetect. Then, use the PSSessionOption parameter with the value $ProxyOptions. For more information, see New-PSSessionOption.

    This example connects to Security & Compliance Center PowerShell in a Microsoft 365 or Microsoft 365 GCC organization.

    Connect-IPPSSession -Credential $UserCredential
    

    This example connects to Security & Compliance Center PowerShell in an Office 365 Germany organization.

    Connect-IPPSSession -Credential $UserCredential -ConnectionUri https://ps.compliance.protection.outlook.de/ -AzureADAuthorizationEndpointUri https://login.microsoftonline.de/common
    

    This example connects to Security & Compliance Center PowerShell in a Microsoft GCC High organization.

    Connect-IPPSSession -Credential $UserCredential -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/ -AzureADAuthorizationEndpointUri https://login.microsoftonline.us/common
    

    This example connects to Security & Compliance Center PowerShell in a Microsoft 365 DoD organization.

    Connect-IPPSSession -Credential $UserCredential -ConnectionUri https://l5.ps.compliance.protection.office365.us/powershell-liveid/ -AzureADAuthorizationEndpointUri https://login.microsoftonline.us/common
    

For detailed syntax and parameter information, see Connect-IPPSSession.

Note

Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.

Disconnect-ExchangeOnline

How do you know this worked?

The Security & Compliance Center cmdlets are imported into your local Windows PowerShell session and tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to run a Security & Compliance Center cmdlet, for example, Get-RetentionCompliancePolicy, and see the results.

If you receive errors, check the following requirements:

  • A common problem is an incorrect password. Run the three steps again and pay close attention to the user name and password you enter in Step 1.

  • To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell connections to your Exchange Online organization.

  • The account you use to connect must be enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.

  • TCP port 80 traffic needs to be open between your local computer and Microsoft 365. It's probably open, but it's something to consider if your organization has a restrictive internet access policy.

  • You might fail to connect if your client IP address changes during the connection request. This can happen if your organization uses a source network address translation (SNAT) pool that contains multiple IP addresses. The connection error looks like this:

    The request for the Windows Remote Shell with ShellId <ID> failed because the shell was not found on the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the correct ShellId or create a new shell and retry the operation.

    To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address for connections to the Security & Compliance PowerShell endpoint.