Connect to Office 365 Security & Compliance Center PowerShell using multi-factor authentication

If your account uses multi-factor authentication (MFA) or federated authentication, you can't use the instructions at Connect to Office 365 Security & Compliance Center PowerShell to use remote PowerShell to connect to the Office 365 Security & Compliance Center. Instead, you need to install the Exchange Online Remote PowerShell Module, and use the Connect-IPPSSession cmdlet to connect to Security & Compliance Center PowerShell.

Note

• You can't use the Exchange Online Remote PowerShell Module to connect to Exchange Online PowerShell and Security & Compliance Center PowerShell in the same session (window). You need to use separate sessions of the Exchange Online Remote PowerShell Module.
• Delegated Access Permission (DAP) partners can't use the procedures in this topic to connect to their customer tenant organizations in Security & Compliance Center PowerShell. MFA and the Exchange Online Remote PowerShell Module don't work with delegated authentication.

What do you need to know before you begin?

  • Estimated time to complete: 5 minutes

  • You can use the following versions of Windows:

  • The Exchange Online Remote PowerShell Module needs to be installed on your computer. If your installed version of the Exchange Online Remote PowerShell Module doesn't have the Connect-IPPSSession cmdlet, you need to install the latest version of the module:

    1. In Internet Explorer or Edge, open the Exchange admin center (EAC) for your Exchange Online organization. For instructions, see Exchange Admin Center in Exchange Online.

      Note: Internet Explorer or Edge is required because the download in the next step uses ClickOnce, so Google Chrome or Mozilla Firefox won't work.

    2. In the EAC, go to Hybrid > Setup and click the appropriate Configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.

      Download the Exchange Online PowerShell Module from the Hybrid tab in the EAC

    3. In the Application Install window that opens, click Install.

      Click Install in the Exchange Online PowerShell Module window

  • Windows Remote Management (WinRM) on your computer needs to allow basic authentication (it's enabled by default). To verify that basic authentication is enabled, run this command in a Command Prompt:

    winrm get winrm/config/client/auth
    

    If you don't see the value Basic = true, you need to run this command from an elevated Command Prompt (a Command Prompt window you open by selecting Run as administrator) to enable basic authentication for WinRM:

    winrm set winrm/config/client/auth @{Basic="true"}
    

    If basic authentication is disabled, you'll get this error when you try to connect:

    The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Connect to Security & Compliance Center PowerShell by using MFA or federated authentication

  1. On your local computer, open the Exchange Online Remote PowerShell Module (Microsoft Corporation > Microsoft Exchange Online Remote PowerShell Module).

  2. The command that you need to run uses the following syntax:

    Connect-IPPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]
    
    • <UPN> is your Office 365 work or school account.

    • The <ConnectionUri> and <AzureADUri> values depend on the location of your Office 365 organization as described in the following table:

      Office 365 offering ConnectionUri parameter value AzureADAuthorizationEndPointUri parameter value
      Office 365 Not used Not used
      Office 365 Germany https://ps.compliance.protection.outlook.de/PowerShell-LiveID https://login.microsoftonline.de/common

      This example connects to the Security & Compliance Center in Office 365 using the account chris@contoso.com.

      Connect-IPPSSession -UserPrincipalName chris@contoso.com
      

      This example connects to the Security & Compliance Center in Office 365 Germany using the account lukas@fabrikam.com.

      Connect-IPPSSession -UserPrincipalName lukas@fabrikam.com -ConnectionUri https://ps.compliance.protection.outlook.de/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.de/common
      
  3. In the sign-in window that opens, enter your password, and then click Sign in.

    Enter your password in the Exchange Online Remote PowerShell window

    For MFA, a verification code is generated and delivered based on the verification response option that's configured for your account (for example, a text message or the Azure Authenticator app on your mobile phone).

  4. (MFA only): In the verification window that opens, enter the verification code, and then click Sign in.

    Enter your verification code in the Exchange Online Remote PowerShell window

How do you know this worked?

After you sign in, the Security & Compliance Center cmdlets are imported into your Exchange Online Remote PowerShell Module session and tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to run an Security & Compliance Center cmdlet, for example, Get-RetentionCompliancePolicy, and see the results.

If you receive errors, check the following requirements:

  • To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell connections to the Security & Compliance Center.

  • The account you use to connect to the Security & Compliance Center must be enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.

  • TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but it's something to consider if your organization has a restrictive Internet access policy.

  • The Connect-IPPSSession command (Step 2) might fail to connect if your client IP address changes during the connection request. This can happen if your organization uses a source network address translation (SNAT) pool that contains multiple IP addresses. The connection error looks like this:

    The request for the Windows Remote Shell with ShellId <ID> failed because the shell was not found on the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the correct ShellId or create a new shell and retry the operation.

    To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address for connections to the Security & Compliance PowerShell endpoint.