Exchange Online PowerShell Modern Auth


Hello,

Microsoft will end basic authentication for Exchange Online in the second half of 2021. For interactive usage, Microsoft provides a great module, ExchangeOnlineManagement, that works well and does not require reconnecting with credentials every hour or so.

For a few years now, when we wanted to run a script against Exchange Online on a regular basis, we used scheduled tasks with stored credentials, like this:

This method only performs basic authentication, which means that in summer 2021 a lot of scripts will stop running if you don't act on it.

Modern authentication unattended

As of today, the only way to perform modern authentication unattended is to use an AzureAD application, a certificate and some delegation of permissions. The process is documented by Microsoft here.

The process looks like this (very similar to the one we used for GraphAPI):

  • Register an AzureAD application.
  • Name the AzureAD application.
  • Edit the manifest with this section:

    {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                "type": "Role"
            }
        ]
    }

  • Give admin consent.
  • Upload the certificate for authentication.

You can create a self-signed certificate with:

$DisplayName = "ExchangeOnlineAutomation PowerShell Client Credentials"
# Two-year validity; the script will stop authenticating once this date passes
$NotAfter = $(Get-Date).AddYears(2)
# The DnsName becomes the certificate subject (CN=ExchangeOnlineAutomation.microsoft.com),
# which is what the connection script later searches the store for
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -DnsName ExchangeOnlineAutomation.microsoft.com -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $NotAfter -FriendlyName $DisplayName
# Export .cer file (public key only): this is the file uploaded to the AzureAD application
Export-Certificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.cer"
# Export .pfx file (contains the private key): only needed to import the key on another machine
Export-PfxCertificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.pfx" -Password ("123+aze" | ConvertTo-SecureString -Force -AsPlainText)

Note: This certificate is only needed for its key pair. Nobody has to trust it; the public part (.cer) goes into the AzureAD application and the private key stays in the certificate store of the machine that runs the script.

Assign permissions
Assign permissions

As of today (December 2020), the only supported delegation groups (AzureAD roles) are:

  • Global administrator
  • Compliance administrator
  • Security reader
  • Security administrator
  • Helpdesk administrator
  • Exchange administrator
  • Global Reader

I hope this will evolve rapidly; this is not very security friendly, as the scopes are kind of wide.

Add the AzureAD application as a member of the delegation group.

All the prerequisites are in place; you can now use this application to connect to Exchange Online without a password and without MFA, but with modern authentication.

Exchange Online PowerShell Modern Auth

To be able to connect to the AzureAD application with PowerShell, you need:

  • The AzureAD application client ID (on the "Overview" blade of the AzureAD application)
  • The tenant name (blablabla.onmicrosoft.com)
  • The certificate thumbprint (the one you uploaded to the AzureAD application)

Translated into PowerShell it looks like this:

$ClientID = '0bd09ccf-0c77-47b5-a5b3-89430f7fc4d0'
$Organization = 'itfordummies.onmicrosoft.com'
# Self-signed certificate: issuer and subject are the same, so the DnsName used at creation identifies it
$CertificateThumbprint = Get-ChildItem -Path cert:\currentuser\my | Where-Object -FilterScript {$_.Issuer -eq 'CN=ExchangeOnlineAutomation.microsoft.com'} | Select-Object -ExpandProperty Thumbprint

# No credential and no MFA prompt: the private key in the store proves the application's identity
Connect-ExchangeOnline -CertificateThumbprint $CertificateThumbprint -AppId $ClientID -Organization $Organization

This is completely unattended; you can use it in a scheduled task or any orchestrator of your choice.
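As an added example (not code from the original post), here is what the scheduled-task script itself can look like once the prerequisites above are in place. It selects the newest certificate with the expected subject that actually has a private key, fails early when the certificate has expired (the usual silent cause of a task that stops working two years later), warns ahead of the expiry so the rotation can be planned, and always disconnects the session. The app ID, tenant name and the forwarding report at the end are placeholders and assumptions, not values from the post.

```powershell
# Added example, not from the original post. $AppId and $Organization are
# placeholders; the certificate subject matches the self-signed certificate
# created earlier with -DnsName ExchangeOnlineAutomation.microsoft.com.
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',   # placeholder: your app (client) ID
    [string]$Organization = 'contoso.onmicrosoft.com',                # placeholder: your tenant name
    [string]$CertSubject  = 'CN=ExchangeOnlineAutomation.microsoft.com',
    [int]$WarnDays        = 30                                        # warn this many days before expiry
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# Re-creating the self-signed certificate leaves the older copies in the store,
# so take the newest one that still carries a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$CertSubject' and a private key found in Cert:\CurrentUser\My"
}

# Fail loudly on an expired certificate instead of letting Connect-ExchangeOnline
# return an opaque authentication error from the scheduler.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); create a new one and upload it to the AzureAD application"
}
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days; plan the rotation now"
}

try {
    Connect-ExchangeOnline -CertificateThumbprint $cert.Thumbprint `
                           -AppId $AppId `
                           -Organization $Organization

    # Example read-only job for the task (assumption): list mailboxes that forward
    # mail externally, a common thing to review on a schedule.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress } |
        Select-Object -Property DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress
}
finally {
    # Always release the session, even when a cmdlet above throws
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

Run it as the same Windows account that created the certificate (the store path is Cert:\CurrentUser\My), or import the .pfx into that account's store first; the certificate with the private key is effectively the application's credential, so the account running the task is the only one that should be able to read it.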
