Exchange Online PowerShell Modern Auth
Hello,
Microsoft will end basic authentication for Exchange Online in the second half of 2021 (edit: that date has since changed). For interactive use, Microsoft provides a great module, ExchangeOnlineManagement, which works well and does not require reconnecting with credentials every hour or so.
For a few years now, when we wanted to run a script on a regular basis against Exchange Online, we used scheduled tasks with credentials stored in:
- Credential Manager
- an XML file (Export-CliXml)
- KeePass
- the new module from Microsoft, Microsoft.PowerShell.SecretManagement
All of these only feed a username and password to basic authentication, which means that when basic authentication is switched off (summer 2021 at the time of writing), a lot of scripts won't run anymore if you don't act on it.
Modern authentication unattended
As of today, the only way to perform modern authentication unattended is to use an Azure AD application, a certificate and some delegation of permissions (a directory role assigned to the application). The process is documented by Microsoft here.
The process looks like this (very similar to the one we used for the Graph API): register an Azure AD application, add the Exchange Online application permission below to its manifest (requiredResourceAccess) and grant admin consent, upload the public key of a certificate to the application, then assign the application one of the directory roles listed further down.
The manifest entry is the Office 365 Exchange Online API (resourceAppId 00000002-0000-0ff1-ce00-000000000000) with the Exchange.ManageAsApp application permission (type Role, not a delegated Scope):
{
  "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
  "resourceAccess": [
    {
      "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
      "type": "Role"
    }
  ]
}

You can create a self-signed certificate with the commands below (run them as the account that will later run the scripts, since the key lands in that user's personal store):
$DisplayName = "ExchangeOnlineAutomation PowerShell Client Credentials"
$NotAfter = (Get-Date).AddYears(2)
# Self-signed, so Subject and Issuer are both CN=ExchangeOnlineAutomation.microsoft.com; the DNS name is only a label
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -DnsName ExchangeOnlineAutomation.microsoft.com -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $NotAfter -FriendlyName $DisplayName
#Export .cer file (public key only): this is what you upload to the Azure AD application
Export-Certificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.cer"
#Export .pfx file (private key): only needed to move the key to another machine; prompt for the password instead of hardcoding it in the script
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.pfx" -Password $PfxPassword
Note: this certificate is only needed for its key pair; it does not need a real DNS name or a CA. The public key (.cer) goes into the Azure AD application, the private key stays on the machine that runs the scripts. Anyone who gets the .pfx gets the role you assign below, so delete it once it is imported where it is needed.

As of today (December 2020), the only directory roles you can assign to the application for Exchange Online PowerShell are:
- Global administrator
- Compliance administrator
- Security reader
- Security administrator
- Helpdesk administrator
- Exchange administrator
- Global Reader
I hope this evolves quickly; it is not very security friendly, as those roles are quite broad: the application gets the whole role, not just the cmdlets your script needs.
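As an added example (not code from the original post nor from Microsoft's documentation), here are the same steps done with the AzureAD PowerShell module that was current at the time of this post: create the application with the Exchange.ManageAsApp permission, create its service principal, attach the public key, grant admin consent and assign the Exchange Administrator role. It assumes you are already connected with Connect-AzureAD as a Global Administrator and that the .cer exported above is at the path shown; the display name, path and role choice are placeholders, and the role template ID is the fixed Azure AD template ID for Exchange Administrator.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has already been
# run as a Global Administrator and that the .cer exported earlier exists at $CerPath.
$DisplayName    = "ExchangeOnlineAutomation PowerShell Client Credentials"   # placeholder
$CerPath        = "c:\temp\$DisplayName.cer"                                  # placeholder
$ExoAppId       = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
$ManageAsAppId  = "dc50a0fb-09a3-484d-be87-e023b12c6440"   # Exchange.ManageAsApp (application permission)
$RoleTemplateId = "29232cdf-9323-42fd-ade2-1d097af3e4de"   # Exchange Administrator role template

# 1. Application with the requiredResourceAccess entry shown in the manifest above
$resourceAccess = New-Object -TypeName Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $ManageAsAppId, "Role"
$requiredAccess = New-Object -TypeName Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAccess.ResourceAppId  = $ExoAppId
$requiredAccess.ResourceAccess = $resourceAccess
$app = New-AzureADApplication -DisplayName $DisplayName -RequiredResourceAccess $requiredAccess

# 2. Service principal: this is the identity that receives the directory role
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# 3. Attach the public key only; the private key never leaves the automation host
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier ([Convert]::ToBase64String($cer.GetCertHash())) `
    -Type AsymmetricX509Cert -Usage Verify `
    -Value ([Convert]::ToBase64String($cer.GetRawCertData())) `
    -StartDate $cer.NotBefore -EndDate $cer.NotAfter

# 4. Admin consent for an application permission is an app role assignment on the
#    Exchange Online service principal (same effect as "Grant admin consent" in the portal)
$exoSp = Get-AzureADServicePrincipal -Filter "appId eq '$ExoAppId'"
New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
    -ResourceId $exoSp.ObjectId -Id $ManageAsAppId

# 5. Directory role. A role template only becomes a queryable role once it has been
#    activated in the tenant, so activate it on first use.
$role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $RoleTemplateId }
if (-not $role) {
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $RoleTemplateId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# What Connect-ExchangeOnline will need later
[pscustomobject]@{
    AppId      = $app.AppId
    Thumbprint = $cert = $cer.Thumbprint
}
```

The role is granted to the service principal, not to the application object, which is why step 2 comes before step 5; pick the least privileged role from the list above that still covers the cmdlets your script runs (Global Reader for read-only reporting, for instance).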

All the prerequisites are in place; you can now use this application to connect to Exchange Online without a password and without MFA, but with modern authentication. Keep in mind that the certificate's private key now stands in for a privileged account: protect the store it lives in, and the .pfx export, as you would an admin password.
Exchange Online PowerShell Modern Auth
To be able to connect to Exchange Online through the Azure AD application with PowerShell, you need:
- the Azure AD application (client) ID (on the "Overview" blade of the Azure AD application)
- the tenant name, i.e. the initial .onmicrosoft.com domain (blablabla.onmicrosoft.com)
- the certificate thumbprint (the certificate whose public key you uploaded to the Azure AD application; its private key must be in the local certificate store)
Translated into PowerShell it looks like this:
$ClientID = '0bd09ccf-0c77-47b5-a5b3-89430f7fc4d0'
$Organization = 'itfordummies.onmicrosoft.com'
# Self-signed, so Subject and Issuer are both the CN; keep only the newest match so a renewed certificate does not return two thumbprints
$CertificateThumbprint = Get-ChildItem -Path cert:\currentuser\my | Where-Object -FilterScript {$_.Subject -eq 'CN=ExchangeOnlineAutomation.microsoft.com'} | Sort-Object -Property NotAfter -Descending | Select-Object -First 1 -ExpandProperty Thumbprint
Connect-ExchangeOnline -CertificateThumbprint $CertificateThumbprint -AppId $ClientID -Organization $Organization

This is totally unattended; you can use it in a scheduled task or any orchestrator of your choice. One caveat: cert:\currentuser\my is per user, so the scheduled task must run as the account that owns the certificate, or you import the .pfx into the machine store (cert:\localmachine\my) and look it up there.
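As an added example (not code from the original post), here is a script body shaped for a scheduled task: it selects the newest valid certificate by subject, refuses to run if the key is missing or expired, warns ahead of expiry, connects app-only and always disconnects, even when the work in between fails. It assumes ExchangeOnlineManagement 2.0.3 or later (the first version with certificate-based authentication); the client ID and tenant are the placeholders from the post, the store location is a parameter, and Get-Mailbox is only a sample command.

```powershell
# Added example, not from the original post. Requires ExchangeOnlineManagement >= 2.0.3.
$ClientID     = '0bd09ccf-0c77-47b5-a5b3-89430f7fc4d0'            # placeholder from the post
$Organization = 'itfordummies.onmicrosoft.com'                     # placeholder from the post
$CertSubject  = 'CN=ExchangeOnlineAutomation.microsoft.com'
# cert:\CurrentUser\My is per user: the task must run as the account that created the
# certificate. For a service account or gMSA, import the .pfx into cert:\LocalMachine\My instead.
$CertStore    = 'cert:\CurrentUser\My'

function Get-AutomationCertificate {
    param(
        [Parameter(Mandatory)] [string] $Store,
        [Parameter(Mandatory)] [string] $Subject,
        [int] $WarnDays = 30
    )
    $now  = Get-Date
    $cert = Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt $now } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        # Fail loudly: a scheduled task that silently does nothing is worse than one that errors
        throw "No unexpired certificate with subject '$Subject' and a private key found in $Store"
    }
    $daysLeft = ($cert.NotAfter - $now).Days
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days: create a new one and upload its .cer to the application before then"
    }
    return $cert
}

$cert = Get-AutomationCertificate -Store $CertStore -Subject $CertSubject
try {
    # -Certificate takes the X509Certificate2 object directly, so no thumbprint string is copied around
    Connect-ExchangeOnline -Certificate $cert -AppId $ClientID -Organization $Organization
    # The actual work goes here; sample command only
    Get-Mailbox -ResultSize 10 | Select-Object -Property DisplayName, PrimarySmtpAddress
}
finally {
    # Always tear the session down, including on failure, so no token-bearing session lingers
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Because nothing interactive is available to a scheduled task, wrap the call in Start-Transcript or write the warning to the event log, otherwise the expiry warning above is never seen and the job stops one day without notice.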