Exchange Online PowerShell with Modern Authentication and Azure MFA available!

A while back I wrote a blog post on how you could use Azure AD Privileged Identity Management to indirectly require MFA for Office 365 Administrator Roles activation before they connected to Exchange online via Remote PowerShell. See

In december a new Exchange Online Remote PowerShell Module was released (in preview),, that uses Modern Authentication and that supports Azure Multi-Factor Authentication. Lets try it out:

First you need to verify that Modern Authentication is enabled in your Exchange Online organization, as this is not enabled by default:

In my Exchange Online organization I verify that Modern Authentication is enabled:


Next logon to your Exchange Online Admin Center, and go to Hybrid to download and configure the Exchange Online PowerShell Module:


The configure button activates a click once install:


After installation I’m ready to connect:


Lets try it out on a MFA enabled admin user:


And as expected, I’m prompted to provide my verification code:


And after verification I can administer Exchange Online:


So with that we are finally able to log in to Exchange Online PowerShell more securely with Azure Multi-Factor Authentication as long as Modern Authentication is enabled for your organization!

13 thoughts on “Exchange Online PowerShell with Modern Authentication and Azure MFA available!

  1. Pingback: How to enable Azure MFA for Online PowerShell Modules that don’t support MFA? | GoToGuy Blog

  2. Michael Frank

    In our Exchange Online deployment we are using MFA with Symantec VIP for the multi factor authentication. We have deployed ADFS and do not require MFA when connecting from our local environment. I have tried using the PowerShell module and when it tries to authenticate it there is a popup up with an error saying “An error occurred.” It says Relaying party: Microsoft Office 365 Identity Platform so there seems to be an issue with the Modern Authentication configuration. Normal Office 365 access works find but the PowerShell module does not. Do you have any experience with this and ADFS? Thanks.

  3. Pingback: Office 365 – 2 wekelijks overzicht – deel 9 | SP&C NL

  4. Pingback: Office 365 – Bi-weekly Summary – Part 9 – Sjoukje Zaal

  5. Alex P.

    Thanks for this article, helped a lot!

    I have one question, not sure if you might be able to help: I want to use this “module” but I can’t seem to be able to load it into a regular Powershell window.

    I’d need to be able to write a script, using this “module”, in ISE, but can’t seem to figure out how, or even if it’s possible.

    Would you have any insight for me on this ?

    Thank you!

      1. Alex P.

        After some partial Google Translate, managed to figure out his script and it works fine.
        Thank you very much for your help, that’ll save me a ton of time 🙂

  6. iwifia

    I am getting failures when I run the installer

    Windows : 10.0.14393.0 (Win32NT)
    Common Language Runtime : 4.0.30319.42000
    System.Deployment.dll : 4.6.1586.0 built by: NETFXREL2
    clr.dll : 4.6.1586.0 built by: NETFXREL2
    dfdll.dll : 4.6.1586.0 built by: NETFXREL2
    dfshim.dll : 10.0.14393.0 (rs1_release.160715-1616)

    Deployment url : file:///C:/temp/Microsoft.Online.CSE.PSModule.Client.application

    Deployment Identity : Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.1559.0, Culture=neutral, PublicKeyToken=c3bce3770c238a49, processorArchitecture=msil

    * Installable application.
    * Trust url parameter is set.
    Below is a summary of the errors, details of these errors are listed later in the log.
    * Activation of C:\temp\Microsoft.Online.CSE.PSModule.Client.application resulted in exception. Following failure messages were detected:
    + Deployment and application do not have matching security zones.

    No transaction error was detected.

    There were no warnings during this operation.

    * [2/21/2017 5:28:43 PM] : Activation of C:\temp\Microsoft.Online.CSE.PSModule.Client.application has started.
    * [2/21/2017 5:28:43 PM] : Processing of deployment manifest has successfully completed.
    * [2/21/2017 5:28:43 PM] : Installation of the application has started.

    Following errors were detected during this operation.
    * [2/21/2017 5:28:43 PM] System.Deployment.Application.InvalidDeploymentException (Zone)
    – Deployment and application do not have matching security zones.
    – Source: System.Deployment
    – Stack trace:
    at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
    at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
    at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
    at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
    at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

    No transaction information is available.

    1. Jan Vidar Elven Post author

      Haven’t experienced that,
      looks like an environmental error. Try downloading and install from another browser if possible.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s