Exchange Online PowerShell with Modern Authentication and Azure MFA available!

A while back I wrote a blog post on how you could use Azure AD Privileged Identity Management to indirectly require MFA for Office 365 Administrator Roles activation before they connected to Exchange Online via Remote PowerShell. See https://gotoguy.blog/2016/09/09/how-to-enable-azure-mfa-for-online-powershell-modules-that-dont-support-mfa/.

In December a new Exchange Online Remote PowerShell Module was released (in preview), https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160), that uses Modern Authentication and supports Azure Multi-Factor Authentication. Let's try it out:

First you need to verify that Modern Authentication is enabled in your Exchange Online organization, as this is not enabled by default: https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f918-49cd-8238-56f57f38d662?ui=en-US&rs=en-US&ad=US

In my Exchange Online organization I verify that Modern Authentication is enabled:

image

Next, log on to your Exchange Online Admin Center and go to Hybrid to download and configure the Exchange Online PowerShell Module:

image

The Configure button activates a ClickOnce install:

image

After installation I’m ready to connect:

image

Let's try it out on an MFA-enabled admin user:

image

And as expected, I’m prompted to provide my verification code:

image

And after verification I can administer Exchange Online:

image

So with that we are finally able to log in to Exchange Online PowerShell more securely with Azure Multi-Factor Authentication as long as Modern Authentication is enabled for your organization!
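
The verification and connection steps above as commands, added here as an example and not recovered from the original post's screenshots. It assumes the organization setting being checked is `OAuth2ClientProfileEnabled` and uses the placeholder account `admin@contoso.example`; stage 1 needs an already-connected Exchange Online session, while stages 2 and 3 run in the Exchange Online PowerShell Module window.

```powershell
# Added example, not from the original post.

function Test-ModernAuthEnabled {
    <#
      Returns $true when Modern Authentication is enabled for the organization.
      Must run in a session where the Exchange Online cmdlets are already loaded.
    #>
    if (-not (Get-Command Get-OrganizationConfig -ErrorAction SilentlyContinue)) {
        throw 'Not connected to Exchange Online: Get-OrganizationConfig is unavailable.'
    }
    [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
}

# Stage 1 (existing Exchange Online session): check the organization setting.
if (Test-ModernAuthEnabled) {
    Write-Host 'Modern Authentication is enabled.'
} else {
    # Print the fix instead of applying it, so the change stays a deliberate step.
    Write-Warning 'Modern Authentication is disabled. To enable it, run:'
    Write-Warning '  Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
}

# Stage 2 (Exchange Online PowerShell Module window): connect. The sign-in
# dialog asks for the password and then the MFA verification code.
# admin@contoso.example is a placeholder UPN.
Connect-EXOPSSession -UserPrincipalName 'admin@contoso.example'

# Stage 3 (same window): confirm the remote session is open before running
# any administrative cmdlets.
Get-PSSession |
    Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
    Format-Table ComputerName, State, Availability -AutoSize
```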

13 thoughts on “Exchange Online PowerShell with Modern Authentication and Azure MFA available!”


  2. Michael Frank

    In our Exchange Online deployment we are using MFA with Symantec VIP for the multi-factor authentication. We have deployed ADFS and do not require MFA when connecting from our local environment. I have tried using the PowerShell module and when it tries to authenticate there is a popup with an error saying “An error occurred.” It says Relaying party: Microsoft Office 365 Identity Platform so there seems to be an issue with the Modern Authentication configuration. Normal Office 365 access works fine but the PowerShell module does not. Do you have any experience with this and ADFS? Thanks.


  5. Alex P.

    Hi,
    Thanks for this article, helped a lot!

    I have one question, not sure if you might be able to help: I want to use this “module” but I can’t seem to be able to load it into a regular Powershell window.

    I’d need to be able to write a script, using this “module”, in ISE, but can’t seem to figure out how, or even if it’s possible.

    Would you have any insight for me on this?

    Thank you!

      1. Alex P.

        After some partial Google Translate, managed to figure out his script and it works fine.
        Thank you very much for your help, that’ll save me a ton of time 🙂

  6. iwifia

    I am getting failures when I run the installer

    PLATFORM VERSION INFO
    Windows : 10.0.14393.0 (Win32NT)
    Common Language Runtime : 4.0.30319.42000
    System.Deployment.dll : 4.6.1586.0 built by: NETFXREL2
    clr.dll : 4.6.1586.0 built by: NETFXREL2
    dfdll.dll : 4.6.1586.0 built by: NETFXREL2
    dfshim.dll : 10.0.14393.0 (rs1_release.160715-1616)

    SOURCES
    Deployment url : file:///C:/temp/Microsoft.Online.CSE.PSModule.Client.application

    IDENTITIES
    Deployment Identity : Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.1559.0, Culture=neutral, PublicKeyToken=c3bce3770c238a49, processorArchitecture=msil

    APPLICATION SUMMARY
    * Installable application.
    * Trust url parameter is set.
    ERROR SUMMARY
    Below is a summary of the errors, details of these errors are listed later in the log.
    * Activation of C:\temp\Microsoft.Online.CSE.PSModule.Client.application resulted in exception. Following failure messages were detected:
    + Deployment and application do not have matching security zones.

    COMPONENT STORE TRANSACTION FAILURE SUMMARY
    No transaction error was detected.

    WARNINGS
    There were no warnings during this operation.

    OPERATION PROGRESS STATUS
    * [2/21/2017 5:28:43 PM] : Activation of C:\temp\Microsoft.Online.CSE.PSModule.Client.application has started.
    * [2/21/2017 5:28:43 PM] : Processing of deployment manifest has successfully completed.
    * [2/21/2017 5:28:43 PM] : Installation of the application has started.

    ERROR DETAILS
    Following errors were detected during this operation.
    * [2/21/2017 5:28:43 PM] System.Deployment.Application.InvalidDeploymentException (Zone)
    – Deployment and application do not have matching security zones.
    – Source: System.Deployment
    – Stack trace:
    at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
    at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
    at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
    at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
    at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

    COMPONENT STORE TRANSACTION DETAILS
    No transaction information is available.

    1. Jan Vidar Elven Post author

      Haven’t experienced that, looks like an environmental error. Try downloading and installing from another browser if possible.
