A while back I wrote a blog post on how you could use Azure AD Privileged Identity Management to indirectly require MFA when Office 365 administrator roles are activated, before the admins connect to Exchange Online via Remote PowerShell. See https://gotoguy.blog/2016/09/09/how-to-enable-azure-mfa-for-online-powershell-modules-that-dont-support-mfa/.
In December a new Exchange Online Remote PowerShell Module was released (in preview), https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160), that uses Modern Authentication and supports Azure Multi-Factor Authentication. Let's try it out:
First you need to verify that Modern Authentication is enabled in your Exchange Online organization, as this is not enabled by default: https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f918-49cd-8238-56f57f38d662?ui=en-US&rs=en-US&ad=US
In my Exchange Online organization I verify that Modern Authentication is enabled:
Next, log on to your Exchange Online Admin Center and go to Hybrid to download and configure the Exchange Online PowerShell Module:
The Configure button starts a ClickOnce install:
After installation I’m ready to connect:
Let's try it out with an MFA-enabled admin user:
And as expected, I’m prompted to provide my verification code:
And after verification I can administer Exchange Online:
So with that we are finally able to log in to Exchange Online PowerShell more securely with Azure Multi-Factor Authentication as long as Modern Authentication is enabled for your organization!
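The verification and connection steps above as PowerShell, as an added example that is not part of the original post. It assumes the first part runs in an already connected Exchange Online session, and admin@contoso.onmicrosoft.com is a placeholder UPN.

```powershell
# Added example, not from the original post.
# Assumption: placeholder admin account, replace with your own MFA-enabled admin.
$AdminUpn = 'admin@contoso.onmicrosoft.com'

function Test-ExoModernAuth {
    # OAuth2ClientProfileEnabled is the organization-wide switch for
    # Modern Authentication in Exchange Online.
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        Organization      = $org.Name
        ModernAuthEnabled = [bool]$org.OAuth2ClientProfileEnabled
    }
}

# Part 1: run in an existing Exchange Online PowerShell session.
if (Get-Command Get-OrganizationConfig -ErrorAction SilentlyContinue) {
    $state = Test-ExoModernAuth
    $state | Format-Table -AutoSize

    if (-not $state.ModernAuthEnabled) {
        # Not enabled by default, so turn it on and read the value back.
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        Test-ExoModernAuth | Format-Table -AutoSize
    }
}
else {
    Write-Warning 'No Exchange Online session found; connect first to check the organization config.'
}

# Part 2: run in the Exchange Online PowerShell Module window opened from
# the ClickOnce shortcut, where Connect-EXOPSSession is available.
if (Get-Command Connect-EXOPSSession -ErrorAction SilentlyContinue) {
    # Opens the Modern Authentication sign-in, including the MFA prompt.
    Connect-EXOPSSession -UserPrincipalName $AdminUpn

    # Confirm that a remote Exchange session is open before running cmdlets.
    Get-PSSession |
        Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
        Format-Table ComputerName, State, Availability -AutoSize
}
else {
    Write-Warning 'Connect-EXOPSSession not found; start the module from its ClickOnce shortcut.'
}
```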
In our Exchange Online deployment we are using MFA with Symantec VIP for the multi factor authentication. We have deployed ADFS and do not require MFA when connecting from our local environment. I have tried using the PowerShell module and when it tries to authenticate there is a popup with an error saying “An error occurred.” It says Relying party: Microsoft Office 365 Identity Platform so there seems to be an issue with the Modern Authentication configuration. Normal Office 365 access works fine but the PowerShell module does not. Do you have any experience with this and ADFS? Thanks.
Hi, did you enable Modern Authentication as well for Exchange Online?
Hi,
Thanks for this article, helped a lot!
I have one question, not sure if you might be able to help: I want to use this “module” but I can’t seem to be able to load it into a regular PowerShell window.
I’d need to be able to write a script, using this “module”, in ISE, but can’t seem to figure out how, or even if it’s possible.
Would you have any insight for me on this?
Thank you!
Thanks for your feedback, this module is installed as a ClickOnce installation in local app data. This guy seems to have figured it out, http://blog.zomputer.hu/content/exchange-online-powershell-toebbfaktoros-azonositassal-mfa
After some partial Google Translate, managed to figure out his script and it works fine.
Thank you very much for your help, that’ll save me a ton of time 🙂
Happy to help!
I am getting failures when I run the installer
PLATFORM VERSION INFO
Windows : 10.0.14393.0 (Win32NT)
Common Language Runtime : 4.0.30319.42000
System.Deployment.dll : 4.6.1586.0 built by: NETFXREL2
clr.dll : 4.6.1586.0 built by: NETFXREL2
dfdll.dll : 4.6.1586.0 built by: NETFXREL2
dfshim.dll : 10.0.14393.0 (rs1_release.160715-1616)
SOURCES
Deployment url : file:///C:/temp/Microsoft.Online.CSE.PSModule.Client.application
IDENTITIES
Deployment Identity : Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.1559.0, Culture=neutral, PublicKeyToken=c3bce3770c238a49, processorArchitecture=msil
APPLICATION SUMMARY
* Installable application.
* Trust url parameter is set.
ERROR SUMMARY
Below is a summary of the errors, details of these errors are listed later in the log.
* Activation of C:\temp\Microsoft.Online.CSE.PSModule.Client.application resulted in exception. Following failure messages were detected:
+ Deployment and application do not have matching security zones.
COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.
WARNINGS
There were no warnings during this operation.
OPERATION PROGRESS STATUS
* [2/21/2017 5:28:43 PM] : Activation of C:\temp\Microsoft.Online.CSE.PSModule.Client.application has started.
* [2/21/2017 5:28:43 PM] : Processing of deployment manifest has successfully completed.
* [2/21/2017 5:28:43 PM] : Installation of the application has started.
ERROR DETAILS
Following errors were detected during this operation.
* [2/21/2017 5:28:43 PM] System.Deployment.Application.InvalidDeploymentException (Zone)
– Deployment and application do not have matching security zones.
– Source: System.Deployment
– Stack trace:
at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
COMPONENT STORE TRANSACTION DETAILS
No transaction information is available.
Haven’t experienced that, looks like an environmental error. Try downloading and installing from another browser if possible.
Try Windows explorer
I think Rauf meant “internet explorer” -> that was my issue …