How to: Securely connect to Office 365 and Azure AD using PowerShell & MFA


Securely connect to your Office 365 organization and Azure AD using PowerShell and MFA with up-to-date modules to perform administration tasks from the command line. There are multiple PowerShell console options; this article covers two common scenarios, using either the Azure Active Directory PowerShell console or the Exchange Online PowerShell console.

The Problem
Official Microsoft TechNet, support and docs documentation is a bit confusing, as Microsoft is deprecating modules while releasing new modules and cmdlets, without removing old articles. This article documents the steps to securely connect to Office 365 services, with a focus on Exchange Online, using the most up-to-date PowerShell modules. The content below does not cover scenarios that include programmatic access with access tokens and certificates. An additional post will document Azure Multi-Factor Authentication for admins and the use of Azure AD Privileged Identity Management, which is an Azure AD Premium P2 / EMS E5 feature. Azure MFA is included for licensed Office 365 users, so no additional purchases are required to complete the following steps.

Keep in mind, not all scenarios support Azure MFA natively. Here’s an overview of the main modules that DO support Azure MFA today.

  • Exchange Online PowerShell supports Azure MFA with Connect-EXOPSSession.
  • Skype for Business Online PowerShell supports Azure MFA with New-CsOnlineSession.
  • SharePoint Online PowerShell supports Azure MFA with Connect-SPOService.
  • Azure AD v2 (for Graph) PowerShell supports Azure MFA with Connect-AzureAD.
  • Azure Resource Manager PowerShell supports Azure MFA with Login-AzureRMAccount.
  • Azure Rights Management Service PowerShell supports Azure MFA with Connect-AADrmService.


Get Started By Installing the Software Updates

Step 1: We start by installing the Azure AD V2 module. (This is required for the new cmdlets and the ADAL authentication libraries that support modern authentication.)
Step 2: Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator).
Step 3: In the Administrator: Windows PowerShell command window, run this command: Get-Module -Name AzureAD -list | Select-Object Name,Version,Path or just Get-Module
Step 4: Check the module version number for “AzureAD” and the file path.
Step 5: As of this writing, you should have version or greater.
Step 6: If you need a more recent version, run the command: Install-Module -Name AzureAD
Step 7: If prompted about installing a module from an untrusted repository, type Y and press ENTER.
Step 8: Verify connectivity by running the command: Connect-AzureAD

Step 9: The following steps install the new Exchange Online Remote PowerShell Module, called ExoPowershellModule.
Step 10: Verify that Windows Remote Management (WinRM) on your computer has basic authentication set to True.
Step 11: Launch the command prompt as an administrator and run the command: winrm get winrm/config/client/auth
Step 12: If Basic is not set to True, run the command: winrm set winrm/config/client/auth @{Basic="true"}
Step 13: Launch Internet Explorer only.
Step 14: Log into the Office 365 portal at
Step 15: Inside the Office 365 Admin Center, Open the Exchange admin center (EAC) for your Exchange Online organization.
Step 16: In the EAC, go to Hybrid.
Step 17: Click the Configure button with the text that reads, “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely.”
Step 18: This will launch an application install dialog box. In the Application Install window that opens, click Install.
Step 19: After the install, verify that a new desktop shortcut called Microsoft Exchange Online PowerShell module has been created.
Step 20: Launch the new Exchange Online PowerShell shortcut and run the command Get-Module to verify that the new ExoPowerShellModule has been installed.
Step 21: Choose which PowerShell console to use between the new Active Directory V2 or the new Exchange Online PowerShell console
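
The checks from Steps 3 to 5, 11 and 20 can be run in one pass before choosing a console. This is an added example, not part of the original article or of any Microsoft module; the function name Test-ExoMfaPrereq is hypothetical, and it assumes the WinRM service is running and the console is elevated.

```powershell
# Added example: pre-flight check for the prerequisites installed above.
# Test-ExoMfaPrereq is a hypothetical helper name, not a Microsoft cmdlet.
function Test-ExoMfaPrereq {
    [CmdletBinding()]
    param()

    # Newest installed AzureAD (V2) module, if any (Steps 3 to 5).
    $aad = Get-Module -Name AzureAD -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1

    # WinRM client Basic setting, read through the WSMan: provider (Step 11).
    # Reading it needs the WinRM service running and usually elevation.
    $basic = $null
    try {
        $basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic -ErrorAction Stop).Value
    } catch {
        Write-Warning "Could not read WinRM client auth settings: $($_.Exception.Message)"
    }

    # ClickOnce-installed Exchange Online module DLL (Step 20), using the
    # same search the article uses in Option 1 and skipping "_none_" paths.
    $appRoot = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Apps\2.0'
    $exoDll = Get-ChildItem -Path $appRoot -Recurse -ErrorAction SilentlyContinue `
            -Filter 'Microsoft.Exchange.Management.ExoPowershellModule.dll' |
        Where-Object { $_.FullName -notmatch '_none_' } |
        Select-Object -First 1

    # One object per run, so the result can be logged or compared later.
    [pscustomobject]@{
        AzureADInstalled = [bool]$aad
        AzureADVersion   = if ($aad) { $aad.Version.ToString() } else { $null }
        AzureADPath      = if ($aad) { $aad.ModuleBase } else { $null }
        WinRMClientBasic = $basic
        ExoModuleFound   = [bool]$exoDll
        ExoModulePath    = if ($exoDll) { $exoDll.FullName } else { $null }
    }
}

Test-ExoMfaPrereq | Format-List
```

A WinRMClientBasic value of false, or a null value with a warning, means Steps 10 to 12 still need attention; ExoModuleFound false means the EAC download in Steps 13 to 19 has not completed for the current user profile.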


Enable MFA For Office 365 Licensed Users

Step 1: Go to the Office 365 admin center.
Step 2: Navigate to Users > Active users
Step 3: In the Office 365 admin center, click More > Setup Azure multi-factor auth
Step 4: Find the admin account that you want to enable for MFA.
Step 5: Check the check box next to the users you want to enable.
Step 6: On the right user info pane, under quick steps you’ll see Enable and Manage user settings. Choose Enable.
Step 7: In the dialog box that opens, click enable multi-factor auth.


Option 1) Use the Windows Azure Active Directory V2 Powershell Module to connect to Exchange Online Securely
Step 1: Open the console labelled, Windows Azure Active Directory Module for Windows Powershell
Step 2: Run the command, Get-Module
Step 3: Verify if the modules AzureAD or ExoPowershellModule are already listed.
Step 4: If the Exchange Online module is not listed, then we will load it by running the following commands:

  1. Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
  2. $EXOSession = New-ExoPSSession
  3. Import-PSSession $EXOSession

Step 5: Verify the module is loaded by running, Get-Module
Step 6: Connect to the Exchange Online organization by running the command, Connect-EXOPSSession


Option 2) Use the new Microsoft Exchange Online Module to connect to Exchange Online Securely
Step 1: Run the command, Connect-EXOPSSession -UserPrincipalName or simply Connect-EXOPSSession
Step 2: Sign in to Office 365 when prompted with an administrator username and password, along with the Microsoft Authenticator app.
Step 3: Run the command, Import-Module AzureAD
Step 4: Verify by running the commands Get-Mailbox and Get-User