How to: Connect to Office 365 Exchange Online with PowerShell

Summary

This comprehensive guide covers all modern methods for connecting to Microsoft Exchange Online using the Exchange Online PowerShell V3 module. All legacy authentication methods, including Basic Authentication and Remote PowerShell (RPS), have been deprecated and are no longer supported.

Installing the Exchange Online PowerShell Module

Step 1: Check for Existing Module

First, verify if the module is already installed:

Get-Module -ListAvailable -Name ExchangeOnlineManagement

Step 2: Install or Update the Module

To install the latest version of the Exchange Online Management module:

Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber

If the module is already installed, update it to the latest version:

Update-Module -Name ExchangeOnlineManagement

To install for the current user only (no administrator rights required):

Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force

Step 3: Verify Installation

Confirm the module is installed correctly:

Get-InstalledModule -Name ExchangeOnlineManagement

Step 4: Import the Module (Optional)

While the module loads automatically when you run connection commands, you can manually import it:

Import-Module ExchangeOnlineManagement

Connection Method 1: Interactive Authentication (with MFA Support)

This is the recommended method for manual administrative tasks. It supports multi-factor authentication and provides an interactive sign-in experience.

Basic Interactive Connection

Connect-ExchangeOnline -UserPrincipalName admin@365adviser.com

What happens:

1. A browser window or authentication prompt appears
2. Enter your password
3. Complete MFA verification if enabled (Microsoft Authenticator app, SMS code, etc.)
4. Upon success, you’re connected to Exchange Online PowerShell

Interactive Connection Without Showing Banner

To suppress the connection banner message:

Connect-ExchangeOnline -UserPrincipalName admin@365adviser.com -ShowBanner:$false

Connection with Specific Cmdlet Help Loading

To enable Get-Help for Exchange Online cmdlets (version 3.7.0 or later):

Connect-ExchangeOnline -UserPrincipalName admin@365adviser.com -LoadCmdletHelp

Complete Example Script

# Import the module
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@365adviser.com -ShowBanner:$false

# Verify connection
Get-ConnectionInformation

# Run Exchange Online commands
Get-Mailbox -ResultSize 10

# Disconnect when finished
Disconnect-ExchangeOnline -Confirm:$false

Connection Method 2: Non-Interactive Authentication (Stored Credentials)

This method allows connection without interactive prompts using stored credentials. Note: This method is less secure and should only be used in trusted environments. MFA must be disabled on the account.

Storing Credentials Securely

# Prompt for credentials and store them
$UserCredential = Get-Credential

# Connect using stored credentials
Connect-ExchangeOnline -Credential $UserCredential

Using Encrypted Password

# Convert password to secure string
$Password = ConvertTo-SecureString -String 'YourPassword' -AsPlainText -Force

# Create credential object
$Credential = New-Object System.Management.Automation.PSCredential ('admin@365adviser.com', $Password)

# Connect to Exchange Online
Connect-ExchangeOnline -Credential $Credential

Complete Script Example

# Define credentials
$Username = "admin@365adviser.com"
$Password = ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($Username, $Password)

# Connect to Exchange Online
Connect-ExchangeOnline -Credential $Credential -ShowBanner:$false

# Verify connection
Get-EXOMailbox -Identity admin@365adviser.com

# Disconnect
Disconnect-ExchangeOnline -Confirm:$false

Security Warning: Never hardcode passwords in scripts. Use Azure Key Vault or secure credential storage solutions for production environments.

Connection Method 3: Certificate-Based Authentication (App-Only for Automation)

Certificate-based authentication enables unattended scripts and automation scenarios without storing user credentials. This is the recommended approach for automated tasks, scheduled scripts, and CI/CD pipelines.

Prerequisites for Certificate-Based Authentication

1. Azure AD app registration
2. Self-signed or CA-issued certificate
3. Exchange Administrator role assigned to the app
4. API permissions configured

Step 1: Create a Self-Signed Certificate

Generate a self-signed certificate using PowerShell:

# Define certificate parameters
$CertificateName = "ExchangeOnlineAutomation"
$CertificateSubject = "CN=$CertificateName"
$ExpirationYears = 2

# Create the certificate
$Certificate = New-SelfSignedCertificate `
    -Subject $CertificateSubject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears($ExpirationYears)

# Display certificate thumbprint (save this for later)
Write-Host "Certificate Thumbprint: $($Certificate.Thumbprint)" -ForegroundColor Green

Step 2: Export the Certificate

Export the certificate for upload to Azure AD:

# Export certificate to .cer format (public key only)
$CertificatePath = "C:\Certificates\ExchangeOnlineAutomation.cer"
Export-Certificate -Cert $Certificate -FilePath $CertificatePath

# Export certificate with private key to .pfx format (for backup or other machines)
$PfxPassword = ConvertTo-SecureString -String "SecurePassword123!" -AsPlainText -Force
$PfxPath = "C:\Certificates\ExchangeOnlineAutomation.pfx"
Export-PfxCertificate -Cert $Certificate -FilePath $PfxPath -Password $PfxPassword

Step 3: Register an Application in Azure AD

1. Navigate to Azure Portal > Azure Active Directory > App registrations
2. Click New registration
3. Provide an application name (e.g., “Exchange Online PowerShell Automation”)
4. Select Accounts in this organizational directory only
5. Click Register
6. Copy and save the Application (client) ID and Directory (tenant) ID

Step 4: Upload Certificate to the Application

1. In your app registration, go to Certificates & secrets
2. Click Upload certificate
3. Upload the .cer file created in Step 2
4. Note the certificate Thumbprint displayed

Step 5: Configure API Permissions

1. In your app registration, go to API permissions
2. Click Add a permission
3. Select APIs my organization uses
4. Search for and select Office 365 Exchange Online
5. Select Application permissions
6. Expand Exchange and select Exchange.ManageAsApp
7. Click Add permissions
8. Click Grant admin consent for [your organization]
9. Click Yes to confirm

Step 6: Assign Azure AD Role to the Application

The application needs the Exchange Administrator role:

Option A: Using Azure Portal

1. Navigate to Azure Active Directory > Roles and administrators
2. Search for and select Exchange Administrator
3. Click Add assignments
4. Search for your application name
5. Select it and click Add

Option B: Using PowerShell

# Install Microsoft Graph module if not already installed
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect to Microsoft Graph
Connect-MgGraph -Scopes RoleManagement.ReadWrite.Directory

# Get the service principal for your app
$AppId = "YOUR-APP-ID-HERE"
$ServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '$AppId'"

# Get the Exchange Administrator role definition
$RoleDefinition = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "DisplayName eq 'Exchange Administrator'"

# Assign the role to the service principal
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $ServicePrincipal.Id `
    -RoleDefinitionId $RoleDefinition.Id `
    -DirectoryScopeId "/"

Write-Host "Exchange Administrator role assigned successfully" -ForegroundColor Green

Step 7: Connect Using Certificate-Based Authentication

Using Certificate Thumbprint

# Define connection parameters
$AppId = "12345678-1234-1234-1234-123456789012"
$CertificateThumbprint = "1234567890ABCDEF1234567890ABCDEF12345678"
$Organization = "contoso.onmicrosoft.com"

# Connect to Exchange Online
Connect-ExchangeOnline `
    -AppId $AppId `
    -CertificateThumbprint $CertificateThumbprint `
    -Organization $Organization `
    -ShowBanner:$false

# Verify connection
Get-EXOMailbox -ResultSize 5

# Disconnect
Disconnect-ExchangeOnline -Confirm:$false

Using Certificate File Path

# Define connection parameters
$AppId = "12345678-1234-1234-1234-123456789012"
$CertificatePath = "C:\Certificates\ExchangeOnlineAutomation.pfx"
$CertificatePassword = ConvertTo-SecureString -String "SecurePassword123!" -AsPlainText -Force
$Organization = "365adviser.com"

# Connect to Exchange Online
Connect-ExchangeOnline `
    -AppId $AppId `
    -CertificateFilePath $CertificatePath `
    -CertificatePassword $CertificatePassword `
    -Organization $Organization `
    -ShowBanner:$false

Complete Automation Script Example

<#
.SYNOPSIS
    Exchange Online automation script using certificate-based authentication

.DESCRIPTION
    This script connects to Exchange Online using app-only authentication
    and performs automated mailbox management tasks
#>

# Import required module
Import-Module ExchangeOnlineManagement

# Define connection parameters
$AppId = "12345678-1234-1234-1234-123456789012"
$CertificateThumbprint = "1234567890ABCDEF1234567890ABCDEF12345678"
$Organization = "contoso.onmicrosoft.com"
try {
    # Connect to Exchange Online
    Write-Host "Connecting to Exchange Online..." -ForegroundColor Cyan
    Connect-ExchangeOnline `
        -AppId $AppId `
        -CertificateThumbprint $CertificateThumbprint `
        -Organization $Organization `
        -ShowBanner:$false `
        -ErrorAction Stop
   
    Write-Host "Connected successfully!" -ForegroundColor Green
    
    # Perform automated tasks
    Write-Host "Retrieving mailbox statistics..." -ForegroundColor Cyan
    $Mailboxes = Get-EXOMailbox -ResultSize Unlimited
    $MailboxStats = $Mailboxes | ForEach-Object {
        Get-EXOMailboxStatistics -Identity $_.UserPrincipalName
    }
    
    # Export results
    $MailboxStats | Export-Csv -Path "C:\Reports\MailboxStats_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
    Write-Host "Report generated successfully!" -ForegroundColor Green   
} catch {
    Write-Error "An error occurred: $_"
} finally {
    # Disconnect from Exchange Online
    Write-Host "Disconnecting from Exchange Online..." -ForegroundColor Cyan
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    Write-Host "Disconnected" -ForegroundColor Green
}

Connection Method 4: Managed Identity Authentication (Azure Resources)

Managed identities provide an identity for Azure resources to use when connecting to Exchange Online, eliminating the need to manage credentials. This method is ideal for Azure Automation, Azure Functions, and Azure Virtual Machines.

Prerequisites

• Azure resource with managed identity enabled (Automation Account, VM, or Function App)
• Exchange Administrator role assigned to the managed identity
• Exchange.ManageAsApp API permission granted

Step 1: Enable Managed Identity on Azure Resource

For Azure Automation Account

# Connect to Azure
Connect-AzAccount

# Define parameters
$ResourceGroupName = "rg-ExchangeAutomation"
$AutomationAccountName = "aa-ExchangeOnline"
$Location = "East US"

# Create resource group if it doesn't exist
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force

# Create Automation Account with system-assigned managed identity
New-AzAutomationAccount `
    -ResourceGroupName $ResourceGroupName `
    -Name $AutomationAccountName `
    -Location $Location `
    -AssignSystemIdentity

# Or enable managed identity on existing account
Set-AzAutomationAccount `
    -ResourceGroupName $ResourceGroupName `
    -Name $AutomationAccountName `
    -AssignSystemIdentity

For Azure VM

# Enable system-assigned managed identity on VM
$VM = Get-AzVM -ResourceGroupName "YourResourceGroup" -Name "YourVMName"
Update-AzVM -ResourceGroupName "YourResourceGroup" -VM $VM -IdentityType SystemAssigned

Step 2: Get Managed Identity Principal ID

# For Automation Account
$AutomationAccount = Get-AzAutomationAccount `
    -ResourceGroupName $ResourceGroupName `
    -Name $AutomationAccountName
$PrincipalId = $AutomationAccount.Identity.PrincipalId
Write-Host "Managed Identity Principal ID: $PrincipalId" -ForegroundColor Green

Step 3: Assign API Permissions to Managed Identity

# Connect to Microsoft Graph
Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All, Application.Read.All

# Get the service principal for Exchange Online
$ExoServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"

# Get the Exchange.ManageAsApp permission
$AppRole = $ExoServicePrincipal.AppRoles | Where-Object {$_.Value -eq "Exchange.ManageAsApp"}

# Get the managed identity service principal
$ManagedIdentitySP = Get-MgServicePrincipal -Filter "Id eq '$PrincipalId'"

# Assign the permission
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $ManagedIdentitySP.Id `
    -PrincipalId $ManagedIdentitySP.Id `
    -ResourceId $ExoServicePrincipal.Id `
    -AppRoleId $AppRole.Id
Write-Host "Exchange.ManageAsApp permission granted" -ForegroundColor Green

Step 4: Assign Exchange Administrator Role

# Connect to Microsoft Graph with required permissions
Connect-MgGraph -Scopes RoleManagement.ReadWrite.Directory

# Get the Exchange Administrator role
$RoleDefinition = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "DisplayName eq 'Exchange Administrator'"

# Assign the role to the managed identity
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $PrincipalId `
    -RoleDefinitionId $RoleDefinition.Id `
    -DirectoryScopeId "/"
Write-Host "Exchange Administrator role assigned" -ForegroundColor Green

Step 5: Install Exchange Online Module on Azure Resource

For Azure Automation

1. Navigate to Azure Portal > Automation Account > Modules
2. Click Browse gallery
3. Install modules in this order:
   • PackageManagement
   • PowerShellGet
   • ExchangeOnlineManagement (version 3.0 or later)

PowerShell Alternative

# Install required modules to Automation Account
$Modules = @("PackageManagement", "PowerShellGet", "ExchangeOnlineManagement")
foreach ($Module in $Modules) {
    New-AzAutomationModule `
        -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName `
        -Name $Module `
        -ContentLink "https://www.powershellgallery.com/api/v2/package/$Module"
    
    Write-Host "Installing $Module..." -ForegroundColor Cyan
    Start-Sleep -Seconds 30  # Wait between installs
}

Step 6: Connect Using System-Assigned Managed Identity

In Azure Automation Runbook

# Azure Automation runbook script
# Runtime: PowerShell 5.1
Import-Module ExchangeOnlineManagement

# Connect using system-assigned managed identity
$Organization = "contoso.onmicrosoft.com"
try {
    Write-Output "Connecting to Exchange Online with Managed Identity..."
    Connect-ExchangeOnline `
        -ManagedIdentity `
        -Organization $Organization `
        -ShowBanner:$false `
        -ErrorAction Stop
   
    Write-Output "Connected successfully!"
   
    # Perform Exchange Online operations
    $Mailboxes = Get-EXOMailbox -ResultSize 10
    Write-Output "Retrieved $($Mailboxes.Count) mailboxes"
    
    # Example: Get mailbox statistics
    foreach ($Mailbox in $Mailboxes) {
        $Stats = Get-EXOMailboxStatistics -Identity $Mailbox.UserPrincipalName
        Write-Output "$($Mailbox.DisplayName): $([math]::Round($Stats.TotalItemSize.Value.ToMB(),2)) MB"
    }
    
} catch {
    Write-Error "Connection failed: $_"
    throw
} finally {
    Write-Output "Disconnecting..."
    Disconnect-ExchangeOnline -Confirm:$false
}

In Azure VM

# Script to run on Azure VM with managed identity
Import-Module ExchangeOnlineManagement

# Connect using the VM's managed identity
Connect-ExchangeOnline `
    -ManagedIdentity `
    -Organization "contoso.onmicrosoft.com"

# Run Exchange commands
Get-Mailbox -ResultSize 10

# Disconnect
Disconnect-ExchangeOnline -Confirm:$false

Step 7: Connect Using User-Assigned Managed Identity

# If using user-assigned managed identity
$ManagedIdentityAccountId = "12345678-1234-1234-1234-123456789012"
$Organization = "contoso.onmicrosoft.com"
Connect-ExchangeOnline `
    -ManagedIdentity `
    -ManagedIdentityAccountId $ManagedIdentityAccountId `
    -Organization $Organization

Complete Azure Automation Example

<#
.SYNOPSIS
    Azure Automation runbook for Exchange Online management

.DESCRIPTION
    This runbook connects to Exchange Online using managed identity
    and performs scheduled maintenance tasks

.NOTES
    Runtime: PowerShell 5.1
    Required Modules: ExchangeOnlineManagement 3.0+
#>

param(
    [Parameter(Mandatory=$true)]
    [string]$Organization
)

# Import module
Import-Module ExchangeOnlineManagement

# Connect using managed identity
try {
    Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Connecting to Exchange Online..."
   
    Connect-ExchangeOnline `
        -ManagedIdentity `
        -Organization $Organization `
        -ShowBanner:$false `
        -ErrorAction Stop
   
    Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Connected successfully!"
   
    # Example task: Find and report on inactive mailboxes
    Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Checking for inactive mailboxes..."
    
    $InactiveDate = (Get-Date).AddDays(-90)
    $AllMailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties WhenChanged
   
    $InactiveMailboxes = $AllMailboxes | Where-Object {
        $_.WhenChanged -lt $InactiveDate
    } | Select-Object DisplayName, UserPrincipalName, WhenChanged
    
    if ($InactiveMailboxes) {
        Write-Output "Found $($InactiveMailboxes.Count) inactive mailboxes:"
        $InactiveMailboxes | ForEach-Object {
            Write-Output "  - $($_.DisplayName) ($($_.UserPrincipalName)) - Last changed: $($_.WhenChanged)"
        }
    } else {
        Write-Output "No inactive mailboxes found"
    }
   
    Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Task completed successfully" 
} catch {
    Write-Error "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Error occurred: $_"
    throw
} finally {
    Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Disconnecting..."
    Disconnect-ExchangeOnline -Confirm:$false
}

Connection Method 5: Delegated Organization Access (CSP/GDAP)

This method is for Microsoft Partners who need to manage customer Exchange Online environments using Cloud Solution Provider (CSP) or Granular Delegated Admin Privileges (GDAP).

Prerequisites

• Partner admin account with delegated access
• Appropriate GDAP or CSP relationship with customer tenant

Connect to Customer Organization

# Partner admin credentials
$PartnerAdmin = "admin@partner.onmicrosoft.com"
$CustomerTenant = "customer.onmicrosoft.com"

# Connect with delegated access
Connect-ExchangeOnline `
    -UserPrincipalName $PartnerAdmin `
    -DelegatedOrganization $CustomerTenant `
    -ShowBanner:$false

# Verify connection to customer tenant
Get-OrganizationConfig | Select-Object Name, Identity

# Perform customer management tasks
Get-Mailbox -ResultSize 10

# Disconnect
Disconnect-ExchangeOnline -Confirm:$false

Connect to Multiple Customer Tenants

# Define partner admin and customer list
$PartnerAdmin = "admin@partner.onmicrosoft.com"
$Customers = @(
    "customer1.onmicrosoft.com",
    "customer2.onmicrosoft.com",
    "customer3.onmicrosoft.com"
)

# Loop through customers
foreach ($Customer in $Customers) {
    try {
        Write-Host "Connecting to $Customer..." -ForegroundColor Cyan
        
        Connect-ExchangeOnline `
            -UserPrincipalName $PartnerAdmin `
            -DelegatedOrganization $Customer `
            -ShowBanner:$false
        
        # Perform tasks for this customer
        $MailboxCount = (Get-EXOMailbox -ResultSize Unlimited).Count
        Write-Host "$Customer has $MailboxCount mailboxes" -ForegroundColor Green
        
        # Disconnect before moving to next customer
        Disconnect-ExchangeOnline -Confirm:$false
        
    } catch {
        Write-Warning "Failed to connect to ${Customer}: $_"
    }
}

Verifying and Managing Connections

Check Current Connection Status

# Get information about current Exchange Online connections
Get-ConnectionInformation

# Output includes:
# - ConnectionId
# - OrganizationName
# - UserPrincipalName (if applicable)
# - ConnectionUri
# - TokenStatus

Multiple Simultaneous Connections

You can maintain multiple Exchange Online connections simultaneously:

# Connect to primary tenant
Connect-ExchangeOnline -UserPrincipalName admin@primary.onmicrosoft.com -Prefix Primary

# Connect to secondary tenant (with different prefix)
Connect-ExchangeOnline -UserPrincipalName admin@secondary.onmicrosoft.com -Prefix Secondary

# Use prefixed cmdlets to target specific tenant
Get-PrimaryMailbox -Identity user@primary.com

Get-SecondaryMailbox -Identity user@secondary.com
# View all connections
Get-ConnectionInformation

# Disconnect specific connection
Disconnect-ExchangeOnline -ConnectionId "connection-guid-here"

# Disconnect all connections
Get-ConnectionInformation | ForEach-Object {
    Disconnect-ExchangeOnline -ConnectionId $_.ConnectionId -Confirm:$false
}

Disconnect from Exchange Online

# Disconnect with confirmation prompt
Disconnect-ExchangeOnline

# Disconnect without confirmation
Disconnect-ExchangeOnline -Confirm:$false

# Disconnect specific connection by ID
$ConnectionId = (Get-ConnectionInformation)[0].ConnectionId

Disconnect-ExchangeOnline -ConnectionId $ConnectionId -Confirm:$false

Optimized Cmdlets for Better Performance

The Exchange Online PowerShell V3 module includes optimized Get-EXO* cmdlets that use REST API for faster data retrieval. Use these cmdlets for large-scale operations:

Standard vs. Optimized Cmdlets

Standard Cmdlet	Optimized EXO Cmdlet	Performance Benefit
Get-Mailbox	Get-EXOMailbox	5-10x faster for bulk operations
Get-Recipient	Get-EXORecipient	Optimized for large result sets
Get-MailboxStatistics	Get-EXOMailboxStatistics	Reduced memory footprint
Get-CasMailbox	Get-EXOCasMailbox	REST API-based retrieval
Get-MailboxFolderStatistics	Get-EXOMailboxFolderStatistics	Faster folder enumeration
Get-MailboxFolderPermission	Get-EXOMailboxFolderPermission	Improved for large mailboxes
Get-MobileDeviceStatistics	Get-EXOMobileDeviceStatistics	Enhanced mobile device data

Example: Using Optimized Cmdlets

# Standard cmdlet (slower for large datasets)
$Mailboxes = Get-Mailbox -ResultSize Unlimited

# Optimized EXO cmdlet (recommended)
$Mailboxes = Get-EXOMailbox -ResultSize Unlimited

# Using property sets for even better performance
$Mailboxes = Get-EXOMailbox -PropertySets All -ResultSize Unlimited

# Retrieve specific properties only
$Mailboxes = Get-EXOMailbox -Properties DisplayName, UserPrincipalName, ProhibitSendQuota

Troubleshooting Common Issues

Issue 1: Module Import Errors

Problem: “The term ‘Connect-ExchangeOnline’ is not recognized”

Solution:

# Verify module is installed
Get-Module -ListAvailable -Name ExchangeOnlineManagement

# If not found, install it
Install-Module -Name ExchangeOnlineManagement -Force

# Import module manually
Import-Module ExchangeOnlineManagement -Force

Issue 2: Authentication Failures

Problem: “Authorization_RequestDenied” or “Access Denied” errors

Solution:

# Verify account has Exchange admin rights
# Check Azure AD role assignments
# Ensure MFA is not blocking automated connections
# For app-only: Verify API permissions and admin consent

Issue 3: Certificate Authentication Failures

Problem: “Certificate not found” or “The role assigned to application isn’t supported”

Solution:

# Verify certificate is installed
Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Thumbprint -eq "YourThumbprint"}
# Verify Exchange Administrator role is assigned to app
# Check Exchange.ManageAsApp API permission is granted and consented

Issue 4: Managed Identity Connection Failures

Problem: “UnAuthorized” when using -ManagedIdentity

Solution:

# Verify managed identity is enabled on the resource
# Confirm Exchange.ManageAsApp permission is granted
# Verify Exchange Administrator role is assigned
# Wait 5-10 minutes after role assignment for propagation

Issue 5: Connection Timeout

Problem: Connection hangs or times out

Solution:

# Verify network connectivity
Test-NetConnection outlook.office365.com -Port 443

# Check proxy settings if behind corporate firewall
# Clear cached tokens
[Microsoft.Exchange.Management.ExoPowershellSnapin.ConnectionManager]::DisconnectAllConnections()

Best Practices

Security Best Practices

1. Use certificate-based authentication for all automation scenarios
2. Enable MFA on all interactive admin accounts
3. Apply principle of least privilege – assign only necessary permissions
4. Rotate certificates regularly (recommend 1-2 year expiration)
5. Store credentials securely using Azure Key Vault or similar solutions
6. Never hardcode passwords in scripts or source code
7. Use managed identities for Azure resources instead of service principals when possible
8. Monitor and audit all Exchange Online PowerShell connections
9. Implement conditional access policies for admin accounts
10. Regularly review API permissions and role assignments

Performance Best Practices

1. Use Get-EXO* cmdlets for large-scale data retrieval operations
2. Limit result sets with -ResultSize parameter to avoid memory issues
3. Use property sets to retrieve only needed properties
4. Disconnect sessions when finished to free resources
5. Avoid running Get-Mailbox -ResultSize Unlimited unless absolutely necessary
6. Batch operations in automation scenarios to reduce API calls
7. Implement error handling with try-catch blocks
8. Use -ShowBanner:$false to reduce output in automated scripts

Scripting Best Practices

<#
.SYNOPSIS
    Template for Exchange Online PowerShell scripts

.DESCRIPTION
    Best practice template with error handling and logging
#>

# Import required module
Import-Module ExchangeOnlineManagement -ErrorAction Stop

# Define parameters
$AppId = "YOUR-APP-ID"
$CertificateThumbprint = "YOUR-THUMBPRINT"
$Organization = "contoso.onmicrosoft.com"
$LogFile = "C:\Logs\ExchangeScript_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"

# Function for logging
function Write-Log {
    param([string]$Message)
    $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $LogMessage = "[$Timestamp] $Message"
    Write-Output $LogMessage
    Add-Content -Path $LogFile -Value $LogMessage
}
try {
    Write-Log "Script started"
    
    # Connect
    Write-Log "Connecting to Exchange Online..."
    Connect-ExchangeOnline `
        -AppId $AppId `
        -CertificateThumbprint $CertificateThumbprint `
        -Organization $Organization `
        -ShowBanner:$false `
        -ErrorAction Stop
    
    Write-Log "Connected successfully"
    
    # Perform operations
    Write-Log "Performing Exchange operations..."
    
    # Your code here
    Write-Log "Operations completed successfully"    
} catch {
    Write-Log "ERROR: $_"
    Write-Error $_
    exit 1
} finally {
    # Always disconnect
    Write-Log "Disconnecting from Exchange Online..."
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    Write-Log "Script completed"
}

Prerequisites

Before connecting to Exchange Online PowerShell, ensure the following requirements are met:

System Requirements

• PowerShell Version: Windows PowerShell 5.1 or PowerShell 7.x (or later)
• Operating Systems: Windows, macOS, or Linux
• Network: TCP port 80 open between your computer and Microsoft 365
• Modules: PowerShellGet and PackageManagement modules (required for REST API connections)

Administrative Requirements

• Exchange Online administrator credentials or appropriate RBAC role
• Account must be enabled for PowerShell access
• For MFA scenarios: Multi-factor authentication configured on the account
• For automation scenarios: Azure AD app registration with appropriate permissions

Execution Policy

Set your PowerShell execution policy to allow script execution:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Additional Resources

Microsoft Official Documentation

• Exchange Online PowerShell Module Overview
• Connect to Exchange Online PowerShell
• App-Only Authentication Guide
• Managed Identity Authentication
• Exchange Online PowerShell Module Release Notes

PowerShell Gallery

• ExchangeOnlineManagement Module

Community Resources

• Microsoft Tech Community – Exchange
• PowerShell Community on GitHub

Version History

Current Module Version: 3.9.0 (as of September 2025)

Key Updates in V3:

• REST API-based cmdlets (no WinRM Basic Authentication required)
• Managed identity support for Azure resources
• Certificate-based authentication improvements
• Enhanced performance with optimized Get-EXO* cmdlets
• Cross-platform support (Windows, macOS, Linux)
• PowerShell 7.x compatibility

Deprecated Features:

• Basic Authentication (permanently disabled October 2022)
• Remote PowerShell (RPS) protocol
• MSOnline V1 module (use Microsoft Graph PowerShell instead)
• New-PSSession method for Exchange Online