Summary
Securely connect to your Office 365 organization and Azure AD using PowerShell and MFA with up-to-date modules to perform administration tasks from the command line.
The Problem
This blog post documents the steps to securely connect to Office 365 services, with a focus on Exchange Online, using the most up-to-date PowerShell modules. The official Microsoft TechNet, support and docs documentation is a bit confusing because Microsoft is deprecating modules while releasing new modules and cmdlets, without removing old articles. This post does not cover scenarios that involve programmatic access with access tokens and certificates. A second post will document Azure Multi-Factor Authentication for admins and the use of Azure AD Privileged Identity Management, which is an Azure AD Premium P2 / EMS E5 feature.
Keep in mind, not all scenarios support Azure MFA. Here’s an overview of the main modules that DO support Azure MFA today.
- Exchange Online PowerShell supports Azure MFA with Connect-EXOPSSession.
- Microsoft Teams PowerShell supports Azure MFA with Connect-MicrosoftTeams.
- Skype for Business Online PowerShell supports Azure MFA with New-CsOnlineSession.
- SharePoint Online PowerShell supports Azure MFA with Connect-SPOService.
- Azure AD v2 (for Graph) PowerShell supports Azure MFA with Connect-AzureAD.
- Azure Resource Manager PowerShell supports Azure MFA with Login-AzureRMAccount.
- Azure Rights Management Service PowerShell supports Azure MFA with Connect-AadrmService.
Get Started By Installing the Updates
Step 1: Install the Azure AD V2 module. It is required for the new cmdlets and the authentication libraries (ADAL) that support modern authentication.
Step 2: Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator).
Step 3: In the Administrator: Windows PowerShell command window, run this command:
Get-Module -Name AzureAD -ListAvailable | Select-Object Name,Version,Path
Step 4: Verify the module version number for “AzureAD”
Step 5: As of this writing, you should have version 2.0.2.31 or greater.
Step 6: If you need a more recent version, run the command: Install-Module -Name AzureAD
Step 7: If prompted about installing a module from an untrusted repository, type Y and press ENTER.
Step 8: Verify connectivity by running the command: Connect-AzureAD
Step 9: The following steps install the new Exchange Online Remote PowerShell Module, called ExoPowershellModule.
Step 10: Verify that Windows Remote Management (WinRM) on your computer has basic authentication set to True.
Step 11: Launch the command prompt as an administrator and run the command:
winrm get winrm/config/client/auth
Step 12: If basic is not set to True, run the command:
winrm set winrm/config/client/auth @{Basic="true"}
Step 13: Launch Internet Explorer only.
Step 14: Log into the Office 365 portal at https://portal.office.com
Step 15: Inside the Office 365 Admin Center, open the Exchange admin center (EAC) for your Exchange Online organization.
Step 16: In the EAC, go to Hybrid.
Step 17: Click the Configure button with the text that reads, “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely.”
Step 18: This will launch an application install dialog box. In the Application Install window that opens, click Install.
Step 19: After the install, verify that a new desktop shortcut called Microsoft Exchange Online PowerShell module has been created.
Step 20: Launch the new Exchange Online PowerShell shortcut and run the command Get-Module to verify that the new ExoPowerShellModule has been installed.
Step 21: Choose which PowerShell console to use between the new Active Directory V2 or the new Exchange Online PowerShell console.
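The version and WinRM checks from the steps above can be run as one preflight. This is an added example, not code from the original post; the function name Test-ExoMfaPrereq is hypothetical. Because Step 12 turns on Basic authentication for the WinRM client, it also confirms that the client's AllowUnencrypted setting is still false.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# console; the WSMan: drive needs the WinRM service to be running.
function Test-ExoMfaPrereq {
    [CmdletBinding()]
    param(
        # Minimum AzureAD module version, taken from Step 5
        [version]$MinimumAzureADVersion = '2.0.2.31'
    )

    # Steps 3-5: newest AzureAD module installed on this machine, if any
    $aad = Get-Module -Name AzureAD -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1

    # Steps 10-12: read the WinRM client settings through the WSMan: provider
    $basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic).Value
    $plain = (Get-Item -Path WSMan:\localhost\Client\AllowUnencrypted).Value

    $result = [pscustomobject]@{
        AzureADVersion        = if ($aad) { $aad.Version } else { $null }
        AzureADCurrent        = [bool]($aad -and $aad.Version -ge $MinimumAzureADVersion)
        WinRMBasicEnabled     = ($basic -eq 'true')
        WinRMAllowUnencrypted = ($plain -eq 'true')
    }

    if (-not $result.AzureADCurrent) {
        Write-Warning "AzureAD module missing or older than $MinimumAzureADVersion (Step 6: Install-Module -Name AzureAD)."
    }
    if (-not $result.WinRMBasicEnabled) {
        # In PowerShell the Step 12 argument must be single-quoted:
        #   winrm set winrm/config/client/auth '@{Basic="true"}'
        Write-Warning 'WinRM client Basic authentication is off (Step 12).'
    }
    if ($result.WinRMAllowUnencrypted) {
        # Basic auth plus unencrypted traffic would expose credentials on the wire
        Write-Warning 'WinRM client AllowUnencrypted is true; set it back to false.'
    }
    $result
}

Test-ExoMfaPrereq | Format-List
```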
Enable MFA For Office 365 Licensed Users
Step 1: Go to the Office 365 admin center.
Step 2: Navigate to Users > Active users
Step 3: In the Office 365 admin center, click More > Setup Azure multi-factor auth
Step 4: Find the admin account that you want to enable for MFA.
Step 5: Check the check box next to the users you want to enable.
Step 6: On the right user info pane, under quick steps you’ll see Enable and Manage user settings. Choose Enable.
Step 7: In the dialog box that opens, click enable multi-factor auth.
Option 1) Use the Windows Azure Active Directory V2 PowerShell Module to connect to Exchange Online Securely
Step 1: Open the console labelled, Windows Azure Active Directory Module for Windows PowerShell
Step 2: Run the command, Get-Module
Step 3: Verify if the modules AzureAD or ExoPowershellModule are already listed.
Step 4: If the Exchange Online module is not listed, then we will load it by running the following commands:
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
$EXOSession = New-ExoPSSession
Import-PSSession $EXOSession
Step 5: Verify the module is loaded by running, Get-Module
Step 6: Connect to the Exchange Online organization by running the command, Connect-EXOPSSession
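Step 4 loads a DLL found by file name under the user-writable %LOCALAPPDATA% folder, so it is worth checking the file's signature before importing it. The following is an added example, not code from the original post: Get-VerifiedExoModulePath is a hypothetical helper, and it assumes the installed DLL carries an Authenticode signature.

```powershell
# Added example (not from the original post).
function Get-VerifiedExoModulePath {
    [CmdletBinding()]
    param(
        # ClickOnce application cache searched in Step 4
        [string]$Root = (Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Apps\2.0')
    )

    # Same search as the Step 4 one-liner, written without aliases
    $name = 'Microsoft.Exchange.Management.ExoPowershellModule.dll'
    $dll = Get-ChildItem -Path $Root -Filter $name -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '_none_' } |
        Select-Object -First 1
    if (-not $dll) { throw "ExoPowershellModule DLL not found under $Root" }

    # Assumption: the installed DLL carries an Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Not loading $($dll.FullName): signature status is $($sig.Status)"
    }
    Write-Verbose "Signer: $($sig.SignerCertificate.Subject)"
    $dll.FullName
}

$EXOSession = $null
try {
    Import-Module (Get-VerifiedExoModulePath -Verbose)
    $EXOSession = New-ExoPSSession          # interactive sign-in with MFA
    Import-PSSession $EXOSession -AllowClobber | Out-Null
    # Quick read-only check that the imported cmdlets work
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Close the remote session so it does not linger after the admin task
    if ($EXOSession) { Remove-PSSession -Session $EXOSession }
}
```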
Option 2) Use the new Microsoft Exchange Online Module to connect to Exchange Online Securely
Step 1: Run the command, Connect-EXOPSSession -UserPrincipalName or simply Connect-EXOPSSession
Step 2: Sign in to Office 365 when prompted with an administrator username and password, along with the Microsoft Authenticator app.
Step 3: Run the command, Import-Module AzureAD
Step 4: Verify by running the commands Get-Mailbox and Get-User
Leave a Reply
Also this happens:
PS C:\Users\anonymouse> winrm set winrm/config/client/auth @{Basic=”true”}
Error: Invalid use of command line. Type “winrm -?” for help.
Looks like it needs single quotes according to this author’s blog http://blucorenetizen.blogspot.com/2011/09/invalid-use-of-command-line-winrmerror.html