Introduction

Microsoft 365 and Azure administrators rely heavily on PowerShell for managing, automating, and reporting on their cloud environments. However, the landscape of PowerShell connectivity to these services has evolved significantly over the past few years, with Microsoft placing a stronger emphasis on security, modern authentication, and consolidation of management tools.

This article provides an updated guide on how to securely connect to Microsoft 365 and Azure using PowerShell with Multi-Factor Authentication (MFA) support. Microsoft is implementing mandatory MFA enforcement in phases, with MFA becoming required for the Microsoft 365 admin center beginning in February 2025, and for Azure CLI, PowerShell, and REST API endpoints starting July 1, 2025. Understanding these changes and implementing secure connection methods is critical for all administrators.

Problem Definition

Administrators face several challenges when connecting to Microsoft 365 and Azure services through PowerShell:

  1. Module Deprecation: As of March 30, 2024, the Azure AD and MSOnline PowerShell modules are officially deprecated, with limited support only for migration assistance to Microsoft Graph PowerShell SDK and security fixes until March 30, 2025. This means many organizations need to migrate their scripts and processes to newer modules.
  2. Multi-Factor Authentication Requirements: Implementing MFA for administrative accounts is no longer optional but a mandatory security practice. Many legacy connection methods don’t support MFA natively.
  3. Authentication Method Changes: Remote PowerShell Protocol (RPS) has been blocked for Exchange Online, requiring administrators to use the Exchange Online PowerShell V3 module which uses REST API connections rather than Basic authentication.
  4. Script Automation Challenges: Running automated scripts becomes challenging when interactive MFA prompts are required. Organizations need secure, non-interactive authentication methods that still comply with strong security practices.
  5. Permission Management: Ensuring scripts use the least permissions necessary can be difficult, especially with the Microsoft Graph PowerShell SDK where permissions can accumulate over time in the service principal.

Solution Options

1. Microsoft Graph PowerShell SDK

The Microsoft Graph PowerShell SDK is now the primary tool for managing Microsoft 365 and Azure resources, providing a unified interface to interact with all Microsoft cloud services.

Installation and Basic Connection

```powershell
# Install the Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect with MFA (interactive)
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
```

When connecting with the Microsoft Graph PowerShell SDK, you need to specify the permission scopes required for the operations you’ll perform. Each API in Microsoft Graph is protected by one or more permission scopes, and the user must consent to these scopes during authentication.

For finding required permissions:

```powershell
# Find permissions needed for a specific command
Find-MgGraphCommand -Command Get-MgUser | Select-Object -ExpandProperty Permissions
```

2. Exchange Online PowerShell V3 Module

The Exchange Online PowerShell V3 module uses modern authentication and REST APIs instead of the deprecated Remote PowerShell connections. This module is required for managing Exchange Online.

Installation and Connection

```powershell
# Install the module
Install-Module -Name ExchangeOnlineManagement

# Connect with MFA
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
```

3. Microsoft Teams PowerShell Module

The Microsoft Teams PowerShell module requires Windows PowerShell 5.1 or PowerShell 7.5 or later, and can be installed from the PowerShell Gallery.

Installation and Connection

```powershell
# Install the module
Install-Module -Name MicrosoftTeams -Force -AllowClobber

# Connect with MFA
Connect-MicrosoftTeams
```

4. SharePoint Online and PnP PowerShell

For SharePoint Online management, administrators can use either the SharePoint Online Management Shell or the more comprehensive PnP PowerShell module.

PnP PowerShell is a cross-platform PowerShell Module providing over 750 cmdlets for working with Microsoft 365 environments including SharePoint Online, Microsoft Teams, Microsoft Project, Security & Compliance, and more.

Installation and Connection

```powershell
# Install SharePoint Online Management Shell
Install-Module -Name Microsoft.Online.SharePoint.PowerShell

# Connect with MFA
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Install PnP PowerShell (cross-platform)
Install-Module -Name PnP.PowerShell

# Connect with MFA
Connect-PnPOnline -Url https://contoso.sharepoint.com -Interactive
```

5. Security & Compliance PowerShell

The Exchange Online PowerShell module is also used to connect to Security & Compliance PowerShell using modern authentication and MFA.

```powershell
# Install the module (if not already installed)
Install-Module -Name ExchangeOnlineManagement

# Connect to Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName admin@yourdomain.com
```

Automating Management with Certificate-Based Authentication

For unattended scripts and automation, certificate-based authentication (CBA) provides a secure method that requires neither an interactive sign-in nor stored credentials. This matters all the more now that Basic Authentication has been deprecated in Exchange Online: the script proves its identity with a private key that never leaves the machine, instead of a password that has to be kept somewhere.

Setting Up Certificate-Based Authentication

1. Create a Self-Signed Certificate

```powershell
# Create a self-signed certificate valid for 2 years (the private key stays in the user's store)
$certName = "PowerShellAutomation"
$cert = New-SelfSignedCertificate -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(2)

# Export the public certificate (.cer, no private key) for uploading to Microsoft Entra ID
Export-Certificate -Cert $cert -FilePath "$env:USERPROFILE\$certName.cer"
```

2. Register an Application in Microsoft Entra ID

  1. Go to the Microsoft Entra admin center (previously Azure AD portal)
  2. Navigate to App registrations > New registration
  3. Provide a name for your application
  4. Select “Accounts in this organizational directory only”
  5. Register the application
  6. Upload the certificate (.cer file) under Certificates & secrets
  7. Add API permissions based on the operations your script will perform
  8. Grant admin consent for the required permissions

3. Connect Using Certificate Authentication

For Microsoft Graph:

```powershell
# Connect to Microsoft Graph using the certificate ($cert was created in step 1)
Connect-MgGraph -ClientId "YOUR_APP_ID" -TenantId "YOUR_TENANT_ID" -CertificateThumbprint $cert.Thumbprint
```

For Exchange Online:

```powershell
# Connect to Exchange Online using the same certificate
Connect-ExchangeOnline -AppId "YOUR_APP_ID" -CertificateThumbprint $cert.Thumbprint -Organization "yourdomain.onmicrosoft.com"
```
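The three steps above put together as one unattended connection routine. This is an added example, not code from the original article: it looks the certificate up by subject rather than by a thumbprint pasted into the script, refuses expired certificates, warns when rotation is due, and checks that both sessions really are app-only. The function names, the 30-day rotation window and the YOUR_APP_ID / YOUR_TENANT_ID / yourdomain.onmicrosoft.com values are placeholders and assumptions.

```powershell
# Added example (not from the original article): app-only connection with the certificate from step 1.
Import-Module Microsoft.Graph.Authentication
Import-Module ExchangeOnlineManagement

function Get-AutomationCertificate {
    param(
        [Parameter(Mandatory)][string]$SubjectName,   # e.g. "CN=PowerShellAutomation" from step 1
        [int]$MinDaysRemaining = 30                   # assumed rotation warning window
    )
    # Newest matching certificate that still has its private key; expired ones are skipped
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No valid certificate with subject '$SubjectName' in Cert:\CurrentUser\My" }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysRemaining) {
        Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days; rotate it now"
    }
    $cert
}

function Connect-M365AppOnly {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$TenantId,        # tenant GUID or verified domain
        [Parameter(Mandatory)][string]$Organization,    # e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Graph: hand over the certificate object, so no thumbprint has to live in the script
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId -Certificate $Certificate -NoWelcome
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') { throw "Expected an app-only Graph session, got $($ctx.AuthType)" }

    # Exchange Online: same certificate, same app registration
    Connect-ExchangeOnline -AppId $AppId -Certificate $Certificate -Organization $Organization -ShowBanner:$false
    $exo = Get-ConnectionInformation | Where-Object { $_.AppId -eq $AppId }
    if (-not $exo) { throw "Exchange Online app-only connection was not established" }
    [pscustomobject]@{ GraphAuth = $ctx.AuthType; GraphApp = $ctx.AppName; ExoState = $exo.State }
}

# Placeholders: replace with your own app registration and tenant values
$cert = Get-AutomationCertificate -SubjectName 'CN=PowerShellAutomation'
Connect-M365AppOnly -AppId 'YOUR_APP_ID' -TenantId 'YOUR_TENANT_ID' -Organization 'yourdomain.onmicrosoft.com' -Certificate $cert
```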

Using Azure Managed Identities for Automation

For scripts running in Azure resources, managed identities provide an even more secure approach by eliminating the need to manage credentials altogether.

```powershell
# Connect using managed identity
Connect-MgGraph -Identity
```

Consolidating PowerShell Connections

Instead of having multiple PowerShell sessions open for different services, you can connect to all Microsoft 365 services in a single PowerShell window. This approach simplifies administration and allows for easier data exchange between services.

Here’s an example script to connect to multiple services in a single session:

```powershell
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"

# Connect to Exchange Online
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowProgress $true

# Connect to SharePoint Online
$orgName = "contoso" # Your tenant name (e.g., contoso for contoso.onmicrosoft.com)
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://$orgName-admin.sharepoint.com"

# Connect to Teams
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Connect to Security & Compliance Center
Connect-IPPSSession
```

Security Best Practices

1. Using Least-Privileged Permissions

When connecting to Microsoft Graph, the level of access is controlled by the scopes you request. Request only the specific permissions needed for your task rather than broad administrative permissions.
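A way to put the scope discovery from the Graph SDK section (Find-MgGraphCommand) and the least-privilege rule here into practice. This is an added example, not code from the original article: it lists the permission candidates for each cmdlet a script calls, connects with only the scopes you settle on, and then compares the request with what the issued token actually carries. The cmdlet names and the two scopes chosen from the candidate list are assumptions.

```powershell
# Added example (not part of the original article): least-privilege Graph connection with verification.
Import-Module Microsoft.Graph.Authentication

function Get-GraphScopeCandidates {
    # For each cmdlet, list the permission names that satisfy it, read-only scopes first.
    # The narrowest entry is not always enough (User.Read covers only the signed-in user),
    # so the administrator still picks from the list.
    param([Parameter(Mandatory)][string[]]$Command)
    foreach ($c in $Command) {
        $names = Find-MgGraphCommand -Command $c -ErrorAction Stop |
            Select-Object -ExpandProperty Permissions |
            Select-Object -ExpandProperty Name -Unique
        $ordered = $names | Sort-Object { $_ -like '*ReadWrite*' }, { $_ -like '*.All' }, { $_ }
        [pscustomobject]@{ Command = $c; Candidates = @($ordered) }
    }
}

function Connect-MgGraphLeastPrivilege {
    param([Parameter(Mandatory)][string[]]$Scopes)
    # Start from a clean context so scopes from an earlier session cannot leak in
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    Connect-MgGraph -Scopes $Scopes -NoWelcome
    $ctx = Get-MgContext
    $oidc = 'openid', 'profile', 'email', 'offline_access'   # sign-in scopes, not API permissions
    $missing = @($Scopes | Where-Object { $_ -notin $ctx.Scopes })
    $extra   = @($ctx.Scopes | Where-Object { $_ -notin $Scopes -and $_ -notin $oidc })
    if ($missing) { throw "Consent not granted for: $($missing -join ', ')" }
    if ($extra) {
        # Previously consented scopes ride along in the token: the accumulation the article
        # warns about, and a cue to move this script to its own app registration
        Write-Warning "Token carries scopes beyond the request: $($extra -join ', ')"
    }
    $ctx
}

# Review what each cmdlet can run under, then connect with the scopes you settle on
Get-GraphScopeCandidates -Command 'Get-MgUser', 'Get-MgGroupMember' | Format-List
Connect-MgGraphLeastPrivilege -Scopes 'User.ReadBasic.All', 'GroupMember.Read.All'
```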

2. Custom Applications for Controlled Access

Instead of using the default Microsoft Graph PowerShell SDK enterprise app, which can accumulate many permissions over time, create custom registered apps with limited, specific permissions for different administrative tasks.

3. Secure Storage of Certificates and Secrets

Never hardcode secrets or certificate thumbprints in scripts. Use secure storage solutions like:

  • Azure Key Vault
  • Secure environment variables
  • Managed identities when running in Azure
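The first and third options combined, for the case where a script hosted in Azure must act as a specific app registration (as in the certificate section above) rather than as the managed identity itself. This is an added example, not code from the original article: the managed identity signs in to Azure, fetches the certificate from Azure Key Vault at run time, and the certificate is used app-only without ever being written to disk. The vault name, certificate name and app/tenant IDs are placeholders; the function names are assumptions.

```powershell
# Added example (not from the original article): certificate from Key Vault, fetched via managed identity.
Import-Module Az.Accounts
Import-Module Az.KeyVault
Import-Module Microsoft.Graph.Authentication

function Get-KeyVaultCertificateWithKey {
    param([Parameter(Mandatory)][string]$VaultName, [Parameter(Mandatory)][string]$CertificateName)
    # A Key Vault certificate's private key is exposed through the secret of the same name
    # (base64 PKCS#12 by default); the identity needs the "Get" secret permission for this
    $pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertificateName -AsPlainText -ErrorAction Stop
    $bytes = [Convert]::FromBase64String($pfxBase64)
    # EphemeralKeySet keeps the private key in memory only; nothing lands in a key store or on disk
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, [string]$null, $flags)
    if (-not $cert.HasPrivateKey) { throw "Certificate '$CertificateName' did not include a private key" }
    $cert
}

function Connect-MgGraphFromKeyVault {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$CertificateName,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$TenantId
    )
    # The managed identity authenticates to Azure; only it is granted read access to the vault
    Connect-AzAccount -Identity -ErrorAction Stop | Out-Null
    $cert = Get-KeyVaultCertificateWithKey -VaultName $VaultName -CertificateName $CertificateName
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId -Certificate $cert -NoWelcome
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') { throw "Expected an app-only session, got $($ctx.AuthType)" }
    $ctx
}

# Placeholders: replace with your own vault, certificate and app registration values
Connect-MgGraphFromKeyVault -VaultName 'YOUR_VAULT' -CertificateName 'PowerShellAutomation' `
    -AppId 'YOUR_APP_ID' -TenantId 'YOUR_TENANT_ID'
```

Rotating the certificate then means creating a new version in Key Vault and uploading its public part to the app registration; the script picks up the new version on its next run without any change.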

4. Regular Rotation of Certificates and Secrets

Set a schedule to regularly rotate certificates and client secrets to limit the impact if they’re ever compromised.

5. Implement Conditional Access Policies

Use Conditional Access policies to restrict PowerShell connections to specific networks, devices, or conditions.

Conclusion

The landscape of PowerShell connectivity to Microsoft 365 and Azure has evolved significantly, with a strong emphasis on security, modern authentication, and consolidation of management tools. With support for the deprecated MSOnline and AzureAD modules ending in March 2025, it’s essential for administrators to migrate to the Microsoft Graph PowerShell SDK and other modern modules.

Multi-Factor Authentication is no longer optional but a requirement for secure administration. Microsoft’s phased enforcement of mandatory MFA for administrative portals starting in February 2025 and extending to PowerShell and other endpoints by July 2025 means organizations must adapt their administrative practices.

Certificate-Based Authentication provides a secure method for automating administrative tasks without compromising security. By following the practices outlined in this article, administrators can ensure their PowerShell connections to Microsoft 365 and Azure are both secure and efficient.

We Can Help

  1. Audit your existing PowerShell scripts for deprecated modules (MSOnline and AzureAD) and start migrating them to the Microsoft Graph PowerShell SDK.
  2. Implement Certificate-Based Authentication for all automated scripts to eliminate the need for stored credentials.
  3. Review the permissions assigned to your PowerShell connections and apply the principle of least privilege.
  4. Set up a regular schedule for rotating certificates and secrets used in your PowerShell scripts.
  5. Contact us for personalized guidance on implementing these security practices in your environment.
