Connect to Exchange Online PowerShell Using MFA (Multi-Factor Authentication)

To connect to Exchange Online PowerShell using MFA, you need a dedicated tool from Microsoft: the “Exchange Online PowerShell Module” (EXO). You can install the module manually, or you can use a dedicated script that installs the module and connects to Exchange Online PowerShell using MFA. Let’s look at both methods in detail.

To ease your work, we have documented common troubleshooting tips at the bottom.

 

Automated Method: PowerShell Script to Connect Exchange Online PowerShell with MFA

Unfortunately, connecting to Exchange Online PowerShell using MFA is somewhat tricky, so newcomers can get lost quickly. No worries! We are here to help admins. We have written a user-friendly PowerShell script that connects to Exchange Online PowerShell with MFA and does the following:

  • Downloads Exchange Online Remote PowerShell Module
  • Installs Exchange Online PowerShell Module
  • Connects Exchange Online PowerShell using MFA

You can download the PowerShell script from the TechNet Gallery.

 

Manual Method: Setup Everything by Yourself

The script mentioned above creates a connection in a few simple steps, but if you are an advanced user and want to know everything in detail, please read on. In short, you first need to install the Exchange Online PowerShell module, which is a one-time process. Then you need to create an EXOPSSession to connect to Exchange Online PowerShell using MFA.

 

Step 1: Install Exchange Online PowerShell Module for MFA

The first thing you need to do is download the Exchange Online Remote PowerShell module. To download the Exchange Online PowerShell Module directly, you can use this quick link: https://cmdletpswmodule.blob.core.windows.net/exopsmodule/Microsoft.Online.CSE.PSModule.Client.application

Alternatively, to download the Exchange Online MFA module through Microsoft, follow the below steps.

1. Log in to the Exchange Admin Center using Internet Explorer or Edge.

2. In the EAC, go to Hybrid and click the Configure button (shown in the image below) to download the Exchange Online PowerShell Module for MFA.

Exchange Online Powershell module supports MFA

Note: You need a browser that supports ClickOnce downloads (like IE or Edge); otherwise you will get an error during installation. See the Connect-EXOPSSession troubleshooting tips below for more details.

 

3. Click Install.

Exchange Online Remote PowerShell installation

 

Step 2: Connect Exchange Online PowerShell Using MFA

1. Connect-EXOPSSession is used to connect to Exchange Online with MFA. You can’t use Connect-EXOPSSession in standard Windows PowerShell; you need to launch the Exchange Online Remote PowerShell module. When you launch the Exchange Online Remote PowerShell module, a tip about its usage is shown.

Exchange online Remote PowerShell Module

 

2. Connect-EXOPSSession has a UserPrincipalName parameter. You can use Connect-EXOPSSession with or without UserPrincipalName. For example,

 

3. Enter the password in the sign-in window and then click Sign in.

Microsoft Exchange Online Remote PowerShell login

4. A verification code is generated and delivered based on the MFA method configured for your account. Enter the verification code in the verification window and then click Sign in.

Microsoft Exchange Online Powershell login with MFA

5. After step 4, the Exchange Online cmdlets are imported into the Exchange Online Remote PowerShell Module session. If you don’t receive any errors, you have connected successfully, as shown in the figure below.

Connect Exchange online using MFA

 

If you want to connect to all Office 365 services in PowerShell with a single cmdlet, please refer to: Connect to all Office 365 Services using PowerShell (Supports MFA too)

 

Connect-EXOPSSession – Troubleshooting Tips:

Most people encounter numerous challenges when they try to use the Connect-EXOPSSession cmdlet. To ensure hassle-free installation and execution, we have documented the common errors and their troubleshooting tips in this blog. If you want to get a list of MFA-enabled users in your tenant, you can refer to Export Office 365 users’ MFA status report.

 

1. You can’t use Standard Windows PowerShell to Connect Exchange Online With MFA:

If you use standard Windows PowerShell to connect to Exchange Online with an MFA-enabled account, you will get the following error.

New-PSSession : outlook.office365.com Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Provide a valid value for the argument, and then try running the command again.
+ Import-PSSession $Session -CommandName Get-Mailbox,Get-MailboxPermi ...
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

Connect Exchange Online With MFA

To connect to Exchange Online PowerShell with MFA, you need to install the “Exchange Online PowerShell Module” (EXO).

 

2. How to Import MFA Enabled Exchange Online PowerShell Module in ISE?

Instead of using the Exchange Online PowerShell console, you can import the Exchange Online PowerShell module in Windows PowerShell ISE. To successfully use the Connect-EXOPSSession cmdlet in the ISE, you need to run the below code in ISE.

 

Now you can use PowerShell ISE to connect to Exchange Online with MFA.

Connect-EXOPSSession

Note: Before using this code, you should install the Exchange Online Remote PowerShell module.

 

3. Unable to Install Exchange Online PowerShell Module - Cannot start application:

If you didn’t use IE or Edge to download the Exchange Online PowerShell Module, you will get an error during installation.

Unable to install Exchange Online PowerShell module

 

4. Enable basic authentication on the WinRM Service:

Windows Remote Management (WinRM) needs to allow basic authentication (it is enabled by default) to create an EXOPSSession. If basic authentication is disabled, you’ll get the error below when you try to connect:

The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

To check whether basic authentication is enabled, run the command below in a command prompt.

If Basic = true is not set, run the command below to enable basic authentication.

After executing the above command, the output looks similar to the screenshot below.

Enable basic authentication on WinRM service

 

5. Start WinRM service:

To enable basic authentication in WinRM, the WinRM service must be running. Otherwise, you will get the following error: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.


To start the WinRM service, launch a command prompt as administrator and run the following command.

When the command prompt displays Make these changes [y/n]?, type y.

If the configuration is successful, the output “WinRM service started” is displayed.

 

6. Where do I find the Exchange Online Remote PowerShell Module?

You won’t be able to find the Exchange Online Remote PowerShell module using the Get-Module cmdlet. Because it is a ClickOnce application, it is installed in the directory below.

%UserProfile%\AppData\Local\Apps\2.0

You can use the desktop shortcut to launch the Exchange Online Remote PowerShell module.

 

7. Disconnect the remote PowerShell session:

Make sure to disconnect the remote PowerShell session when you’re finished. Otherwise, you will end up using all the remote PowerShell sessions available to you, and you will get the following error.

New-ExoPSSession : Processing data from remote server outlook.office365.com failed with the following error message: [AuthZRequestId=068a9813-8420-43f0-9f20-692228962287] [FailureCategory=AuthZ-AuthorizationException] Fail to create a runspace because you have exceeded the maximum number of connections allowed: 10

To disconnect all PowerShell sessions in the current window, you can use the command below.
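
The checks from tips 2, 4, 5, 6 and 7 combined into one script, as an added example that is not part of the original post. It assumes an elevated Windows PowerShell session, that the module's loader script inside the ClickOnce cache is named CreateExoPSSession.ps1, and a placeholder UPN that you replace with your own.

```powershell
# Added example: preflight checks, MFA connect, and guaranteed session cleanup.
param(
    # Placeholder UPN (constructed); replace with your admin account.
    [string]$UserPrincipalName = 'admin@contoso.onmicrosoft.com'
)

$ErrorActionPreference = 'Stop'

# Tip 5: the WinRM service must be running before anything else works.
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') {
    throw "WinRM service is $($winrm.Status). Start it from an elevated prompt (winrm quickconfig)."
}

# Tip 4: the WinRM client must allow Basic authentication.
# Read-only check through the WSMan: drive; nothing is changed here.
$basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic).Value
if ($basic -ne 'true') {
    throw 'WinRM client Basic authentication is disabled; Connect-EXOPSSession will fail.'
}

# Tips 2 and 6: the ClickOnce module is not visible to Get-Module, so locate
# its loader script under the ClickOnce application cache and dot-source it.
# The file name CreateExoPSSession.ps1 is an assumption of this example.
$appCache = Join-Path $env:LOCALAPPDATA 'Apps\2.0'
$loader = Get-ChildItem -Path $appCache -Filter 'CreateExoPSSession.ps1' -Recurse -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $loader) {
    throw "Exchange Online Remote PowerShell Module not found under $appCache. Install it first."
}
. $loader.FullName

try {
    # Opens the interactive sign-in window (password, then MFA code).
    Connect-EXOPSSession -UserPrincipalName $UserPrincipalName

    # Any Exchange Online cmdlet works here; this one just proves the import.
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Tip 7: always release the remote session so the connection limit
    # (10 in the error above) is not exhausted by abandoned sessions.
    Get-PSSession |
        Where-Object { $_.ComputerName -eq 'outlook.office365.com' } |
        Remove-PSSession
}
```

Because the cleanup sits in the finally block, the session is released even when a cmdlet in the try block throws.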

 

Connect-ExoPSSession without Basic Authentication:

Recently, Microsoft announced the deprecation of Basic Authentication in Exchange Online.

Now, you may have this question: Is it possible to connect to Exchange Online using MFA without Basic Authentication? The answer is YES! You can use Azure Cloud Shell to connect to Exchange Online, as it supports multi-factor authentication.

Note: You need an Azure subscription to use Azure Cloud Shell.

 

I will post a full blog on how to connect to Exchange Online through Azure Cloud Shell soon.

 

I hope that the post above was helpful! Do you have a different approach to using MFA in scripts? Share it with other admins and us in the comments.