Connect to Exchange Online PowerShell Using MFA (Multi Factor Authentication)

What is MFA?

As organizations move more of their infrastructure to the cloud, securing and protecting data becomes harder. Multi-factor Authentication (MFA) plays an important role in securing user accounts. As the name suggests, it uses more than one method to verify that a user is who they claim to be.

How does MFA work?

As a user, you must provide a second factor in addition to your username and password: a one-time passcode (OTP) delivered by phone call or text message, a code from a mobile authenticator app, or another method. This stops attackers from taking over the account even if they know its password, so MFA gives accounts stronger protection than basic (password-only) authentication.

Why MFA is needed in Office 365

The administrative accounts you use to administer your Office 365 or Microsoft 365 environment carry elevated privileges, which makes them valuable targets for attackers and cyber criminals. Make sure admin accounts are set up for multi-factor authentication. You can also enable MFA for all Office 365 users to better protect your network and email system from attacks. MFA protects accounts against email phishing, brute-force attacks, keylogging and many other attacks that rely on a stolen password.

To get a list of MFA enabled/disabled users in your tenant, you can use the Export Office 365 users MFA status report.


How can I execute a PowerShell script with MFA?

As an Office 365 administrator, you need to monitor and report on the health of your organization. For example, managing mailboxes, tracking group memberships and monitoring logon activities can all be done through the Exchange Admin Center (EAC). If you are looking at a few mailboxes, the EAC is easy; it does not scale to many mailboxes, though, because you have to click each mailbox to view its details. For multiple mailboxes, your best option is PowerShell.

First you need to make sure you have the right PowerShell module. For example, if you use standard Windows PowerShell (New-PSSession with basic authentication) to connect to Exchange Online with an MFA-enabled account, you will get the following error.

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Provide a valid value for the argument, and then try running the command again.
+ Import-PSSession $Session -CommandName Get-Mailbox,Get-MailboxPermi ...
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

Connect Exchange Online With MFA


To connect to Exchange Online PowerShell using MFA, you need the dedicated tool Microsoft offers for this, the “Exchange Online PowerShell Module” (EXO). This requires two things:

1. Install the Exchange Online PowerShell Module on your computer (a one-time process)

2. Connect to Exchange Online PowerShell using an MFA-enabled account


How to install Exchange Online PowerShell Module for MFA?

1. Log in to the Exchange Admin Center using Internet Explorer or Edge.

2. In the EAC, go to Hybrid and click the Configure button (shown in the image below) to download the Exchange Online PowerShell Module for MFA.

Exchange Online Powershell module supports MFA

Note: The download is a ClickOnce application, so it needs a browser that supports ClickOnce (such as IE or Edge); otherwise you will get an error during installation, as shown in the image below.


3. Click Install.

Exchange Online Remote PowerShell installation

You can also install the Exchange Online PowerShell Module directly by opening the link below in IE or Edge.

https://cmdletpswmodule.blob.core.windows.net/exopsmodule/Microsoft.Online.CSE.PSModule.Client.application

Troubleshooting tips:
  • Enable basic authentication on the WinRM service: Windows Remote Management (WinRM) must allow basic authentication in its client configuration (it is enabled by default) for the ExoPSSession to be created. If basic authentication is disabled, you will get the error below when you try to connect:

The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

To check whether basic authentication is enabled, run the command below at a command prompt.

If the output does not show Basic = true, run the command below to enable basic authentication.

After executing the above command, the output looks similar to the screenshot below.

Enable basic authentication on WinRM service

  • Start the WinRM service: to enable basic authentication in WinRM, the WinRM service must be running. Otherwise, you will get the following error:

The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.

To start the WinRM service, launch a command prompt as administrator and run the following command.

When the command prompt displays Make these changes [y/n]?, type y.

If configuration is successful, the output WinRM service started is displayed.

Now you can use the Exchange Online Remote PowerShell module to connect to Exchange Online using MFA.
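As an added example (not from the original post), this Windows PowerShell script checks both prerequisites from the troubleshooting tips, the WinRM service state and the client Basic authentication setting, through the built-in WSMan: drive, and repairs them only when run with -Fix from an elevated console.

```powershell
# Added example (not from the original post): pre-flight check of the two
# WinRM client prerequisites described in the troubleshooting tips.
# Run in an elevated Windows PowerShell console; -Fix applies the changes.
param([switch]$Fix)

$problems = @()

# 1. The WinRM service must be running before the WSMan: drive can be read.
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $problems += 'WinRM service not found on this machine.'
} elseif ($svc.Status -ne 'Running') {
    if ($Fix) {
        Start-Service -Name WinRM
        Write-Host 'Started the WinRM service.'
    } else {
        $problems += "WinRM service is $($svc.Status); run 'winrm quickconfig' as administrator."
    }
}

# 2. Basic authentication must be allowed in the *client* configuration.
#    WSMan:\localhost\Client\Auth\Basic is the same setting that
#    'winrm get winrm/config/client/auth' prints as Basic = true/false.
$basicPath = 'WSMan:\localhost\Client\Auth\Basic'
try {
    $basic = (Get-Item -Path $basicPath -ErrorAction Stop).Value
} catch {
    $basic = $null   # WSMan: drive is unreadable while the service is stopped
}
if ($basic -ne 'true') {
    if ($Fix) {
        Set-Item -Path $basicPath -Value $true
        Write-Host 'Enabled Basic authentication on the WinRM client.'
    } else {
        $problems += "WinRM client Basic auth is '$basic'; expected 'true'."
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'WinRM prerequisites for Connect-EXOPSSession look good.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The Basic setting only controls which methods the local WinRM client may negotiate; the session to outlook.office365.com is made over HTTPS.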


Where do I find the Exchange Online Remote PowerShell Module?

You will not find the Exchange Online Remote PowerShell module using the Get-Module cmdlet. Because it is installed as a ClickOnce application, it lives in the directory below.

%UserProfile%\AppData\Local\Apps\2.0

You can use the desktop shortcut to launch the Exchange Online Remote PowerShell module.


How to Connect to Exchange Online Using MFA?

1. Connect-EXOPSSession is the cmdlet used to connect to Exchange Online with MFA. When you launch the Exchange Online Remote PowerShell module, a tip about its usage is shown.

Exchange online Remote PowerShell Module


2. Connect-EXOPSSession has a UserPrincipalName parameter. You can run Connect-EXOPSSession with or without UserPrincipalName (the UPN of the account you sign in with). For example:


3. Enter the password in the sign-in window and then click Sign in.

Microsoft Exchange Online Remote PowerShell login

4. A verification code is generated and delivered according to the MFA method configured for your account. Enter the verification code in the verification window and then click Sign in.

Microsoft Exchange Online Powershell login with MFA

5. After step 4, the Exchange Online cmdlets are imported into the Exchange Online Remote PowerShell module session. If you do not receive any errors, you are connected successfully, as shown in the figure below.

Connect Exchange online using MFA


To disconnect all PowerShell sessions in the current window, you can use the command below.

Note: Make sure to disconnect the remote PowerShell session when you are finished. Otherwise you will eventually use up all the remote PowerShell sessions available to you and get the following error.

New-ExoPSSession : Processing data from remote server outlook.office365.com failed with the following error message: [AuthZRequestId=068a9813-8420-43f0-9f20-692228962287] [FailureCategory=AuthZ-AuthorizationException] Fail to create a runspace because you have exceeded the maximum number of connections allowed: 10
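The connect, work, disconnect cycle from the steps above as one script (an added example, not from the original post); admin@contoso.com is a placeholder UPN, and the Get-Mailbox call stands in for whatever reporting you need to do. It assumes the Exchange Online Remote PowerShell module is already loaded in the console.

```powershell
# Added example (not from the original post). Assumes the Exchange Online
# Remote PowerShell module is loaded (its own console, or imported in ISE)
# and that admin@contoso.com is a placeholder for your MFA-enabled admin UPN.
$upn = 'admin@contoso.com'
$session = $null
try {
    # Connect-EXOPSSession opens the modern-auth sign-in window (password,
    # then the MFA verification code) and imports the Exchange cmdlets.
    Connect-EXOPSSession -UserPrincipalName $upn
    $session = Get-PSSession | Where-Object {
        $_.ComputerName -eq 'outlook.office365.com' -and $_.State -eq 'Opened'
    }
    if (-not $session) { throw 'No open session to outlook.office365.com.' }

    # Example work: list shared mailboxes, a task the EAC makes tedious at scale.
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        Select-Object DisplayName, PrimarySmtpAddress |
        Format-Table -AutoSize
}
finally {
    # Always tear the session down; otherwise it keeps counting against the
    # maximum of 10 concurrent connections quoted in the error above.
    if ($session) { Remove-PSSession -Session $session }
    $left = @(Get-PSSession | Where-Object ComputerName -eq 'outlook.office365.com').Count
    Write-Host "Exchange Online sessions still open in this window: $left"
}
```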


So the question now is: would you like to import the MFA-compatible Exchange Online PowerShell module into Windows PowerShell ISE? If your answer is yes, follow the simple steps below.


How to Import the MFA-Enabled Exchange Online PowerShell Module in ISE?

Instead of using the Exchange Online PowerShell console, you can import the Exchange Online PowerShell module into Windows PowerShell ISE. To use the Connect-EXOPSSession cmdlet in the ISE, you need to run the code below in ISE.
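As an added example (not the post's own code), this snippet locates the ClickOnce-installed module under the %UserProfile%\AppData\Local\Apps\2.0 folder mentioned earlier and imports it into the ISE session; the DLL file name Microsoft.Exchange.Management.ExoPowershellModule.dll is the module's own and is assumed here, not taken from the post.

```powershell
# Added example (not from the original post): locate the ClickOnce-installed
# EXO module under %LocalAppData%\Apps\2.0 (the folder named above) and import
# it into the current ISE session. The DLL name is the module's own
# (Microsoft.Exchange.Management.ExoPowershellModule.dll), an assumption here.
$appsRoot = Join-Path $env:LOCALAPPDATA 'Apps\2.0'
if (-not (Test-Path $appsRoot)) {
    throw "ClickOnce application folder not found: $appsRoot. Install the module from the EAC first."
}

# ClickOnce keeps one or more versioned copies; skip the '_none_' manifest
# folders and take the most recently written DLL.
$dll = Get-ChildItem -Path $appsRoot -Recurse -ErrorAction SilentlyContinue `
           -Filter 'Microsoft.Exchange.Management.ExoPowershellModule.dll' |
       Where-Object { $_.FullName -notmatch '_none_' } |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1

if (-not $dll) {
    throw 'Exchange Online Remote PowerShell module DLL not found under Apps\2.0.'
}

# Import by full path; this is why Get-Module cannot see the module on its own.
Import-Module -Name $dll.FullName

# Sanity check: the connect cmdlet should now be available in this session.
if (Get-Command -Name Connect-EXOPSSession -ErrorAction SilentlyContinue) {
    Write-Host "Imported $($dll.FullName)"
} else {
    Write-Warning 'Module imported but Connect-EXOPSSession was not found.'
}
```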

Now you can use PowerShell ISE to connect to Exchange Online with MFA.


I hope this post was helpful! Do you have a different approach to using MFA in scripts? Share it with other admins and us in the comments.