Connect to Exchange Online PowerShell without Basic Authentication

Most admins rely on PowerShell to manage and audit their Office 365 organization. As an admin, you might have heard about Microsoft deprecating Basic Authentication in Exchange Online by Oct 31, 2020.

So, how will you easily connect to Exchange Online PowerShell without Basic Authentication? It’s SIMPLE!! By using Modern Authentication. Now I can hear your query: How can I quickly connect to Exchange Online PowerShell with Modern Authentication? Don’t worry! I have a solution. You’re gonna love me forever for what I’m about to share with you! 

  1. Have you ever wanted to use a single cmdlet to connect to Exchange Online with both MFA and non-MFA accounts?
  2. Are you trying to find an alternative method to connect to Exchange Online PowerShell without Basic Authentication?
  3. Have you ever wanted to install the Exchange Online PowerShell module from the PowerShell Gallery?
  4. Does your script take hours to complete, or does data retrieval get interrupted by session expiry or disconnects?

All of these questions have a single answer: use the Exchange Online PowerShell V2 module.

 

Advantages of using the Exchange Online PowerShell V2 Module:

  • The EXO V2 module uses Modern Authentication, i.e., you can connect to Exchange Online PowerShell with Modern Authentication.
  • You can download the EXO V2 module easily from the PowerShell Gallery.
  • The single cmdlet ‘Connect-ExchangeOnline’ lets you connect to Exchange Online PowerShell with MFA and non-MFA accounts.
  • EXO V2 cmdlets are REST API-based cmdlets that are much faster and more reliable.
  • EXO V2 module contains new cmdlets like Get-EXOMailbox, Get-EXOMailboxStatistics, Get-EXOMailboxFolderPermission that are optimized for bulk data retrieval. 
  • The older cmdlets like Get-Mailbox, Get-MailboxStatistics, Get-MailboxFolderPermission are still available in the EXO V2 module for backward compatibility. 

 

Install Exchange Online PowerShell V2 Module: 

The Exchange Online PowerShell V2 module allows you to connect to Exchange Online PowerShell with Modern Authentication. To install the EXO V2 module, follow the steps below.

Step 1: Start Windows PowerShell with the “Run as administrator” option.

Step 2: Install the PowerShellGet module. To install the ExchangeOnlineManagement module, you need PowerShellGet 2.0 or later; otherwise, you end up with an error.

Step 3: After installing the PowerShellGet module, close the console and reopen it with admin privileges (elevated).

Step 4: Run the below cmdlet to install the Exchange Online PowerShell V2 module (ExchangeOnlineManagement).
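
The four installation steps above in one script, as an added example that is not part of the original post. It assumes an elevated Windows PowerShell console with access to the PowerShell Gallery; the function name Install-ExoV2Module is hypothetical.

```powershell
# Added example: install the EXO V2 module, checking the PowerShellGet prerequisite first.
# Install-ExoV2Module is a hypothetical helper name, not part of any module.
function Install-ExoV2Module {
    [CmdletBinding()]
    param(
        [version]$MinimumPowerShellGet = '2.0'
    )

    # Step 1: the console must be elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start Windows PowerShell with "Run as administrator" and run this again.'
    }

    # Step 2: PowerShellGet 2.0 or later is required.
    $psGet = Get-Module -Name PowerShellGet -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1
    if (-not $psGet -or $psGet.Version -lt $MinimumPowerShellGet) {
        Install-Module -Name PowerShellGet -Force
        # Step 3: the new PowerShellGet is only picked up by a fresh console.
        Write-Warning 'PowerShellGet was updated. Close this console, reopen it elevated, and run this again.'
        return
    }

    # Step 4: install the module, naming the repository explicitly.
    Install-Module -Name ExchangeOnlineManagement -Repository PSGallery

    # Show what was installed so the version and source can be checked.
    Get-InstalledModule -Name ExchangeOnlineManagement |
        Select-Object -Property Name, Version, Repository
}

Install-ExoV2Module
```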

 

After successful installation of the ExchangeOnlineManagement module, the EXO V2 cmdlets are imported into your Windows PowerShell session. At this point, you can see only the new cmdlets in the module. Once you create a session to the Exchange Online environment, you can also see the older remote PowerShell cmdlets.

Note: To ease your installation and connection to Exchange Online PowerShell, we have documented Connect-ExchangeOnline troubleshooting tips at the bottom. 

 

Connect to Exchange Online PowerShell With Modern Authentication: 

The Connect-ExchangeOnline cmdlet allows you to connect to Exchange Online PowerShell without Basic Authentication. This cmdlet is only available in the EXO V2 module.

You can use the Connect-ExchangeOnline cmdlet to connect to Exchange Online PowerShell with both MFA and non-MFA accounts.

Run the Connect-ExchangeOnline cmdlet to connect to Exchange Online PowerShell with or without MFA.

It will prompt for a username and password. If you don’t receive any error after entering the credential, you have successfully connected to Exchange Online. Yes! You have connected to Exchange Online PowerShell without Basic Authentication!

The successfully connected screen looks similar to the below screenshot.

[Screenshot: Connect to Exchange Online without Basic Authentication]

To check the connectivity, you can run the Get-EXOMailbox cmdlet and check the results.

Note: You can also use the Exchange Online Remote PowerShell module to connect to Exchange Online PowerShell with Modern Authentication.

 

Additional Use Cases for Connect-ExchangeOnline:

1. Passing credential in Connect-ExchangeOnline

If you are using a non-MFA account to connect to Exchange Online PowerShell, you can pass the credential in the Connect-ExchangeOnline cmdlet. This can be achieved by running the below cmdlets.

 

2. Passing username in Connect-ExchangeOnline

If you are connecting to Exchange Online PowerShell with multi-factor authentication, you can’t pass the credential, as it requires a verification code. Still, you can pass your username in the Connect-ExchangeOnline cmdlet.

Note: To disconnect the Exchange Online PowerShell session, you can use Disconnect-ExchangeOnline, which is the equivalent of Get-PSSession | Remove-PSSession.
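
The connection variants described above (credential for a non-MFA account, username for an MFA account), followed by the Get-EXOMailbox connectivity check and a guaranteed disconnect, as an added example that is not part of the original post. The function name Invoke-ExoSession and the sample UPN are hypothetical.

```powershell
# Added example: connect, verify, run work, and always disconnect.
# Invoke-ExoSession and the sample UPN are hypothetical.
function Invoke-ExoSession {
    [CmdletBinding()]
    param(
        [pscredential]$Credential,        # non-MFA account
        [string]$UserPrincipalName,       # MFA account: username only
        [Parameter(Mandatory)]
        [scriptblock]$ScriptBlock         # work to run while connected
    )

    Import-Module -Name ExchangeOnlineManagement -ErrorAction Stop
    try {
        if ($Credential) {
            # 1. Non-MFA account: pass the credential object.
            Connect-ExchangeOnline -Credential $Credential -ErrorAction Stop
        }
        elseif ($UserPrincipalName) {
            # 2. MFA account: pass only the username; the sign-in window
            #    asks for the password and the verification code.
            Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ErrorAction Stop
        }
        else {
            # No arguments: prompt for everything.
            Connect-ExchangeOnline -ErrorAction Stop
        }

        # Connectivity check with a REST-based cmdlet before doing real work.
        $null = Get-EXOMailbox -ResultSize 1 -ErrorAction Stop

        & $ScriptBlock
    }
    finally {
        # Close the session even when the work above fails.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Non-MFA: Get-Credential prompts, so no password is stored in the script.
# Invoke-ExoSession -Credential (Get-Credential) -ScriptBlock { Get-EXOMailbox -ResultSize 5 }

# MFA (constructed sample UPN):
Invoke-ExoSession -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ScriptBlock {
    Get-EXOMailbox -ResultSize 5 | Select-Object -Property DisplayName, UserPrincipalName
}
```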

 

Update EXO V2 Module:

If the EXO V2 module is already installed on your computer, you can upgrade it using the Update-Module cmdlet.

To check the version of the currently installed module, run the following commands.

 

To update the EXO V2 module to the latest version available in the PowerShell Gallery, use Update-Module.
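
The version check and update described above, as an added example that is not part of the original post. It assumes the module was installed through PowerShellGet from the PowerShell Gallery; the function name Update-ExoV2Module is hypothetical.

```powershell
# Added example: compare the installed version with the gallery and update only if needed.
# Update-ExoV2Module is a hypothetical helper name.
function Update-ExoV2Module {
    [CmdletBinding()]
    param(
        [string]$Name = 'ExchangeOnlineManagement'
    )

    # Newest version installed through PowerShellGet.
    $installed = Get-InstalledModule -Name $Name -ErrorAction SilentlyContinue
    if (-not $installed) {
        throw "$Name is not installed; install it before updating."
    }

    # Latest stable version published in the PowerShell Gallery.
    $latest = Find-Module -Name $Name -Repository PSGallery

    # Version may carry a prerelease label (for example '-Preview'); compare the numeric part.
    $current   = [version](("$($installed.Version)" -split '-')[0])
    $available = [version](("$($latest.Version)" -split '-')[0])

    if ($current -lt $available) {
        Update-Module -Name $Name
    }

    # Update-Module installs side by side, so older versions stay on disk.
    # List every installed version so stale ones can be reviewed and removed.
    Get-InstalledModule -Name $Name -AllVersions |
        Sort-Object -Property Version -Descending |
        Select-Object -Property Name, Version, InstalledDate
}

Update-ExoV2Module
```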

 

June 2020 Update: The General Availability (GA) version of the EXO V2 Module (Version 1.0.1) has been announced. It is now stable and ready for use in production environments.

 

How to use EXO V2 Module in Unattended Script?

To create non-interactive scripts, you need EXO V2 PowerShell module version 2.0.3 preview or later. It uses Azure AD applications, certificates, and Modern authentication. For the module installation and connection cmdlets, see our dedicated blog on Unattended access to Exchange Online using MFA account.

 

ExchangeOnlineManagement: Troubleshooting Tips

1. PowerShellGet version:  

To install the Exchange Online PowerShell V2 module, the PowerShellGet version must be 2.0 or later. Otherwise, you will get the following error message.

WARNING: The specified module 'ExchangeOnlineManagement' with PowerShellGetFormatVersion '2.0' is not supported by the current version of PowerShellGet. Get the latest version of the PowerShellGet module to install this module, 'ExchangeOnlineManagement '.

Solution: To install or update to the latest version of PowerShellGet, run the below cmdlet.

 

2. Set execution policy: 

Windows PowerShell needs to be configured to run scripts, and by default, it isn’t. In that case, you will get the following error. 

Files cannot be loaded because running scripts is disabled on this system. Provide a valid certificate with which to sign the files.

Solution: To resolve this error, you need to run the below cmdlet. 
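
One way to apply this fix with the narrowest change, as an added example that is not part of the original post. It sets RemoteSigned at CurrentUser scope only when the effective policy is Restricted; the scope choice and the function name Set-ScriptPolicyForExo are assumptions of this example.

```powershell
# Added example: allow script execution with the smallest policy change.
# Set-ScriptPolicyForExo is a hypothetical helper name.
function Set-ScriptPolicyForExo {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The effective policy is what produces the "running scripts is disabled" error.
    $effective = "$(Get-ExecutionPolicy)"
    if ($effective -ne 'Restricted') {
        return $effective          # scripts can already run; change nothing
    }

    # Policies per scope. The Group Policy scopes (MachinePolicy, UserPolicy)
    # take precedence over anything set locally.
    $byScope = @{}
    Get-ExecutionPolicy -List | ForEach-Object {
        $byScope["$($_.Scope)"] = "$($_.ExecutionPolicy)"
    }
    foreach ($gpoScope in 'MachinePolicy', 'UserPolicy') {
        if ($byScope[$gpoScope] -ne 'Undefined') {
            throw "Execution policy is enforced by Group Policy ($gpoScope); a local change will not take effect."
        }
    }

    # RemoteSigned still requires a signature on scripts downloaded from the internet.
    if ($PSCmdlet.ShouldProcess('CurrentUser', 'Set execution policy to RemoteSigned')) {
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
    }
    "$(Get-ExecutionPolicy)"
}

Set-ScriptPolicyForExo
```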

 

3. Connect-ExchangeOnline with MFA enabled account: 

When you pass an MFA-enabled account’s credential using Get-Credential, you will get the below error (because the Get-Credential cmdlet doesn’t support MFA-enabled accounts).

New-ExoPSSession : AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access.

Solution: To use Connect-ExchangeOnline with an MFA-enabled account, run the below cmdlet. It will prompt for the credential and verification code.

 

4. Basic Auth still needs to be enabled on your local machine:

The EXO V2 module uses Modern auth to create a session that allows you to use the 9 REST-based cmdlets (the ones with the *-EXO* naming pattern). The EXO V2 module is backward compatible and gives access to the 700+ older Remote PowerShell (RPS) cmdlets, but establishing the RPS session requires WinRM Basic Auth to be enabled. The client machine still uses Modern auth for authentication, but it requires WinRM Basic Auth to transport the Modern auth token.

If WinRM Basic Auth is disabled on the client machine, you can access the 9 EXO* cmdlets, but you can’t access the older RPS cmdlets. If you try to access them, you will get the below error.

WARNING: Please note that you can only use above 9 new EXO cmdlets (the one with *-EXO* naming pattern).You can't use other cmdlets as we couldn't establish a Remote PowerShell session as basic auth is disabled in your client machine.

 

5. Enable basic authentication on the WinRM Service:

Connect-ExchangeOnline supports Modern authentication on the Office 365 end. On the local machine side, however, it still needs Basic authentication.

Basic authentication on the Office 365 end can be disabled with a conditional access policy in Azure that blocks legacy authentication. If Basic authentication is disabled on the local machine, you’ll get the below error when you try to connect:

New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the following error message : The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration.

Note: Connect-ExchangeOnline doesn’t send the username and password combination here, but the Basic authentication header is required to transport the session’s OAuth token, since the client-side WinRM implementation has no support for OAuth.

To check whether Basic authentication is enabled, run the below command in the command prompt.

If Basic = true is not set, you need to run the below command to enable Basic authentication.
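
A PowerShell equivalent of this check-then-enable step using the WSMan: drive, as an added example that is not part of the original post. It assumes an elevated console with the WinRM service running; the function name Enable-WinRMClientBasic is hypothetical.

```powershell
# Added example: inspect, and if needed enable, Basic authentication on the WinRM client.
# Enable-WinRMClientBasic is a hypothetical helper name.
function Enable-WinRMClientBasic {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # A Group Policy value overrides the local setting, so check it first.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
    $policy = Get-ItemProperty -Path $policyKey -Name AllowBasic -ErrorAction SilentlyContinue
    if ($policy -and $policy.AllowBasic -eq 0) {
        throw 'WinRM client Basic authentication is disabled by Group Policy; a local change will not take effect.'
    }

    # The OAuth token travels in the Basic header, so unencrypted WinRM
    # traffic should stay disabled on the client.
    $unencrypted = (Get-Item -Path WSMan:\localhost\Client\AllowUnencrypted).Value
    if ($unencrypted -eq 'true') {
        Write-Warning 'AllowUnencrypted is true on the WinRM client; set it back to false.'
    }

    # Current client-side setting (the provider returns the strings true/false).
    $basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic).Value
    if ($basic -eq 'true') {
        return 'Basic = true (already enabled)'
    }

    if ($PSCmdlet.ShouldProcess('WSMan:\localhost\Client\Auth\Basic', 'Set to true')) {
        Set-Item -Path WSMan:\localhost\Client\Auth\Basic -Value $true
        return 'Basic = true (enabled by this run)'
    }
}

Enable-WinRMClientBasic
```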

After executing the above command, the output looks similar to the below screenshot.

[Screenshot: Connect-ExchangeOnline: Enable basic authentication on WinRM service]

6. 'Connect-ExchangeOnline' is not recognized as the name of a cmdlet:

To run the Connect-ExchangeOnline cmdlet, you must install the Exchange Online PowerShell V2 module. Otherwise, you will get an error during connection.

Connect-ExchangeOnline : The term 'Connect-ExchangeOnline' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Solution: Install the EXO V2 module.

 

7. Using EXO V2 module in PowerShell scripts:

If you are using both Connect-ExchangeOnline and Connect-MsolService in your PowerShell script, you might face the below issue.

Get-EXOMailbox: Failed to acquire token silently as no token was found in the cache. Call method AcquireToken.

This issue occurs when the Azure MSOnline module is loaded after the EXO V2 module. I hope this issue will be resolved soon by Microsoft.

Solution: As a workaround, connect with Connect-MsolService first and then connect with the EXO V2 module.

 

8. Using EXO V2 cmdlets in Exchange Online Remote PowerShell Module:

When you try to run EXO V2 cmdlets like Get-EXOMailbox, Get-EXOMailboxFolderPermission, Get-EXORecipient, etc. in the Exchange Online Remote PowerShell Module, you will end up with the following error.

Get-EXOMailbox : No valid token was found in the cache, please run Connect-ExchangeOnline.

Solution: To run EXO V2 cmdlets, you need to install the ExchangeOnlineManagement module.

We have documented EXO V2 cmdlets and their equivalent older cmdlets below. 

 

EXO V2 Cmdlets and Their Equivalent Older Cmdlets: 

EXO V2 cmdlets are REST API-based cmdlets that are faster and more reliable compared to the older Exchange Online cmdlets. Still, the EXO V2 Module supports the older cmdlets for backward compatibility.

Old Cmdlets                    EXO V2 Cmdlets
Get-Mailbox                    Get-EXOMailbox
Get-MailboxFolderPermission    Get-EXOMailboxFolderPermission
Get-CASMailbox                 Get-EXOCASMailbox
Get-MailboxFolderStatistics    Get-EXOMailboxFolderStatistics
Get-MailboxPermission          Get-EXOMailboxPermission
Get-MobileDeviceStatistics     Get-EXOMobileDeviceStatistics
Get-Recipient                  Get-EXORecipient
Get-RecipientPermission        Get-EXORecipientPermission

Microsoft is planning to upgrade the remaining cmdlets too. Soon you can expect more Exchange Online REST-based PowerShell cmdlets.

Have you tried these fast REST cmdlets in your script? How quick was the data retrieval? You can share your test results with other admins and us through the comment section.

 

Connect to Exchange Online PowerShell without Basic Authentication – Conclusion:

The ExchangeOnlineManagement module is a valuable addition to the PowerShell Gallery. It helps admins connect to Exchange Online PowerShell (with both MFA and non-MFA accounts) using a single cmdlet. Using New-PSSession with Basic Authentication is going to be deprecated soon, so you can start using the EXO V2 module. Happy scripting!