Usually, admins use the stored credential for unattended PowerShell scripts. With the introduction of security defaults and basic authentication deprecation, it’s necessary to adopt MFA for authentication. Since MFA requires users’ interaction to create Exchange session, people started to use Conditional Access policy to bypass MFA. But Conditional Access requires Azure AD Premium license.
So, most admins wanted a way to execute their PowerShell script with Modern auth and unattended authentication.
After several months of waiting, Microsoft has released the EXO V2 preview module for non-interactive PowerShell scripts using Modern authentication.
Feb 2023 Update: Remote PowerShell (RPS) retirement in Exchange Online PowerShell
Due to RPS retirement, you can’t use EXO V1 and V2 modules to connect Exchange Online PowerShell. So admins must install/update to EXO V3 module to perform Exchange management tasks.
With the introduction of this new feature,
–You don’t need to exclude service accounts with Conditional Access policy.
–You don’t need to store credential in the local file
–You can easily automate script scheduler with Modern auth
To automate Exchange Online PowerShell login, you need EXO V2 PowerShell module version 2.0.3 preview or later version. This unattended script authentication uses Azure AD applications, certificates, and Modern authentication.
To install the EXO V2 module Preview release, run the below cmdlet.
1 |
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease |
To update from an earlier version of EXO V2 module, run the below cmdlet.
1 |
Update-Module -Name ExchangeOnlineManagement -AllowPrerelease |
How to use the EXO V2 Module for Unattended Scripts?
You can use Exchange Online PowerShell V2 module Preview to automate script scheduler with MFA/Modern authentication.
The following examples show how to use the Exchange Online PowerShell V2 module with app-only authentication.
Note: Administrators can create self-signed certificates and use them for internal and testing purposes, thereby avoiding the need for costly third-party Certificate Authority (CA) certificates
Connect to Exchange Online PowerShell using a local certificate:
You need to use Connect-ExchangeOnline with CertificateFilePath and other necessary parameters. This method supports non-interactive scripts via Remote PowerShell using Certificate–Based Authentication.
1 |
Connect-ExchangeOnline -CertificateFilePath "C:\Users\admin\Desktop\automation-cert.pfx" -AppID "Testing App" -Organization "contoso.onmicrosoft.com" |
Connect to Exchange Online PowerShell using certificate thumbprint:
To use certificate thumbprint, you need to use Connect-ExchangeOnline with CertificateThumbPrint paramter.
1 |
Connect-ExchangeOnline -CertificateThumbPrint "TESTINGTHUMBPRINT" -AppID "Testing Aoo" -Organization "contoso.onmicrosoft.com" |
When you use the CertificateThumbPrint parameter, the certificate needs to be installed on the computer where you are running the command. The certificate should be installed in the user certificate store.
Connect to Exchange Online PowerShell with existing service principal and client-secret:
To connect Exchange online with existing service principal and client-secret, you need to follow the steps below.
Step1: Get an OAuth access token using Active Directory Authentication Library (ADAL) PowerShell.
Step 2: Create PSCredential object
1 |
$AppCredential= New-Object System.Management.Automation.PSCredential(<UPN>,<Token>) |
Step3: Pass the PSCredential to the EXO V2 module.
1 |
Connect-ExchangeOnline -Credential $AppCredential |
To setup app-only authentication, you can follow this Microsoft doc.
This feature is a valuable addition to the EXO V2 PowerShell module. It helps users to create non-interactive PowerShell scripts and connect to Exchange Online PowerShell with app-only authentication. Have you started upgrading existing PowerShell scripts to adopt this new method? Please share your experience with other admins and us.