Usually, admins use the stored credential for unattended PowerShell scripts. With the introduction of security defaults and basic authentication deprecation, it’s necessary to adopt MFA for authentication. Since MFA requires users’ interaction to create Exchange session, people started to use Conditional Access policy to bypass MFA. But Conditional Access requires Azure AD Premium license.
So, most admins wanted a way to execute their PowerShell script with Modern auth and unattended authentication.
After several months of waiting, Microsoft has released the EXO V2 preview module for non-interactive PowerShell scripts using Modern authentication.
Feb 2023 Update: Remote PowerShell (RPS) retirement in Exchange Online PowerShell
Due to RPS retirement, you can’t use EXO V1 and V2 modules to connect Exchange Online PowerShell. So admins must install/update to EXO V3 module to perform Exchange management tasks.
With the introduction of this new feature,
- You don’t need to exclude service accounts with Conditional Access policy.
- You don’t need to store credential in the local file
- You can easily automate script scheduler with Modern auth
This unattended script authentication uses Azure AD applications, certificates, and Modern authentication.
To install the EXO module Preview release, run the below cmdlet.
|
1 |
Install-Module -Name ExchangeOnlineManagement |
To update from an earlier version of EXO module, run the below cmdlet.
|
1 |
Update-Module -Name ExchangeOnlineManagement |
How to use the EXO Module for Unattended Scripts?
The following examples show how to use the Exchange Online PowerShell module with app-only authentication.
Note:
Administrators can create self-signed certificates and use them for internal and testing purposes, thereby avoiding the need for costly third-party Certificate Authority (CA) certificates
Connect to Exchange Online PowerShell using a local certificate:
You need to use Connect-ExchangeOnline with CertificateFilePath and other necessary parameters. This method supports non-interactive scripts via Remote PowerShell using Certificate–Based Authentication.
|
1 |
Connect-ExchangeOnline -CertificateFilePath "C:\Users\admin\Desktop\automation-cert.pfx" -AppID "Testing App" -Organization "contoso.onmicrosoft.com" |
Connect to Exchange Online PowerShell using certificate thumbprint:
To use certificate thumbprint, you need to use Connect-ExchangeOnline with CertificateThumbPrint paramter.
|
1 |
Connect-ExchangeOnline -CertificateThumbPrint "TESTINGTHUMBPRINT" -AppID "Testing Aoo" -Organization "contoso.onmicrosoft.com" |
When you use the CertificateThumbPrint parameter, the certificate needs to be installed on the computer where you are running the command. The certificate should be installed in the user certificate store.
Connect to Exchange Online PowerShell with existing service principal and client-secret:
To connect Exchange online with existing service principal and client-secret, you need to follow the steps below.
- Get an access token using MSAL (Microsoft Authentication Library).
- Create PSCredential object
$AppCredential= New-Object System.Management.Automation.PSCredential(<UPN>,<Token>)
- Pass the PSCredential to the EXO V2 module.
Connect-ExchangeOnline -Credential $AppCredential
You can also schedule the unattended scripts using Task scheduler or Azure Automation.
This feature is a valuable addition to the EXO PowerShell module. It helps users to create non-interactive PowerShell scripts and connect to Exchange Online PowerShell with app-only authentication. Have you started upgrading existing PowerShell scripts to adopt this new method? Please share your experience with other admins and us.
