1
votes

I have a PowerShell script that MS provided and I have edited. True to form, MS has provided a script using old code. Since we have MFA enabled, I can no longer use Get-Credential to authenticate, as we use Modern Auth instead of Basic. How can I edit the code to support MFA? We do not use Azure MFA; we use Duo.

Old Code:

    $adminCredential = Get-Credential

    Write-Output "Connecting to Exchange Online Remote Powershell Service"
    $ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $adminCredential -Authentication Basic -AllowRedirection
    if ($null -ne $ExoSession) { 
        Import-PSSession $ExoSession -AllowClobber
    } else {
        Write-Output "  No EXO service set up for this account"
    }

    Write-Output "Connecting to EOP Powershell Service"
    $EopSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $adminCredential -Authentication Basic -AllowRedirection
    if ($null -ne $EopSession) { 
        Import-PSSession $EopSession -AllowClobber
    } else {
        Write-Output "  No EOP service set up for this account"
    }

The new commands should be Connect-IPPSSession instead of New-PSSession, but I have to somehow change Get-Credential to pass the credentials and MFA. I just have no idea how to do this.


4 Answers

1
votes

If you want to use OAuth authentication, you need to have an access token.

Once the application has an access token, it may use the token to access the user's account via the API, limited to the scope of access, until the token expires or is revoked.

Here is an example of an API request, using curl. Note that it includes the access token:

curl -X POST -H "Authorization: Bearer ACCESS_TOKEN" "https://api.digitalocean.com/v2/$OBJECT"

You can authenticate against OAuth; refer to the link below:

Using PowerShell to Authenticate Against OAuth

1
votes

Full disclosure, neither I nor any of the customers I support use Duo.

That being said, there are no docs from MS regarding PowerShell and MFA using Duo as the source for O365.

As per MS...

Connect to Office 365 services with multifactor authentication (MFA) and PowerShell

Connect to Exchange Online PowerShell using multi-factor authentication

You can't use the Exchange Online Remote PowerShell Module to connect to Exchange Online PowerShell and Security & Compliance Center PowerShell in the same session (window). You need to use separate sessions of the Exchange Online Remote PowerShell Module.

If you want to use multi-factor authentication (MFA) to connect to Exchange Online PowerShell, you can't use the instructions at Connect to Exchange Online PowerShell

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

to use remote PowerShell to connect to Exchange Online.

MFA requires you to install the Exchange Online Remote PowerShell Module, and use the Connect-EXOPSSession cmdlet to connect.

Connect-EXOPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]

Multi-Factor Authentication (MFA) Setup and End-User Experience with Office 365 and PowerShell

See also, if you have not already.

How do I change the username format sent to Duo?

0
votes

Upon reading the answers I realize that I did not structure my question in a detailed enough manner for the answer I need. I am leaving the question live and marking one of the answers as the answer because it does answer the question I asked, just not what I was hoping to learn.

0
votes

The Connect-ExchangeOnline cmdlet supports login with 2FA. You can run it as is, without any arguments.
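
The question's two connection blocks rewritten for interactive modern authentication, as an added example that is not part of any answer above and is not Microsoft's script. It assumes the ExchangeOnlineManagement module (v3 or later, for Get-ConnectionInformation) is installed; the UPN is a placeholder.

```powershell
#Requires -Modules ExchangeOnlineManagement

# Placeholder admin account (assumption); replace with a real UPN.
$AdminUpn = 'admin@contoso.example'

try {
    Write-Output "Connecting to Exchange Online Remote Powershell Service"
    try {
        # No Get-Credential and no -Authentication Basic: the cmdlet opens an
        # interactive modern-auth sign-in, so the password and second factor
        # are entered in that window and never held in a script variable.
        Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false -ErrorAction Stop
    } catch {
        Write-Output "  No EXO service set up for this account: $($_.Exception.Message)"
    }

    Write-Output "Connecting to EOP Powershell Service"
    try {
        # Replaces the New-PSSession call against
        # ps.compliance.protection.outlook.com in the old script.
        Connect-IPPSSession -UserPrincipalName $AdminUpn -ErrorAction Stop
    } catch {
        Write-Output "  No EOP service set up for this account: $($_.Exception.Message)"
    }

    # Confirm which connections were actually established and that each
    # one holds a live token before running anything that changes state.
    Get-ConnectionInformation |
        Select-Object Name, UserPrincipalName, State, TokenStatus |
        Format-Table -AutoSize

    # ... the rest of the original script's work goes here ...
}
finally {
    # Drop the sessions and cached tokens even if the work above failed,
    # so an authenticated admin session is not left open in the window.
    Disconnect-ExchangeOnline -Confirm:$false
}
```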