Allow winrm authentication other than basic when connecting via powershell
Please provide an option for creating a new powershell session with Office 365 with an authentication method other than basic. Due to hardening policies in place, when I attempt $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
It fails because basic authentication is currently disabled in the client configuration (due to group policy settings we implemented).
From comments here: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-february-2021-update/bc-p/2118379/emcs_t/S2h8ZW1haWx8bWVudGlvbl9zdWJzY3JpcHRpb258S0tYMk9XODFFSjA3SFh8MjExODM3OXxBVF9NRU5USU9OU3xoSw#M29487
Is there any update on for patching WinRM client so that it is no longer necessary to enable WinRM basic authentication to send the Oauth header for the ExchangeOnline PS Module v2 commands?
Because of this continued issue, we have to make company wide changes to our intune policies for WinRM to allow basic authentication just for a couple of Exchange admins.
Is this even on MS roadmap? Is MS working of a solution to this issue?
No, this is currently not on the roadmap. There are discussions about it, but nothing is currently committed.
It is best, though, to keep that separate from the subject at hand, because that particular problem is not related to the Basic auth disablement (as you pointed out, OAUTH is used to authenticate to the service in that scenario, it is a local machine requirement).
@Nino Bilic thanks very much for the response. At least I know now!
The reason for raising it here is i don't think it is a totally separate issue. my limited understanding was the Exchange Powershell module v2 WinRM workaround was primary necessary to enable the use of the old commands which still used Exchange PowerShell while enabling modern auth for connection?
Other modules like AzureAD and the MSgraph new EXO commands seem to deal just fine without it. So I would infer its a problem caused by Modern Auth and not having full MS graph PowerShell commands for Exchange?
I assume it is going to be fixed at some point by either patching WinRM or moving all Exchange commands to MSgraph? I assume either is a big headache and can't be done overnight.
I am aware that Basic Auth isn't really used for Auth, and the WinRM basic auth is only required to send the Oauth header. However, as the WinRM setting is contained in intune templates, the solution does mean lessening the orgs security for this setting. Lowering the organization security in one place so it can be improved somewhere else is not an ideal solution. I know some orgs that will not even permit it.
However, the point i was trying to make was that there isn't a great deal of visibility around what path MS is taking to solve the issue long term or what the timescales might be.
Given that Microsoft has recommended WINRM Authentication -Basic to be turned off, it seems really counter to security that it is required for Powershell to function.
C H commented
Microsoft is ending Basic Auth support this year. Microsoft has stated that they follow the new CCPA legislation, which utilizes CIS benchmarks for security. All benchmarks require Basic auth to be disabled. Powershell, for some reason, requires basic auth to be enabled. Which is it? Do you all want to support secure infrastructure, or force everyone to send plain text credentials?
What is the point of these forums if nobody from Microsoft ever replies ?
Any update on this yet?
With security becomming more and more important and Microsoft stating to end Basic Auth for EWS by 2020 it would be nice to have a solution for this please.
We will also implement a GPO to block Basic Auth and this is still a problem.
According to Microsoft the solution is to use Exchange Online Remote PowerShell Module, and use the Connect-EXOPSSession cmdlet to connect.
However the "solution" to not use Bacis Auth requires you to enable Basic Auth...?
Please fix MS, this is becomming more important by the day.
Please help Microsoft! This is still an issue a year and a half later. I still have to use a Windows 7 machine because of this and there's less than one year before Windows 7 is EOL.
Tim Malo commented
Our security team has just implemented a new GPO blocking basic authentication. This needs to be addressed