How can we improve the tenant admin features O365?

Enable Windows Powershell to use MFA

We want to use Windows Powershell with MFA accounts for more security

652 votes
Gordon Lamb shared this idea

    30 comments

      • Anonymous commented

        tldr to get this to work:

        Office365 Powershell:
        Install-Module MSOnline (first time only)
        Import-Module MSOnline (first time only)
        Connect-MsolService

        Exchange Online Powershell (EXOPS)
        Install-Module ExchangeOnlineShell
        Import-Module ExchangeOnlineShell
        Connect-ExchangeOnlineShell

        With MFA becoming more and more common these modules should really be added in by default.

      • Aleksey commented

        MFA for admin users in Powershell does not work if you have enabled SSO and you are logging in from an SSO-enabled PC in the domain. You need to use a workaround:

        Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
        $Session=New-ExoPSSession
        Import-PSSession $Session -Verbose -AllowClobber

      • Kristoffer Strom commented

        Most PowerShell modules have been updated to support modern auth (i.e. MFA support), so is this still an issue? Please add details on which module you're having issues with.

      • Rob Clarke commented

        After enabling MFA for all users have discovered this decrease in functionality. Used to use ISE for all O365 PS tasks. This is a step backwards. ISE should be able to support EXOPS!!

      • Richard Roddy commented

        BTW, I found the solution for loading the Exchange module into ISE.

        The Microsoft Exchange Online PowerShell module app when it runs launches a PowerShell session and runs a script to load the necessary modules and functions into the current PowerShell execution to provide the cmdlet.

        The files related to the app are loaded into a folder with a path similar to:
        C:\Users\<username>\AppData\Local\Apps\2.0\LC7A9808.VWQ\TDNEY3XY.VWX\micr..tion_c3bce3770c238a49_0010.0000_213d7102fbbdf9ba

        If you open the properties of the shortcut created for the Microsoft Exchange Online Powershell Module app, go to the Details tab, click the Folder path to select it, press Ctrl-C to copy it and then put that into notepad or somewhere like that, you can get the path and then access it.

        To successfully use the Connect-EXOPSSession cmdlet in the ISE, you need to execute the CreateExoPSSession.ps1 script found in that folder in your ISE execution. Once it runs, it loads the necessary modules and functions so that the Connect-EXOPSSession cmdlet is available and works to connect to Exchange Online with MFA enabled.
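
The manual steps in the comment above (find the app folder, run CreateExoPSSession.ps1 inside ISE, then connect) can be scripted. The following is an added example, not part of the original comment and not Microsoft's code; the function names are hypothetical, and it assumes the script sits in the ClickOnce cache under %LOCALAPPDATA%\Apps\2.0 and is Authenticode-signed by Microsoft, which it checks before loading anything from that user-writable folder.

```powershell
# Added example, not from the comment above. Assumptions: the app is installed in the
# ClickOnce cache under %LOCALAPPDATA%\Apps\2.0, and CreateExoPSSession.ps1 carries a
# Microsoft Authenticode signature. Function names here are hypothetical.

function Find-ExoSessionScript {
    param([string]$CacheRoot = (Join-Path $env:LOCALAPPDATA 'Apps\2.0'))

    if (-not (Test-Path -LiteralPath $CacheRoot)) {
        throw "ClickOnce cache not found: $CacheRoot"
    }
    # Updates leave older copies side by side; take the most recently written one.
    $found = Get-ChildItem -LiteralPath $CacheRoot -Filter 'CreateExoPSSession.ps1' `
                 -Recurse -File -ErrorAction SilentlyContinue |
             Sort-Object LastWriteTime -Descending |
             Select-Object -First 1
    if (-not $found) {
        throw "CreateExoPSSession.ps1 not found under $CacheRoot; install the module app first."
    }
    return $found
}

function Assert-MicrosoftSigned {
    param([Parameter(Mandatory = $true)][string]$Path)

    # The cache is writable by the user, so check the signature before running anything from it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to load $Path (signature status: $($sig.Status))"
    }
    if ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        throw "Unexpected signer for ${Path}: $($sig.SignerCertificate.Subject)"
    }
}

$exoScript = Find-ExoSessionScript
Assert-MicrosoftSigned -Path $exoScript.FullName

# Dot-source at script scope, from the original folder, so the functions land in the
# ISE session and the module files in that folder stay alongside the script.
. $exoScript.FullName

Connect-EXOPSSession   # cmdlet named in the comment above; connects with MFA enabled
```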

      • Roberth Strand commented

        This is needed. Tried importing the module manually but that didn't work. If we could at least get ISE version of the standalone MFA PowerShell client, I would be satisfied.

        Of course, it's not that bad running a script you made in your regular ISE in the MFA PowerShell but having autocomplete reduced the risk of mistyping while creating the script.

      • Rob M. commented

        This is still a big problem.

        I've tried the workaround below and it still fails for me.

      • George commented

        I've been trying to load this into ISE with no success. I tried the suggestion below (I tried Import-Module i:\powershell\Microsoft.Exchange.Management.ExoPowershellModule.dll after copying the dll as described). Code and error are below. Has anyone successfully loaded it into ISE? Is this possible?

        PS C:\WINDOWS\system32> Import-Module I:\PowershellLocal\Microsoft.Exchange.Management.ExoPowershellModule.dll

        PS C:\WINDOWS\system32> New-ExoPSSession
        New-ExoPSSession : Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.16.0.0, Culture=neutral,
        PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
        At line:1 char:1
        + New-ExoPSSession
        + ~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [New-ExoPSSession], FileNotFoundException
        + FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.Exchange.Management.ExoPowershellSnapin.NewExoPSSession

      • Anonymous commented

        You can connect to EXO Powershell with MFA now, https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

        Install the module with IE, didn't install from FF or Opera.

        Find the DLL file in C:\Users\%username%\AppData\Local\Apps\2.0\ subfolders, like

        NZQ1NJZC.KDY\K1T2OE3P.WZP\micr..dule_31bf3856ad364e35_0010.0000_none_e092d310eab729ab

        Microsoft.Exchange.Management.ExoPowershellModule.dll

        Copy that DLL to someplace higher in the folder structure

        Launch an administrative PowerShell and import the DLL as a module: Import-Module Microsoft.Exchange.Management.ExoPowershellModule.dll

        New-EXOPSSession will get you connected.

        You can script it if you want.

      • Jason Emery commented

        I agree, having MFA for global admin accounts is a great way to increase security. However, it is very hobbled in its functionality. You need to be able to support it across the entire O365 environment. So many things have to be done via powershell that we find ourselves turning it on and off, or just leaving it off many times for global admins.

      • Anonymous commented

        We currently need the ability to auto-provision mailboxes using a script in which it pulls new accounts from Oracle, auto-creates an AD account and then generates a mailbox in Exchange using a primary SMTP address different than the username.

      • Bruce Reed commented

        Having MFA support for MSOL Azure admin is great, but for Office365 admins that need to use both MFA and support Exchange it is of no help. You still need to maintain a non-MFA global admin account to use PS, either for every admin or by using a common account. One way or the other there is a global admin account that can be compromised due to lack of MFA. Very disappointing and creates large exposure for O365 customers.

      • Bill Perrette commented

        For a complete solution we will need all of the core modules available, not just Azure and Exchange, otherwise we still need two accounts. Also, this will only address individual admins. We still need a solution for service accounts running scheduled tasks.
