Feedback by UserVoice

How can we improve the tenant admin features O365?

Enable Windows Powershell to use MFA

We want to use Windows Powershell with MFA accounts for more security

675 votes
Gordon Lamb shared this idea

31 comments

  • Anonymous commented

    tldr to get this to work:

    Office365 Powershell:
    Install-Module MSOnline (first time only)
    Import-Module MSOnline (first time only)
    Connect-MsolService

    Exchange Online Powershell (EXOPS)
    Install-Module ExchangeOnlineShell
    Import-Module ExchangeOnlineShell
    Connect-ExchangeOnlineShell

    With MFA becoming more and more common these modules should really be added in by default.

  • Aleksey commented

    MFA for admin users in Powershell does not work if you have enabled SSO and you are logging in from an SSO-enabled PC in the domain. You need to use a workaround:

    Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
    $Session=New-ExoPSSession
    Import-PSSession $Session -Verbose -AllowClobber

  • Kristoffer Strom commented

    Most PowerShell modules have been updated to support modern auth (i.e. MFA support), so is this still an issue? Please add details on which module you're having issues with.

  • Lucian Frango commented

    Anyone know if the timeout can be increased for PS MFA access? Link to reference at all?

  • Rob Clarke commented

    After enabling MFA for all users have discovered this decrease in functionality. Used to use ISE for all O365 PS tasks. This is a step backwards. ISE should be able to support EXOPS!!

  • Richard Roddy commented

    BTW, I found the solution for loading the Exchange module into ISE.

    The Microsoft Exchange Online PowerShell module app when it runs launches a PowerShell session and runs a script to load the necessary modules and functions into the current PowerShell execution to provide the cmdlet.

    The files related to the app are loaded into a folder with a path similar to:
    C:\Users\<username>\AppData\Local\Apps\2.0\LC7A9808.VWQ\TDNEY3XY.VWX\micr..tion_c3bce3770c238a49_0010.0000_213d7102fbbdf9ba

    If you open the properties of the shortcut created for the Microsoft Exchange Online Powershell Module app, go to the Details tab, click the Folder path to select it, press Ctrl-C to copy it and then put that into notepad or somewhere like that, you can get the path and then access it.

    To successfully use the Connect-EXOPSSession cmdlet in the ISE, you need to execute the CreateExoPSSession.ps1 script found in that folder in your ISE execution. Once it runs, it loads the necessary modules and functions so that the Connect-EXOPSSession cmdlet is available and works to connect to Exchange Online with MFA enabled.

  • Roberth Strand commented

    This is needed. Tried importing the module manually but that didn't work. If we could at least get ISE version of the standalone MFA PowerShell client, I would be satisfied.

    Of course, it's not that bad running a script you made in your regular ISE in the MFA PowerShell but having autocomplete reduced the risk of mistyping while creating the script.

  • Rob M. commented

    This is still a big problem.

    I've tried the workaround below and it still fails for me.

  • George commented

    I've been trying to load this into ISE with no success. I tried the suggestion below (I tried Import-Module i:\powershell\Microsoft.Exchange.Management.ExoPowershellModule.dll after copying the dll as described). Code and error are below. Has anyone successfully loaded it into ISE? Is this possible?

    PS C:\WINDOWS\system32> Import-Module I:\PowershellLocal\Microsoft.Exchange.Management.ExoPowershellModule.dll

    PS C:\WINDOWS\system32> New-ExoPSSession
    New-ExoPSSession : Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.16.0.0, Culture=neutral,
    PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
    At line:1 char:1
    + New-ExoPSSession
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-ExoPSSession], FileNotFoundException
    + FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.Exchange.Management.ExoPowershellSnapin.NewExoPSSession

  • Anonymous commented

    You can connect to EXO Powershell with MFA now, https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

    Install the module with IE, didn't install from FF or Opera.

    Find the DLL file in C:\Users\%username%\AppData\Local\Apps\2.0\ subfolders, like

    NZQ1NJZC.KDY\K1T2OE3P.WZP\micr..dule_31bf3856ad364e35_0010.0000_none_e092d310eab729ab

    Microsoft.Exchange.Management.ExoPowershellModule.dll

    Copy that DLL to someplace higher in the folder structure

    Launch an administrative PowerShell and import the DLL as a module: Import-Module Microsoft.Exchange.Management.ExoPowershellModule.dll

    New-EXOPSSession will get you connected.

    You can script it if you want.
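
Added example (not part of any comment in this thread): one way to script the DLL lookup described in the comments above while loading the module from its install folder instead of a copy, so the ADAL assembly named in George's error stays resolvable, and refusing to import from the user-writable Apps\2.0 tree unless the file carries a valid Microsoft signature. The function names, the dependency file name being `Microsoft.IdentityModel.Clients.ActiveDirectory.dll` next to the module, and the signer match are assumptions.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function Find-ExoModuleCandidate {
    param([string]$Root = (Join-Path $env:LOCALAPPDATA 'Apps\2.0'))

    $dllName  = 'Microsoft.Exchange.Management.ExoPowershellModule.dll'
    # Assembly named in the FileNotFoundException quoted in the thread;
    # assumed to ship in the same folder as the module DLL.
    $adalName = 'Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

    Get-ChildItem -Path $Root -Filter $dllName -Recurse -ErrorAction SilentlyContinue |
        # Same "_none_" exclusion as the workaround posted in the thread.
        Where-Object { $_.FullName -notmatch '_none_' } |
        # Skip folders where the dependency is missing (the copied-DLL failure).
        Where-Object { Test-Path (Join-Path $_.DirectoryName $adalName) } |
        Sort-Object LastWriteTime -Descending
}

function Test-MicrosoftSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Assumption: the module DLL is Authenticode-signed by Microsoft.
    # Status must be 'Valid'; unsigned or tampered files fail here.
    return ($sig.Status -eq 'Valid') -and
           ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# Kept at script level so the imported cmdlets land in the calling session.
$candidate = Find-ExoModuleCandidate | Select-Object -First 1
if (-not $candidate) {
    throw 'EXO PowerShell module not found, or its ADAL dependency is missing.'
}
if (-not (Test-MicrosoftSignature -Path $candidate.FullName)) {
    throw "Refusing to import $($candidate.FullName): signature check failed."
}

Import-Module $candidate.FullName
$session = New-ExoPSSession          # interactive sign-in, MFA prompt included
Import-PSSession $session -AllowClobber
```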

  • Jason Emery commented

    I agree, having MFA for global admin accounts is a great way to increase security. However, it is very hobbled in its functionality. You need to be able to support it across the entire O365 environment. So many things have to be done via powershell that we find ourselves turning it on and off, or just leaving it off many times for global admins.

  • Anonymous commented

    We currently need the ability to auto-provision mailboxes using a script in which it pulls new accounts from Oracle, auto-creates an AD account and then generates a mailbox in Exchange using a primary smtp address different than the username.

  • Bruce Reed commented

    Having MFA support for MSOL Azure admin is great, but for Office365 admins that need to use both MFA and support Exchange it is of no help. You still need to maintain a non-MFA global admin account to use PS, either for every admin or by using a common account. One way or the other there is a global admin account that can be compromised due to lack of MFA. Very disappointing and creates large exposure for O365 customers.

  • Bill Perrette commented

    For a complete solution we will need all of the core modules available, not just Azure and Exchange, otherwise we still need two accounts. Also, this will only address individual admins. We still need a solution for service accounts running scheduled tasks.
