Enable Windows Powershell to use MFA
We want to use Windows Powershell with MFA accounts for more security
Gordon Lamb
shared this idea
30 comments
-
Anonymous
commented
tldr to get this to work:
Office365 Powershell:
Install-Module MSOnline (first time only)
Import-Module MSOnline (first time only)
Connect-MsolScerviceExchange Online Powershell (EXOPS)
Install-Module ExchangeOnlineShell
Import-Module ExchangeOnlineShell
Connect-ExchangeOnlineShellWith MFA becoming more and more common these modules should really be added in by default.
-
Aleksey
commented
MFA for admin users in Powershell does not work if you have enable SSO and you are login from SSO enabled PC in domain. You need to use a workaround:
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
$Session=New-ExoPSSession
Import-PSSession $Session -Verbose -AllowClobber -
anonymous
commented
Why is there no way to pass the password via this new commandlet??
-
Chad Conrow
commented
I've also added an idea for MFA when crossing into administrative boundaries. Similar to "high value transaction" auth requests on other sites. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/31990114-force-mfa-when-trying-to-use-elevated-rights
-
Kristoffer Strom
commented
Most PowerShell modules have been updated to support modern auth (I.e MFA support), so is this still an issue? Please add details which module you're having issues with?
-
Lucian Frango
commented
Anyone know if the timeout can be increased for PS MFA access? Link to reference at all?
-
Rob Clarke
commented
After enabling MFA for all users have discovered this decrease in functionality. Used to use ISE fro all O365 PS tasks. This is a step backwards. ISE should be able to support EXOPS!!
-
Chris Chambers
commented
Works fine - I've written a guide for internal use if you want a copy
-
Richard Roddy
commented
BTW, I found the solution for loading the Exchange module into ISE.
The Microsoft Exchange Online PowerShell module app when it runs launches a PowerShell session and runs a script to load the necessary modules and functions into the current PowerShell execution to provide the cmdlet.
The files related to the app are loaded into a folder with a path similar to:
C:\Users\<username>\AppData\Local\Apps\2.0\LC7A9808.VWQ\TDNEY3XY.VWX\micr..tion_c3bce3770c238a49_0010.0000_213d7102fbbdf9baIf you open the properties of the shortcut created for the Microsoft Exchange Online Powershell Module app, go to the Details tab, click the Folder path to select it, press Ctrl-C to copy it and then put that into notepad or somewhere like that, you can get the path and then access it.
To successfully use the Connect-EXOPSSession cmdlet in the ISE, you need to execute the CreateExoPSSession.ps1 script found in that folder in your ISE execution. Once it runs, it loads the necessary modules and functions so that the Connect-EXOPSSession cmdlet is available and works to connect to Exchange Online with MFA enabled.
-
Anonymous
commented
http://www.365admin.com.au/2017/01/how-to-configure-your-desktop-pc-for.html
This tutorial steps you through configuring your PC for admin with MFA support.
-
Gert Kjerslev
commented
We need this to manage our Office 365 customers. This cannot be a hard one to fix. :-)
-
Roberth Strand
commented
This is needed. Tried importing the module manually but that didn't work. If we could at least get ISE version of the standalone MFA PowerShell client, I would be satisfied.
Of course, it's not that bad running a script you made in your regular ISE in the MFA PowerShell but having autocomplete reduced the risk of mistyping while creating the script.
-
Rob M.
commented
This is still a big problem.
I've tried the workaround below and it still fails for me.
-
George
commented
I've been trying to load this into ISE with no success. I tried the suggestion below (I tried Import-Module i:\powershell\Microsoft.Exchange.Management.ExoPowershellModule.dll after copying the dll as describled. Has anyone successfully loaded it into ISE? Code and error are below. Has anyone successfully loaded it into ISE? Is this possible?
PS C:\WINDOWS\system32> Import-Module I:\PowershellLocal\Microsoft.Exchange.Management.ExoPowershellModule.dll
PS C:\WINDOWS\system32> New-ExoPSSession
New-ExoPSSession : Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.16.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
At line:1 char:1
+ New-ExoPSSession
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-ExoPSSession], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.Exchange.Management.ExoPowershellSnapin.NewExoPSSession -
Anonymous
commented
You can connect to EXO Powershell with MFA now, https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx
Install the module with IE, didn't install from FF or Opera.
Find the DLL file in C:\Users\%username%\AppData\Local\Apps\2.0\ subfolders, like
NZQ1NJZC.KDY\K1T2OE3P.WZP\micr..dule_31bf3856ad364e35_0010.0000_none_e092d310eab729ab
Microsoft.Exchange.Management.ExoPowershellModule.dll
Copy that DLL to someplace higher in the folder structure
Launch administrative powershell, run import the DLL as a module, Import-Module Microsoft.Exchange.Management.ExoPowershellModule.dll
New-EXOPSSession will get you connected.
You can script it if you want.
-
Jason Emery
commented
I agree, having MFA for global admin accounts is a great way to increase security. However, it is very hobbled in it's functionality. You need to be able to support it across the entire O365 environment. So many things have to be done via powershell that we find ourselves turning it on and off, or just leaving it off many times for global admins.
-
Anonymous
commented
We currently need the ability to auto-provision mailboxes using a script in which it pulls new accounts from oracle, auto-creates and AD account and then generates a mailbox in Exchange using a primary smtp address different than the username.
-
Bruce Reed
commented
Having MFA support for MSOL Azure admin is great, but for Office365 admins that need to use both MFA and support Exchange it is on no help. You still need to maintain a non-MFA global admin account to use PS, either for every admin or by using a common account. One way or the other there is a global admin account that can be compromised due to lack of MFA. Very disappointing and creates large exposure for O365 customers.
-
Bill Perrette
commented
For a complete solution we will need all of the core modules available, not just Azure and Exchange, otherwise we still need two accounts. Also, this will only address individual admins. We still need a solution for services accounts running scheduled tasks.
-
David Conradie
commented
Technote describing the public preview is here : https://technet.microsoft.com/library/mt775114.aspx