Enable Windows Powershell to use MFA
We want to use Windows Powershell with MFA accounts for more security
Gordon Lamb
shared this idea
34 comments
-
Anonymous
commented
It's not about EXO module. SPO module doens't work with MFA. MFA is becoming the default mechanism for authenticaiton. Please update not only SPO module, but also any other modules which don't have MFA support for MS Cloud services
-
Anonymous
commented
I can connect using connect-sposervice with an account that has MFA enabled
-
Albert
commented
Yes please, I wonder if this is possible in this year 2020 :-)
-
Embry Fedora
commented
Microsoft recently added Exchange Online PowerShell V2 (EXO V2) module in PowerShell gallery.
- Single cmdlet supports both MFA and non-MFA accounts
- EXO V2 has REST-based cmdlets which are much faster and more reliable. This will be useful for large organization
- Can be download from PowerShell gallery
- EXO V2 cmdlets supports Modern authFor more info: https://o365reports.com/2019/12/11/connect-exchange-online-powershell-without-basic-authentication/
-
Anonymous
commented
tldr to get this to work:
Office365 Powershell:
Install-Module MSOnline (first time only)
Import-Module MSOnline (first time only)
Connect-MsolScerviceExchange Online Powershell (EXOPS)
Install-Module ExchangeOnlineShell
Import-Module ExchangeOnlineShell
Connect-ExchangeOnlineShellWith MFA becoming more and more common these modules should really be added in by default.
-
Aleksey
commented
MFA for admin users in Powershell does not work if you have enable SSO and you are login from SSO enabled PC in domain. You need to use a workaround:
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
$Session=New-ExoPSSession
Import-PSSession $Session -Verbose -AllowClobber -
anonymous
commented
Why is there no way to pass the password via this new commandlet??
-
Chad Conrow
commented
I've also added an idea for MFA when crossing into administrative boundaries. Similar to "high value transaction" auth requests on other sites. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/31990114-force-mfa-when-trying-to-use-elevated-rights
-
Kristoffer Strom
commented
Most PowerShell modules have been updated to support modern auth (I.e MFA support), so is this still an issue? Please add details which module you're having issues with?
-
Lucian Frango
commented
Anyone know if the timeout can be increased for PS MFA access? Link to reference at all?
-
Rob Clarke
commented
After enabling MFA for all users have discovered this decrease in functionality. Used to use ISE fro all O365 PS tasks. This is a step backwards. ISE should be able to support EXOPS!!
-
Chris Chambers
commented
Works fine - I've written a guide for internal use if you want a copy
-
Richard Roddy
commented
BTW, I found the solution for loading the Exchange module into ISE.
The Microsoft Exchange Online PowerShell module app when it runs launches a PowerShell session and runs a script to load the necessary modules and functions into the current PowerShell execution to provide the cmdlet.
The files related to the app are loaded into a folder with a path similar to:
C:\Users\<username>\AppData\Local\Apps\2.0\LC7A9808.VWQ\TDNEY3XY.VWX\micr..tion_c3bce3770c238a49_0010.0000_213d7102fbbdf9baIf you open the properties of the shortcut created for the Microsoft Exchange Online Powershell Module app, go to the Details tab, click the Folder path to select it, press Ctrl-C to copy it and then put that into notepad or somewhere like that, you can get the path and then access it.
To successfully use the Connect-EXOPSSession cmdlet in the ISE, you need to execute the CreateExoPSSession.ps1 script found in that folder in your ISE execution. Once it runs, it loads the necessary modules and functions so that the Connect-EXOPSSession cmdlet is available and works to connect to Exchange Online with MFA enabled.
-
Anonymous
commented
http://www.365admin.com.au/2017/01/how-to-configure-your-desktop-pc-for.html
This tutorial steps you through configuring your PC for admin with MFA support.
-
Gert Kjerslev
commented
We need this to manage our Office 365 customers. This cannot be a hard one to fix. :-)
-
Roberth Strand
commented
This is needed. Tried importing the module manually but that didn't work. If we could at least get ISE version of the standalone MFA PowerShell client, I would be satisfied.
Of course, it's not that bad running a script you made in your regular ISE in the MFA PowerShell but having autocomplete reduced the risk of mistyping while creating the script.
-
Rob M.
commented
This is still a big problem.
I've tried the workaround below and it still fails for me.
-
George
commented
I've been trying to load this into ISE with no success. I tried the suggestion below (I tried Import-Module i:\powershell\Microsoft.Exchange.Management.ExoPowershellModule.dll after copying the dll as describled. Has anyone successfully loaded it into ISE? Code and error are below. Has anyone successfully loaded it into ISE? Is this possible?
PS C:\WINDOWS\system32> Import-Module I:\PowershellLocal\Microsoft.Exchange.Management.ExoPowershellModule.dll
PS C:\WINDOWS\system32> New-ExoPSSession
New-ExoPSSession : Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.16.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
At line:1 char:1
+ New-ExoPSSession
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-ExoPSSession], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.Exchange.Management.ExoPowershellSnapin.NewExoPSSession -
Anonymous
commented
You can connect to EXO Powershell with MFA now, https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx
Install the module with IE, didn't install from FF or Opera.
Find the DLL file in C:\Users\%username%\AppData\Local\Apps\2.0\ subfolders, like
NZQ1NJZC.KDY\K1T2OE3P.WZP\micr..dule_31bf3856ad364e35_0010.0000_none_e092d310eab729ab
Microsoft.Exchange.Management.ExoPowershellModule.dll
Copy that DLL to someplace higher in the folder structure
Launch administrative powershell, run import the DLL as a module, Import-Module Microsoft.Exchange.Management.ExoPowershellModule.dll
New-EXOPSSession will get you connected.
You can script it if you want.
-
Jason Emery
commented
I agree, having MFA for global admin accounts is a great way to increase security. However, it is very hobbled in it's functionality. You need to be able to support it across the entire O365 environment. So many things have to be done via powershell that we find ourselves turning it on and off, or just leaving it off many times for global admins.