Connect to Exchange Online PowerShell with MFA enabled account

in #office3657 years ago

Connecting to Exchange Online was only possible with an account that did not have MFA enabled because it only can handle basic authentication.
This is an issue because Microsoft advises us to have accounts that can do administrative tasks to have MFA enabled. Now we must choose between an account that has no MFA and a possible security breach and an account that cannot connect to Exchange Online.

To solve this, we had an account that was disabled by default and when we had to do Exchange tasks we enabled it. This is a solution but not a great one.

A coworker of my discovered a way to connect to Exchange Online with an MFA enabled account. He found and Exchange Online Module in the hybrid settings of Exchange.
This module can be found in the admin portal of Exchange Online on the Hybrid tab.
ConnectToEchangeOnlinePowerShellWithMFAEnabledAccount01.png
By clicking on “Configure” it will install the “Microsoft Exchange Online PowerShell Module”.
After installing it, there is an icon in the start menu called “Microsoft Exchange Online PowerShell Module” and this will launch a PowerShell window and loads the correct module.
This icon is just a small console app that loads the file “CreateExoPSSession.ps1” from the installed directory.

Connecting to Exchange Online with this module can be done with the command “Connect-EXPOPSSession”.

After a quick look in the dll files, I noticed that is uses an Azure AD application to authenticate. With this they authenticate thru OAuth and rebuild login URL with the OAuth token to get to the basic authentication that Exchange Online needs.

More info about the module can be found here: https://technet.microsoft.com/library/mt775114.aspx

This is a repost from my company blog