Unattended Powershell scripts using Modern Authentication with Exchange Online

As you should already be aware, Microsoft will be deprecating Basic Authentication for its Microsoft 365 services during the second half of 2021. If you're not yet aware of these changes, I recommend reading the following article and making sure you're ready for them, so you don't run into any surprises.


Unattended scripts

We all love PowerShell, and most of us have unattended scripts in place to automate things for us. Nowadays we use all sorts of scripts to create new user mailboxes and shared mailboxes, to produce reports, and so on. These scripts use Basic Authentication, which, as Microsoft has announced, will no longer be available to us as of the second half of 2021.

EXO V2 Powershell module to the rescue!

The Exchange Team recently announced the Public Preview of running unattended scripts with Modern Authentication, using the Exchange Online PowerShell V2 module. Their solution combines an Azure AD app registration, a certificate and Modern Authentication: the script authenticates as the application itself (app-only authentication), so no user account or password is involved.

This is great news: we can now update our scripts so that they keep working and use the most modern and secure way available to connect to Exchange Online.

Installing the EXO V2 PowerShell Preview module

To install the EXO V2 PowerShell Preview module, make sure the system you're using runs one of the following operating systems:

  • Windows Server 2012 or Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows 8.1
  • Windows 10

Windows Server 2008 R2 SP1 and Windows 7 SP1 are also supported, provided Windows Management Framework 5.1 and .NET Framework 4.6 are installed. Because both operating systems are end-of-life, I will not cover them here.

Also make sure Basic Authentication is (temporarily) enabled on the Windows Remote Management (WinRM) client; it is enabled by default. No username or password is sent using Basic Authentication: the setting is only needed because WinRM uses the Basic scheme to carry the session's OAuth token to Exchange Online. To check whether it is enabled, open a command prompt and run the following command:

winrm get winrm/config/client/auth

The output should contain the value "Basic = true". If you get a warning "The client cannot connect (...)", make sure the Windows Remote Management service is running. If the value of Basic is false, run the following command in an elevated command prompt to enable it:

winrm set winrm/config/client/auth @{Basic="true"}

Since the EXO V2 module is installed with the PowerShellGet module, make sure PowerShellGet is installed and updated to the latest version:

Install-Module -Name PowerShellGet -Force

After all prerequisites are met, you can continue with installing the EXO V2 Preview module. Make sure your PowerShell execution policy is set to RemoteSigned (changing the machine-wide policy needs an elevated prompt; add -Scope CurrentUser to change it for your own account only):

Set-ExecutionPolicy RemoteSigned

Re-open your PowerShell window after changing the execution policy and install the Preview version of the EXO V2 module:

Install-Module -Name ExchangeOnlineManagement -AllowPrerelease -Force

If you get an error that the "AllowPrerelease" parameter cannot be found, make sure you are running the latest version of the PowerShellGet module; support for prerelease versions was added in PowerShellGet 1.6.0.
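
To validate all of these prerequisites in one pass on a build or jump host, here is an added example (my own check script, not part of the original post or of Microsoft's module) that tests each item above and tells you which command fixes it. It assumes Windows PowerShell 5.1, where the WSMan: drive exposes the WinRM client settings; the function name Test-ExoPrerequisites is my own.

```powershell
# Added example, not from the original post: one-shot prerequisite check for the EXO V2 module.
# Assumes Windows PowerShell 5.1; the WSMan: drive is only available while the WinRM service runs.

function Test-ExoPrerequisites {
    [CmdletBinding()]
    param()

    $ok = $true

    # 1. WinRM client must allow Basic auth; it only carries the OAuth token, never a password.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $winrm -or $winrm.Status -ne 'Running') {
        Write-Warning 'WinRM service is not running; start it with: Start-Service WinRM'
        $ok = $false
    }
    else {
        $basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic).Value
        if ($basic -ne 'true') {
            Write-Warning 'WinRM client Basic auth is disabled; enable it with: Set-Item WSMan:\localhost\Client\Auth\Basic -Value $true'
            $ok = $false
        }
    }

    # 2. PowerShellGet must be recent enough to understand -AllowPrerelease (1.6.0 or later).
    $psget = Get-Module -Name PowerShellGet -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $psget -or $psget.Version -lt [version]'1.6.0') {
        Write-Warning 'PowerShellGet is missing or too old; run: Install-Module -Name PowerShellGet -Force'
        $ok = $false
    }

    # 3. Execution policy must allow locally created scripts to run.
    $policy = Get-ExecutionPolicy
    if ($policy -in 'Restricted', 'AllSigned', 'Undefined') {
        Write-Warning "Execution policy is $policy; run: Set-ExecutionPolicy RemoteSigned"
        $ok = $false
    }

    # 4. The EXO V2 module itself.
    $exo = Get-Module -Name ExchangeOnlineManagement -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $exo) {
        Write-Warning 'ExchangeOnlineManagement is not installed; run: Install-Module -Name ExchangeOnlineManagement -AllowPrerelease -Force'
        $ok = $false
    }
    else {
        Write-Verbose "ExchangeOnlineManagement $($exo.Version) found"
    }

    return $ok
}

if (Test-ExoPrerequisites -Verbose) {
    'All prerequisites met'
}
else {
    'Fix the warnings above before continuing'
}
```

Run it from an elevated prompt so the WSMan: drive and the WinRM service state can be read; the function only reports, it changes nothing, so it is safe to wire into a scheduled task's pre-flight step.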

Creating an Azure AD App Registration

To be able to use our script, we must first create an app registration in the Azure AD admin center.

Enter a recognizable name for the app registration and click Register.

Navigate to the API permissions pane and click Add a permission.

Under APIs my organization uses, select Office 365 Exchange Online and assign the permission Exchange.ManageAsApp. Pick it from the Application permissions tab, not Delegated permissions: the script will act as the app itself, without a signed-in user.

Make the permission effective by clicking Grant admin consent; until an administrator consents, the app holds no usable permission.

Create a self-signed certificate using the following PowerShell script (Create-SelfSignedCertificate.ps1, as referenced in Microsoft's documentation). The certificate files are created in the directory you run the script from: the .pfx contains the private key and is what your script will use, the public certificate is what you upload to Azure AD. Make sure you remember the password you give for the .pfx, since you'll need it later.

.\Create-SelfSignedCertificate.ps1 -CommonName "MyCertificate" -StartDate 2020-08-09 -EndDate 2022-08-09

Go back to the Azure AD admin center, open the app registration, navigate to the Certificates & secrets pane and upload the public certificate file (.cer). The .pfx with the private key never leaves your machine.

Make sure to renew the certificate in time, and upload the new public certificate to the app registration, so your scripts will not stop working when the old one expires.
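
As an added alternative to the Create-SelfSignedCertificate.ps1 script (this is my own example, not part of the original post), you can generate the certificate with the built-in New-SelfSignedCertificate cmdlet straight into the Personal store of the account that will run the script, and export only the public .cer for upload. The subject name, output path and two-year validity are placeholders of my choosing.

```powershell
# Added example, not the post's Create-SelfSignedCertificate.ps1: create the certificate
# directly in the CurrentUser\My (Personal) store of the account that will run the unattended
# script, and export only the public half for upload to the app registration.
# Subject name, output path and validity period are placeholders.

$subject   = 'CN=ExoUnattendedScript'                     # placeholder common name
$cerPath   = Join-Path $PWD 'ExoUnattendedScript.cer'    # placeholder output path
$validFrom = Get-Date
$validTo   = $validFrom.AddYears(2)

# NonExportable keeps the private key inside this profile's store: it cannot be pulled out
# with Export-PfxCertificate, which removes the need to handle a .pfx password at all.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotBefore $validFrom `
    -NotAfter $validTo

# Public certificate only (.cer, no private key): this is the file for "Certificates & secrets".
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint   # value for Connect-ExchangeOnline -CertificateThumbprint
    NotAfter   = $cert.NotAfter     # diarise this: the script stops working when it expires
    PublicCert = $cerPath
}
```

Run this as the account that will execute the scheduled job, because the thumbprint method looks the certificate up in that account's own Personal store. If the key has to be moved to another host, use -KeyExportPolicy Exportable instead and export a password-protected .pfx with Export-PfxCertificate; otherwise the non-exportable key is the safer default.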

Assign the application the required permissions by going to Roles and administrators in the Azure AD admin center, opening the role, and adding the application under Assignments.

In my example I will assign the Global Administrator role. For production, assign a less privileged role that covers what the script actually does (Exchange Administrator, for example) or create a custom role; only assign permissions that you'll actually need.

Note that role assignments are not applied in real time; it may take some time before they become effective.

Connecting to Exchange Online using Modern Authentication

Now that you've created the app registration and assigned the permissions we need, we can connect to Exchange Online using Modern Authentication. Make sure you have noted the Application (client) ID of the app registration you created.

Connect to Exchange Online using the Powershell command below, adjust the values accordingly.

Connect-ExchangeOnline -CertificateFilePath "<Certificate.pfx>" -CertificatePassword (ConvertTo-SecureString -String "<MyPassword>" -AsPlainText -Force) -AppID "<MyAppID>" -Organization "<MyTenant.onmicrosoft.com>"

Do not store the certificate password in plain text in a production environment; the command above is only meant to test your connection to Exchange Online. Instead, connect using the certificate thumbprint, or retrieve the password from a secret store at run time. For the thumbprint method, the certificate (with its private key) must be in the Personal store of the user account that will run the script.

Connect-ExchangeOnline -CertificateThumbprint "<CertThumbprint>" -AppID "<MyAppId>" -Organization "<MyTenant.onmicrosoft.com>"

Also be aware of the old and new cmdlets available to you: the V2 module adds REST-based Get-EXO* cmdlets alongside the classic remote PowerShell cmdlets. Check the documentation if you need more information.
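
The skeleton below is an added example of a complete unattended job using the thumbprint method (my own code, not from the original post): it checks that the certificate is present, has its private key and is not about to expire before it tries to connect, and always disconnects afterwards. The thumbprint, application ID and tenant name are placeholders, and the shared-mailbox report is only sample work.

```powershell
# Added example, not from the original post: skeleton of an unattended job that authenticates
# as the app registration created above. Save as a .ps1 and run it as the account that holds
# the certificate in its CurrentUser\My store. All three parameter defaults are placeholders.

param(
    [string] $Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567',  # placeholder
    [string] $AppId        = '00000000-0000-0000-0000-000000000000',      # placeholder
    [string] $Organization = 'contoso.onmicrosoft.com'                    # placeholder
)

$ErrorActionPreference = 'Stop'
Import-Module ExchangeOnlineManagement

# Fail early with a clear message instead of an opaque authentication error mid-job.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "Certificate $Thumbprint not found in CurrentUser\My; the job cannot authenticate."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; import the .pfx, not the .cer."
}
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter); renew it and upload the new .cer."
}
elseif ($daysLeft -lt 30) {
    Write-Warning "Certificate $Thumbprint expires in $daysLeft days; renew it before the job breaks."
}

try {
    # App-only (certificate) authentication: no user, no password, no interactive prompt.
    Connect-ExchangeOnline -CertificateThumbprint $Thumbprint `
                           -AppId $AppId `
                           -Organization $Organization `
                           -ShowBanner:$false

    # Sample work: report all shared mailboxes with the classic remote PowerShell cmdlet.
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        Select-Object DisplayName, PrimarySmtpAddress, WhenCreated |
        Export-Csv -Path (Join-Path $PWD 'SharedMailboxes.csv') -NoTypeInformation
}
finally {
    # Always release the session; leaked sessions count against the tenant's concurrency limit.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

Because $ErrorActionPreference is Stop and nothing is caught, any failure (missing certificate, consent not granted, role assignment not yet effective) terminates the script with a non-zero exit code that a scheduler can alert on, while the finally block still tears down the session.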

Happy scripting!

4 thoughts on “Unattended Powershell scripts using Modern Authentication with Exchange Online”

  1. Hi,

    The manual is very good but I cannot do the last step. If I try to assign the app to the global admins it is not available.

    Any ideas?

    Thanks
    Christian

    • Hi Christian,

      If you’ve followed it step-by-step, you should be able to do this.
      Please make sure you’re trying this from the “Roles and Administrators” page.
      Click on the role you’d like to use, navigate to “Assignments” and assign the application to the role.

      As mentioned in my blog, I would recommend you using a role that only has the permissions you need.
      Global Administrators might not be the best choice in your situation.

      Regards,

      Andrew

  2. If Modern Authentication is enabled and MFA is not enabled is it still possible to use user/pass credentials in an unattended Powershell script, or is it always necessary to use an App registration when Modern Authentication is enabled ?

    • Hi Jan,

      When running unattended, this would require you to save credentials locally which is not considered to be really secure.
      The identities that you use for running scripts, are mostly highly privileged that you want to have as secure as possible.
      If you currently do not have MFA enabled (using Conditional Access), I would highly recommend you doing this.

      Long story short; if you want to be using the most secure and modern way of running unattended scripts and want to be prepared towards the future, this is the way to go!

      Regards,

      Andrew

