How to manage Exchange Online via Powershell with 2FA enabled (and a bit about AppLocker too)

2FA is a great upgrade to security and everyone should use it. Once you get over the slight inconvenience of having to pull out your phone every time you log in it is not really that big of an issue.

I did, however, find an issue when I needed to administer our Exchange Online instance on Office 365 via PowerShell. When you try to connect using the normal method as per the Microsoft Docs with 2FA enabled:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

You get an access denied error similar to the following:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
~~~~~~~~~~~~~~
CategoryInfo : OpenError: System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

The reason for the access denied message is that the normal method has no way to pass the second stage of authentication on to the user and the service.

So how do you manage to connect with 2FA enabled?

There are a few things you can do:

  1. See if you can do the action using the GUI – This is not always possible and doesn’t help if you want to create something more automated. Also, this is a bit of a cop out!
  2. Turn off 2FA – No! No! No! No!
  3. Use the Exchange Online Remote PowerShell Module – This is what we are going to do.

The Exchange Online Remote PowerShell Module knows about 2FA and will allow you to connect whilst keeping the added benefits of 2FA.

Downloading and Installing the Exchange Online Remote PowerShell Module

Annoyingly (or not depending on how you look at it) there is no direct download link to the tool. Instead it is served by a streaming installer from Microsoft which ensures that you will only ever install the latest version. This does mean that there is no need to remember links and such as the f

To download and install the file, you simply need to log into the Exchange Online Admin Center and go to the Hybrid section in the Side Menu.

Once there you should see an option to “configure” below the text “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely.” Click the configure button to start the download and install of the software.

Click configure on the second box to start the download and install

After a brief moment an installer window should appear and prompt you to install. Click Install.

If all has worked correctly the module should launch and you will be presented with a nice new PowerShell window.

Connect to Exchange Online by typing:

Connect-EXOPSSession -UserPrincipalName <enter your 365 admin UPN here>

A sign-in box will appear asking you to provide your 2FA credentials. Go through this as normal, and once authenticated, you will see the module pull down the commands and then drop you back at the prompt.

You can now administer Exchange Online via PowerShell with 2FA enabled!

Now that you have gone through all that once, you don’t have to do it again. The next time you want to connect, simply go to your Start menu and find the newly installed module.

The AppLocker bit

If you have AppLocker enabled on your system, depending on your rules, you will probably fail at the install step of this guide. This is most likely because the installer is not in the exe whitelist.

To add it to the list, you need to locate the file and then read the certificate information to add it to the whitelist.

Simply fire up Event Viewer and navigate to “Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL”. In the list you should see an Error entry for the file Microsoft.Online.CSE.PSModule.Client.exe. Make a note of this path (mine was “%localappdata%\Apps\2.0\9WG1O0DO.5E4\Y6BPMV80.E4N\micr..tion_1975b8453054a2b5_0010.0000_10d85008035862c6\Microsoft.Online.CSE.PSModule.Client.exe”), then within Group Policy Management, find the policy that controls AppLocker and add an exception for the exe. Note that the ClickOnce path under Apps\2.0 changes with every version the streaming installer delivers, so base the exception on the file’s certificate (a publisher rule) rather than on the path.

Run a GPUpdate /Force and then give it another go!
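As an added example (not code from the original post), the following PowerShell pulls the blocked installer’s details out of the same AppLocker event log and turns them into a publisher rule fragment ready to import into the GPO. It assumes the block event has already been logged, that the built-in AppLocker module is available, and that the installer is signed; the output file name is arbitrary.

```powershell
# Added example, not code from the original post. Assumes AppLocker has already
# logged the block and that the built-in AppLocker module is available.
# A publisher rule is used rather than the ClickOnce path: the streaming installer
# lands in a new %LOCALAPPDATA%\Apps\2.0\... folder with every update, so a path
# rule would break at the next version, while the signer stays the same.

$exeName = 'Microsoft.Online.CSE.PSModule.Client.exe'
$log     = 'Microsoft-Windows-AppLocker/EXE and DLL'

# 1. Pull the Denied events for the installer straight from the AppLocker log.
#    Each entry carries the path, hash and signer that AppLocker recorded.
$blocked = Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Denied |
    Where-Object { "$($_.Path)" -like "*\$exeName" }

if (-not $blocked) {
    throw "No AppLocker 'Denied' event found for $exeName; retry the install first."
}

$fileInfo = $blocked | Select-Object -First 1
if (-not $fileInfo.Publisher) {
    # Unsigned binaries cannot get a publisher rule; stop here rather than fall
    # back to a path rule on a per-user, writable ClickOnce directory.
    throw "$exeName is not signed; a publisher rule cannot be created."
}

"Blocked path : $($fileInfo.Path)"
"Publisher    : $($fileInfo.Publisher)"

# 2. Build a policy fragment containing one publisher rule for Everyone.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
    -RuleNamePrefix 'EXO-PSModule' -User Everyone -Xml

# 3. Save it for import into the GPO that controls AppLocker (GPMC > AppLocker >
#    Executable Rules > Import Policy), then run gpupdate /force on the client.
$out = Join-Path $env:TEMP 'EXO-PSModule-AppLocker.xml'   # assumed output path
$policyXml | Out-File -FilePath $out -Encoding UTF8
"Policy fragment written to $out"

# Optional: merge the rule into the local policy to test it before touching the GPO.
# Set-AppLockerPolicy -XmlPolicy $out -Merge
```

Review the generated XML before importing it: the publisher rule will allow every binary from that signer at or above the recorded version, so tighten the product or binary name fields in the GPO editor if you want it limited to this module alone.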
