How to manage Exchange Online via PowerShell with 2FA enabled (and a bit about AppLocker too)

2FA is a great upgrade to security and everyone should use it. Once you get over the slight inconvenience of having to pull out your phone every time you log in, it is not really that big of an issue.

I did, however, find an issue when I needed to administer our Exchange Online instance on Office 365 via PowerShell. When you try to connect using the normal method as per the Microsoft Docs with 2FA enabled:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

You get an access denied error similar to the following:

New-PSSession : [] Connecting to remote server failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
CategoryInfo : OpenError: System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

The access denied message appears because the normal method has no way to pass the second stage of authentication on to the user and the service.

So how do you manage to connect with 2FA enabled?

There are a few things you can do:

  1. See if you can do the action using the GUI – This is not always possible and doesn’t help if you want to create something more automated. Also, this is a bit of a cop out!
  2. Turn off 2FA – No! No! No! No!
  3. Use the Exchange Online Remote PowerShell Module – This is what we are going to do.

The Exchange Online Remote PowerShell Module knows about 2FA and will allow you to connect whilst keeping the added benefits of 2FA.

Downloading and Installing the Exchange Online Remote PowerShell Module

Annoyingly (or not depending on how you look at it) there is no direct download link to the tool. Instead it is served by a streaming installer from Microsoft which ensures that you will only ever install the latest version. This does mean that there is no need to remember links and such as the f

To download and install the file, you simply need to log into the Exchange Online Admin Center and go to the Hybrid section in the Side Menu.

Once there you should see an option to “configure” below the text “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely.” Click the configure button to start the download and install of the software.

Click configure on the second box to start the download and install

After a brief moment an installer window should appear and prompt you to install. Click Install.

If all has worked correctly, the module should launch and you will be presented with a nice new PowerShell window.

Connect to Exchange Online by typing:

Connect-EXOPSSession -UserPrincipalName <enter your 365 admin UPN here>

A sign-in box will appear asking you to provide your 2FA credentials. Go through this as normal and, once authenticated, you will see the module pull down the commands and then drop you back to the prompt.

You can now administer Exchange Online via PowerShell with 2FA enabled!

Now that you have gone through all that once, you don’t have to do it again the next time you want to connect. Simply go to your Start menu and find the newly installed module.

The AppLocker bit

If you have AppLocker enabled on your system then, depending on your rules, you will probably fail at the installing part of this guide. This is most likely because the installer is not in the exe whitelist.

To add it to the list, you need to locate the file and then read the certificate information to add it to the whitelist.

Simply fire up Event Viewer and navigate to “Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL”. In the list you should see an Error entry for the file Microsoft.Online.CSE.PSModule.Client.exe. Make a note of this path (mine was “%localappdata%\Apps\2.0\9WG1O0DO.5E4\Y6BPMV80.E4N\micr..tion_1975b8453054a2b5_0010.0000_10d85008035862c6\Microsoft.Online.CSE.PSModule.Client.exe”) and then, within Group Policy Management, find the policy that controls AppLocker and add an exception for the exe.

Run a GPUpdate /Force and then give it another go!
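
The certificate-based whitelist entry described above can also be generated and checked with the built-in AppLocker cmdlets, which gives a publisher rule that does not depend on the machine-specific ClickOnce folder names in the path. This is an added example, not part of the original post; the rule name prefix and output file name are assumptions, and the resulting XML still has to be imported into the GPO that controls AppLocker.

```powershell
# Added example: build and dry-run a publisher rule for the blocked installer.
# Run in Windows PowerShell on a machine where the install has been attempted.
Import-Module AppLocker

$exeName = 'Microsoft.Online.CSE.PSModule.Client.exe'

# The folder names under Apps\2.0 differ per machine, so search for the
# file instead of hard-coding the path copied from Event Viewer.
$exe = Get-ChildItem -Path "$env:LOCALAPPDATA\Apps\2.0" -Recurse -Filter $exeName `
           -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1
if (-not $exe) {
    throw "$exeName not found; check the path in the AppLocker event log."
}

# Refuse to whitelist anything whose Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $exe.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; not creating a rule."
}
"Signed by: $($sig.SignerCertificate.Subject)"

# Read the publisher details AppLocker sees for the file and turn them
# into an allow rule, written out as policy XML.
$xmlPath = Join-Path $env:TEMP 'exo-psmodule-applocker.xml'   # assumed file name
Get-AppLockerFileInformation -Path $exe.FullName |
    New-AppLockerPolicy -RuleType Publisher -User Everyone `
        -RuleNamePrefix 'EXO PowerShell Module' -Optimize -Xml |
    Set-Content -Path $xmlPath -Encoding UTF8

# Dry run: evaluate the generated rule against the file before it goes
# anywhere near Group Policy. PolicyDecision should read 'Allowed'.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $exe.FullName -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

"Rule written to $xmlPath"
```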

Microsoft OneDrive for Business now offers 1 terabyte of cloud storage per user!

Taken from ZDNet Article

The Microsoft OneDrive for Business team is adding additional incentives meant to attract business users to its cloud-storage offering.

In an April 28 post entitled “Thinking outside the box” (which seems to be a reference to Microsoft competitors Box and/or Dropbox), the OneDrive for Business team announced the following:

  • An increase in OneDrive for Business default storage from 25GB to 1TB per user
  • The inclusion of 1TB of OneDrive for Business storage per user as part of Office 365 ProPlus subscriptions
  • New OneDrive for Business migration assistance from Microsoft (The blog post didn’t elaborate on specifically what Microsoft is offering on this front. But a spokesperson said those interested should contact their Microsoft account managers or partner for details.)

In March 2014, Microsoft officials announced that OneDrive for Business (formerly known as SkyDrive Pro) would be available both as part of a number of existing Office 365 plans, as well as for purchase as a standalone service — something that wasn’t the case with SkyDrive Pro. The standalone version provided business users with 25 GB of storage per employee, with an option to purchase additional storage, offline sync and access from multiple devices. Now that default storage threshold is 1 TB.

Microsoft officials announced during earnings last week that Office 365 is currently on a $2.5 billion annual run rate.

“The cloud is about breaking down walls between people and information. Not building a new set of islands in the sky. Make sure you bet on a file sync and share solution that helps you embrace that,” said Corporate Vice President John Case in the conclusion of today’s blog post.

All Office 365 plans that include OneDrive for Business will see the increase to 1 TB. This includes:

  • All O365 E plans (E1, E3, E4)
  • O365 Small Business
  • O365 Small Business Premium
  • O365 Midsize Business
  • All SharePoint Online plans (SharePoint Online Plan 1 & Plan 2)
  • OneDrive for Business (standalone) with Office Online

As to when new and existing customers will see the 1TB bump, a Microsoft spokesperson said: “Customer eligibility is effective today, but as with service updates roll-out of these features will happen over the next few months.”