How to manage Exchange Online via Powershell with 2FA enabled (and a bit about AppLocker too)

2FA is a great upgrade to security and everyone should use it. Once you get over the slight inconvenience of having to pull out your phone every time you log in it is not really that big of an issue.

I did, however, find an issue when I needed to administer our Exchange Online instance on Office 365 via PowerShell. When you try to connect using the normal method from the Microsoft Docs with 2FA enabled:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

You get an access denied error similar to the following:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
~~~~~~~~~~~~~~
CategoryInfo : OpenError: System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

The reason for the access denied message is that the normal method has no way to carry out the second stage of authentication between the user and the service: Basic authentication only ever sends a username and password, so there is nowhere for the 2FA prompt to happen.

So how do you manage to connect with 2FA enabled?

There are a few things you can do:

  1. See if you can do the action using the GUI – This is not always possible and doesn’t help if you want to create something more automated. Also, this is a bit of a cop out!
  2. Turn off 2FA – No! No! No! No!
  3. Use the Exchange Online Remote PowerShell Module – This is what we are going to do.

The Exchange Online Remote PowerShell Module knows about 2FA and will allow you to connect whilst keeping the added benefits of 2FA.

Downloading and Installing the Exchange Online Remote PowerShell Module

Annoyingly (or not depending on how you look at it) there is no direct download link to the tool. Instead it is served by a streaming installer from Microsoft which ensures that you will only ever install the latest version. This does mean that there is no need to remember links and such as the f

To download and install the file, you simply need to log into the Exchange Online Admin Center and go to the Hybrid section in the Side Menu.

Once there you should see an option to “configure” below the text “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely.” Click the configure button to start the download and install of the software.

Click configure on the second box to start the download and install

After a brief moment an installer window should appear and prompt you to install. Click Install.

If all has worked correctly the module should launch and you will be presented with a nice new PowerShell window.

Connect to the Exchange Online by typing:

Connect-EXOPSSession -UserPrincipalName <enter your 365 admin UPN here>

A sign-in box will appear asking you to provide your 2FA credentials. Go through this as normal, and once authenticated, you will see the module pull down the commands and then drop you back at the prompt.

You can now administer Exchange Online via PowerShell with 2FA enabled!

Now that you have gone through all of that once, you don’t have to repeat it the next time you want to connect: simply go to your Start menu and launch the newly installed module.
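If you want to use the module from a script or from an ordinary PowerShell window rather than the shortcut, the following is an added example (my own, not code from the original post or from Microsoft). It assumes the module was installed by the ClickOnce installer described above, that it ships its bootstrap script as CreateExoPSSession.ps1 under %LOCALAPPDATA%\Apps\2.0, and that the UPN is a placeholder to replace with your own:

```powershell
# Added example: connect to Exchange Online with the MFA-aware module from a script,
# run a harmless read-only query, and always tear the session down afterwards.
# Assumptions: module installed via the ClickOnce installer; bootstrap script is
# CreateExoPSSession.ps1 under %LOCALAPPDATA%\Apps\2.0; the UPN is a placeholder.

$AdminUpn = 'admin@contoso.example'   # placeholder: replace with your 365 admin UPN

# The hash-named ClickOnce subfolders change with every streamed update, so search
# for the bootstrap script instead of hard-coding a path to it.
$ModuleScript = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Apps\2.0') `
    -Filter 'CreateExoPSSession.ps1' -Recurse -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $ModuleScript) {
    throw 'Exchange Online Remote PowerShell Module not found. Install it from the Hybrid page of the Exchange Admin Center first.'
}

# Dot-source the bootstrap so Connect-EXOPSSession exists in this session.
. $ModuleScript.FullName

try {
    # Opens the interactive sign-in window where the second factor is completed.
    Connect-EXOPSSession -UserPrincipalName $AdminUpn

    # Read-only check that the implicitly remoted cmdlets work.
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Remove the remote session so the authenticated runspace is not left open.
    Get-PSSession |
        Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
        Remove-PSSession
}
```

The try/finally matters more than it looks: an Exchange Online session left open after a script error still holds an authenticated runspace, and the tenant limits how many concurrent sessions one admin can have.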

The AppLocker bit

If you have AppLocker enabled on your system, then depending on your rules you will probably fail at the installing part of this guide. This is most likely because the installer is not in the exe whitelist.

To add it to the list, you need to locate the file and then read its certificate information so that you can add it to the whitelist.

Simply fire up Event Viewer and navigate to “Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL”. In the list you should see an Error entry for the file Microsoft.Online.CSE.PSModule.Client.exe. Make a note of its path (mine was “%localappdata%\Apps\2.0\9WG1O0DO.5E4\Y6BPMV80.E4N\micr..tion_1975b8453054a2b5_0010.0000_10d85008035862c6\Microsoft.Online.CSE.PSModule.Client.exe”). Note that the hashed folder names in that path change with every streamed update, so a rule built on the publisher certificate will keep working where a path rule will not. Then, within Group Policy Management, find the policy that controls AppLocker and add an exception for the exe.

Run a GPUpdate /Force and then give it another go!
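As an added example (my own, not from the original post), here is the same whitelisting done from PowerShell: confirm the block in the AppLocker event log, verify the executable's signature, and generate a publisher rule from its certificate so the rule survives the version-specific folder names. It assumes only the executable name the post reports and the %LOCALAPPDATA%\Apps\2.0 location:

```powershell
# Added example: find the AppLocker block for the module installer and build a
# publisher (certificate-based) rule for it instead of a path rule.
# Assumption: the executable name matches the one reported in the post.

$ExeName = 'Microsoft.Online.CSE.PSModule.Client.exe'

# 1. Confirm AppLocker is what blocked it. In the "EXE and DLL" log, event 8004 is
#    "prevented from running" (enforce mode); 8003 is the audit-mode equivalent.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ExeName*" } |
    Select-Object -First 3 TimeCreated, Id, Message

# 2. Locate the file in the ClickOnce cache (hash folder names differ per version).
$Exe = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Apps\2.0') `
    -Filter $ExeName -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $Exe) { throw "$ExeName not found under $env:LOCALAPPDATA\Apps\2.0" }

# 3. Only trust a publisher whose signature actually validates on this machine.
$Sig = Get-AuthenticodeSignature -FilePath $Exe.FullName
if ($Sig.Status -ne 'Valid') {
    throw "Signature status is '$($Sig.Status)'; not generating a rule for it."
}
"Signed by: $($Sig.SignerCertificate.Subject)"

# 4. Build the publisher rule. -RuleType Publisher keys the rule on the certificate
#    subject, product and binary name, so a new version in a new folder still passes.
$RuleXml = Get-AppLockerFileInformation -Path $Exe.FullName |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml

$RuleFile = Join-Path $env:TEMP 'exo-module-publisher-rule.xml'
$RuleXml | Out-File -FilePath $RuleFile -Encoding utf8
"Rule written to $RuleFile"

# Review the XML, then import it into the AppLocker GPO in Group Policy Management.
# To trial it on the local machine first (a domain GPO will override it on refresh):
#   Set-AppLockerPolicy -XmlPolicy $RuleFile -Merge
```

Scoping the rule to the publisher rather than to the whole Microsoft certificate is deliberate: a rule that allows everything signed by Microsoft would also allow signed binaries you never intended to run, which defeats much of the point of having AppLocker on.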

First steps for troubleshooting Group Policy Errors


Group policy can be a bit of a pain to troubleshoot.
Here are a few pointers to get you going in the right direction when trying to fix errors:

  • Make sure you are running on a fast link, preferably an Ethernet cable. Slow-link detection stops some policy extensions from applying.
  • Group policy might simply not have updated yet. At a command prompt run gpupdate /force
  • Running a Group Policy Results report shows you which policies have been applied. At a command prompt type gpresult /h path/to/file.html
  • Take a look at the event log to see if anything jumps out

Following these quick tips should get you on the right path to finding the problem.
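The tips above as one first-pass check script, added here as an example of my own rather than anything from the original post. It assumes a Windows 8 / Server 2012 or later machine (for Get-NetAdapter) and writes the report to %TEMP%:

```powershell
# Added example: a first-pass Group Policy health check combining the tips above.
# Assumes Windows 8 / Server 2012 or later (Get-NetAdapter); report path is %TEMP%.

$Report = Join-Path $env:TEMP 'gpresult.html'

# Tip 1: is this a fast link? Slow-link detection can skip some extensions.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Select-Object Name, InterfaceDescription, LinkSpeed | Format-Table -AutoSize

# Tip 2: force a refresh and keep the exit code, which is 0 on success.
gpupdate /force | Out-Null
"gpupdate exit code: $LASTEXITCODE"

# Tip 3: Resultant Set of Policy report; /f overwrites an existing file.
gpresult /h $Report /f | Out-Null
"RSoP report written to $Report"

# Tip 4: recent errors (level 2) and warnings (level 3) from the dedicated
# Group Policy operational log, which is far less noisy than the System log.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

Run it from an elevated prompt: gpresult for another user, and the computer half of the RSoP report, both need administrator rights.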

How to fix the “Could not connect to Group Policy Client service” Error

Recently a few of our Windows Vista machines have experienced a problem after Script Logic Desktop Authority was removed from them: non-admin users are no longer able to log into the machine.

[Screenshot: the “Could not connect to Group Policy Client service” error dialog]

The message that appears is
“Could not connect to Group Policy Client service. Please consult your system administrator.”
but it strangely sometimes manifests as
“Windows could not connect to the system event notification service. Please consult your system administrator.”

After seeing this message, a normal user is dropped back to the Ctrl-Alt-Del logon screen.

This is how you can solve the problem if you are experiencing something similar:

1. Log on to the machine as administrator.
2. Click Start, type “Event Viewer” into the search box and press Enter.
3. Look in the Windows Logs under System for any Warnings or Errors. The error message will be something like “Windows cannot process Group Policy Client Side Extension (Daci). Exception …” (in my case it was Daci, which is part of the Script Logic Desktop Authority program).
4. On the Details tab, take a note of the GUID of the faulty client-side extension.
5. Click Start, type “regedit” into the search box and press Enter.
6. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions and then click on the key named with the GUID of your faulty GP extension.
7. Click the File menu, choose Export and save a backup of that key.
8. Once the key is backed up, you can delete the key that corresponds to the GUID.
9. Restart and log on as a normal user.

Problem solved!
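The same repair scripted, as an added example of my own (not from the original post). It first lists every registered client-side extension and flags the ones whose DLL is no longer on disk, which is exactly what an extension left behind by an uninstalled product looks like; it then exports a backup and removes one extension by GUID. The GUID is a placeholder to replace with the one from the event's Details tab:

```powershell
# Added example: audit the registered Group Policy client-side extensions, flag
# orphans whose DLL is missing, then back up and remove one by GUID.
# Run elevated. The GUID below is a placeholder; use the one from the event.

$GpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GpClientSideExtension {
    Get-ChildItem -Path $GpExtKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dll   = $props.DllName
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            # Built-in extensions register a bare file name relative to System32.
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path "$env:SystemRoot\System32" $dll
            }
        }
        [PSCustomObject]@{
            Guid      = $_.PSChildName
            Name      = $props.'(default)'
            DllName   = $dll
            DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

# Step 1: list extensions with orphans (DllExists = False) first.
Get-GpClientSideExtension | Sort-Object DllExists | Format-Table -AutoSize

# Step 2: back up the faulty extension's key, then remove it.
$FaultyGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder GUID

$Target = Join-Path $GpExtKey $FaultyGuid
if (-not (Test-Path -LiteralPath $Target)) {
    throw "$FaultyGuid is not registered under GPExtensions"
}

$Backup = Join-Path $env:TEMP ("GPExtensions-" + $FaultyGuid.Trim('{}') + ".reg")
$RegPath = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$FaultyGuid"
reg export $RegPath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed; not removing anything." }

Remove-Item -LiteralPath $Target -Recurse
"Removed $FaultyGuid; backup at $Backup. Restart, then log on as a normal user."
```

Removing the key is only right when the extension's product is genuinely gone; if the DLL still exists, the extension itself is failing and the fix belongs in that product, not in the registry. The .reg backup can be double-clicked to restore the key if the wrong GUID was removed.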