How to manage Exchange Online via PowerShell with 2FA enabled (and a bit about AppLocker too)

2FA is a great upgrade to security and everyone should use it. Once you get over the slight inconvenience of having to pull out your phone every time you log in it is not really that big of an issue.

I did, however, find an issue when I needed to administer our Exchange Online instance on Office 365 via PowerShell. When you try to connect with 2FA enabled using the normal method as per the Microsoft Docs:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

You get an access denied error similar to the following:

New-PSSession : [] Connecting to remote server failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
CategoryInfo : OpenError: System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

The access denied message appears because the normal method has no way to pass the second stage of authentication on to the user and service.

So how do you manage to connect with 2FA enabled?

There are a few things you can do:

  1. See if you can do the action using the GUI – This is not always possible and doesn’t help if you want to create something more automated. Also, this is a bit of a cop out!
  2. Turn off 2FA – No! No! No! No!
  3. Use the Exchange Online Remote PowerShell Module – This is what we are going to do.

The Exchange Online Remote PowerShell Module knows about 2FA and will allow you to connect whilst keeping the added benefits of 2FA.

Downloading and Installing the Exchange Online Remote PowerShell Module

Annoyingly (or not depending on how you look at it) there is no direct download link to the tool. Instead it is served by a streaming installer from Microsoft which ensures that you will only ever install the latest version. This does mean that there is no need to remember links and such as the f

To download and install the file, you simply need to log into the Exchange Online Admin Center and go to the Hybrid section in the Side Menu.

Once there you should see an option to “configure” below the text “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely.” Click the configure button to start the download and install of the software.

Click configure on the second box to start the download and install

After a brief moment an installer window should appear and prompt you to install. Click Install.

If all has worked correctly, the module should launch and you will be presented with a nice new PowerShell window.

Connect to Exchange Online by typing:

Connect-EXOPSSession -UserPrincipalName <enter your 365 admin UPN here>

A sign-in box will appear asking you to provide your 2FA credentials. Go through this as normal, and once authenticated, you will see the module pull down the commands and then drop you back down to the prompt.

You can now administer Exchange Online via PowerShell with 2FA enabled!

Now that you have gone through all that once, you don’t have to do it again the next time you want to connect. Simply go to your Start menu and find the newly installed module.

The AppLocker bit

If you have AppLocker enabled on your system, depending on your rules, you will probably fail at the installing part of this guide. This is most likely because the installer is not in the exe whitelist.

To add it to the list, you need to locate the file and then read the certificate information to add it to the whitelist.

Simply fire up Event Viewer and navigate to “Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL”. In the list you should see an Error entry for the file Microsoft.Online.CSE.PSModule.Client.exe. Make a note of this path (mine was “%localappdata%\Apps\2.0\9WG1O0DO.5E4\Y6BPMV80.E4N\micr..tion_1975b8453054a2b5_0010.0000_10d85008035862c6\Microsoft.Online.CSE.PSModule.Client.exe”) and then, within Group Policy Management, find the policy that controls AppLocker and add an exception for the exe.

Run a GPUpdate /Force and then give it another go!
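The same steps can be done from PowerShell. This is an added example, not part of the original post: it confirms the block event, reads the certificate information from the blocked file and generates a publisher rule from it. The rule user, rule name prefix and output file are assumptions, and it assumes you run it as the user who attempted the install.

```powershell
# Added example (not from the original post).
Import-Module AppLocker

$exeName  = 'Microsoft.Online.CSE.PSModule.Client.exe'        # file name from the post
$ruleUser = 'Everyone'     # assumption: narrow this to the group that administers Exchange
$outFile  = Join-Path $env:TEMP 'exo-psmodule-applocker.xml'  # assumed output location

# 1. Confirm AppLocker is what blocked the installer (event ID 8004 = blocked).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$exeName*" } |
    Select-Object TimeCreated, Message -First 3 | Format-List

# 2. Find the ClickOnce copy on disk. The generated folder names under Apps\2.0
#    differ per machine and per version, so search instead of hard-coding them.
$exe = Get-ChildItem -Path "$env:LOCALAPPDATA\Apps\2.0" -Recurse -Filter $exeName `
           -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $exe) { throw "Could not find $exeName under $env:LOCALAPPDATA\Apps\2.0" }

# 3. Only trust the certificate if the Authenticode signature validates.
$sig = Get-AuthenticodeSignature -FilePath $exe.FullName
if ($sig.Status -ne 'Valid') { throw "Signature on $($exe.FullName) is $($sig.Status)" }
"Signed by: $($sig.SignerCertificate.Subject)"

# 4. Read the publisher details and build a publisher rule from them
#    (New-AppLockerPolicy falls back to a hash rule if publisher data is missing).
$info = Get-AppLockerFileInformation -Path $exe.FullName
$xml  = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
            -User $ruleUser -RuleNamePrefix 'EXO-PSModule' -Xml
Set-Content -Path $outFile -Value $xml

# 5. Dry run: check that the generated rule allows the file for that user.
Test-AppLockerPolicy -XmlPolicy $outFile -Path $exe.FullName -User $ruleUser |
    Format-List FilePath, PolicyDecision, MatchingRule
```

Review the generated XML before merging it into the policy that controls AppLocker. A publisher rule keeps working when the ClickOnce path changes after the module updates, which a path exception does not.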

Exchange Version and Build numbers to Service Packs


I was administering an Exchange 2007 installation today and needed to know what service pack it was running. The problem is that Exchange does not display this as a service pack, only as an increase in version. A bit of googling revealed the following Microsoft page that contains the version to service pack information, which I have duplicated at the bottom of this post for ease.

Find the Version of Exchange 2007

To find out the build number of Exchange 2007, launch an Exchange Management Shell and run the following command:

Get-ExchangeServer | fl name,edition,admindisplayversion

This will then give you the build number in the form of:

Name : EXCH01A
Edition : Standard
AdminDisplayVersion : Version 8.1 (Build 240.6)

Exchange Server Version lists 2003-2010

Product name                              Build number               Date
Microsoft Exchange Server 2003            6.5.6944                   October 2003
Microsoft Exchange Server 2003 SP1        6.5.7226                   May 2004
Microsoft Exchange Server 2003 SP2        6.5.7638                   October 2005
Microsoft Exchange Server 2003 post-SP2   6.5.7653.33                March 2008
Microsoft Exchange Server 2003 post-SP2   6.5.7654.4                 August 2008
Microsoft Exchange Server 2007            8.0.685.24 or 8.0.685.25   December 2006
Microsoft Exchange Server 2007 SP1        8.1.0240.006               November 2007
Microsoft Exchange Server 2007 SP2        8.2.0176.002               August 2009
Microsoft Exchange Server 2010            14.00.0639.021             October 2009
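
The AdminDisplayVersion string and the table use different notations ("Version 8.1 (Build 240.6)" against 8.1.0240.006), so here is an added example, not part of the original post, that normalises the string and finds the matching table entry. The function name Get-ExchangeBaseline is hypothetical, and builds that fall between table entries are reported against the nearest lower entry with the same major and minor version.

```powershell
# Added example (not from the original post). Baseline builds are copied from the
# table above; three-part builds are padded with .0 and 8.0.685.24 stands in for
# "8.0.685.24 or 8.0.685.25".
$baselines = @(
    [pscustomobject]@{ Build = [version]'6.5.6944.0';     Name = 'Exchange Server 2003' }
    [pscustomobject]@{ Build = [version]'6.5.7226.0';     Name = 'Exchange Server 2003 SP1' }
    [pscustomobject]@{ Build = [version]'6.5.7638.0';     Name = 'Exchange Server 2003 SP2' }
    [pscustomobject]@{ Build = [version]'6.5.7653.33';    Name = 'Exchange Server 2003 post-SP2' }
    [pscustomobject]@{ Build = [version]'6.5.7654.4';     Name = 'Exchange Server 2003 post-SP2' }
    [pscustomobject]@{ Build = [version]'8.0.685.24';     Name = 'Exchange Server 2007' }
    [pscustomobject]@{ Build = [version]'8.1.0240.006';   Name = 'Exchange Server 2007 SP1' }
    [pscustomobject]@{ Build = [version]'8.2.0176.002';   Name = 'Exchange Server 2007 SP2' }
    [pscustomobject]@{ Build = [version]'14.00.0639.021'; Name = 'Exchange Server 2010' }
)

function Get-ExchangeBaseline {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)

    # "Version 8.1 (Build 240.6)" becomes 8.1.240.6; [version] also drops the
    # zero padding used in the table, so both notations compare equal.
    if ($AdminDisplayVersion -notmatch 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)') {
        throw "Unrecognised AdminDisplayVersion: '$AdminDisplayVersion'"
    }
    $installed = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])

    # Highest table entry that is not newer than the installed build and shares
    # its major.minor. A different minor version means a release the table lacks.
    $best = $baselines |
        Where-Object { $_.Build.Major -eq $installed.Major -and
                       $_.Build.Minor -eq $installed.Minor -and
                       $_.Build -le $installed } |
        Sort-Object Build | Select-Object -Last 1

    [pscustomobject]@{
        Installed = $installed
        Baseline  = if ($best) { $best.Name } else { 'not in table' }
        Exact     = [bool]($best -and $best.Build -eq $installed)
    }
}

# Sample value taken from the output shown in the post.
Get-ExchangeBaseline 'Version 8.1 (Build 240.6)'
```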