As you know, Microsoft is going to retire the basic authentication for Exchange Online PowerShell during the second half of 2021.
In preparation of this retirement, a new Exchange Online PowerShell module has been released, known as Exchange Online PowerShell module v2 (see https://t.co/Jg3iTICowv).
Well, the next step of this preparation is the introduction of the modern authentication for unattended scripts; you know the script you run using a schedule task with no interaction. The authentication method will use a self-signed certificate to authenticate against an Azure AD Application.
Install/Update Exchange Online PowerShell
To start using this new capability with your scripts, you need to install the preview module for Exchange Online PowerShell module v2 using the below command
- Fresh install of the ExO PowerShell module v2 using the prerelease
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease
- Update an existing installation of the module
Update-Module -Name ExchangeOnlineManagement –AllowPrerelease
Generate a self-signed certificate
Then you need to generate a self signed certificate using the script available at https://github.com/SharePoint/PnP-Partner-Pack/blob/master/scripts/Create-SelfSignedCertificate.ps1 and the command
.Create-SelfSignedCertificate.ps1 -CommonName “MyCompanyName” -StartDate 2020-04-01 -EndDate 2022-04-01
or you can use the makecert.exe tool from the Windows SDK.
Capture the certificate thumbprint
Register an Azure AD Application
Then go to the App registrations blade and register a new application
Create the application using the below settings
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Web with the URL where the token is being sent to
Then you need to assign permissions to the newly create application by accessing the API Permissions blade and then Add a permission
Then select Application permissions and the Exchange one under the Supported legacy APIs section to select Exchange.ManageAsApp after selecting Application Permissions
Capture the Application (client) ID of the registered application using the Overview blade
Finally grant the admin consent to the application
Upload the self-signed certificate you have generate earlier by accessing the Certificates & secrets blade
Finally you need to grant one of the administration roles supported – depending of the administration permission you need with your script:
- Global administrator
- Compliance administrator
- Security reader
- Security administrator
- Helpdesk administrator
- Exchange Service administrator
- Global Reader
You assign the corresponding administration role(s) from the Azure ADRoles and administrators blade
Use the modern authentication in your script
You are now ready to include the new modern authentication in your script.
Install the self-signed certificate in the ComputerPersonal certificate store.
Replace the commands you used to authenticate and connect to Exchange Online with the below
Connect-ExchangeOnline -CertificateThumbPrint “<certificate thumbprint>” -AppID “<Azure AD application ID>” -Organization “<your Office 365 tenant – mytenant.onmicrosoft.com”