Exchange Online – Use the new Exchange Online PowerShell module v2 with Modern Authentication with your scripts (preview)

Exchange / Office 365

As you know, Microsoft is going to retire the basic authentication for Exchange Online PowerShell during the second half of 2021.

In preparation of this retirement, a new Exchange Online PowerShell module has been released, known as Exchange Online PowerShell module v2 (see https://t.co/Jg3iTICowv).

Well, the next step of this preparation is the introduction of the modern authentication for unattended scripts; you know the script you run using a schedule task with no interaction. The authentication method will use a self-signed certificate to authenticate against an Azure AD Application.

Install/Update Exchange Online PowerShell

To start using this new capability with your scripts, you need to install the preview module for Exchange Online PowerShell module v2 using the below command

  • Fresh install of the ExO PowerShell module v2 using the prerelease

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease

  • Update an existing installation of the module

Update-Module -Name ExchangeOnlineManagement –AllowPrerelease

Generate a self-signed certificate

Then you need to generate a self signed certificate using the script available at https://github.com/SharePoint/PnP-Partner-Pack/blob/master/scripts/Create-SelfSignedCertificate.ps1 and the command

.Create-SelfSignedCertificate.ps1 -CommonName “MyCompanyName” -StartDate 2020-04-01 -EndDate 2022-04-01

or you can use the makecert.exe tool from the Windows SDK.

Capture the certificate thumbprint

Register an Azure AD Application

Connect to your Azure (https://portal.azure.com) or Azure AD portal (https://aad.portal.azure.com/) to access your Azure AD blade

image_thumb  image_thumb[1]

Then go to the App registrations blade and register a new application

image_thumb[2]  image_thumb[3]

Create the application using the below settings

  • Supported account types: Accounts in this organizational directory only
  • Redirect URI: Web with the URL where the token is being sent to

image_thumb[4]

Then you need to assign permissions to the newly create application by accessing the API Permissions blade and then Add a permission

image_thumb[6]

Then select Application permissions and the Exchange one under the Supported legacy APIs section to select Exchange.ManageAsApp after selecting Application Permissions

image_thumb[7]  image_thumb[8]

Capture the Application (client) ID of the registered application using the Overview blade

image_thumb[12]

Finally grant the admin consent to the application

image_thumb[9]

Upload the self-signed certificate you have generate earlier by accessing the Certificates & secrets blade

image_thumb[10]

Finally you need to grant one of the administration roles supported – depending of the administration permission you need with your script:

  • Global administrator
  • Compliance administrator
  • Security reader
  • Security administrator
  • Helpdesk administrator
  • Exchange Service administrator
  • Global Reader

You assign the corresponding administration role(s) from the Azure ADRoles and administrators blade

image_thumb[11]

Use the modern authentication in your script

You are now ready to include the new modern authentication in your script.

Install the self-signed certificate in the ComputerPersonal certificate store.

Replace the commands you used to authenticate and connect to Exchange Online with the below

Connect-ExchangeOnline -CertificateThumbPrint “<certificate thumbprint>” -AppID “<Azure AD application ID>” -Organization “<your Office 365 tenant – mytenant.onmicrosoft.com”

Default Avatar