Exchange Online – The new Exchange Online PowerShell module (v2) is now available
It has been announced at last year Ignite Conference (Ignite 2019) and since then has been in preview.
2 min read
As you know, Microsoft is going to retire the basic authentication for Exchange Online PowerShell during the second half of 2021.
In preparation of this retirement, a new Exchange Online PowerShell module has been released, known as Exchange Online PowerShell module v2 (see https://t.co/Jg3iTICowv).
Well, the next step of this preparation is the introduction of the modern authentication for unattended scripts; you know the script you run using a schedule task with no interaction. The authentication method will use a self-signed certificate to authenticate against an Azure AD Application.
Install/Update Exchange Online PowerShell
To start using this new capability with your scripts, you need to install the preview module for Exchange Online PowerShell module v2 using the below command
- Fresh install of the ExO PowerShell module v2 using the prerelease
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease
- Update an existing installation of the module
Update-Module -Name ExchangeOnlineManagement –AllowPrerelease
Generate a self-signed certificate
Then you need to generate a self signed certificate using the script available at https://github.com/SharePoint/PnP-Partner-Pack/blob/master/scripts/Create-SelfSignedCertificate.ps1 and the command
.Create-SelfSignedCertificate.ps1 -CommonName “MyCompanyName” -StartDate 2020-04-01 -EndDate 2022-04-01
or you can use the makecert.exe tool from the Windows SDK.
Capture the certificate thumbprint
Register an Azure AD Application
Connect to your Azure (https://portal.azure.com) or Azure AD portal (https://aad.portal.azure.com/) to access your Azure AD blade
![image_thumb[1]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb1-196.png "image_thumb[1]")
Then go to the App registrations blade and register a new application
![image_thumb[2]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb2-159.png "image_thumb[2]")
![image_thumb[3]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb3-128.png "image_thumb[3]")
Create the application using the below settings
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Web with the URL where the token is being sent to
![image_thumb[4]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb4-98.png "image_thumb[4]")
Then you need to assign permissions to the newly create application by accessing the API Permissions blade and then Add a permission
![image_thumb[6]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb6-47.png "image_thumb[6]")
Then select Application permissions and the Exchange one under the Supported legacy APIs section to select Exchange.ManageAsApp after selecting Application Permissions
![image_thumb[7]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb7-34.png "image_thumb[7]")
![image_thumb[8]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb8-27.png "image_thumb[8]")
Capture the Application (client) ID of the registered application using the Overview blade
![image_thumb[12]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb12-6.png "image_thumb[12]")
Finally grant the admin consent to the application
![image_thumb[9]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb9-16.png "image_thumb[9]")
Upload the self-signed certificate you have generate earlier by accessing the Certificates & secrets blade
![image_thumb[10]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb10-14.png "image_thumb[10]")
Finally you need to grant one of the administration roles supported – depending of the administration permission you need with your script:
- Global administrator
- Compliance administrator
- Security reader
- Security administrator
- Helpdesk administrator
- Exchange Service administrator
- Global Reader
You assign the corresponding administration role(s) from the Azure ADRoles and administrators blade
![image_thumb[11]](https://20001872.fs1.hubspotusercontent-na1.net/hubfs/20001872/Imported_Blog_Media/image_thumb11-13.png "image_thumb[11]")
Use the modern authentication in your script
You are now ready to include the new modern authentication in your script.
Install the self-signed certificate in the ComputerPersonal certificate store.
Replace the commands you used to authenticate and connect to Exchange Online with the below
Connect-ExchangeOnline -CertificateThumbPrint “<certificate thumbprint>” -AppID “<Azure AD application ID>” -Organization “<your Office 365 tenant – mytenant.onmicrosoft.com”