Exchange Online – Use the new Exchange Online PowerShell module v2 with Modern Authentication with your scripts (preview)

As you know, Microsoft is going to retire the basic authentication for Exchange Online PowerShell during the second half of 2021.

In preparation of this retirement, a new Exchange Online PowerShell module has been released, known as Exchange Online PowerShell module v2 (see https://t.co/Jg3iTICowv).

Well, the next step of this preparation is the introduction of the modern authentication for unattended scripts; you know the script you run using a schedule task with no interaction. The authentication method will use a self-signed certificate to authenticate against an Azure AD Application.

Install/Update Exchange Online PowerShell

To start using this new capability with your scripts, you need to install the preview module for Exchange Online PowerShell module v2 using the below command

  • Fresh install of the ExO PowerShell module v2 using the prerelease

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease

  • Update an existing installation of the module

Update-Module -Name ExchangeOnlineManagement –AllowPrerelease

Generate a self-signed certificate

Then you need to generate a self signed certificate using the script available at https://github.com/SharePoint/PnP-Partner-Pack/blob/master/scripts/Create-SelfSignedCertificate.ps1 and the command

.Create-SelfSignedCertificate.ps1 -CommonName “MyCompanyName” -StartDate 2020-04-01 -EndDate 2022-04-01

or you can use the makecert.exe tool from the Windows SDK.

Capture the certificate thumbprint

Register an Azure AD Application

Connect to your Azure (https://portal.azure.com) or Azure AD portal (https://aad.portal.azure.com/) to access your Azure AD blade

image_thumb  image_thumb[1]

Then go to the App registrations blade and register a new application

image_thumb[2]  image_thumb[3]

Create the application using the below settings

  • Supported account types: Accounts in this organizational directory only
  • Redirect URI: Web with the URL where the token is being sent to

image_thumb[4]

Then you need to assign permissions to the newly create application by accessing the API Permissions blade and then Add a permission

image_thumb[6]

Then select Application permissions and the Exchange one under the Supported legacy APIs section to select Exchange.ManageAsApp after selecting Application Permissions

image_thumb[7]  image_thumb[8]

Capture the Application (client) ID of the registered application using the Overview blade

image_thumb[12]

Finally grant the admin consent to the application

image_thumb[9]

Upload the self-signed certificate you have generate earlier by accessing the Certificates & secrets blade

image_thumb[10]

Finally you need to grant one of the administration roles supported – depending of the administration permission you need with your script:

  • Global administrator
  • Compliance administrator
  • Security reader
  • Security administrator
  • Helpdesk administrator
  • Exchange Service administrator
  • Global Reader

You assign the corresponding administration role(s) from the Azure ADRoles and administrators blade

image_thumb[11]

Use the modern authentication in your script

You are now ready to include the new modern authentication in your script.

Install the self-signed certificate in the ComputerPersonal certificate store.

Replace the commands you used to authenticate and connect to Exchange Online with the below

Connect-ExchangeOnline -CertificateThumbPrint “<certificate thumbprint>” -AppID “<Azure AD application ID>” -Organization “<your Office 365 tenant – mytenant.onmicrosoft.com”