How to connect to Office 365 via PowerShell with Modern Auth and MFA - Multi-Factor Authentication


Introduction to Modern Authentication - Multi-Factor Authentication - 

Introduction - 
Office 365 Modern Authentication is the underlying technology that also supports MFA (Multi-Factor Authentication). MFA is a great way to add a layer of security to your Office 365 Administration accounts. MFA is the addition of a security challenge that happens after your username and password are accepted. A passcode is then sent to your preferred option for final authentication.

This tutorial will step you through the process for connecting to Office 365 via PowerShell with Modern Authentication. I will also step you through connecting with MFA (Multi-Factor Authentication).

Please see below for a list of all my Modern Auth - MFA (Multi-Factor Authentication) tutorials. 
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- MFA Support - PowerShell modules and resources for Office 365  - Link

------------------------------------------------------------------------------------------------------

Pre-requisites -

Modern Auth and MFA -
- Download and install PowerShell modules and configure your PC for Office 365 Admin - Link

MFA only -
- Enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link

------------------------------------------------------------------------------------------------------

Download and update the Office 365 MFA PowerShell connection script.

Once your PC is configured, you will need to create a connection script.
*** Download and save my Office 365 Connection script with MFA - Link - ***

Next, edit my connection script by opening the file in Notepad or PowerShell ISE.
I personally prefer PowerShell ISE as it provides visual cues when creating and editing scripts.

To edit the script in PowerShell ISE, open PowerShell ISE on the left side of your window, and have Windows Explorer open on the right. Browse to your download directory and drag the file - Connect-O365-MFA-v2-x.ps1 into PowerShell ISE.








You will need to edit two variables - your tenant and your admin UPN.
Simply scroll down the script and find the two variables.







In the variables section, you will see two variables to update - Tenant and UPN









Edit the first variable 
$Tenant - "Tenant" by replacing 'Tenant' with the name of your tenant.

Original script









Updated script









Edit the second variable - 
$UPN - "admin@tenant.onmicrosoft.com" by entering your admin user name

Original Script

Updated Script

Now that you have edited the two variables with your tenant name and admin credentials, save your connection script - Connect-Office365-MFA-v2-x.ps1

----------------------------------------------------------------------------------------------------

Connecting to Office 365 via PowerShell with Modern Authentication (non-MFA account)

One of the great features of PowerShell ISE is that you can edit and run your scripts from the same program. Once you have saved your script, simply click on the green arrow to run the script -

Once the script runs, a Windows Forms GUI will load.











Here you can select one of seven Office 365 services (highlighted in red).
You can also click one of the three Support Links (highlighted in blue).


Choose the Office 365 service you wish to connect to by clicking the appropriate button.
In the following example, you will see what happens when I select - "Connect to Exchange Online".

The script will open the Modern Authentication login window to connect to Exchange Online. The login window will also pre-populate the username (from the variable that you edited).
Enter your password and click - Sign in -


PowerShell will display that it is running the script to connect to Exchange Online...

PowerShell will display the progress of your connection.





Once connected, the Windows Forms GUI will close.

PowerShell will state that it has completed running the script, and tell you to run Get-Mailbox to test the connection.



To confirm a successful connection, run the cmdlet - Get-Mailbox -








Note that the Exchange PowerShell Modern Auth connection will also allow you to administer Exchange Online Protection.
Run the cmdlet - Get-HostedConnectionFilterPolicy to confirm

-----------------------------------------------------------------------------------------------------

Connecting to Office 365 via PowerShell with Modern Authentication (MFA enabled account).
The process for connecting to Office 365 via PowerShell with Modern Authentication using a Multi-Factor Authentication enabled account is exactly the same. The only difference is that when you are logging in with an MFA enabled account, you will be prompted to supply the PIN that is sent to your mobile / cell phone.

Run the connection script as normal. In this example I will connect to SharePoint Online.
Select and click the button - Connect to SharePoint Online








The script will open the Modern Authentication login window to connect to SharePoint Online. At this stage, SharePoint Online Modern Authentication does not support pre-populating the UPN.
Enter the user name that is enabled for MFA
Enter your password and click - Sign in -


Office 365 will accept the password, and then prompt for the verification code sent to your preferred MFA verification source.





















Once connected, the Windows Forms GUI will close.

PowerShell will state that it has completed running the script, and tell you to run Get-SPOTenant to test the connection.



Run the cmdlet - Get-SPOTenant to confirm your connection to SharePoint.









If you need to connect to multiple services, simply run the script again and choose the extra service you would like to connect to. In the examples above, I have connected to Exchange Online with a non-MFA-enabled account, and connected to SharePoint Online with an MFA-enabled account, all in the same PowerShell ISE window.

To connect to more services, just run the script again and connect with the same process.

Skype for Business Online with Modern Authentication -
Get-CSTenant







Azure AD v1 with Modern Authentication -
Get-MsolUser






Azure AD v2 with Modern Authentication - 
Get-AzureADUser

Azure Resource Manager with Modern Authentication -
Get-AzureRMContext






Azure AD Rights Management with Modern Authentication -
Get-AADRM
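
The test cmdlets listed above can be run in one pass to see which services the current PowerShell window is actually connected to. This is an added example, not part of the connection script from this tutorial; the function name Test-O365Connection is hypothetical, and it only uses the test cmdlets named on this page.

```powershell
# Added example - not part of the Connect-O365-MFA script.
# Test-O365Connection is a hypothetical helper name.
function Test-O365Connection {
    [CmdletBinding()]
    param()

    # Service -> test cmdlet from this tutorial, plus parameters that limit
    # the query to a single object where the cmdlet supports it.
    $checks = [ordered]@{
        'Exchange Online'            = 'Get-Mailbox',        @{ ResultSize = 1; WarningAction = 'SilentlyContinue' }
        'SharePoint Online'          = 'Get-SPOTenant',      @{}
        'Skype for Business Online'  = 'Get-CsTenant',       @{}
        'Azure AD v1'                = 'Get-MsolUser',       @{ MaxResults = 1 }
        'Azure AD v2'                = 'Get-AzureADUser',    @{ Top = 1 }
        'Azure Resource Manager'     = 'Get-AzureRmContext', @{}
        'Azure AD Rights Management' = 'Get-Aadrm',          @{}
    }

    foreach ($service in $checks.Keys) {
        $cmdlet, $params = $checks[$service]
        $status = 'Connected'
        $detail = ''
        try {
            # -ErrorAction Stop turns "not signed in" errors into exceptions.
            $result = & $cmdlet @params -ErrorAction Stop
            # Some AzureRM versions return an empty context instead of
            # failing when nobody is signed in, so check the account too.
            if ($cmdlet -eq 'Get-AzureRmContext' -and -not $result.Account) {
                $status = 'Not connected'
                $detail = 'No account in the current context'
            }
        }
        catch [System.Management.Automation.CommandNotFoundException] {
            # Module not installed, or no remote session imported yet.
            $status = 'Cmdlet not available'
            $detail = "$cmdlet was not found in this session"
        }
        catch {
            $status = 'Not connected'
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Service = $service; Status = $status; Detail = $detail }
    }
}

Test-O365Connection | Format-Table -AutoSize -Wrap
```

A status of "Cmdlet not available" points to a missing module or a session that was never imported, while "Not connected" means the cmdlet exists but the service rejected the call, for example because the sign-in was never completed.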




---------------------------------------------------------------------------------------------------------

As of 22 July 2017, only the following seven PowerShell connections support Modern Auth.
- Exchange Online
- SharePoint Online
- Skype for Business Online
- Azure AD v1.0
- Azure AD v2.0
- Azure Resource Manager
- Azure Rights Manager

---------------------------------------------------------------------------------------------------------

Support Links -
Please click on the support links on the Windows Forms GUI to take you straight to the info you need.
Support URLs - Takes you to my Modern Auth - MFA support page.
TechNet Gallery - Takes you to my TechNet Gallery contributions.
Technical Blog - Takes you to this technical blog.

---------------------------------------------------------------------------------------------------------

Congratulations - 
You have successfully connected to Office 365 via PowerShell with Modern Authentication.

---------------------------------------------------------------------------------------------------------
