Multi-Factor Authentication (MFA)

The Secure Application Model documentation states that the modules Az, AzureRM en MSonline supports the ability to authenticate using access tokens.  How about the azureAD module?

At the moment we can revoke refresh tokens (in a custom made portal) from users when needed (e.g a security incident) in our customers tenants. The below code is now in use:

Connect-AzureAd -TenantId $o365TenantIDparam -Credential $LiveCred

Hi @degraafm76, 

Yes, you can find more information on that here. You will be switching from using user credentials when connecting to an access token. The Az, AzureRM, Azure AD, and MS Online modules all support the use of access tokens when authenticating. There are numerous others, but the ones I listed are the most common. Hope that this helps.

We run a PowerShell script through Azure Automation for auditing and enforcing various MFA requirements across our entire directory.  This is even more imperitive, given the recent partner-enforced mandatory new security requirements.

How can we continue to run this?

• Set-MsolUser does not support using a Service Principal (password alternative) for authentication, so accessing with an MFA-enabled account cannot be used in an automated fashion.
• The Azure AD PowerShell module - while it fully supports Service Principals - does not support configuring MFA on target accounts.

See also:

• https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36816202-set-mfa-using-azure-active-directory-powershell-mo
  • Please vote!
  • Can someone from Microsoft please at least acknowledge the feedback entry by replying with a status on it?
• https://github.com/AzureAD/azure-activedirectory-powershell/issues/12
• https://github.com/MicrosoftDocs/azure-docs/issues/10926

To-date, we've been using a dedicated service account with MFA disabled and other security controls in-place - which seems will no longer be allowed in the new security requirements.

Please advise.  Thanks!

Hi @ziesemer,

The MS Online module supports the use of access tokens for authentication. So, you can leverage the secure application model framework to generate the token used wen establishing the connection. You can find more information on this at https://docs.microsoft.com/powershell/partnercenter/secure-app-model

@idwilliamsand @JanoschUlmer - thank you for your replies.  Despite the "Email me when someone replies", I did not receive any notifications and didn't see the updates until checking back here just now.

I'll work through validating this here sometime yet today.

I am indeed interested if someone could answer this. We are struggling on how we have to proceed with Azure.

Hi @alexstucchi and @degraafm76,

We have added functionality to the Partner Center PowerShell module, that makes it possible for you to follow the secure application model framework. You can find more information, including samples on to connect to modules like Azure and Azure AD, at https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model. Please let us know if you have any concerns or questions.  

Hi @idwilliams,

thanks for you reply. I have already read that documentation but I was confused on how it is possible to connect to AzureAD powershell using ApplicationId and Refresh Token. Otherwise it seems impossible to me to create an Azure Application and Service Principal programmatically without user interaction during the process.

Could you please help?
Alex

@alexstucchi : Examples for using AzureAD powershell with appid & service principal are here: https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0

However, you are correct that for settig up an application at least one time this requires an interactive logon.

How on earth do I interact with Exchange Online Powershell Cmdlets? The entire thing doesn't seem to support the secure app model.

@Gavsto 

Yes, this is a known problem: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#exchange-online-powershell

Currently the only working solution is to create a user account in the customer tenant specifically for Exchange Online administration.

@JanoschUlmer - Was there any update to this around using the ExchangeOnline powershell CmdLets?

Yes - https://docs.microsoft.com/en-gb/powershell/module/exchange/powershell-v2-module/connect-exchangeonline?view=exchange-ps

See also this other discussion, seems there is still an issue: https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Exchange-Online-and-the-Secure-App-Model/m-p/11771#M39