Secure Application Model

Learn and ask questions on how to implement secure application model

sansbacher
Level 6 Contributor

Exch Online PowerShell with RefreshTokens/Secure App Model - WARNING: Basic Authentication is going to be deprecated soon

Hi,

 

We are a CSP and we have the Secure App Model working (secured with MFA), and we have Delegated Admin Permissions to our Customers. Our scripts mostly run headless/unattended, so I don't always see script output unless there's an error. Most of them use Exchange Online PowerShell to manage our Customers' ExO settings.

 

I noticed this warning recently (no idea how long it's been popping up) on most Customers:

WARNING: Using New-PSSession with Basic Authentication is going to be deprecated soon, checkout
https://aka.ms/exops-docs for using Exchange Online V2 Module which uses Modern Authentication.

 

The link goes to: The new Exch Online PowerShell V2 module - and I tried contacting the email address listed under Report Bugs and Issues 2 weeks ago (no reply yet).

 

I think it isn't a concern: OAuth uses Basic Authentication for the Bearer AccessToken, so I assume that while normal access to ExO PS using basic auth may be deprecated, using the Secure Access Model (RefreshTokens, AccessTokens, etc.) will remain. Can anyone confirm?

 

I tried searching but was unable to find a definitive answer. And to be clear: my scripts are working fine, and the warning says "deprecated" not "disabled" but I wanted to check that this won't bite me in the future.

 

More Details:

 

I'm using the current New-PSSession method to connect to the existing Exchange Online PowerShell with RefreshTokens - the Secure App Model. All configured with the PartnerCenter PS module, and I can access MS Graph API, Azure AD, Msol, Exch Online, etc. As detailed for PartnerCenter MFA access. 

 

The code I'm using is roughly:

# First get the $Customer for their Tenant ID and Default Domain.
# Then get the AzureAD and Graph Tokens via New-PartnerAccessToken.
# And use Connect-AzureAD with those Tokens. No issues, Customer Azure AD access works.
#
# Finally to connect to Exchange Online PowerShell:
# Redeem the Exchange refresh token for an access token scoped to Exchange Online,
# in the customer's tenant, using the Exchange Online Remote PowerShell application ID.
$exTok = New-PartnerAccessToken -Tenant $Customer.CustomerContextId -RefreshToken $ExchangeRefreshToken -Scopes "https://outlook.office365.com/.default" -ApplicationId "a0c73c16-a7e3-4564-9a95-2bdf47383716"
# The access token, prefixed with "Bearer ", becomes the "password" of the PSCredential.
$exTokValue = ConvertTo-SecureString "Bearer $($exTok.AccessToken)" -AsPlainText -Force
$exCred = New-Object System.Management.Automation.PSCredential($PartnerCenterMfaUpn, $exTokValue)
# DelegatedOrg selects the customer tenant; BasicAuthToOAuthConversion=true tells the endpoint
# to read the Basic-auth password as an OAuth Bearer token.
$exUrl = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$($Customer.DefaultDomainName)&BasicAuthToOAuthConversion=true"
# This line gives the WARNING:
$O365Sess = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $exUrl -Credential $exCred -Authentication Basic -AllowRedirection

 

This last line connects fine but gives:

WARNING: Using New-PSSession with Basic Authentication is going to be deprecated soon, checkout
https://aka.ms/exops-docs for using Exchange Online V2 Module which uses Modern Authentication.

 

Which directed me to the EXO V2 module, which I've tried in the past but does not work for unattended situations. I updated the module and tried again, but when attempting to connect using something like:

Connect-ExchangeOnline -ConnectionUri $exUrl -DelegatedOrganization $Customer.DefaultDomainName -Credential $ExCred

 

I get:

New-ExoPSSession : AADSTS50052: The password entered exceeds the maximum length of '256'. Please reach out to your admin to reset the password.

 

The password in this case is the "Bearer ExchangeAccessTokenLongString" required for OAuth and the Secure App Module. And when I try to use:

Connect-ExchangeOnline -UserPrincipalName $PartnerCenterMfaUpn -DelegatedOrganization $Customer.DefaultDomainName

 

I get the MFA popup, which won't work when the script is run non-interactively via a scheduled task.

 

So I seem stuck: I'm told that Basic Auth is going to be deprecated soon, but the new EXO V2 module doesn't seem to support RefreshTokens and the Secure App Model. Will this be fixed, does anyone know? Or am I missing something? Or will Basic Auth continue for OAuth Bearer tokens and I should just ignore the warning? (e.g. the "basicAuthToOAuthConversion=true" part)

 

Anyone else notice this? Can anyone confirm if this is expected with Secure App Model and Bearer Tokens using Basic Auth and I can ignore the warning?

 

Thanks so much,

   --Saul
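
The following is an added example, not code from the original post or from Microsoft. It takes the connection pattern described in the post (the Exchange access token passed as a "Bearer ..." password over Basic auth with BasicAuthToOAuthConversion=true) and adds the pre-flight checks a headless script wants: decode the access token locally, confirm its audience is Exchange Online and that it will not expire mid-run, and only then connect. The ApplicationId and scope are the ones from the post; the function names, the sample token, and the second connection path are this example's own. The 'V3AccessToken' path assumes a later ExchangeOnlineManagement module (3.1.0 or newer) whose Connect-ExchangeOnline accepts -AccessToken; that parameter is not discussed on this page and should be verified against the installed module before relying on it.

```powershell
# Added example; not code from the original post. The ApplicationId and scope are the
# ones used in the post; function names, the sample token, and the -AccessToken path
# are this example's own assumptions.

function ConvertFrom-Base64Url {
    # JWT segments are base64url without padding; restore padding before decoding.
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 1 { throw 'Invalid base64url length' } 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function Get-JwtClaims {
    # Decodes the JWT payload WITHOUT verifying the signature. Exchange Online verifies the
    # signature server-side; this is only a local pre-flight so an unattended script fails
    # with a readable message instead of an opaque remoting error.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt -split '\.'
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 dot-separated segments, got $($parts.Count)" }
    [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
}

function Test-ExoAccessToken {
    # Checks that the token is for Exchange Online and has enough lifetime left for the run.
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$ExpectedAudience = 'https://outlook.office365.com',
        [int]$MinimumRemainingSeconds = 300
    )
    $claims    = Get-JwtClaims -Jwt $AccessToken
    $expiresAt = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $remaining = ($expiresAt - [DateTimeOffset]::UtcNow).TotalSeconds
    $problems  = @()
    $aud = ([string]$claims.aud).TrimEnd('/')   # aud is the resource URI; ignore a trailing slash
    if ($aud -ne $ExpectedAudience.TrimEnd('/')) { $problems += "audience is '$aud', expected '$ExpectedAudience'" }
    if ($remaining -lt $MinimumRemainingSeconds) { $problems += "token expires in $([int]$remaining)s (at $expiresAt)" }
    [pscustomobject]@{
        Valid     = ($problems.Count -eq 0)
        Problems  = $problems
        TenantId  = $claims.tid
        User      = $claims.upn
        ExpiresAt = $expiresAt
    }
}

function Connect-ExoDelegated {
    # Redeems the Exchange refresh token in the customer tenant, validates the access token,
    # then connects. 'V1Remoting' is the method from the post. 'V3AccessToken' ASSUMES
    # ExchangeOnlineManagement 3.1.0+ where Connect-ExchangeOnline accepts -AccessToken;
    # check Get-Module ExchangeOnlineManagement -ListAvailable before using it.
    param(
        [Parameter(Mandatory)][string]$RefreshToken,
        [Parameter(Mandatory)][string]$CustomerTenantId,
        [Parameter(Mandatory)][string]$CustomerDefaultDomain,
        [Parameter(Mandatory)][string]$PartnerUpn,
        [ValidateSet('V1Remoting', 'V3AccessToken')][string]$Method = 'V1Remoting'
    )
    $tok = New-PartnerAccessToken -Tenant $CustomerTenantId -RefreshToken $RefreshToken `
        -Scopes 'https://outlook.office365.com/.default' `
        -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
    $check = Test-ExoAccessToken -AccessToken $tok.AccessToken
    if (-not $check.Valid) { throw "Refusing to connect to ${CustomerDefaultDomain}: $($check.Problems -join '; ')" }
    if ($check.TenantId -ne $CustomerTenantId) {
        Write-Warning "Token tid '$($check.TenantId)' differs from requested tenant '$CustomerTenantId'"
    }
    switch ($Method) {
        'V1Remoting' {
            # The Basic-auth "password" is the Bearer token; BasicAuthToOAuthConversion=true makes the endpoint unwrap it.
            $cred = [pscredential]::new($PartnerUpn, (ConvertTo-SecureString "Bearer $($tok.AccessToken)" -AsPlainText -Force))
            $uri  = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$CustomerDefaultDomain&BasicAuthToOAuthConversion=true"
            $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri -Credential $cred -Authentication Basic -AllowRedirection
            Import-PSSession $session -DisableNameChecking | Out-Null
            return $session
        }
        'V3AccessToken' {
            Connect-ExchangeOnline -AccessToken $tok.AccessToken -DelegatedOrganization $CustomerDefaultDomain -ShowBanner:$false
        }
    }
}

function New-SampleJwt {
    # Constructed, unsigned (alg=none) token so the checks above can be exercised offline.
    # It is NOT a real Exchange token and the service would reject it.
    param([string]$Audience = 'https://outlook.office365.com', [int]$LifetimeSeconds = 3600)
    $b64u = { param($bytes) [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = & $b64u ([Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}'))
    $claims  = @{ aud = $Audience; exp = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + $LifetimeSeconds
                  tid = '11111111-2222-3333-4444-555555555555'; upn = 'svc-exo@partner.example' }
    $payload = & $b64u ([Text.Encoding]::UTF8.GetBytes(($claims | ConvertTo-Json -Compress)))
    "$header.$payload."
}

# Offline exercise of the pre-flight: a usable token, one about to expire, one for the wrong resource.
Test-ExoAccessToken -AccessToken (New-SampleJwt) | Format-List Valid, Problems, ExpiresAt
Test-ExoAccessToken -AccessToken (New-SampleJwt -LifetimeSeconds 60) | Format-List Valid, Problems
Test-ExoAccessToken -AccessToken (New-SampleJwt -Audience 'https://graph.microsoft.com') | Format-List Valid, Problems
```

The point of decoding the token locally is that the "password" in this scheme is not a secret the partner chose: it is a short-lived JWT with a fixed audience and expiry, which is why the Basic-auth framing carries a different risk profile from a real password, and why a scheduled task should check the expiry before starting a long run rather than discovering it when a cmdlet fails half-way through.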

 

1 ACCEPTED SOLUTION
JanoschUlmer
Microsoft

I've been trying to get clarity on the same for a few weeks. My understanding is that at some point in time the ExO v1 module will be affected and the v2 module will need to be adopted, depending on when the delegated scenario is supported in the new module. Some of those decisions are reconsidered depending on the feedback and on whether engineering is able to keep up with their plan. E.g. if the Exchange Team plans to block this, they will consider whether the modules for modern auth have been available for sufficient time to allow customers/Partners/ISVs to adopt them.

 

In short - no need to worry, but stay tuned on updates to start adopting when this becomes an option.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)


7 REPLIES
sansbacher
Level 6 Contributor

Yes, @Embry - I saw that too. But I've not had a chance to play with it yet. With a bit more time and reading it all now I see that it won't work - at least for what I need: unattended script access to client tenants I have delegated access to. This link:

https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387

says "Please note the feature does not support delegation. Unattended scripting in delegation scenarios is supported with the Secure App Model".

 

The new ExO V2 module still uses Basic Auth for the OAuth header.

 

So near as I can GUESS:

  • Basic auth in ExO may be going away in 2021, but Basic Auth will still be used for the OAuth Header.
  • Our current method of accessing unattended Exch Online PowerShell for delegated access will remain the same: the Secure App Model and the Refresh Tokens / Access Tokens, etc.
  • Thus we don't need to change anything, though we won't gain any of the new ExO V2 cmdlets.

 

I don't know how to confirm this; maybe @JanoschUlmer could pull some strings and check internally? Mostly I just want to know: will the current Secure App Model method we're using now continue to work after 2021 when Basic Auth is retired? Do we need to make any changes?

 

   --Saul

sansbacher
Level 6 Contributor

Thanks for the update @JanoschUlmer ! I would definitely vote that Delegated Access is a must, so until they add that it's a non-starter for us. I will keep an eye on things, and if they do add Delegated + Modern Auth + unattended to ExO V2 then I'll look at making the switch. Or maybe they'll just allow ExO V2 to work with the Secure App Model? Whatever works to be secure and allow us to do what we're doing.

Just a shame to throw away all the work we put into getting Secure App Model with V1 working! 🙂

   --Saul

Embry
Visitor 1

Microsoft has released EXO V2 preview module for non-interactive PowerShell scripts using Modern authentication.
For more info: Modern auth and unattended script in Exchange Online

TasGray
Visitor 1

I'm also looking for a solution to this. Hopefully we see an update or a response soon.

Gavsto
Level 3 Contributor

I don't have a definitive answer for you but just wanted you to know I am in the same position - it's not just you.

 

I actually e-mailed them in January to let them know that the delegated access via the v2 module didn't work and didn't get anywhere. In truth, a number of PowerShell cmdlets don't work with delegated access for a number of 365 services (even though the documentation insists they do).

sansbacher
Level 6 Contributor

Morning,

 

Well good to hear it's not just me 😀

 

And I'm sure somewhere I read that while OAuth does use Basic Auth (mainly for legacy reasons) it's secure because it does so over HTTPS/TLS and uses Refresh Tokens and Access Tokens which are very limited. I just can't find that reference anywhere. So my feeling is that they'll continue to allow OAuth Bearer Tokens via Basic Auth; I'd just like confirmation. Or for the ExO PS V2 module to support headless unattended access and call it a day.

 

Regarding ExO V2 module - I can't recall if I've ever used the Delegated Access option successfully, but unless it can be done through non-interactive scripts I don't really need it.

 

What other O365 services don't work for Delegated Access that should? I've only ever tried Azure AD, Msol, ExO, and Azure -- all have worked for me.

 

   --Saul