Exch Online PowerShell with RefreshTokens/Secure App Model - WARNING: Basic Authentication is going to be deprecated soon
We are a CSP and we have the Secure App Model working (secured with MFA), we have Delegated Admin Permissions to our Customers. Our scripts mostly run headless/unattended so I don't always see script output unless there's an error. Most of them use Exchange Online PowerShell to manage our Customers' ExO settings.
I noticed this warning recently (no idea how long it's been popping up) on most Customers:
WARNING: Using New-PSSession with Basic Authentication is going to be deprecated soon, checkout https://aka.ms/exops-docs for using Exchange Online V2 Module which uses Modern Authentication.
The link goes to: The new Exch Online PowerShell V2 module - and I tried contacting the email address listed under Report Bugs and Issues 2 weeks ago (no reply yet).
I think it isn't a concern - that OAuth uses Basic Authentication for the Bearer AccessToken so I assume that while normal access to ExO PS using basic auth may be deprecated, I assume using Secure Access Model (RefreshTokens, AccessTokens, etc) will remain. Can anyone confirm?
I tried searching but was unable to find a definitive answer. And to be clear: my scripts are working fine, and the warning says "deprecated" not "disabled" but I wanted to check that this won't bite me in the future.
I'm using the current New-PSSession method to connect to the existing Exchange Online PowerShell with RefreshTokens - the Secure App Model. All configured with the PartnerCenter PS module, and I can access MS Graph API, Azure AD, Msol, Exch Online, etc. As detailed for PartnerCenter MFA access.
The code I'm using is roughly:
# First get the $Customer for their Tenant ID and Default Domain. # Then get the AzureAD and Graph Tokens via New-PartnerAccessToken. # And use Connect-AzureAD with those Tokens. No issues, Customer Azure AD access works. # # Finally to connect to Exchange Online PowerShell: $exTok = New-PartnerAccessToken -Tenant $Customer.CustomerContextId -RefreshToken $ExchangeRefreshToken -Scopes "https://outlook.office365.com/.default" -ApplicationId "a0c73c16-a7e3-4564-9a95-2bdf47383716" $exTokValue = (ConvertTo-SecureString "Bearer $($exTok.AccessToken)" -AsPlainText -Force) $exCred = New-Object System.Management.Automation.PSCredential($PartnerCenterMfaUpn, $exTokValue) $exUrl = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$($Customer.DefaultDomainName)&BasicAuthToOAuthConversion=true" # This line gives the WARNING: $O365Sess = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $exUrl -Credential $exCred -Authentication Basic –AllowRedirection
This last line connects fine but gives:
WARNING: Using New-PSSession with Basic Authentication is going to be deprecated soon, checkout
https://aka.ms/exops-docs for using Exchange Online V2 Module which uses Modern Authentication.
Which directed me to the EXO V2 module, which I've tried in the past but does not work for unattended situations. I updated the module and tried again, but when attempting to connect using something like:
Connect-ExchangeOnline -ConnectionUri $exUrl -DelegatedOrganization $Customer.DefaultDomainName -Credential $ExCred
New-ExoPSSession : AADSTS50052: The password entered exceeds the maximum length of '256'. Please reach out to your admin to reset the password.
The password in this case is the "Bearer ExchangeAccessTokenLongString" required for OAuth and the Secure App Module. And when I try to use:
Connect-ExchangeOnline -UserPrincipalName $PartnerCenterMfaUpn -DelegatedOrganization $Customer.DefaultDomainName
I get the MFA popup, which won't work when the script is run non-interactively via a scheduled task.
So I seem stuck: I'm told that Basic Auth is going to be deprecated soon, but the new EXO V2 module doesn't seem to support RefreshToken and the Secure App Model. Will this be fixed, any one know? Or am I missing something? Or will Basic Auth continue for OAuth Bearer tokens and I should just ignore the warning? (eg. the "basicAuthToOAuthConversion=true" part)
Anyone else notice this? Can anyone confirm if this is expected with Secure App Model and Bearer Tokens using Basic Auth and I can ignore the warning?
Thanks so much,
I don't have a definitive answer for you but just wanted you to know I am in the same position - it's not just you.
I actually e-mailed them in January to let them know that the delegated access via the v2 module didn't work and didn't get anywhere. In truth, a number of a Powershell cmdlets don't work with delegated access for a number of 365 services (even though the documentation insists they do).
Well good to hear it's not just me 😀
And I'm sure somewhere I read that while OAuth does use Basic Auth (for mainly legacy reasons) it's secure because it does so over HTTPS/TLS and uses Refresh Tokens and Access Tokens which are very limited. I just can't find that reference anywhere. So my feeling is that they'll continue to allow OAuth Bearer Tokens via Basic Auth, I'd just like confirmation. Or ExO PS V2 module to support head-less unattended access and call it a day.
Regarding ExO V2 module - I can't recall if I've ever used the Delegated Access option successfully, but unless it can be done through non-interactive scripts I don't really need it.
What other O365 services don't work for Delegated Access that should? I've only ever tried Azure AD, Msol, ExO, and Azure -- all have worked for me.