
Secure Application Model

Learn and ask questions on how to implement secure application model

Level 2 Contributor

Exchange Online and the Secure App Model

Am I missing something, in that I cannot see a way to implement it? A lot of my automation relies on the ability to see things like transport rules and Exchange configuration settings that come out of the Exchange Online PowerShell cmdlets.

Is this stuff exposed in the Graph API or ANY API? I can't see it anywhere. Are there plans to update the Exchange Online PowerShell Module to support the Secure App Model before 1st of August?

Microsoft

Re: Exchange Online and the Secure App Model

Hi @Gavsto

Currently the Exchange Online PowerShell module does not support DAP when MFA is enabled. You can find more information about this here. The Exchange Online team is working to resolve this issue as quickly as possible. Unfortunately I do not have any additional information to share just yet. As I learn more I will be sure to share it with you.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 2 Contributor

Re: Exchange Online and the Secure App Model

Sorry for jumping in and for the late reply (I was on holidays when this was announced early July and I'm just back now).

So what is the solution for Partners using Delegated Admin to access our clients' Exchange Online via PowerShell? In another thread it was mentioned that we should create an Admin in each client's tenant and use that - use 100's of separate admin accounts? That seems like a worse solution.

I have various automations that run daily that need to connect to all our clients' Exchange Orgs to make changes; I can't even envision a simple method to manage all the changes so we can still access all clients along with separate usernames/passwords for each.

Can we avoid the issue with Azure AD IP Based Conditional Access policies and still be in compliance? (all connections come from our secured servers)

Or will the Exch Online team have this fixed by Aug 1st?!

    --Saul

Level 2 Contributor

Re: Exchange Online and the Secure App Model

I am keen to get an answer to this too because I have heavy reliance on Exchange Powershell cmdlets across hundreds of different clients too.

Microsoft

Re: Exchange Online and the Secure App Model

@Gavsto and @sansbacher our documentation has been updated to include details for a workaround for this limitation. You can find the details for this workaround here. The Exchange Online team is actively developing a solution for this limitation, but it will be some time before it is available. We will be sure to keep everyone informed as progress is made.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 2 Contributor

Re: Exchange Online and the Secure App Model

Thanks @idwilliams

So I'm clear: the workaround is to create a new AzureAD user in OUR (CSP/Partner) tenancy, assign it AdminAgents privileges (in the PartnerCenter) and not use it to perform an interactive login?

How is that going to work when MS enforces the technical requirement that ALL accounts in our CSP/Partner tenancy have MFA enabled with the Baseline Policies? Or does the fact that it isn't logged into interactively mean it doesn't have the MFA policy applied and will continue to work with Exchange Online Delegated Admin Privileges? Essentially "fly under the radar"? [I actually have an account now I use only from unattended scripts, so it may continue working? Or must it be an all new account?]

This is confirmed to work? Will this account also work to connect to AzureAD?

A previous suggestion had been to create an Exchange Admin in the client/customer tenant and manage Exch Online that way - is that no longer suggested?

Level 2 Contributor

Re: Exchange Online and the Secure App Model

I have to say that Microsoft's response to these changes, especially related to Exchange Online, has been absolutely inadequate and sub-standard.

I'm left in a position now where our clients are actually in a WORSE position with the implementation of these new security measures because none of our custom security monitoring works any more.

You come back with half-baked, hacked together bypasses that go directly against your own security guidance on how you are going to be enforcing these security standards.

It's disgraceful and Microsoft should be ashamed of themselves. They've had YEARS now to upgrade the Exchange Online module.

Microsoft

Re: Exchange Online and the Secure App Model

@sansbacher, the workaround for Exchange Online will continue to function with technical enforcement. The account you created for unattended scripting will continue to function as well, as long as the account has never been used to complete an interactive login. With that said, this workaround should be viewed only as a temporary workaround. Support for delegated admin privileges will be added to the Exchange Online PowerShell module in the future and this workaround will be removed. Your unattended scripts should be modified to support the secure application model to ensure long-term support.

The previous suggestion of creating an account in each client/customer tenant is no longer recommended.

Level 2 Contributor

Re: Exchange Online and the Secure App Model

Thank you @daokeefe - I appreciate the response (though I have to say that in general I agree with @Gavsto regarding how all this has been handled, esp. as it relates to the Exch Online PowerShell).

I have an existing unattended service account; it was created a while ago so I don't know if it was ever logged into interactively, but it hasn't been recently since MFA was turned on. If it fails to work I will create another one.

I hope that when proper Delegated Admin Privileges are added to the Exchange Online PowerShell module we'll get advance notice before the work-around is disabled, so that we can test the new module with the Secure App Model and our scripts (since we won't know exactly how it works until you deliver it).

ALSO: how will we be notified when the ExO module has been updated?

NOTE: I have tested the Secure App Model, and I found it works with the older MsOnline module, but not the newer AzureAD module. I hope that is fixed too. (and add the MFA controls to AzureAD at the same time)

Sorry for my late reply, I was on holidays - but I'm back now!

   --Saul

Microsoft

Re: Exchange Online and the Secure App Model

@sansbacher once the issue with Exchange Online PowerShell is resolved, we will post an announcement through this community. Also, there will be a number of additional mechanisms we use to communicate this release. Once we get closer to the update being released, I will be able to comment more precisely on how this announcement will be handled.

As it relates to the Azure AD PowerShell module, I have confirmed it does work with the Secure Application Model. If you can let us know what issues you encountered, we will be glad to see if we can help resolve the issue.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
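The MsOnline and AzureAD connections discussed in the last two posts, as an added example that is not code from this thread or from Microsoft: a refresh token obtained during the one-time Secure Application Model consent is exchanged for short-lived access tokens, so the unattended script never performs an interactive login and needs no MFA-exempt account. It assumes the PartnerCenter module's New-PartnerAccessToken cmdlet with the parameters shown (an assumption), the MSOnline and AzureAD modules, and placeholders for every ID, UPN and token.

```powershell
# Added example, not code from this thread or from Microsoft. Assumes the PartnerCenter
# module's New-PartnerAccessToken cmdlet (its parameters as used here are an assumption),
# the MSOnline and AzureAD modules, and that the one-time partner consent for the
# Secure Application Model has already been completed and yielded a refresh token.
# Every ID, UPN and token below is a placeholder.
$applicationId  = '<partner-app-id-placeholder>'
$partnerTenant  = '<partner-tenant-id-placeholder>'
$customerTenant = '<customer-tenant-id-placeholder>'
$refreshToken   = '<refresh-token-placeholder>'   # keep in a vault, never in the script
$credential     = Get-Credential -UserName $applicationId -Message 'Enter the application secret'

function Get-SecureAppTokens {
    # Exchanges the long-lived refresh token for a pair of short-lived access tokens
    # (Azure AD Graph + Microsoft Graph) issued for the given tenant. No interactive
    # login happens here; MFA was satisfied once, during the original consent.
    param([Parameter(Mandatory)][string]$Tenant)
    $common = @{ ApplicationId = $applicationId; Credential = $credential
                 RefreshToken = $refreshToken; ServicePrincipal = $true; Tenant = $Tenant }
    [pscustomobject]@{
        AadGraph = (New-PartnerAccessToken @common -Scopes 'https://graph.windows.net/.default').AccessToken
        MsGraph  = (New-PartnerAccessToken @common -Scopes 'https://graph.microsoft.com/.default').AccessToken
    }
}

# Older MSOnline module: tokens for the partner tenant; each customer is selected per cmdlet with -TenantId.
$partnerTokens = Get-SecureAppTokens -Tenant $partnerTenant
Connect-MsolService -AdGraphAccessToken $partnerTokens.AadGraph -MsGraphAccessToken $partnerTokens.MsGraph
Get-MsolUser -TenantId $customerTenant -MaxResults 5 |
    Select-Object UserPrincipalName, StrongAuthenticationRequirements   # quick MFA-state check

# Newer AzureAD module: tokens issued for the customer tenant, plus the account and tenant they belong to.
$customerTokens = Get-SecureAppTokens -Tenant $customerTenant
Connect-AzureAD -AadAccessToken $customerTokens.AadGraph -MsAccessToken $customerTokens.MsGraph `
    -AccountId '<partner-admin-upn-placeholder>' -TenantId $customerTenant
Get-AzureADUser -Top 5 | Select-Object UserPrincipalName
```

Tokens from New-PartnerAccessToken expire after roughly an hour, so long-running jobs should call Get-SecureAppTokens again rather than caching the values.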