Secure Application Model

Learn and ask questions on how to implement secure application model

Level 3 Contributor

ExchangeOnlineManagement AOBO Secure Application Model _without_ certificate?

Is it possible to use ExchangeOnlineManagement with AOBO and Secure Application Model _without_ using certificates?


Currently we're using the following to connect to CSP customers with AOBO and Secure Application Model:




# Get access token
$CustomerExToken = New-PartnerAccessToken -Tenant $CustomerInitialDomain -ApplicationId $RefreshTokenIdentifier -RefreshToken $RefreshToken -Scopes 'https://outlook.office365.com/.default'
$CustomerCredential = [PSCredential]::new(
    $UserPrincipalName,  # placeholder: user name argument, not shown in the original post
    $(ConvertTo-SecureString -String ('Bearer {0}' -f ($CustomerExToken.'AccessToken')) -AsPlainText -Force)
)
# Connect
$PSSession = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri ('https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f ($CustomerExToken.'TenantId')) -Credential $CustomerCredential -Authentication 'Basic' -AllowRedirection -WarningAction 'SilentlyContinue'
# Import modules - Enter-PSSession if $RunFromOnprem    
$null = Import-PSSession $PSSession -DisableNameChecking -ErrorAction 'Stop'




But would like to take advantage of the new cmdlets, as the old ones seem to be unreliable. Get-MailboxFolderPermission to calendar folders fails way too often, said cause "Cmdlet error with following error message: Microsoft.Exchange.Data.Directory.ADServerSettingsChangedException: An error caused a change in the current set of domain controllers..".


Relevant resources:


So our setup currently is like this:

  • User is CSP partner tenant with AOBO (added to "AdminAgents" Azure AD group), Global Admin (to consent to applications, creating RefreshToken) and MFA.
  • Multi tenant Azure AD Application, where its service principal/ runas account also is member of "AdminAgents" Azure AD group.
  • Automation Account for scripts that refresh existing refresh tokens, and scripts that use AOBO and Secure Application model to do stuff to various MS cloud products, like EXO in this example.
  • Key Vault holding all secrets, using Automation Account runas account for giving permissions into Key Vault.


If said scenario is not possible with ExchangeOnlineManagement yet, it's about time to add such functionality. An alternative way would be to reuse an open/ existing PSSession to also connect with the ExchangeOnlineManagement module, so that one could benefit from the new <verb>-EXO<noun> cmdlets.

Level 3 Contributor

One more simple example on how it works with PSSession to outlook.office.365, but doesn't with ExchangeOnlineManagement.



#Requires -Modules ExchangeOnlineManagement,PartnerCenter
# Connects to EXO with AOBO and Secure Application Model.

# Assets
## Generic
$ExoApplicationId = [string] 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
$ExoScopeUri      = [string] 'https://outlook.office365.com/.default'

## Case specific
$PartnerInitialDomain  = [string] '<removed>.onmicrosoft.com'
$CustomerInitialDomain = [string] '<removed>.onmicrosoft.com'

# Get RefreshToken
$PartnerExoToken  = New-PartnerAccessToken -Tenant $PartnerInitialDomain -ApplicationId $ExoApplicationId -Scopes $ExoScopeUri

# Create access token to customer tenant using refresh token from partner tenant
$CustomerExoToken = New-PartnerAccessToken -Tenant $CustomerInitialDomain -ApplicationId $ExoApplicationId -Scopes $ExoScopeUri -RefreshToken $PartnerExoToken.'RefreshToken'

# Create URI and Credential for customer
## Credential
$CustomertExoCredential = [PSCredential]::new(
    $UserPrincipalName,  # placeholder: user name argument, not shown in the original post
    $(ConvertTo-SecureString -String ('Bearer {0}' -f ($CustomerExoToken.'AccessToken')) -AsPlainText -Force)
)

## Uri
$CustomerExoUri = [string]('https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f ($CustomerExoToken.'TenantId'))

# Connect - Old way
## Connect
$PSSession = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri $CustomerExoUri -Credential $CustomertExoCredential -Authentication 'Basic' -AllowRedirection -WarningAction 'SilentlyContinue'

## Import modules  
$null = Import-PSSession -Session $PSSession -DisableNameChecking -ErrorAction 'Stop'

# Connect - ExchangeOnlineManagement
Connect-ExchangeOnline -ExchangeEnvironmentName 'O365Default' -ConnectionUri $CustomerExoUri -Credential $CustomertExoCredential



For the v2 module this is not supported yet, unfortunately

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
Visitor 1

@JanoschUlmer does Microsoft have something on the list to assist with this issue? We are a lot of engineers that use PS a lot and we would not mind connecting via Azure app and certificate with a password but that 2FA mandate for AOBO is a bit too much. Any alternative we could use would be great.


@computerassist : Haven't checked in a while - if nothing changed in the ExchangeOnline PowerShell module in this regard, the only option I see would involve using AOBO/GDAP to register an App with permissions for Exchange Online Management into the customer tenant (not requiring their consent, because you have AOBO/GDAP) to then do Certificate-based auth.

You can raise a ticket in my team to get advisory on this scenario, this way a Partner Consultant like me can do a bit more research on this scenario (for community work I have only a limited amount of time I can invest, so raising a ticket would be appreciated). See my signature on how to raise an advisory ticket.



Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
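
The certificate-based alternative described in the reply above, sketched as an added example; it is not code from the thread or from Microsoft. It assumes an app has already been registered in the customer tenant with the Exchange.ManageAsApp application permission and an Exchange admin role, and that its certificate (with private key) is in the CurrentUser\My store; the function name and all identifiers are hypothetical placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement

function Connect-CustomerExoAppOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppId,                  # placeholder: app registered in the customer tenant
        [Parameter(Mandatory)] [string] $CertificateThumbprint,  # placeholder: certificate uploaded to that app
        [Parameter(Mandatory)] [string] $CustomerInitialDomain   # e.g. '<customer>.onmicrosoft.com'
    )

    # Fail early with a specific message if the certificate is missing, has no
    # private key, or is outside its validity window.
    $Certificate = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint } |
        Select-Object -First 1
    if (-not $Certificate) {
        throw ('Certificate {0} not found in Cert:\CurrentUser\My.' -f $CertificateThumbprint)
    }
    if (-not $Certificate.HasPrivateKey) {
        throw 'Certificate has no private key, so it cannot sign the client assertion.'
    }
    $Now = [datetime]::Now
    if ($Now -lt $Certificate.NotBefore -or $Now -gt $Certificate.NotAfter) {
        throw ('Certificate is not valid now (valid {0:yyyy-MM-dd} to {1:yyyy-MM-dd}).' -f $Certificate.NotBefore, $Certificate.NotAfter)
    }

    # App-only connection: no user account, no refresh token, no MFA prompt.
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertificateThumbprint `
        -Organization $CustomerInitialDomain -ShowBanner:$false -ErrorAction 'Stop'
}

# Usage with placeholder values; replace before running.
try {
    Connect-CustomerExoAppOnly -AppId '<app-id>' -CertificateThumbprint '<thumbprint>' `
        -CustomerInitialDomain '<customer>.onmicrosoft.com'

    # One of the newer <verb>-EXO<noun> cmdlets the original post asks about.
    Get-EXOMailboxFolderPermission -Identity '<mailbox>:\Calendar'
}
finally {
    # Always release the session, even if a cmdlet above throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```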