Unsure how to use app-only authentication in the EXO V2 module
Hi All,
Microsoft has announced that we are now able to use app only authentication for ExchangeOnline Powershell V2.
https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2
Does this mean there is a way to use the "Connect using an existing service principal and client-secret" option with the current Secure Application Model setup I have? If so, how?
In the doco, it gives the following example for connecting via a token:
$AppCredential = New-Object System.Management.Automation.PSCredential(<UPN>,<Token>)
Connect-ExchangeOnline -Credential $AppCredential
But I don't seem to be able to get this to work; the errors I get are:
1. If I use my UPN:
New-ExoPSSession : missing_federation_metadata_url: Federation Metadata Url is missing for federated user. This user type is unsupported
2. If I use my Apps ID:
New-ExoPSSession : unknown_user_type: Unknown User Type.
These errors seem to be related to the user I am using and not the token?
Has anyone been able to get this to work? Please let me know if I'm going about this the wrong way.
Thanks 🙂
Labels: Cloud Platform, CSP
@olavrb : I do have that working, but it's using the V1 module and is also authenticating as an account, not as an app.
@JanoschUlmer Apologies, I meant to update this thread earlier; it was pointed out to me in another group that the feature doesn't currently support delegated auth.
"Please note the feature does not support delegation."
@CobXTech : I'm currently trying to find out if delegated admin scenarios are even in scope for this release; I suspect they are not. Waiting for the product team to confirm.
I also tried to use this, but failed so far. The main issue for me is currently how to correctly create the ADAL token and use it. Using other access tokens (e.g. a Graph token) does not work because I receive the error that the password (--> token) exceeds 256 characters, but this should be true for any token.
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
I've found that using the Exchange Online PowerShell application id to create a refresh token using a delegated admin works for delegated access to customer tenants.
Where $PartnerTenantInitialDomain is your partner domain, and $TenantInitialDomain is the target tenant (*.onmicrosoft.com):
Create initial token as such:
$ExchangeApplicationId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
$PartnerExToken = New-PartnerAccessToken -Tenant $PartnerTenantInitialDomain -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'
Then get access token to a customer tenant like this:
$TargetExToken = New-PartnerAccessToken -Tenant $TenantInitialDomain -RefreshToken $PartnerExToken.'RefreshToken' -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'
Then build auth headers and connect as such:
# Exchange
## Credential
$TargetExCredential = [PSCredential]::new(
$TargetExToken.'Account'.'Username',
$(ConvertTo-SecureString -String ('Bearer {0}' -f ($TargetExToken.'AccessToken')) -AsPlainText -Force)
)
## Uri
$TargetExUri = [string]('https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f ($TargetExToken.'TenantId'))
## Connect
$PSSession = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri $TargetExUri -Credential $TargetExCredential -Authentication 'Basic' -AllowRedirection -WarningAction 'SilentlyContinue'
## Import modules
$null = Import-PSSession -Session $PSSession -DisableNameChecking -ErrorAction 'Stop'
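The three steps above wrapped into one function, as an added example that is not part of the original post: it adds an expiry and tenant check on the token before it is sent, fails early instead of leaving a half-open session, and always removes the remote session afterwards. It assumes the PartnerCenter module (New-PartnerAccessToken) is installed, that the caller is a delegated admin of the partner tenant, and that the returned token object exposes ExpiresOn alongside the AccessToken, RefreshToken, Account and TenantId properties used in the post.

```powershell
# Added example (not from the thread). Assumes the PartnerCenter module and that
# New-PartnerAccessToken returns an object with ExpiresOn (assumption) in addition
# to the AccessToken / RefreshToken / Account / TenantId properties used above.
function Connect-DelegatedExoSession {
    param(
        [Parameter(Mandatory)][string]$PartnerTenantInitialDomain,
        [Parameter(Mandatory)][string]$TenantInitialDomain
    )
    $ExchangeApplicationId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
    $Scope = 'https://outlook.office365.com/.default'

    # Step 1: sign in against the partner tenant; the refresh token is what we keep.
    $PartnerExToken = New-PartnerAccessToken -Tenant $PartnerTenantInitialDomain `
        -ApplicationId $ExchangeApplicationId -Scopes $Scope

    # Step 2: redeem the refresh token for an access token scoped to the customer tenant.
    $TargetExToken = New-PartnerAccessToken -Tenant $TenantInitialDomain `
        -RefreshToken $PartnerExToken.RefreshToken `
        -ApplicationId $ExchangeApplicationId -Scopes $Scope

    # Sanity checks before the token leaves this machine: it must be unexpired and
    # must have been issued for the customer tenant, not the partner tenant.
    if ($TargetExToken.ExpiresOn -le [DateTimeOffset]::UtcNow) {
        throw 'Access token for the target tenant is already expired.'
    }
    if ($TargetExToken.TenantId -eq $PartnerExToken.TenantId) {
        throw 'Token was issued for the partner tenant, not the customer tenant.'
    }

    # Step 3: the bearer token travels as the "password" of a Basic credential,
    # which the endpoint converts to OAuth (BasicAuthToOAuthConversion=true).
    $Secure = ConvertTo-SecureString -String ('Bearer {0}' -f $TargetExToken.AccessToken) -AsPlainText -Force
    $Credential = [PSCredential]::new($TargetExToken.Account.Username, $Secure)
    $Uri = 'https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f $TargetExToken.TenantId

    $Session = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri $Uri `
        -Credential $Credential -Authentication 'Basic' -AllowRedirection -ErrorAction Stop
    $null = Import-PSSession -Session $Session -DisableNameChecking -ErrorAction Stop
    return $Session
}

# Usage (placeholder domains): always tear the session down, since idle remote
# sessions count against the tenant's concurrent-session limit.
$Session = Connect-DelegatedExoSession -PartnerTenantInitialDomain 'partner.onmicrosoft.com' -TenantInitialDomain 'customer.onmicrosoft.com'
try {
    Get-OrganizationConfig | Select-Object Name, IsDehydrated
} finally {
    Remove-PSSession -Session $Session
}
```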
@olavrb : Yes, this is how it works for the v1 ExO powershell module that leverages basic auth - the question is how to do similar with the 2.0.3 preview module that uses modern auth.
Janosch
