Unsure how to use app-only authentication in the EXO V2 module
Hi All,
Microsoft has announced that we are now able to use app only authentication for ExchangeOnline Powershell V2.
https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2
Does this mean there is a way to use the "Connect using an existing service principal and client-secret" option with the current Secure Application Model setup I have? If so, how?
In the doco, it gives the following example for connecting via a token:
$AppCredential = New-Object System.Management.Automation.PSCredential(<UPN>,<Token>)
Connect-ExchangeOnline -Credential $AppCredential
But I don't seem to be able to get this to work; the errors I get are:
1. If I use my UPN:
New-ExoPSSession : missing_federation_metadata_url: Federation Metadata Url is missing for federated user. This user type is unsupported
2. If I use my Apps ID:
New-ExoPSSession : unknown_user_type: Unknown User Type.
These errors seem to be related to the user I am using and not the token?
Has anyone been able to get this to work? Please let me know if I'm going about this the wrong way
Thanks 🙂
Labels: Cloud Platform, CSP
@olavrb : I do have that working, but it's using the V1 module and is also authenticating as an account, not as an app.
@JanoschUlmer Apologies I meant to update this thread earlier, it was pointed out to me in another group that the feature doesn't currently support delegated auth.
"Please note the feature does not support delegation."
Well, Microsoft wouldn't solve it, but Kelvin from CyberDrain will.
This new module of his solved my issues.
https://www.cyberdrain.com/automating-with-powershell-faster-exchange-powershell-commands/
@CobXTech : I'm currently trying to find out if delegated admin scenarios are even in scope for this release; I suspect they are not. Waiting for the product team to confirm.
I also tried to use this - but failed so far. The main issue for me is currently how to correctly create the ADAL token and use it - using other access tokens (e.g. a Graph token) does not work because I receive the error that the password (--> token) exceeds 256 characters - but this should be true for any token.
I've found that using the Exchange Online PowerShell application id to create a refresh token as a delegated admin works for delegated access to customer tenants.
Where $PartnerTenantInitialDomain is your partner domain, and $TenantInitialDomain is the target tenant (*.onmicrosoft.com):
Create initial token as such:
# Placeholders: set these to your own partner tenant and the customer tenant you are targeting
$PartnerTenantInitialDomain = 'partner.onmicrosoft.com'
$TenantInitialDomain = 'customer.onmicrosoft.com'
# Well-known application id of the first-party Exchange Online PowerShell app
$ExchangeApplicationId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
# Interactive sign-in as the partner (delegated) admin; requires the PartnerCenter module.
# The result carries both an access token and a refresh token.
$PartnerExToken = New-PartnerAccessToken -Tenant $PartnerTenantInitialDomain -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'
Then get an access token for a customer tenant like this:
# Redeem the partner refresh token against the customer tenant to get a token scoped to that tenant
$TargetExToken = New-PartnerAccessToken -Tenant $TenantInitialDomain -RefreshToken $PartnerExToken.'RefreshToken' -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'
Then build auth headers and connect as such:
# Exchange
## Credential: the "password" is the literal string 'Bearer <access token>'
$TargetExCredential = [PSCredential]::new(
$TargetExToken.'Account'.'Username',
$(ConvertTo-SecureString -String ('Bearer {0}' -f ($TargetExToken.'AccessToken')) -AsPlainText -Force)
)
## Uri: DelegatedOrg selects the customer tenant, BasicAuthToOAuthConversion tells the endpoint the Basic password is really a bearer token
$TargetExUri = [string]('https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f ($TargetExToken.'TenantId'))
## Connect (classic remoting session, i.e. the v1-style endpoint)
$PSSession = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri $TargetExUri -Credential $TargetExCredential -Authentication 'Basic' -AllowRedirection -WarningAction 'SilentlyContinue'
## Import modules
$null = Import-PSSession -Session $PSSession -DisableNameChecking -ErrorAction 'Stop'
@olavrb : Yes, this is how it works for the v1 ExO powershell module that leverages basic auth - the question is how to do similar with the 2.0.3 preview module that uses modern auth.
Hello @JanoschUlmer
A year has passed. Any news about accessing EXO V2 with a refresh token (delegated access)?
Regards
Nope.
It's crazy that Microsoft pushes the Secure Application Model as the recommended way for MSPs to run scripts but doesn't actually provide any support for one of the most used modules.
I'm currently looking into just generating an application in all of my tenants and storing the keys in KeyVault to finally move to the V2 module since the V1 module is basically broken for over half my tenants.
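The per-tenant app registration plus Key Vault approach described in the last post is the certificate-based app-only flow that the linked Microsoft doc covers. The following is an added example, not code from the thread, from CyberDrain or from Microsoft: it pulls the certificate's private key from Azure Key Vault at run time and connects with Connect-ExchangeOnline -AppId/-Certificate/-Organization (ExchangeOnlineManagement 2.0.3 or later, Az.KeyVault module, Connect-AzAccount already done). The vault name, certificate name, app id and tenant domain are placeholders.

```powershell
# Added example (not from the thread): app-only, certificate-based EXO V2 connection with the
# certificate kept in Azure Key Vault. Nothing here uses a user account, a refresh token or the
# Basic-to-OAuth conversion endpoint from the earlier answers.
# Assumes: Az.KeyVault is installed and Connect-AzAccount has run; the certificate was imported into
# Key Vault with its private key; the app registration in the customer tenant trusts that certificate.

function Get-KeyVaultPfxCertificate {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Name
    )
    # Key Vault exposes a certificate with its private key as a secret of the same name, holding
    # the base64-encoded PFX with an empty password. Keep it in memory only; never write it to disk.
    $pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -AsPlainText
    $pfxBytes  = [Convert]::FromBase64String($pfxBase64)
    # EphemeralKeySet keeps the private key out of the on-disk key store (needs .NET 4.7.2+ / PowerShell 7)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        $pfxBytes,
        [string]::Empty,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)
    if (-not $cert.HasPrivateKey) {
        throw "Secret '$Name' in vault '$VaultName' does not contain a private key"
    }
    # Fail loudly before the certificate lapses so rotation is not discovered by a broken job
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning ('Certificate {0} expires {1:u}; rotate it soon.' -f $cert.Thumbprint, $cert.NotAfter)
    }
    return $cert
}

function Connect-ExoAppOnly {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$CertificateName,
        [Parameter(Mandatory)][string]$AppId,          # app registration in the customer tenant
        [Parameter(Mandatory)][string]$Organization    # customer tenant initial domain
    )
    $cert = Get-KeyVaultPfxCertificate -VaultName $VaultName -Name $CertificateName
    # Certificate-based app-only auth: the module signs a client assertion with the private key,
    # so no secret string ever appears in the script or in logs.
    Connect-ExchangeOnline -AppId $AppId -Certificate $cert -Organization $Organization -ShowBanner:$false
    # Confirm the session really landed in the tenant we asked for before running anything else
    $orgConfig = Get-OrganizationConfig
    Write-Verbose ('Connected to {0}' -f $orgConfig.Name)
    return $orgConfig
}

# Usage (placeholder values; one app registration and one certificate per customer tenant):
try {
    $null = Connect-ExoAppOnly -VaultName 'msp-automation-kv' `
                               -CertificateName 'exo-customer-contoso' `
                               -AppId '00000000-0000-0000-0000-000000000000' `
                               -Organization 'customer.onmicrosoft.com'
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Always tear the session down so a failed job does not leave an authenticated session behind
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

Scope the app registration's Exchange permissions and the Exchange role assignment to what the job needs, and give the automation identity only get-secret access to the individual certificate secrets in the vault rather than to the whole vault.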
