Secure Application Model

Learn and ask questions on how to implement secure application model

CobXTech
Level 2 Contributor

Unsure how to use app-only authentication in the EXO V2 module

Hi All,

Microsoft has announced that we are now able to use app only authentication for ExchangeOnline Powershell V2.

https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2

Does this mean there is a way to use the "Connect using an existing service principal and client-secret" with the current Secure Application Module setup I have? If so, how?

In the doco, it gives the following example for connecting via a token:

$AppCredential = New-Object System.Management.Automation.PSCredential(<UPN>,<Token>)
Connect-ExchangeOnline -Credential $AppCredential

But I don't seem to be able to get this to work; the errors I get are:

1. If I use my UPN:

New-ExoPSSession : missing_federation_metadata_url: Federation Metadata Url is missing for federated user. This user type is unsupported

2. If I use my Apps ID:

New-ExoPSSession : unknown_user_type: Unknown User Type.

These errors seem to be related to the user I am using and not the token?

Has anyone been able to get this to work? Please let me know if I'm going about this the wrong way.

Thanks 🙂

1 ACCEPTED SOLUTION
CobXTech
Level 2 Contributor

@olavrb : I do have that working, but it's using the V1 module and is also authenticating as an account, not as an app.

@JanoschUlmer Apologies, I meant to update this thread earlier; it was pointed out to me in another group that the feature doesn't currently support delegated auth.

"Please note the feature does not support delegation."

https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387


4 REPLIES
JanoschUlmer
Microsoft

@CobXTech : I'm currently trying to find out if delegated admin scenarios are even in scope for this release; I suspect they are not. Waiting for the product team to confirm.

I also tried to use this, but failed so far. The main issue for me is currently how to correctly create the ADAL token and use it; using other access tokens (e.g. a Graph token) does not work because I receive the error that the password (--> token) exceeds 256 characters, but this should be true for any token.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
olavrb
Level 3 Contributor

I've found that using the Exchange Online PowerShell application id to create a refresh token using a delegated admin works for delegated access to customer tenants.

Where $PartnerTenantInitialDomain is your partner domain, and $TenantInitialDomain is the target tenant (*.onmicrosoft.com):

Create initial token as such:

$ExchangeApplicationId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
$PartnerExToken = New-PartnerAccessToken -Tenant $PartnerTenantInitialDomain -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'

Then get access token to a customer tenant like this:

$TargetExToken = New-PartnerAccessToken -Tenant $TenantInitialDomain -RefreshToken $PartnerExToken.'RefreshToken' -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'

Then build auth headers and connect as such:

# Exchange
## Credential (the access token is passed as the password, prefixed with "Bearer ")
$TargetExCredential = [PSCredential]::new(
    $TargetExToken.'Account'.'Username',
    $(ConvertTo-SecureString -String ('Bearer {0}' -f ($TargetExToken.'AccessToken')) -AsPlainText -Force)
)
## Uri (DelegatedOrg selects the customer tenant; BasicAuthToOAuthConversion lets the endpoint accept the bearer token)
$TargetExUri = [string]('https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f ($TargetExToken.'TenantId'))
## Connect
$PSSession = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri $TargetExUri -Credential $TargetExCredential -Authentication 'Basic' -AllowRedirection -WarningAction 'SilentlyContinue'
## Import modules
$null = Import-PSSession -Session $PSSession -DisableNameChecking -ErrorAction 'Stop'

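As an added example (not olavrb's code and not part of the PartnerCenter or Exchange modules), the v1 flow above wrapped in one function that exchanges the partner refresh token per customer tenant, refuses a token that is about to expire, and always removes the remote session. It assumes New-PartnerAccessToken returns an ExpiresOn timestamp alongside the properties used above; the tenant name in the usage line is a constructed placeholder.

```powershell
# Added example, not olavrb's or the PartnerCenter module's own code: the v1
# flow above wrapped in one function that exchanges the partner refresh token
# per customer tenant, refuses a token that is about to expire, and always
# tears the remote session down. Assumes New-PartnerAccessToken returns the
# properties used in the thread plus an ExpiresOn timestamp (assumption).
function Invoke-DelegatedExoCommand {
    [CmdletBinding()]
    param(
        # RefreshToken from the New-PartnerAccessToken call against the partner tenant
        [Parameter(Mandatory)] [string] $PartnerRefreshToken,
        # Customer tenant, e.g. contoso.onmicrosoft.com (constructed value)
        [Parameter(Mandatory)] [string] $TenantInitialDomain,
        # Exchange cmdlets to run on the remote side
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )
    $ExchangeApplicationId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
    # Exchange the partner refresh token for an access token bound to this customer tenant only.
    $token = New-PartnerAccessToken -Tenant $TenantInitialDomain -RefreshToken $PartnerRefreshToken `
        -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'

    # Fail early on a token that is expired or within five minutes of expiry,
    # instead of surfacing the problem later as an opaque remoting error.
    if ($token.ExpiresOn -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) {
        throw "Access token for $TenantInitialDomain expires at $($token.ExpiresOn); re-acquire before connecting."
    }

    $credential = [PSCredential]::new(
        $token.Account.Username,
        (ConvertTo-SecureString -String ('Bearer {0}' -f $token.AccessToken) -AsPlainText -Force)
    )
    $uri = 'https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f $token.TenantId
    $session = $null
    try {
        $session = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri $uri `
            -Credential $credential -Authentication 'Basic' -AllowRedirection -ErrorAction 'Stop'
        # Run the cmdlets remotely rather than importing proxies into the caller's scope.
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock -ErrorAction 'Stop'
    }
    finally {
        # Exchange Online limits concurrent remote sessions per account, so never leak one.
        if ($session) { Remove-PSSession -Session $session }
    }
}

# Usage (constructed): a read-only query in the customer tenant.
# Invoke-DelegatedExoCommand -PartnerRefreshToken $PartnerExToken.RefreshToken `
#     -TenantInitialDomain 'contoso.onmicrosoft.com' -ScriptBlock { Get-OrganizationConfig }
```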
JanoschUlmer
Microsoft

@olavrb : Yes, this is how it works for the v1 ExO powershell module that leverages basic auth - the question is how to do similar with the 2.0.3 preview module that uses modern auth.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices