Secure Application Model

Learn and ask questions on how to implement secure application model

CobXTech
Level 3 Contributor

Unsure how to use app-only authentication in the EXO V2 module

Hi All,

Microsoft has announced that we are now able to use app-only authentication for Exchange Online PowerShell V2.

https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2

Does this mean there is a way to use the "Connect using an existing service principal and client-secret" with the current Secure Application Model setup I have? If so, how?

In the doco, it gives the following example for connecting via a token:

$AppCredential = New-Object System.Management.Automation.PSCredential(<UPN>,<Token>)
Connect-ExchangeOnline -Credential $AppCredential

But I don't seem to be able to get this to work; the errors I get are:

1. If I use my UPN:

New-ExoPSSession : missing_federation_metadata_url: Federation Metadata Url is missing for federated user. This user type is unsupported

2. If I use my app's ID:

New-ExoPSSession : unknown_user_type: Unknown User Type.

These errors seem to be related to the user I am using and not the token?

Has anyone been able to get this to work? Please let me know if I'm going about this the wrong way.

Thanks 🙂

CobXTech
Level 3 Contributor

Well, Microsoft wouldn't solve it, but Kelvin from CyberDrain will.

This new module of his solved my issues.

https://www.cyberdrain.com/automating-with-powershell-faster-exchange-powershell-commands/

JanoschUlmer
Microsoft

@CobXTech : I'm currently trying to find out if delegated admin scenarios are even in scope for this release; I suspect they are not. Waiting for the product team to confirm.

I also tried to use this, but failed so far. The main issue for me is currently how to correctly create the ADAL token and use it - using other access tokens (e.g. a Graph token) does not work because I receive the error that the password (--> token) exceeds 256 characters - but this should be true for any token.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
olavrb
Level 3 Contributor

I've found that using the Exchange Online PowerShell application id to create a refresh token using a delegated admin works for delegated access to customer tenants.

Where $PartnerTenantInitialDomain is your partner domain, and $TenantInitialDomain is the target tenant (*.onmicrosoft.com):

Create initial token as such:

# New-PartnerAccessToken comes from the PartnerCenter module
$ExchangeApplicationId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'   # Exchange Online PowerShell application id
$PartnerExToken = New-PartnerAccessToken -Tenant $PartnerTenantInitialDomain -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'

Then get access token to a customer tenant like this:

$TargetExToken = New-PartnerAccessToken -Tenant $TenantInitialDomain -RefreshToken $PartnerExToken.'RefreshToken' -ApplicationId $ExchangeApplicationId -Scopes 'https://outlook.office365.com/.default'

Then build auth headers and connect as such:

# Exchange
## Credential: the bearer token travels as the "password" of a basic-auth credential
$TargetExCredential = [PSCredential]::new(
    $TargetExToken.'Account'.'Username',
    $(ConvertTo-SecureString -String ('Bearer {0}' -f ($TargetExToken.'AccessToken')) -AsPlainText -Force)
)
## Uri: DelegatedOrg selects the customer tenant, BasicAuthToOAuthConversion makes the endpoint unwrap the bearer token
$TargetExUri = [string]('https://ps.outlook.com/powershell-liveid?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f ($TargetExToken.'TenantId'))
## Connect
$PSSession = New-PSSession -ConfigurationName 'Microsoft.Exchange' -ConnectionUri $TargetExUri -Credential $TargetExCredential -Authentication 'Basic' -AllowRedirection -WarningAction 'SilentlyContinue'
## Import modules
$null = Import-PSSession -Session $PSSession -DisableNameChecking -ErrorAction 'Stop'
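
The snippet above wraps a delegated access token in a basic-auth credential and sends it as "Bearer <token>". As an added example (not part of olavrb's post or of the PartnerCenter module), here is a pre-flight check that decodes the token's claims and confirms the audience, tenant and remaining lifetime before the session is built, so a token minted for the wrong resource or tenant, or one about to expire, fails locally with a readable message instead of an opaque server error. The function names ConvertFrom-JwtPayload and Test-ExoAccessToken are my own; the expected audience is assumed to be the resource behind the 'https://outlook.office365.com/.default' scope used above. Only the payload is decoded: the signature is not verified, so this is a sanity check, not a trust decision (the service makes that).

```powershell
# Added example, not from the thread. Decodes an Azure AD access token's payload and checks the
# claims that matter for the delegated Exchange Online flow above. No signature verification.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    # base64url -> base64: restore the standard alphabet and the stripped '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-ExoAccessToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$ExpectedTenantId,                                    # customer tenant the token should be for
        [string]$ExpectedAudience = 'https://outlook.office365.com',  # assumed resource behind the .default scope
        [int]$MinimumLifetimeMinutes = 5
    )
    $claims   = ConvertFrom-JwtPayload -Token $AccessToken
    $problems = [System.Collections.Generic.List[string]]::new()

    # Audience: a token for Graph or any other resource is rejected by the Exchange endpoint.
    if (([string]$claims.aud).TrimEnd('/') -ne $ExpectedAudience.TrimEnd('/')) {
        $problems.Add("audience is '$($claims.aud)', expected '$ExpectedAudience' (issued for a different resource)")
    }
    # Tenant: catches a partner-tenant token being used where a customer-tenant token was meant.
    if ($ExpectedTenantId -and $claims.tid -ne $ExpectedTenantId) {
        $problems.Add("tenant is '$($claims.tid)', expected '$ExpectedTenantId'")
    }
    # Lifetime: leave enough margin for the session to be established and used.
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow.AddMinutes($MinimumLifetimeMinutes)) {
        $problems.Add("token expires at $($expires.ToString('u')), refresh it first")
    }

    # Delegated tokens carry the user's UPN; app-only tokens carry only the app id.
    $principal = if ($claims.upn) { $claims.upn } else { $claims.appid }

    [pscustomobject]@{
        Tenant    = $claims.tid
        Audience  = $claims.aud
        Principal = $principal
        Scopes    = $claims.scp
        ExpiresAt = $expires.UtcDateTime
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Usage with the token from the flow above. Log the summary object, never the token itself.
# $check = Test-ExoAccessToken -AccessToken $TargetExToken.AccessToken -ExpectedTenantId $TargetExToken.TenantId
# if (-not $check.Ok) { throw ($check.Problems -join '; ') }
```

Run the check between obtaining $TargetExToken and building $TargetExCredential; the returned object is safe to write to a job log because it contains the claims summary and not the bearer token.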

 

 

JanoschUlmer
Microsoft

@olavrb : Yes, this is how it works for the v1 ExO PowerShell module that leverages basic auth; the question is how to do something similar with the 2.0.3 preview module that uses modern auth.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
CobXTech
Level 3 Contributor

@olavrb : I do have that working, but it's using the V1 module and is also authenticating as an account, not as an app.

@JanoschUlmer Apologies, I meant to update this thread earlier; it was pointed out to me in another group that the feature doesn't currently support delegated auth.

"Please note the feature does not support delegation."

https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387

Rodrigo
Level 1 Contributor

Hello @JanoschUlmer

A year passed. Any news about accessing EXO V2 with refresh token (delegated access)?

Regards

CobXTech
Level 3 Contributor

Nope.

It's crazy that Microsoft pushes the Secure Application Model as the recommended way for MSPs to run scripts but doesn't actually provide any support for one of the most used modules.

I'm currently looking into just generating an application in all of my tenants and storing the keys in KeyVault to finally move to the V2 module, since the V1 module is basically broken for over half my tenants.

https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Search-UnifiedAuditLog-returns-nothing-for-half-my-tenants-when/m-p/37643#M240
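
The original question asks how to use app-only authentication with the EXO V2 module, and the post above describes the fallback of one app registration per tenant with the keys kept in Key Vault. The following is an added example (not code from the thread, from Microsoft's docs or from the CyberDrain module) that puts those two together: the certificate for each tenant's app is read from Azure Key Vault at run time and handed to Connect-ExchangeOnline's certificate-based, app-only mode, which involves no user, no refresh token and no delegation. It assumes the Az.KeyVault (3.0 or later, for -AsPlainText) and ExchangeOnlineManagement (2.0.3 or later) modules, an existing Connect-AzAccount session with read access to the vault's secrets, and that each app has the Exchange.ManageAsApp permission and an Exchange role assignment in its tenant as the linked doc requires. The vault name, certificate names, app ids and tenant inventory are constructed placeholders, and the function names are my own.

```powershell
# Added example, not from the thread: per-tenant app-only Exchange Online connection with the
# certificate pulled from Azure Key Vault. Requires Az.KeyVault and ExchangeOnlineManagement
# (2.0.3+) and an existing Connect-AzAccount session.
#Requires -Modules Az.KeyVault, ExchangeOnlineManagement

function Get-ExoAppCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$CertificateName
    )
    # A Key Vault certificate exposes its PFX (private key included) through the secret of the
    # same name; read as plain text it is base64 PKCS#12 with no password.
    $pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertificateName -AsPlainText
    $pfxBytes  = [Convert]::FromBase64String($pfxBase64)
    try {
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes)
    } finally {
        [Array]::Clear($pfxBytes, 0, $pfxBytes.Length)   # do not leave the PFX bytes in memory
    }
}

function Connect-ExoTenantAppOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Organization,   # e.g. customer1.onmicrosoft.com
        [Parameter(Mandatory)][string]$AppId,          # app registration in that tenant
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(14)) {
        Write-Warning ('Certificate {0} for {1} expires {2:u}; rotate it before it breaks the job.' -f
            $Certificate.Thumbprint, $Organization, $Certificate.NotAfter)
    }
    # App-only (certificate) auth as described in the linked doc: no user sign-in, no delegation.
    Connect-ExchangeOnline -AppId $AppId -Certificate $Certificate -Organization $Organization -ShowBanner:$false
}

# Constructed inventory (placeholders): one app registration and one Key Vault certificate per tenant.
$VaultName = 'msp-exo-kv'
$Tenants = @(
    [pscustomobject]@{ Organization = 'customer1.onmicrosoft.com'; AppId = '00000000-0000-0000-0000-000000000001'; CertName = 'exo-customer1' }
    [pscustomobject]@{ Organization = 'customer2.onmicrosoft.com'; AppId = '00000000-0000-0000-0000-000000000002'; CertName = 'exo-customer2' }
)

foreach ($t in $Tenants) {
    $cert = Get-ExoAppCertificate -VaultName $VaultName -CertificateName $t.CertName
    try {
        Connect-ExoTenantAppOnly -Organization $t.Organization -AppId $t.AppId -Certificate $cert
        # Same cmdlet the thread's last link is about, now running app-only in the customer tenant.
        Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10 |
            Select-Object CreationDate, Operations, UserIds
    } catch {
        # One tenant failing (expired cert, missing role assignment) must not stop the rest.
        Write-Warning ('{0}: {1}' -f $t.Organization, $_.Exception.Message)
    } finally {
        Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
        $cert.Dispose()
    }
}
```

The private key never touches disk on the job host: it is loaded from the vault into an in-memory certificate object, used for the client assertion that Connect-ExchangeOnline builds, and disposed of when the tenant loop iteration ends. Rotation then means renewing the certificate in Key Vault and updating the app registration's credential, with no change to the script.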