With that said, don\u2019t expect to see many click-and-point instructions in this article. Most of the walkthrough instruction will be done in PowerShell.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Setting Up App-Only Authentication using PowerShell<\/h2>\n\n\n\n
You might be used to using a generic account, which is often referred to as a service account to run your PowerShell scripts. That type of account is a \u201cshared<\/em>\u201d account in nature. Anyone who knows that account\u2019s credential can use it to log in and perform all sorts of admin stuff on your organization; that is a security concern.<\/p>\n\n\n\n The app-only authentication attempts<\/em> to solve that security concern. App-only authentication requires the use of an Azure AD app with service principal and selected permissions and role. Use token or certificate to authenticate.<\/p>\n\n\n\n The first step is to create a new app in Azure AD with the right API permissions. First, open an elevated Windows PowerShell (run as admin) and make sure to connect to Azure AD<\/a><\/em>.<\/p>\n\n\n\n <\/p>\n\n\n\n The code below will register a new app in Azure AD with the name Exo_V2_App<\/em> and assign the Exchange.ManageAsApp<\/em> permission of the Office 365 Exchange Online<\/em> API.<\/p>\n\n\n\n If you prefer to use a different name for your app, edit the value of the <\/p>\n\n\n\n The demonstration below shows the code in action. In the end, it will present the\u00a0DisplayName,\u00a0ObjectID, and\u00a0AppID\u00a0properties of the new app is displayed.\u00a0$myApp\u00a0variable stores these properties. The\u00a0$mySP\u00a0variable holds the property values of the service principal.<\/p>\n\n\n\n <\/p>\n\n\n\n Export the property values of the application using this command below.<\/p>\n\n\n\n <\/p>\n\n\n\n After creating the app, the next step is to assign an Azure AD role<\/a><\/em> to the app\u2019s service principal. You\u2019ll need to decide the type of role you should assign to your app.<\/p>\n\n\n\n The valid supported roles for Exchange Online V2 are these below.<\/p>\n\n\n\n You should only assign the least privileged role that you deem appropriate to your script. In this example, the code below will assign the Exchange Service administrator<\/em> role to the app\u2019s service principal.<\/p>\n\n\n\n <\/p>\n\n\n\n When you run the command above in PowerShell, you should see an output similar to the one shown in the demo below.<\/p>\n\n\n\n <\/p>\n\n\n\n The next step is to generate a self-signed certificate and attach that certificate to your app. You\u2019ll need to use the Create-SelfSignedCertificate.ps1<\/a><\/em> script for this step.<\/p>\n\n\n\n The script below will generate a self-signed certificate using your app\u2019s name as its subject name, such as Exo_V2_App.<\/em> The certificate will be valid for one (1) year.<\/p>\n\n\n\n If you want to change the certificate\u2019s validity, you should change the\u00a0$certYears\u00a0value to the number of years you prefer. You may also change the\u00a0$certPassword\u00a0value if you want to use a different password for the resulting certificate (PFX) file.<\/p>\n\n\n\n <\/p>\n\n\n\n When you run the code above in PowerShell, two files will be created, as you can see from the demo below.<\/p>\n\n\n\n The next step is to upload the certificate that you\u2019ve just created to your Azure AD app. The code below will locate the certificate (.CER) file in your working directory and then attach it to the Azure AD app. There\u2019s no need to modify the code, just copy and run it in PowerShell.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n When you run the code above in PowerShell, you can expect to see no output, unless an error was encountered. The demo below shows the result when the code execution is successful.<\/p>\n\n\n\n You\u2019re almost done with your set up. The next step is for a Global Admin to grant consent to your Azure AD app. This step can be executed by yourself or by another Global Admin in your organization.<\/p>\n\n\n\n A Global admin can grant the consent from the Azure Active Directory admin center<\/a><\/em>. But, you can also just generate a consent URL<\/a><\/em> in PowerShell. Either give it to the Global admin, or you can use it yourself to grant consent.<\/p>\n\n\n\n <\/p>\n\n\n\n The consent URL follow this format below.<\/p>\n\n\n\n <\/p>\n\n\n\n The\u00a0{TenantID}\u00a0value is the directory ID or verified domain of your Office 365 tenant. The\u00a0{ApplicationID}\u00a0value is the AppID of the Azure AD application that you created previously.<\/p>\n\n\n\n The code below will generate the consent URL based on the values stated above. The consent URL will then be displayed on the screen and launched using the computer\u2019s default browser.<\/p>\n\n\n\n <\/p>\n\n\n\n Refer to the demo below to see what happens when you run the code above in PowerShell.<\/p>\n\n\n\n After creating the app and assigning the permission and role, you\u2019ll now need to upload and attach the certificate. You are now ready to connect to Exchange Online PowerShell using the app\u2019s certificate credentials.<\/p>\n\n\n\n There are two ways to utilize the certificate credentials; using the local certificate file (.pfx), and using the thumbprint of the certificate installed in the current user\u2019s personal certificate store<\/a><\/em>.<\/p>\n\n\n\n To connect to Exchange Online PowerShell using a local certificate to authenticate, you must have the following information:<\/p>\n\n\n\n Next, change the value of the\u00a0$tenantID,\u00a0$appID,\u00a0$CertificateFilePath, and\u00a0$pfxPassword\u00a0variables in the code below. Once you\u2019ve change the value of the variables as needed, copy the code and run it in PowerShell.<\/p>\n\n\n\n <\/p>\n\n\n\n The demo below shows that the connecting to Exchange Online PowerShell si successful using the local certificate file authentication.<\/p>\n\n\n\n If you look closely at the code again, one glaring problem is that the pfx certificate password is visible. You may consider using some kind of secret management solution<\/a><\/em> to store the certificate credential for added security.<\/p>\n\n\n\n This authentication method can be considered more secure than using the local certificate with a password. In this method, you will need to import the certificate to the Personal certificate store. You only need to use the thumbprint to identify which certificate to use for authentication.<\/p>\n\n\n\n The first step is to import the PFX certificate into the Personal certificate store. Note that you only need to do this step once for the current user.<\/p>\n\n\n\n <\/p>\n\n\n\n The demo below shows how to import the PFX certificate into the personal certificate store.<\/p>\n\n\n\n As you can see above, you will see the result of the PFX import process. Make sure to copy the value of the\u00a0Thumbprint\u00a0for quick reference later on.<\/p>\n\n\n\n After importing the certificate, your scripts can now authenticate with Exchange Online PowerShell using its thumbprint.<\/p>\n\n\n\n Edit the\u00a0$tenantID,\u00a0$appID, and\u00a0$CertificateThumbPrint\u00a0in the code below to match your correct values. Then, copy and run the code in PowerShell.<\/p>\n\n\n\n <\/p>\n\n\n\n Running the code above in PowerShell will give you an output similar to the demo below.<\/p>\n\n\n\n So far, in this article, you\u2019ve only been copying and pasting code into PowerShell. But now that you\u2019re familiar with how app-only authentication works, you should apply it to run your PowerShell scripts.<\/p>\n\n\n\n The script below connects to Exchange Online PowerShell using the certificate thumbprint to authenticate. Then, once connected, the script will get all the mailboxes available. The script is a saved in C:\\exo_v2_demo\\ListExoMailbox.ps1<\/em><\/p>\n\n\n\n <\/p>\n\n\n\n After you\u2019ve saved the script, run it in PowerShell. The script should connect to Exchange Online without any prompts and perform its function. Refer to the results shown in the demo below.<\/p>\n\n\n\n The release of the EXO V2 PowerShell module is a welcome development. Knowing that Microsoft has decided to take away basic authentication for connecting to Exchange Online via PowerShell, and having this new app-only authentication feature allows admins to update their existing scripts.<\/p>\n\n\n\n However, implementing EXO V2 app-only authentication is not without its challenges.<\/p>\n\n\n\n The benefits of using the new EXO V2 PowerShell module outweigh these challenges.<\/p>\n\n\n\n In this article, you\u2019ve learned the step-by-step process of setting up the app-only authentication for the Exchange Online V2 PowerShell module. You\u2019ve also learned how to connect to Exchange Online PowerShell using a self-signed certificate.<\/p>\n\n\n\n Now you do not have to deal with Exchange Online PowerShell MFA prompts and use app-only certificate-based authentication in your scripts.<\/p>\n","protected":false},"excerpt":{"rendered":" In this article, you will learn how to prepare to use the EXO V2 module to run Exchange Online unattended scripts with app-only modern authentication. You\u2019ll learn how to: Register a new app in Azure Active Directory and enable its\u00a0service principal. Assign API permissions and roles. Generate and upload a self-signed certificate. Use the app […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,35,58,62,73,59],"tags":[],"class_list":["post-3273","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud-computing","category-exchange-2013","category-microsoft-exchange-server-2016","category-exchange-server-2019","category-powershell"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3273"}],"version-history":[{"count":11,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3273\/revisions"}],"predecessor-version":[{"id":3284,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3273\/revisions\/3284"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Creating an Azure AD Application with API Permissions<\/h3>\n\n\n\n
![\"Connect](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2021\/05\/connect-azuread-min.gif\")
$appName<\/code> variable in the code below. Copy the code and run it in PowerShell.<\/p>\n\n\n\n# CODE TO REGISTER APP, ASSIGN API PERMISSIONS, AND ENABLE SERVICE PRINCIPAL\n## Define the client app name\n$appName = 'Exo_V2_App'\n\n## Get the Office 365 Exchange Online API details.\n$api = (Get-AzureADServicePrincipal -Filter \"AppID eq '00000002-0000-0ff1-ce00-000000000000'\")\n\n## Get the API permission ID\n$permission = $api.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }\n\n## Build the API permission object (TYPE: Role = Application, Scope = User)\n$apiPermission = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{\n ResourceAppId = $api.AppId ;\n ResourceAccess = [Microsoft.Open.AzureAD.Model.ResourceAccess]@{\n Id = $permission.Id ;\n Type = \"Role\"\n }\n}\n\n## Register the new Azure AD App with API Permissions\n$myApp = New-AzureADApplication -DisplayName $appName -ReplyUrls 'http:\/\/localhost' -RequiredResourceAccess $apiPermission\n\n## Enable the Service Principal\n$mySP = New-AzureADServicePrincipal -AppID $myApp.AppID\n\n## Display the new app properties\n$myApp | Format-List DisplayName,ObjectID,AppID\n<\/code><\/pre>\n\n\n\n![\"Register](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2021\/05\/Register-App-min.gif\")
$myApp | Export-Csv -NoTypeInformation \"$($appName).csv\"\n<\/code><\/pre>\n\n\n\nAssigning an Azure AD Role to the Application<\/h3>\n\n\n\n
## The role to assign to your app\n$directoryRole = 'Exchange Service Administrator'\n\n## Find the ObjectID of 'Exchange Service Administrator'\n$RoleId = (Get-AzureADDirectoryRole | Where-Object {$_.displayname -eq $directoryRole}).ObjectID\n\n## Add the service principal to the directory role\nAdd-AzureADDirectoryRoleMember -ObjectId $RoleId -RefObjectId $mySP.ObjectID -Verbose\n<\/code><\/pre>\n\n\n\n![\"Assigning](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2021\/05\/Add-Role-min.gif\")
Generating and Attach a Self-Signed Certificate to the Application<\/h3>\n\n\n\n
## Number of years of certificate validity\n$certYears = 1\n\n## Certificate (PFX) password\n$certPassword = '4~mt4G*8Qd@G'\n\n.\\Create-SelfSignedCertificate.ps1 -CommonName $appName `\n-StartDate (Get-Date).AddDays(-1) `\n-EndDate (Get-Date).AddYears($certYears) `\n-Password (ConvertTo-SecureString $certPassword -AsPlainText -Force) `\n-Force\n<\/code><\/pre>\n\n\n\n![\"Generate](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2021\/05\/Generate-Cert-min.gif\")
## Get the certificate file (.CER)\n$CertificateFilePath = (Resolve-Path \".\\$($appName).cer\").Path\n## Create a new certificate object\n$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2\n$cer.Import(\"$($CertificateFilePath)\")\n$bin = $cer.GetRawCertData()\n$base64Value = [System.Convert]::ToBase64String($bin)\n$bin = $cer.GetCertHash()\n$base64Thumbprint = [System.Convert]::ToBase64String($bin)\n\n## Upload and assign the certificate to application in AzureAD\n$null = New-AzureADApplicationKeyCredential -ObjectId $myApp.ObjectID `\n-CustomKeyIdentifier $base64Thumbprint `\n-Type AsymmetricX509Cert -Usage Verify `\n-Value $base64Value `\n-StartDate ($cer.NotBefore) `\n-EndDate ($cer.NotAfter)\n<\/code><\/pre>\n\n\n\n![\"Attaching](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2020\/07\/attach-cert.gif\")
Granting Admin Consent to the Application<\/h3>\n\n\n\n
https://login.microsoftonline.com\/{TenantID}\/adminconsent?client_id={ApplicationID}\n<\/code><\/pre>\n\n\n\n## Get the TenantID\n$tenantID = (Get-AzureADTenantDetail).ObjectID\n\n## Browse this URL\n$consentURL = \"https:\/\/login.microsoftonline.com\/$tenantID\/adminconsent?client_id=$($myApp.AppId)\"\n\n## Display the consent URL\n$consentURL\n\n## Launch the consent URL using the default browser\nStart-Process $consentURL\n<\/code><\/pre>\n\n\n\n![\"Generate](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2020\/07\/grant-consent-2.gif\")
Connecting to Exchange Online PowerShell<\/h2>\n\n\n\n
Authenticating Using Local PFX Certificate<\/h3>\n\n\n\n
## set the tenant ID (directory ID or domain)\n$tenantID = 'poshlab.ga'\n\n## Set the Exo_V2_App app id\n$appID = '3f76be04-5cf0-47f1-9df6-d05981a450fc'\n\n## Set the certificate file path (.pfx)\n$CertificateFilePath = 'C:\\exo_v2_demo\\Exo_V2_App.pfx'\n\n## Get the PFX password\n$pfxPassword = '4~mt4G*8Qd@G'\n\n## Connect to Exchange Online\nConnect-ExchangeOnline -CertificateFilePath $CertificateFilePath `\n-CertificatePassword (ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force) `\n-AppID $appID `\n-Organization $tenantID\n<\/code><\/pre>\n\n\n\n![\"Authenticating](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2020\/07\/Connect-PFX.gif\")
Authenticating Using Certificate Thumbprint<\/h3>\n\n\n\n
# CODE TO IMPORT THE PFX CERTIFICATE INTO THE CURRENT PERSONAL CERTIFICATE STORE\n## Set the certificate file path (.pfx)\n$CertificateFilePath = 'C:\\exo_v2_demo\\Exo_V2_App.pfx'\n\n## Get the PFX password\n$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'\n\n## Import the PFX certificate to the current user's personal certificate store.\nImport-PfxCertificate -FilePath $CertificateFilePath -CertStoreLocation Cert:\\CurrentUser\\My -Password $mypwd.Password\n<\/code><\/pre>\n\n\n\n![\"Importing](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2020\/07\/import-pfx.gif\")
## set the tenant ID (directory ID or domain)\n$tenantID = 'poshlab.ga'\n\n## Set the Exo_V2_App app id\n$appID = '3f76be04-5cf0-47f1-9df6-d05981a450fc'\n\n## Set the certificate thumbprint\n$CertificateThumbPrint = 'DED486B87C38CEA966EC71F8EE90BB3AAE694A74'\n\n## Connect to Exchange Online\nConnect-ExchangeOnline -CertificateThumbPrint $CertificateThumbPrint `\n-AppID $appID `\n-Organization $tenantID\n<\/code><\/pre>\n\n\n\n![\"Output](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2020\/07\/connect-store.gif\")
Connecting and Running Exchange Online PowerShell Scripts with App-Only Authentication<\/h2>\n\n\n\n
## Clean up Exchange Online Session\nGet-PSSession | Where-Object {$_.name -like \"ExchangeOnline*\"} | Remove-PSSession -ErrorAction SilentlyContinue\n\n## set the tenant ID (directory ID or domain)\n$tenantID = 'poshlab.ga'\n\n## Set the Exo_V2_App app id\n$appID = '3f76be04-5cf0-47f1-9df6-d05981a450fc'\n\n## Set the certificate thumbprint\n$CertificateThumbPrint = 'DED486B87C38CEA966EC71F8EE90BB3AAE694A74'\n\n## Connect to Exchange Online\nConnect-ExchangeOnline -CertificateThumbPrint $CertificateThumbPrint `\n-AppID $appID `\n-Organization $tenantID\n\n## Get All Mailbox\nWrite-Output \"Getting all mailboxes\"\nGet-Mailbox -ResultSize Unlimited | Format-Table Name,DisplayName\n<\/code><\/pre>\n\n\n\n![\"PowerShell](\"https:\/\/adamtheautomator.com\/wp-content\/uploads\/2020\/07\/script-1.gif\")
Summary<\/h2>\n\n\n\n