Certificate-Based Authentication for Exchange Online PowerShell
In the never-ending quest to remove Basic Authentication from Exchange Online, Microsoft have taken a step towards making this possible with certificate-based authentication for remote PowerShell sessions. This is going to be incredibly useful for automated tasks and other unattended work.
Installing the module
Currently this is a preview feature of the latest version of the ExchangeOnlineManagement PowerShell module, so it does not install through a simple Update-Module if you already have the module installed. To install it, run the following:
Install-Module -Name ExchangeOnlineManagement -AllowPrerelease
Fortunately a self-signed certificate is enough for authentication to Exchange Online PowerShell; however, you can use any certificate for this as long as you can export it in .cer format.
Run this to create and export the certificate:
$cert = New-SelfSignedCertificate -FriendlyName "Exchange Online Authentication Certificate" -Subject "Exchange Online Authentication Certificate" -CertStoreLocation 'cert:\CurrentUser\My' -KeySpec KeyExchange
Export-Certificate -Cert $cert -FilePath 'c:\temp\ExchangeAuth.cer'
It is important to ensure that the user that authenticates using the certificate has it, with its private key, in their certificate store, or can otherwise access the certificate file.
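The certificate step above carried through as one script, added here as an example and not part of the original post: it creates the certificate, exports only the public .cer for the app registration, records the thumbprint that the later connection needs, and checks that the private key is actually reachable from the account that will run the automation. The friendly name, export path, one-year validity and non-exportable key policy are assumptions.

```powershell
# Added example (not from the original post). Names, path, validity period and
# key policy are assumptions; adjust them to your environment.
$friendlyName = 'Exchange Online Authentication Certificate'
$cerPath      = 'C:\temp\ExchangeAuth.cer'   # assumed export path for the public certificate

# Create the certificate in the store of the user that will run the automation.
# A bounded NotAfter limits how long a compromised key stays usable, and a
# non-exportable key keeps it from being copied off the host. Drop
# -KeyExportPolicy NonExportable if the certificate must be moved to another machine.
$cert = New-SelfSignedCertificate -FriendlyName $friendlyName `
    -Subject "CN=$friendlyName" `
    -CertStoreLocation 'cert:\CurrentUser\My' `
    -KeySpec KeyExchange `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# Export only the public certificate; this is the file uploaded under Certificates & secrets.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# The thumbprint is the value Connect-ExchangeOnline references later; record it.
Write-Output "Thumbprint: $($cert.Thumbprint)"

# Verify from the automation account's own session: the certificate must be present
# in its personal store with an accessible private key, otherwise authentication fails.
$stored = Get-ChildItem -Path "cert:\CurrentUser\My\$($cert.Thumbprint)"
if (-not $stored.HasPrivateKey) {
    throw 'Certificate is present but no private key is accessible to this user.'
}
Write-Output "Certificate OK, valid until $($stored.NotAfter)"
```

Run this as the account that will later call Connect-ExchangeOnline (for a Scheduled Task, the task's run-as user), so the private key lands in that user's store rather than an administrator's.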
Creating the Azure AD App
Next we need to create an Azure AD App. This is done as follows:
- Login to Azure and navigate to App Registrations
- Select New Registration
- Type a friendly name such as ‘Exchange Certificate Auth’ so that you know what this is when you come back to it in the future
- Once the application has been created you should see the App ID and the Object ID
- Navigate to API permissions and add the Exchange.ManageAsApp permission and then Grant admin consent for this permission
- Browse to Certificates & secrets and upload the previously created certificate
Assigning the required Exchange Online permissions
Currently the Graph API does not support any Exchange management operations, so we cannot scope the permissions using Graph. We also cannot use the tried-and-tested Exchange RBAC model, as this only applies to user objects and no such object exists for our application. What does exist for us is a ‘Service Principal’ object; this is the object to which permissions and roles are granted within Azure in order to achieve more secure authentication models.
Now, as we are trying to manage Exchange through this method, we need to look at which roles exist in both Azure AD and Exchange Online that we can assign. These are:
- Global Administrator
- Exchange Administrator
- Security Administrator
- Security Reader
- Helpdesk Admin
- Global Reader
Select the role that is correct for what you want to do and add the application using the Application ID of the application we have already created. N.B. This has to be done through Azure AD, as the application does not appear within Office 365.
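The role assignment done in PowerShell rather than the portal, added here as an example and not part of the original post. It assumes the AzureAD module is installed and that Exchange Administrator is the narrowest role from the list above that covers the automation's tasks; granting Global Administrator to an unattended app is the thing to avoid. The App ID is a placeholder. The example resolves the app's service principal (the object that actually receives the role), activates the directory role from its template if the tenant has never used it, adds the membership only if it is not already there, and lists the members afterwards so the grant can be reviewed.

```powershell
# Added example (not from the original post). Assumes the AzureAD module; the
# AppId is a placeholder to replace with the App ID from the registration.
Connect-AzureAD

$appId    = '00000000-0000-0000-0000-000000000000'   # placeholder App ID
$roleName = 'Exchange Administrator'                 # least-privileged role assumed sufficient

# The application object is not what gets the role; the tenant's service principal for it is.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"
if (-not $sp) { throw "No service principal found for AppId $appId" }

# Get-AzureADDirectoryRole only returns roles already activated in the tenant;
# activate from the built-in template if this one has never been used.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $template) { throw "No role template named '$roleName'" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Add the service principal to the role unless it is already a member (idempotent re-runs).
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $sp.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Output "Added '$($sp.DisplayName)' to '$roleName'"
}

# Review the result: every member of this role, including any unexpected ones.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, ObjectType, ObjectId
```

The final listing is worth keeping as part of the change record: the service principal now holds a directory role, so it should show up in whatever periodic review covers privileged role membership.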
Connecting to Exchange Online
From here we are at the easy bit: connecting to Exchange Online. This is simply done using the following:
Connect-ExchangeOnline -CertificateThumbprint "YOURCERTIFICATETHUMBPRINT" -AppId "YOURAPPID" -Organization tenant.onmicrosoft.com
Now you are connected, you can operate EXO PowerShell as you normally would. This is excellent for use in Scheduled Tasks and other automation tools for anything related to Exchange Online management.
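A complete unattended script of the kind a Scheduled Task would run, added here as an example and not part of the original post. The thumbprint, App ID and tenant are placeholders; Get-AcceptedDomain stands in for whatever management task the job performs. It assumes a module version that provides Disconnect-ExchangeOnline and the -ShowBanner switch on Connect-ExchangeOnline. Before connecting it confirms the certificate and its private key are in the current user's store and warns when expiry is near, and it always disconnects, so a failed or finished run never leaves a session behind.

```powershell
# Added example (not from the original post). Placeholders below must be replaced;
# assumes a module version with Disconnect-ExchangeOnline and -ShowBanner.
$thumbprint = 'YOURCERTIFICATETHUMBPRINT'   # placeholder
$appId      = 'YOURAPPID'                   # placeholder
$tenant     = 'tenant.onmicrosoft.com'      # placeholder

# Fail early with a clear message if the certificate is not usable from this account.
$cert = Get-ChildItem -Path "cert:\CurrentUser\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint not found with a private key in cert:\CurrentUser\My"
}

# Surface upcoming expiry in the job log so rotation happens before the job starts failing.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $thumbprint expires on $($cert.NotAfter); rotate it and update the app registration."
}

try {
    Connect-ExchangeOnline -CertificateThumbprint $thumbprint `
                           -AppId $appId `
                           -Organization $tenant `
                           -ShowBanner:$false

    # The actual management work goes here; a read-only call is used as the stand-in.
    Get-AcceptedDomain | Select-Object DomainName, DomainType
}
finally {
    # Always tear the session down, whether the work succeeded or threw.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

Because the app authenticates with its own identity rather than a user's, activity from this job appears in the audit logs under the application, which makes it straightforward to separate scheduled changes from interactive administrator sessions when reviewing them.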