Certificate-Based Authentication for Exchange Online PowerShell

In the never-ending quest to remove Basic Authentication from Exchange Online, Microsoft have taken a step towards making this possible with certificate-based authentication for Remote PowerShell sessions. This is going to be incredibly useful for scheduled tasks and other automated jobs.

Installing the module

Currently this is a preview feature of the latest version of the ExchangeOnlineManagement PowerShell module, so it does not install through a simple Update-Module if you already have the module installed. To install the preview you simply need to run the following:

Install-Module -Name ExchangeOnlineManagement -AllowPrerelease

A Certificate

Fortunately a self-signed certificate is enough for authentication to Exchange Online PowerShell; however, you can use any certificate for this as long as you can export it in .cer format.

Run this to create and export the certificate:

# Create the certificate in the current user's personal store and keep a reference to it
$cert = New-SelfSignedCertificate -FriendlyName "Exchange Online Authentication Certificate" -Subject "Exchange Online Authentication Certificate" -CertStoreLocation 'cert:\CurrentUser\My' -KeySpec KeyExchange
# Export the public certificate only (.cer); this is the file uploaded to the Azure AD app
Export-Certificate -Cert $cert -FilePath 'c:\temp\ExchangeAuth.cer'

It is important to ensure that the user account that will authenticate with the certificate has it, together with its private key, in its own certificate store, or can otherwise access the certificate file. A .cer export contains only the public half, which is enough for Azure AD but not for signing in.
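The same certificate creation and export as an added example, not code from the original post: it sets an explicit validity period, marks the private key non-exportable, and checks that the account running the script can actually use the private key, since that is what Connect-ExchangeOnline will need. The export path is an assumption.

```powershell
# Added example (not from the original post). Creates the authentication certificate,
# exports the public .cer for upload to the Azure AD app, and verifies the private key
# is usable by the current account. Path below is an assumption; adjust as needed.
$certParams = @{
    FriendlyName      = 'Exchange Online Authentication Certificate'
    Subject           = 'CN=Exchange Online Authentication Certificate'
    CertStoreLocation = 'Cert:\CurrentUser\My'   # use Cert:\LocalMachine\My if a service account runs the task
    KeySpec           = 'KeyExchange'
    KeyExportPolicy   = 'NonExportable'          # private key cannot be copied out of this store
    KeyLength         = 2048
    NotAfter          = (Get-Date).AddYears(1)   # explicit expiry so rotation can be planned
}
$cert = New-SelfSignedCertificate @certParams

# Export only the public certificate; this is what goes under Certificates & secrets.
$exportPath = 'C:\temp\ExchangeAuth.cer'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null

# Sanity check: the account that will run Connect-ExchangeOnline must be able to use the
# private key, otherwise sign-in fails with a generic authentication error.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no accessible private key."
}

# Record what the connection step needs later.
Write-Output "Thumbprint: $($cert.Thumbprint)"
Write-Output "Expires:    $($cert.NotAfter)"
```

Because the key is non-exportable, create the certificate directly in the store of the account that will run the automation (for a scheduled task under a service or machine account that is usually Cert:\LocalMachine\My) rather than creating it as yourself and trying to move it later.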

Creating the Azure AD App

Next we need to create an Azure AD App, this is done as follows:

  • Login to Azure and navigate to App Registrations
  • Select New Registration
  • Type a friendly name such as ‘Exchange Certificate Auth’ so that you know what this is when you come back to it in the future
  • Once the application has been created you should see the App ID and the Object ID
  • Navigate to API permissions, add the Exchange.ManageAsApp application permission (found under the Office 365 Exchange Online API) and then Grant admin consent for this permission
  • Browse to Certificates & secrets and upload the previously created certificate

Assigning the required Exchange Online permissions

Currently the Graph API does not support any Exchange management operations, so we cannot scope the permissions using Graph. Nor can we use the tried-and-tested Exchange RBAC model, as that only applies to user objects and no user object exists for our application. What we do have is a ‘Service Principal’ object, which exists precisely so that permissions and roles can be granted within Azure to support more secure authentication models.

Now, as we are trying to manage Exchange through this method, we need to look at which roles that exist in both Azure AD and Exchange Online we can assign. These are:

  • Global Administrator
  • Exchange Administrator
  • Security Administrator
  • Security Reader
  • Helpdesk Admin
  • Global Reader

Select the least-privileged role that covers what you want to do and add the application to it using the Application ID of the app registration we have already created. N.B. This has to be done through Azure AD, as the application does not appear within Office 365.

Connecting to Exchange Online

From here we are at the easy bit, connecting to Exchange Online, which is done with the following:

Connect-ExchangeOnline -CertificateThumbprint "YOURCERTIFICATETHUMBPRINT" -AppId "YOURAPPID" -Organization tenant.onmicrosoft.com

(Screenshot: Connect-ExchangeOnline via Certificate)

Now you are connected you can operate EXO PowerShell as you normally would. This is excellent for use in Scheduled Tasks and other automation tools for anything related to Exchange Online management.
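An unattended connection script of the kind a scheduled task would run, as an added example that is not part of the original post. It checks the certificate is present, has a private key and is not about to expire before attempting to connect, runs one read-only management query, and always disconnects. The App ID, tenant name, thumbprint and output path are placeholders; the query itself (listing mailboxes that still have POP or IMAP enabled) is just one example of the kind of task you might automate.

```powershell
# Added example (not from the original post): scheduled-task style connection using
# certificate-based auth. All identifiers below are placeholders.
$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder Application (client) ID
$Organization = 'tenant.onmicrosoft.com'                  # placeholder tenant
$Thumbprint   = 'YOURCERTIFICATETHUMBPRINT'               # placeholder certificate thumbprint
$OutputCsv    = 'C:\temp\LegacyProtocolMailboxes.csv'     # assumed output path

$ErrorActionPreference = 'Stop'
Import-Module ExchangeOnlineManagement

# Pre-flight checks so a failed run reports a clear cause in the task history
# instead of a generic authentication error.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "Certificate $Thumbprint not found in CurrentUser\My for $env:USERNAME."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key available to this account."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); rotate it and update the app registration."
}

$connected = $false
try {
    Connect-ExchangeOnline -CertificateThumbprint $Thumbprint -AppId $AppId -Organization $Organization -ShowBanner:$false
    $connected = $true

    # Example read-only task: mailboxes that still allow legacy POP/IMAP access.
    $report = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Select-Object Identity, PopEnabled, ImapEnabled

    $report | Export-Csv -Path $OutputCsv -NoTypeInformation
    Write-Output "Wrote $($report.Count) mailbox entries to $OutputCsv"
}
finally {
    # Always tear the session down so an aborted task does not leave an app-only session open.
    if ($connected) { Disconnect-ExchangeOnline -Confirm:$false }
}
```

Run it under the same account whose store holds the certificate; if the task runs as a service or machine account, change the store path to Cert:\LocalMachine\My to match where you created the certificate.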