Connecting to Exchange Online with PowerShell to automate tasks became slightly more challenging when Microsoft retired basic authentication for Microsoft 365 tenants. Interactive sessions can still sign in with modern authentication, but unattended scripts that used to pass a username and password now have to use certificate-based (app-only) authentication instead.

The move was a smart one for security, but many administrators now struggle to connect to Exchange Online to run automated maintenance or monitoring scripts. Popular workarounds include re-enabling basic authentication for a service account or carving out exceptions in conditional access policies, both of which reopen the hole that was just closed. If you follow the steps outlined below, you will instead be able to connect to Exchange Online with PowerShell using certificate-based authentication.

These instructions are written with a single tenant in mind.

So, first up, we need a certificate. A self-signed certificate generated on any Windows device is sufficient; Exchange Online only checks that the private key used to sign in matches the public key uploaded to the app registration.

Open up a PowerShell window, and enter the following:

New-SelfSignedCertificate -DnsName "mytenant.onmicrosoft.com" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange | Export-PfxCertificate -FilePath mycert.pfx -Password (Read-Host -AsSecureString -Prompt "Enter a Password for PFX File")

The DNS name can be anything; however, it may be useful to use the tenant domain name to identify the certificate more easily.

Create and export a self signed certificate

You will be prompted to enter a password.

The password is required whenever the PFX file is imported, so make sure it is strong and stored securely (for example in a password manager or a key vault). Whoever holds the PFX file together with this password can act as the application, so treat both like an admin credential.

Self-signed certificate saved to a file

We also need to export the certificate again, but only the public key this time.

Enter the following:

(get-childitem Cert:\CurrentUser\my) | Where-Object {$_.Subject -eq "cn=mytenant.onmicrosoft.com"} | Export-Certificate -FilePath mycert.cer

Export certificate public key
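The whole certificate step as one script, added here as an example rather than taken from the article: it creates the certificate with explicit algorithm choices, exports both the PFX (private key) and the CER (public key) files, and then checks that the CER file really contains no private key and carries the same thumbprint as the key in the certificate store. The tenant name, file names and password prompt are placeholders you replace with your own.

```powershell
# Added example (not from the original article): create the self-signed certificate,
# export the private key (PFX) and the public key (CER), and verify the two files.
# Assumed values: the tenant name and file paths below are placeholders.
$Tenant  = "mytenant.onmicrosoft.com"      # used only as the certificate subject
$PfxPath = Join-Path $PWD "mycert.pfx"
$CerPath = Join-Path $PWD "mycert.cer"

$PfxPassword = Read-Host -AsSecureString -Prompt "Enter a password for the PFX file"

# RSA 2048 / SHA-256, valid for one year, exportable so the PFX export below works.
$cert = New-SelfSignedCertificate -Subject "CN=$Tenant" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# Certificate plus private key, password protected: keep this file off shared drives.
$null = Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword

# Public certificate only: this is the file you upload to the app registration.
$null = Export-Certificate -Cert $cert -FilePath $CerPath

# Check: the CER file must load without a private key and match the store thumbprint.
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
if ($public.HasPrivateKey) {
    throw "CER export unexpectedly contains a private key; do not upload it"
}
if ($public.Thumbprint -ne $cert.Thumbprint) {
    throw "Thumbprint mismatch between the store certificate and $CerPath"
}

# Summary; the thumbprint is the value Connect-ExchangeOnline needs later.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PfxFile    = $PfxPath
    CerFile    = $CerPath
}
```

Note the NotAfter date in the output: a one-year certificate means that in a year the script stops working until you generate a new certificate, upload the new CER to the app registration, and update the thumbprint in your scripts, so record the expiry somewhere you will see it.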

Next, sign in to the Azure portal, open Azure Active Directory (now Microsoft Entra ID), and navigate to App registrations.

Create a new registration

Enter a name for your application, and click Register.

Register an application

Once it's created, navigate to Certificates & secrets.

Navigate to Certificates & secrets

We will upload the certificate public key we created earlier to our application.

Switch to the Certificates tab, choose Upload a certificate, and browse to the file mycert.cer (not the PFX file).

Upload certificate to application

Your certificate will now show as installed. Because only the public key was uploaded, the only thing that can authenticate as this application with it is the matching private key in the PFX file. Azure AD never sees the private key; it simply verifies that the sign-in request was signed by it.

Certificate uploaded to App Registration

Take note of the thumbprint; you will need it to connect to Exchange Online.

Next, we need to assign some permissions to our application. Switch to the API permissions page.

Application API permissions

Choose Add a permission. Then, on the Request API permissions screen, choose APIs my organization uses, and type Office 365 Exchange Online into the search box exactly as shown.

Office 365 Exchange Online

Select Office 365 Exchange Online, and then select Application permissions.

Choose Application permission

From the list of available permissions, choose Exchange.ManageAsApp and add it. Then, back on the API permissions page, choose Grant admin consent; application permissions have no user to consent on their behalf, so nothing works until an admin consents for the tenant.

Exchange.ManageAsApp permission

Grant admin consent for the tenant

You can remove the Microsoft Graph User.Read permission that every new registration gets by default; it is good practice to keep the assigned permissions to the minimum the script actually needs.

Remove Microsoft Graph permission

We now need to assign an Azure AD role to the application. Exchange.ManageAsApp only allows the app to call Exchange Online PowerShell; what it is permitted to do once connected is governed by the directory role you assign. Exchange Administrator is the usual choice; if the script only manages recipients, the less privileged Exchange Recipient Administrator role is also supported and limits the blast radius if the certificate is ever stolen.

To do so, in Azure, navigate to Roles and administrators. Find the Exchange Administrator role.

Azure roles and administrators

Choose Add assignments, and add the app registration we created.

Add role assignment

Add app registration to role

The last thing we need to do is collect the application ID. You can get this from the Overview page of the application registration, where it is labeled Application (client) ID.

Get the app registration ID

You can use the following information to connect to Exchange Online PowerShell (the names are the parameters of Connect-ExchangeOnline):

Organization: the tenant domain of your M365 tenant, for example mytenant.onmicrosoft.com
AppId: the Application (client) ID of our app registration
CertificateThumbprint: the thumbprint of the certificate we created

You can now connect from the PowerShell window we started with initially, because the certificate and its private key are already in that user's certificate store.


Connect to Exchange Online
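Putting the three values together, here is an added example (not the article's own code) of a connection script suitable for an unattended job: it verifies that the certificate with its private key is present in the store, warns when it is close to expiry, connects, runs one read-only command as a smoke test, and always disconnects. The AppId, thumbprint and organization values are placeholders.

```powershell
# Added example (not from the original article): connect to Exchange Online with the
# certificate, run one read-only command, and always tear the session down.
# Assumed values: the AppId, thumbprint and organization below are placeholders.
$AppId        = "00000000-0000-0000-0000-000000000000"        # Application (client) ID
$Thumbprint   = "0123456789ABCDEF0123456789ABCDEF01234567"    # certificate thumbprint
$Organization = "mytenant.onmicrosoft.com"                    # tenant domain

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# On the machine that runs this unattended, import the PFX once into the store of the
# account that runs the job. Without -Exportable the private key can be used for
# signing but can no longer be exported from that store:
#   Import-PfxCertificate -FilePath .\mycert.pfx -CertStoreLocation Cert:\CurrentUser\My `
#       -Password (Read-Host -AsSecureString -Prompt "PFX password")

# Check the certificate and, above all, its private key are really there.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; import the PFX file, not the CER"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it and upload a new CER"
}

try {
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
        -Organization $Organization -ShowBanner:$false -ErrorAction Stop

    # Smoke test: a read-only call that shows the session is working.
    Get-OrganizationConfig | Select-Object Name, DisplayName
}
finally {
    # Runs whether the block above succeeded or threw, so no session is left behind.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the PFX cannot be imported into a certificate store (for example on a non-Windows host), Connect-ExchangeOnline also accepts -CertificateFilePath and -CertificatePassword instead of -CertificateThumbprint; in that case the PFX file and its password are the secret, and they need the same protection as the private key in the store.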

However, you can also use the certificate in Azure Automation to run scheduled PowerShell scripts, which I will cover in a separate article.


© 4sysops 2006 - 2023
