How-to connect to Office 365 with PowerShell and multi-factor authentication

Related post: How-to connect to Office 365 with PowerShell

There are several Office 365 services that can be managed with PowerShell. These are:

  • Exchange Online
  • Security & Compliance Center
  • SharePoint Online
  • Skype for Business Online
  • StaffHub
  • Teams

Related services are:

  • Azure Active Directory
  • Microsoft Graph

This post shows how to connect with PowerShell to these services using an account with Multi-Factor Authentication (MFA) enabled. For the connection, a global administrator account is used. The given PowerShell commands are executed on a Windows 10 Pro device.

Exchange Online

There are some pre-requisites before a connection to Exchange Online can be made. The pre-requisites are described here. A new PowerShell shell is added to the device as part of the installation. It is named Microsoft Exchange Online PowerShell Module, and this shell must be used. On the device used, the following command also had to be run in a command prompt with administrator privileges: winrm quickconfig. If it asks to set up a firewall exception, that does not have to be done.

Connecting to Exchange Online can be done with the following code:

Connect-EXOPSSession -UserPrincipalName <UPN>

<UPN> is your Office 365 login username. Example: administrator@contoso.com. When running the code given above, the next step depends on your situation:

  • When you are logged in with the same account (Azure Active Directory joined device), the module is imported automatically and after a few seconds you can enter PowerShell commands.
  • When you are logged in with a different account, a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.

Security & Compliance Center

There are some pre-requisites before a connection to the “Security & Compliance Center” can be made. The pre-requisites are described here. Simply said, it uses the same module (and shell) as used for connecting to Exchange Online.

Connecting to the “Security & Compliance Center” can be done with the following code:

Connect-IPPSSession -UserPrincipalName <UPN>

<UPN> is your Office 365 login username. Example: administrator@contoso.com. When running the code given above, the next step depends on your situation:

  • When you are logged in with the same account (Azure Active Directory joined device), the module is imported automatically and after a few seconds you can enter PowerShell commands.
  • When you are logged in with a different account, a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.

SharePoint Online

There are 2 different options to connect to SharePoint Online, both having their own scope:

  • SharePoint Online Management Shell
  • PnP PowerShell

The first focuses mainly on the tenant and site collection level. The second focuses on the site collection level and “below”.

SharePoint Online Management Shell

The same software is used as installed for connecting without MFA. Connecting to SharePoint Online can be done with the following code:

$url = "<URL>"
Connect-SPOService -Url $url
<YOUR CODE>
Disconnect-SPOService

Here, <YOUR CODE> is the PowerShell code you want to run and <URL> is the URL of the SharePoint admin center. Example: https://contoso-admin.sharepoint.com

After the second step, a login box will appear in which the username must be entered. Then a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.
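The connect, run and disconnect steps above can be wrapped so that the session is always closed, even when <YOUR CODE> throws. This is an added example, not code from the original post; the function name Invoke-SpoAdminCommand, its parameters and the URL check (which assumes the commercial-cloud <tenant>-admin.sharepoint.com naming) are assumptions.

```powershell
# Added example: helper name and parameters are hypothetical, not from the post.
function Invoke-SpoAdminCommand {
    [CmdletBinding()]
    param(
        # SharePoint admin center URL, e.g. https://contoso-admin.sharepoint.com
        [Parameter(Mandatory)]
        [string]$AdminUrl,

        # The <YOUR CODE> part, passed as a script block.
        [Parameter(Mandatory)]
        [scriptblock]$ScriptBlock
    )

    # Assumption: commercial-cloud naming (<tenant>-admin.sharepoint.com).
    # Reject anything else so the sign-in box is never opened for a
    # mistyped or non-admin URL.
    if ($AdminUrl -notmatch '^https://[a-z0-9-]+-admin\.sharepoint\.com/?$') {
        throw "Not a SharePoint admin center URL: $AdminUrl"
    }

    $connected = $false
    try {
        # No -Credential parameter: the interactive login box appears,
        # so the MFA prompt is part of the sign-in.
        Connect-SPOService -Url $AdminUrl -ErrorAction Stop
        $connected = $true
        & $ScriptBlock
    }
    finally {
        # Runs on success, on error and on Ctrl+C. Skipped when sign-in
        # never completed, because there is no connection to close then.
        if ($connected) { Disconnect-SPOService }
    }
}

# Usage: list every site collection URL, then drop the connection.
Invoke-SpoAdminCommand -AdminUrl 'https://contoso-admin.sharepoint.com' -ScriptBlock {
    Get-SPOSite -Limit All | Select-Object -ExpandProperty Url
}
```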

PnP PowerShell

The same software is used as installed for connecting without MFA. Connecting to SharePoint Online can be done with the following code:

$url = "<URL>"
Connect-PnPOnline -Url $url -UseWebLogin
<YOUR CODE>
Disconnect-PnPOnline

Here, <YOUR CODE> is the PowerShell code you want to run and <URL> is the URL of a site. Example: https://contoso.sharepoint.com

When running the code given above, the next step depends on your situation:

  • When you are logged in with the same account (Azure Active Directory joined device), the connection is made automatically and after a few seconds you can enter PowerShell commands.
  • When you are logged in with a different account, a login box will appear in which the username must be entered. Then a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.

Skype for Business Online

The same software is used as installed for connecting without MFA. Connecting to Skype for Business Online can be done with the following code:

$skypeSession = New-CSOnlineSession -Username <UserName>
Import-PSSession $skypeSession
<YOUR CODE>
Remove-PSSession $skypeSession

Here, <YOUR CODE> is the PowerShell code you want to run and <UserName> is your Office 365 login username. After the first step, a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.

StaffHub

There is currently no PowerShell module for StaffHub. As can be seen from this page, cmdlets seem to be on their way.

Teams

The same software is used as installed for connecting without MFA. Connecting to Microsoft Teams can be done with the following code:

Connect-MicrosoftTeams
<YOUR CODE>
Disconnect-MicrosoftTeams

Here, <YOUR CODE> is the PowerShell code you want to run.

After the first step, a login box will appear in which the username must be entered. Then a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.

Azure Active Directory

There are 2 ways to connect to Azure Active Directory (Azure AD):

  • Version 1
  • Version 2

As the name implies, version 2 is the newer one.

Version 1

The same software is used as installed for connecting without MFA. Connecting to Azure AD can be done with the following code:

Connect-MsolService
<YOUR CODE>

Here, <YOUR CODE> is the PowerShell code you want to run.

After the first step, a login box will appear in which the username must be entered. Then a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.

Version 2

The same software is used as installed for connecting without MFA. Connecting to Azure AD can be done with the following code:

Connect-AzureAD
<YOUR CODE>
Disconnect-AzureAD

Here, <YOUR CODE> is the PowerShell code you want to run.

After the first step, a login box will appear in which the username must be entered. Then a login box will appear in which the password must be entered. When clicking on the “Sign in” button, MFA kicks in.

Microsoft Graph

Connecting to Microsoft Graph is a bit more complex than a simple connect cmdlet. How to connect to Microsoft Graph with PowerShell using an MFA-enabled account is saved for a future blog post.
