Multi-Factor Authentication for the Hybrid Configuration Wizard and Remote PowerShell


You can now use an Administrator account that is enabled for Multi-Factor Authentication to sign in to Exchange Online PowerShell and the Office 365 Hybrid Configuration Wizard (HCW).

In case you are not aware, Azure Multi-Factor Authentication is a method of verifying who you are that requires more than just a username and password. With MFA for Office 365, users are required to acknowledge a phone call, text message, or app notification on their smartphones after correctly entering their passwords. They can sign in only after this second authentication factor has been satisfied. You can read more about the Office 365 Multi-Factor Authentication option here.

Many Exchange Online customers wanted the extra level of security of forcing the administrator account to use Multi-Factor Authentication. However, because of a limitation in Remote PowerShell, Exchange Online administrators could not connect with a Multi-Factor enabled account. In addition, because the Office 365 Hybrid Wizard also requires Remote PowerShell connections to Exchange Online, until now the account you used to run the HCW could not be enabled for Multi-Factor Authentication.

The Exchange Online PowerShell Module

A new module is available for download that allows you to connect with an account that is enabled for Multi-Factor Authentication. You can download the module from the Exchange Online Administration Center (the steps are outlined in this article).


Note: We do not plan to discontinue traditional methods of connecting to Remote PowerShell; if you are not using Multi-Factor Authentication you can continue to connect using the methods you already have in place.

The Hybrid Wizard Update

The Hybrid Wizard has also been updated to allow administrators who are enabled for Multi-Factor Authentication to authenticate.

Note: There is an issue with this new authentication method in the 21 Vianet Greater China tenants. Customers with tenants in that region cannot use the MFA module or Hybrid integration mentioned in this article and should instead use the Hybrid Wizard located here: http://aka.ms/HCWCN

To keep the sign-in experience consistent for all customers, whether they have MFA enabled or are using traditional credentials, we have updated the credentials page in the wizard.

On the Credential page of the wizard you will see that the “next” button is not available. You are required to pick your credential for on-premises (which by default will be the currently signed in credentials) and “sign in” to Office 365.


Once you select “sign in” you will be prompted for credentials in a familiar-looking screen.


If you have Multi-Factor Authentication enabled for the administrator, you would then be prompted for the second factor of authentication.


Once verified, you would see the credential card for both the on-premises and Exchange Online administrators. You will also notice that the “next” button is now activated.


Conclusion

Your feedback about not being able to use an MFA-enabled account for Exchange Online administration was loud and clear! Please keep providing us feedback so we can continue to identify and address your needs.

The Exchange Team

Comments (14)

  1. We utilize ISE editor extensively when writing and running scripts. If our cloud accounts are MFA-enabled, how can we call this new MFA-enabled PowerShell module in ISE Editor? It seems like it’s not possible and we just have to run the MFA-enabled PowerShell module on its own.

    1. We are working with the MFA module folks to update content around this, but you are correct, the module should be run on its own for scripting

    2. Sebastian Olsson says:

      If you’re using MFA with ISE Editor. Requires you to run the above at least once before the below script is working.
      Connect with the following script:

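      # Per-user install location of the ClickOnce-deployed module
      $Path = $env:LOCALAPPDATA + "\Apps\2.0\"
      Import-Module MSOnline
      Connect-MsolService
      # Locate the module DLL under the install path, skipping "_none_" folders, and load the first match
      Import-Module $((Get-ChildItem -Path $Path -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName | ?{ $_ -notmatch "_none_" } | select -First 1)
      # Open the MFA-capable session and import its cmdlets
      $NewSession = New-ExoPSSession
      Import-PSSession $NewSession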

  2. Jetze Mellema says:

    Thanks!

    Is the new PowerShell module no longer in Preview?

    1. The Module was in preview only till the HCW released the capability to use MFA, therefore it is no longer in preview

  3. Ben says:

    I appreciate it’s not your team! but would you be able to find out if we have a date planned for the Security and Compliance PS to support MFA? – now EXO is GA, that’s the only thing stopping us going fully MFA for all admins! (compliance searches etc)

  4. Kiran Ramesh says:

    Hello, we are a bunch of admins here who use PowerShell extensively. Do I need to upgrade to the full version of Azure Multi-Factor Authentication if I need to take advantage of this?

  5. PowerShell for MFA will be interesting. Great work team.

  6. Ashwin Chatla says:

    Is Security & Compliance covered as well with MFA enabled account?

    1. This is a connection to Exchange Online PowerShell with MFA, so anything you can do in Exchange Online PowerShell should work here

  7. Kazzan says:

    Great improvement! Are there plans to support Delegated Administrator Rights cmdlets in Exchange MFA PowerShell? I mean executing things with -TenantID parameter.

  8. adamrutt says:

    Can anyone get this new module to work with an authenticated proxy server? When doing a remote PowerShell session previously I was able to add options to the session to send it through our proxy server, is this possible with the MFA module?

  9. NotThatGuy says:

    Where do you guys keep the release notes for the HCW?

    1. We do not have release notes for this application, we will sometimes add release information to the Exchange Release Notes, in TechNet articles, or in EHLO blogs whenever appropriate.
