Multi-Factor Authentication for the Hybrid Configuration Wizard and Remote PowerShell

You can now use an Administrator account that is enabled for Multi-Factor Authentication to sign in to Exchange Online PowerShell and the Office 365 Hybrid Configuration Wizard (HCW).

In case you are not aware, the Azure multi-factor authentication is a method of verifying who you are that requires the use of more than just a username and password. Using MFA for Office 365, users are required to acknowledge a phone call, text message, or app notification on their smart phones after correctly entering their passwords. They can sign in only after this second authentication factor has been satisfied. You can read more about the Office 365 Multi Factor Authentication option here.

Many Exchange Online customers wanted the extra level of security that is offered with Multi-Factor Authentication, which allows you to force the administrator account to use Multi-Factor Authentication. However, because of a limitation in Remote PowerShell, Exchange Online administrators could not connect with a Multi-Factor enabled account. In addition, as the Office 365 Hybrid Wizard also requires Remote PowerShell connections to Exchange Online, prior to now, the account you used to run the HCW could not be enabled for Multi-Factor Authentication.

The Exchange Online PowerShell Module

There is a new module that was created that can be downloaded to allow you to connect with an account that is enabled for Multi-Factor Authentication. You can download the module from the Exchange Online Administration Center (the steps are outlined in this article).


Note: We do not plan to discontinue traditional methods of connecting to Remote PowerShell; if you are not using Multi-Factor Authentication you can continue to connect using the methods you already have in place.

The Hybrid Wizard Update

The Hybrid Wizard has also been updated to allow for Multi-Factor Authentication enabled administrators to authenticate.

Note: There is an issue with this new Authentication method in the 21 Vianet Greater China tenants. For customers with Tenants in that region you cannot use the MFA module or Hybrid integration mentioned in this article and should instead use the Hybrid Wizard located here:

In order to keep the sign in experience consistent for all customer whether they have MFA enabled or are using traditional credentials, we have updated our credentials page in the wizard.

On the Credential page of the wizard you will see that the “next” button is not available. You are required to pick your credential for on-premises (which by default will be the currently signed in credentials) and “sign in” to Office 365.


Once you select “sign in” you will be prompted for credentials in a familiar looking screen.


If you have Multi-Factor Authentication enabled for the administrator, you would then be prompted for the second factor of authentication.


Once verified, you would see the credential card for both the on-premises and Exchange Online administrators. You will also notice that the “next” button is now activated.



Your feedback about not being able to use MFA enabled account for Exchange Online administration was loud and clear! Please keep providing us feedback so we can continue to identify and address your needs.

The Exchange Team

Comments (22)
  1. We utilize ISE editor extensively when writing and running scripts. If our cloud accounts are MFA-enabled, how can we call this new MFA-enabled Powershell module in ISE Editor? It seems like it’s not possible and we just have to run the MFA-enabled Powershell module on it’s own.

    1. We are working with the MFA module folks to update content around this, but you are correct, the module should be runs on it’s own for scripting

    2. Sebastian Olsson says:

      If you’re using MFA with ISE Editor. Requiers you to run the above at least once before the the below script is working.
      Connect with the following script:

      $Path = $env:LOCALAPPDATA+”\Apps\2.0\”
      Import-Module MSOnline
      Import-Module $((Get-ChildItem -Path $($Path) -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch “_none_”}|select -First 1)
      $NewSession = New-ExoPSSession
      Import-PSSession $NewSession

      1. Abbas says:

        Hey Sebastian Olsson

        Thank you so much for this one mate.

        THis is really very helpful.

        Have a nice life.

        Good things come back to you man.


  2. Jetze Mellema says:


    Is the new PowerShell module no longer in Preview?

    1. The Module was in preview only till the HCW released the capability to use MFA, therefore it is no longer in preview

  3. Ben says:

    I appreciate it’s not your team! but would you be able to find out if we have a date planned for the Security and Compliance PS to support MFA? – now EXO is GA, that’s the only thing stopping us going fully MFA for all admins! (compliance searches etc)

  4. Kiran Ramesh says:

    Hello, We are a bunch of admins here who use Powershell extensively. Do I need to upgrade to the full version of Azure Multi-Factor Authentication if I need to take advantage of this.

  5. Powershell for MFA will be interesting. Great work team.

  6. Ashwin Chatla says:

    Is Security & Compliance covered as well with MFA enabled account?

    1. This is a connection to Exchange Online PowerShell with MFA, so anything you can do in Exchange Online PowerShell should work here

  7. Kazzan says:

    Great improvement! Are there plans to support Delegated Administrator Rights cmdlets in Exchange MFA PowerShell? I mean executing things with -TenantID parameter.

  8. adamrutt says:

    Can anyone get this new module to work with an authenticated proxy server? When doing a remote PowerShell session previously I was able to add options to the session to send it through our proxy server, is this possible with the MFA module?

  9. NotThatGuy says:

    Where do you guys keep the release notes for the HCW?

    1. We do not have release notes for this application, we will sometimes add release information to the Exchange Release Notes, in TechNet articles, or in EHLO blogs whenever appropriate.

  10. Shlesh Shah says:

    Hello, I am getting some timeout issues when trying to use PowerShell with dual factor authentication. After 1-2 hours, my online exchange commands stop working. They try to re-authenticate but fail since it pops up with a PowerShell authentication and not the Microsoft authentication to prompt for a code. Is there a fix for this?

    1. Shlesh Shah says:

      I also put in a premier ticket to Microsoft about this issue and received a reply saying the product team will not be looking into this issue. I will have to close and reopen power shell every hour and go through the authentication again. Any thoughts on this?

      1. JSujat says:

        Ours is timing out between one to two minutes. We have found it may have something to do with the proxy. Are you running it behind a proxy?

        1. Jose says:

          We are having the same time-out issue about every two minutes where we have to go through the MFA authentication process again. I do not believe we are behind a proxy, but will confirm. Were you able to get this resolved?

  11. Alain GRAPPY says:

    How can I pass to New-ExoPSSession Cmdlet at least the name of the admin and if possible the password ?

  12. Chris Mankowski says:

    How does this (technically work)?

    We have existing systems that need to integrate similarly.

  13. Please feel free to use my connection script for PowerShell with MFA –

    I have also created tutorials on MFA, including how to enable your admin account with MFA and how to configure your PC for PowerShell with MFA. –

    The script was updated 1 July 2017 and will connect to the following services with MFA enabled –
    – Exchange Online
    – SharePoint Online
    – Skype for Business Online
    – Azure AD v1.0
    – Azure AD v2.0
    – Azure Resource Manager
    – Azure Rights Manager
    – Exchange Online Protection

Comments are closed.

Skip to main content