Use PowerShell MFA with Office 365

To ensure the security of your connections to Office 365, whether its for Exchange, Security and Compliance Center or Azure AD, using Multifactor Authentication (MFA) is a key component you should be using. Why use MFA? MFA is another security layer that makes it hard for someone to jeopardize your accounts. For Global Admins or any account with raised privileges, this is key. Any compromise to those accounts can cause severe harm to your Office 365 tenant. So how do we go about this?

Exchange Online
In order to connect to ExO with MFA, log into your Office 365 tenant, select the Exchange Admin Center and browse to the Hybrid Tab. From there you can download the Exchange Online PowerShell module. Once that is download you can kick off a session with the shortcut on your desktop that shows as ‘Microsoft Exchange Online PowerShell Module’. The ExO shell that is launched looks different than your standard shells and it provides a helpful tip at the start:

We then run Connect-ExOPSSession either with the -UserPrincipalName parameter or not. If we do not specify the UPN, we will be prompted to enter it. If we do specify it, then we will be prompted for a password first.

Once logged in, we have a session that looks like this:

Security and Compliance Center
Where to get the module – See the Exchange Online section above.
Once downloaded and launched, all we need to do it use the ‘Connect-IPPSSession’ to connect to the Security and Compliance Center:

Just as easy as Exchange Online.

Azure AD

In order to connect to Azure AD with MFA, you need to have the new MSOnline PowerShell Module. If you do not, you will experience failures. Check to see which version you have with:
[sourcecode language=”powershell”]
Get-Module MSOnline
[/sourcecode]
If the version is less than 1.1 for example, it is out of date and probably will not support MFA. Example of a newer install:

In order to update or download the newest version, we can use this cmdlet:
[sourcecode language=”powershell”]
Install-Module MSOnline
[/sourcecode]
Make sure you are running your PowerShell window as an admin, or you experience this error:

Once installed, connecting to Azure AD with MFA is as simple as the other above with:
[sourcecode language=”powershell”]
Connect-MSOLService
[/sourcecode]
.. and that’s it.

… and Beyond – Further Reading

SharePoint – https://social.technet.microsoft.com/wiki/contents/articles/36857.sharepoint-online-o365-set-up-multi-factor-authentication.aspx
Azure – https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Teams – https://docs.microsoft.com/en-us/microsoftteams/sign-in-teams
Overall – https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

In the end, any admin account connecting to an Office 365 workload should be using MFA, even in PowerShell. The entire process is easy to work with and for the couple of extra seconds per login, worth the extra security it provides.

** Also, there is support for hard and soft OATH tokens – https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Hardware-OATH-tokens-in-Azure-MFA-in-the-cloud-are-now-available/ba-p/276466.

Related Post

Schedule It!Schedule It!

Schedule it. Automate it. Leveraging this function enables a coder to expand what they can accomplish with scripting in an environment. PowerShell scripts can do this with the Windows Scheduler