Exchange Online PSSession and modern auth

Philippe tulesauraspas 126 Reputation points
2021-06-24T19:05:30.4+00:00

Hello,

we are trying to use a pssession with an azure app and with the modern auth to connect to exchange online.

Connecting is not a problem.

this is how we do it :

$tenantID = "xxxxx-xxxxxxxxxx-xxxxx" #your tenantID or tenant root domain  
  
$appID = "xxxxx-xxxxxxxxxx-xxxxx" #the GUID of your app  
  
$client_secret = "someverylongsecret" #client secret for the app  
  
$body = @{  
  
     client_id = $AppId  
  
scope = "https://outlook.office365.com/.default"  
  
     client_secret = $client_secret  
  
     grant_type = "client_credentials"  
  
}  
  
$authenticationResult = Invoke-WebRequest -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body -ErrorAction Stop  
  
$token = ($authenticationResult.Content | ConvertFrom-Json).access_token  
  
$Authorization = "Bearer {0}" -f $Token  
  
$Password = ConvertTo-SecureString -AsPlainText $Authorization -Force  
  
$Ctoken = New-Object System.Management.Automation.PSCredential -ArgumentList "OAuthUser@$tenantId",$Password #replace your tenantGUID here  
  
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true" -Credential $Ctoken -Authentication Basic -AllowRedirection -Verbose  

Connecting does work, and i can enter the pssession without problem.
Get-* cmdlets work without issues.

Set-* cmdlets do not work.

I get this kind of message :

System.Management.Automation.RemoteException: Serveur source:PR0P264MB0730.FRAP264.PROD.OUTLOOK.COM n’a pas l’autorisation
d’écrire sur DC cible:VI1P189A003DC03.EURP189A003.PROD.OUTLOOK.COM. Cela signifie généralement que la forêt cible n’est pas une
partition de la forêt source. Informations supplémentaires : Insufficient access rights to perform the operation.
Réponse d'Active Directory : 00002098: SecErr: DSID-03150F94, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The thing is if i use the new exchangeonlinemanagement module, with the same APP ID, i dont have this kind of problems... so it's not a right problems per say.. !

this does work on another subscription.. so i'm a bit lost here !

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,168 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,339 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 95,081 Reputation points MVP
    2021-06-25T06:13:03.28+00:00

    Oh, I remembered one thing I forgot to add in the blog - make sure you pass the "anchor" when connecting. The module cmdlet does that for you, but when you create the session yourself, you need to add "&email=SystemMailbox%7bbb558c35-97f1-4cb9-8ff7-d53741dc928c%7d%40tenantname.onmicrosoft.com" to the connection string.

    So the end result should be something like this:
    "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true&email=SystemMailbox%7bbb558c35-97f1-4cb9-8ff7-d53741dc928c%7d%40tenantname.onmicrosoft.com"

    This will fix some of the issues, but not all, as some cmdlets are simply not designed to work in the context of an app.

    2 people found this answer helpful.

4 additional answers

Sort by: Most helpful
  1. Vasil Michev 95,081 Reputation points MVP
    2021-06-24T20:56:57.467+00:00

    Decode the token and check whether it contains the proper list of AAD roles in the wids claim.

    1 person found this answer helpful.
    0 comments No comments

  2. Philippe tulesauraspas 126 Reputation points
    2021-06-25T07:49:49.787+00:00

    Fyi this works great :)
    thank youuuuuu !
    in our scenari we are using UniversalDashboard to work on exo, and with the exov2 module, the ud process memory kept growing and growing ... i saw some posts about a memory leak...
    the only workaroung was to restart our process every 24H so it was pretty ugly!
    but with this we dont depend on exov2 and this is awesome !!!

    Can you elaborate on "some cmdlets are simply not designed to work in the context of an app" ??

    And last question: will MS eventually make this impossible in the near future ?

    Thank you very much @Vasil Michev !

    1 person found this answer helpful.

  3. Philippe tulesauraspas 126 Reputation points
    2021-06-24T21:02:09.353+00:00

    yes it does.
    In fact, i compared the generated token and the one generated by the exov2 module (there is a gettoken method available on the pssession) and they are exactly the same. Wids, aud, etc..

    ( btw thanks for you blog :) i fist discovred this solution on you blog :) )


  4. Philippe tulesauraspas 126 Reputation points
    2021-06-25T06:54:50.817+00:00

    haha :) i was wondering if maybe i add to complete the uri .. thought all that was after "BasicAuthToOAuthConversion=true" was just for telemetry !
    ok i'll try that and test it ! and get back !

    0 comments No comments