Creating New-PSSession is not working with an app password for an MFA-enabled account (MFA type: Authenticator App).
The user has the following privileges.
Role: Global Administrator
Permissions:
Compliance Management (Audit Logs).
Organization Management (View-Only Audit Logs).
While creating a New-PSSession I am getting an error (screenshot attached) in PowerShell.
When I use the initial app password given by Azure when registering for MFA, it works fine (a newly created app password does not work).
Microsoft Security | Microsoft Entra | Microsoft Entra ID
5 answers

Vasil Michev 119.7K Reputation points MVP Volunteer Moderator
2020-07-22T06:47:24.067+00:00 App passwords should not work for any admin endpoints; that's a default security limitation that cannot be lifted. Moreover, there's absolutely no reason to keep using app passwords: ExO Remote PowerShell has supported modern auth/MFA for years now.
Andy David 701 Reputation points
2020-07-22T11:13:13.043+00:00 Here is the document that references the issues with app passwords (and Vasil's spot-on point):
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords
When you use app passwords, the following considerations apply:
There's a limit of 40 app passwords per user.
Applications that cache passwords and use them in on-premises scenarios can fail because the app password isn't known outside the work or school account. An example of this scenario is Exchange emails that are on-premises, but the archived mail is in the cloud. In this scenario, the same password doesn't work.
After Azure Multi-Factor Authentication is enabled on a user's account, app passwords can be used with most non-browser clients like Outlook and Microsoft Skype for Business.
However, administrative actions can't be performed by using app passwords through non-browser applications, such as Windows PowerShell. The actions can't be performed even when the user has an administrative account.
To run PowerShell scripts, create a service account with a strong password and don't enable the account for two-step verification.
The last sentence can be mitigated by using the latest V2 PS ExO module that supports Cert-Based Auth using an Azure App:
https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387
https://www.quadrotech-it.com/blog/certificate-based-authentication-for-exchange-online-remote-powershell/
Andy David 701 Reputation points
2020-07-21T18:18:56.733+00:00 If you are using Conditional Access to enforce MFA, app passwords do not work. Is that the case here?
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2020-07-27T17:58:14.477+00:00 No, the security defaults aren't the same thing as a Conditional Access policy.
You still can't use an app password for what you are trying to do. See the links and information I have already posted above:
To run PowerShell scripts, create a service account with a strong password and don't enable the account for two-step verification.
The last sentence can be mitigated by using the latest V2 PS ExO module that supports Cert-Based Auth using an Azure App:
https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387
https://www.quadrotech-it.com/blog/certificate-based-authentication-for-exchange-online-remote-powershell/
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2020-07-31T16:56:46.357+00:00 Sorry, I didn't see you updated this a few days ago.
I think you are misunderstanding those docs. There are no accounts used and MFA doesn't apply if using that new process. You create an app in Azure and use a certificate to authenticate and secure it. If you want to use a Service Account instead, then don't MFA-enable it.
You have those two choices:
1. You would either use a service account and password that doesn't have MFA enabled (and you could create a Conditional Access policy to limit the connecting account to "trusted networks"),
2. or use the V2 latest update and cert-based auth and an Azure app.
I prefer 2.
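The certificate-based, app-only connection that the two answers above recommend (Andy David's link to the V2 ExchangeOnlineManagement module, and his "choice 2"), written out as an added example. This is not code from the thread or from Microsoft; it uses the module's real cmdlets (Connect-ExchangeOnline, Disconnect-ExchangeOnline, Search-UnifiedAuditLog) and the built-in New-SelfSignedCertificate/Export-Certificate cmdlets, while the function names, the app ID, the tenant name and the certificate subject are placeholders I have assumed. It covers the case in the question: no user account, no app password and no MFA prompt, and the script still gets at the unified audit log.

```powershell
# Added example (not from the thread): connect to Exchange Online PowerShell
# app-only with a certificate (ExchangeOnlineManagement V2 module), then pull
# recent unified audit log records. No user sign-in, app password or MFA
# prompt is involved. All identifiers below are placeholders; replace them.

#Requires -Modules ExchangeOnlineManagement

$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder: app registration (client) ID
$Organization = 'contoso.onmicrosoft.com'                # placeholder: tenant's initial domain
$CertSubject  = 'CN=ExO-Unattended-Audit'                # placeholder: subject of the auth certificate

# One-time setup: create the cert and export only its public half (.cer).
# Upload the .cer to the app registration, grant the app the
# Exchange.ManageAsApp application permission, and assign it a directory
# role that is supported for app-only access (for read-only audit work,
# the least privileged one, e.g. Global Reader). The private key stays in
# this machine's cert store and is marked non-exportable.
function New-ExoAuthCertificate {
    param([string]$Subject, [string]$ExportPath)
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy NonExportable `
        -KeySpec Signature `
        -NotAfter (Get-Date).AddYears(1)
    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    return $cert.Thumbprint
}

# Unattended run: find the newest matching cert, connect app-only,
# query the audit log for the last $Hours hours, always disconnect.
function Get-RecentAuditRecords {
    param([int]$Hours = 24, [int]$Max = 500)
    $cert = Get-ChildItem 'Cert:\CurrentUser\My' |
        Where-Object { $_.Subject -eq $CertSubject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "Auth certificate '$CertSubject' not found in CurrentUser\My" }

    Connect-ExchangeOnline -AppId $AppId `
        -CertificateThumbprint $cert.Thumbprint `
        -Organization $Organization `
        -ShowBanner:$false
    try {
        $end   = Get-Date
        $start = $end.AddHours(-$Hours)
        Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize $Max
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage. Run the setup line once, then schedule the query as a task:
# New-ExoAuthCertificate -Subject $CertSubject -ExportPath "$env:USERPROFILE\exo-auth.cer"
Get-RecentAuditRecords -Hours 24 |
    Select-Object CreationDate, UserIds, Operations, RecordType |
    Format-Table -AutoSize
```

Compared with the service-account option (choice 1), nothing here is a password that can be phished or reused, the private key is bound to the host that runs the job, and the app's role assignment, not a Global Administrator's, bounds what the script can do; rotating the certificate means running the setup function again and uploading the new .cer.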