This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 5%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
I have been able to setup certificate based authentication for Exchange Online Powershell using the document seen here: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
This was pretty easy to setup in only a few minutes.
However, corporate policy absolutely requires two factors of authentication for any process accessing sensitive data. Possession of a certificate is only a single factor in this scenario. Is there a way to require a valid user account + certificate, or perhaps an app password + certificate?
CA Policies require: Azure AD Premium P1 license.
But yea, if you dont have that, then you cant use this option. But otherwise, what you want to do wont work as there is no way to force two authentication methods on an app like this.
Is it possible to apply a single Azure AD Premium P1 license just to this particular app? Because it would be pure stupidity to have to buy it for every user in the organization for an app not a single user interacts with.
Well, the feature isnt out yet, but when its released - hopefully in the near future - its been promised for awhile - I would try it and see if to works. Not sure you would even need a license for one app honestly.
I wasn't aware that the feature wasn't available. Presumably, allowing access only for trusted IPs is a user account thing only at this time?
Correct. User or Group
sorry, that wouldnt really work with cert auth - that's the whole point of using a cert really :)
Having said that, in the future, you should be able to create a Conditional Access policy that you will only accept connections for service principals from "Trusted IPs" - the way you cna set now for regular users. If these scripts are running from on-prem servers for example, you could create a policy that only permits connections from those IPs - that would be pretty secure in addition to the cert auth.
We don't have the E5 licensing for that, and I will not be given the budget for it, unless there's a way I can buy a single E5 license just for this particular app.