Exchange Online Powershell - MFA for unattended scripts

asked 2021-11-16T19:46:55.267+00:00
Brandon Poindexter 61 Reputation points

I have been able to setup certificate based authentication for Exchange Online Powershell using the document seen here: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

This was pretty easy to setup in only a few minutes.

However, corporate policy absolutely requires two factors of authentication for any process accessing sensitive data. Possession of a certificate is only a single factor in this scenario. Is there a way to require a valid user account + certificate, or perhaps an app password + certificate?
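The certificate-based setup the question refers to, as an added example (not code from the original post or from Microsoft's documentation). It assumes the placeholders below (app ID, tenant domain, certificate subject) are replaced with real values, that the app registration has already been granted the Exchange.ManageAsApp permission and an Exchange role, that the script runs on Windows (the `-CertificateThumbprint` path reads the local certificate store), and that ExchangeOnlineManagement v3 or later is installed (for `Get-ConnectionInformation`):

```powershell
# Added example: unattended, certificate-only (app-only) Exchange Online session.
# Placeholders: AppId, tenant domain and certificate subject are assumptions.
$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$Organization = 'contoso.onmicrosoft.com'                # placeholder tenant domain
$Subject      = 'CN=ExoAutomation'                       # placeholder certificate subject

# 1. Create the key pair in the machine store with a non-exportable private key.
#    The private key cannot be copied off this host, so the "possession" factor
#    is bound to the machine rather than to a file that can be replayed elsewhere.
$cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public half; this .cer is what gets uploaded to the
#    app registration under "Certificates & secrets".
Export-Certificate -Cert $cert -FilePath "$env:TEMP\ExoAutomation.cer" | Out-Null

# 3. Connect without a user: no password, no MFA prompt, only the certificate.
Connect-ExchangeOnline -AppId $AppId `
    -CertificateThumbprint $cert.Thumbprint `
    -Organization $Organization `
    -ShowBanner:$false

# 4. Before touching anything sensitive, confirm the session really is the
#    certificate-based app-only session we intended and not a cached user session.
$conn = Get-ConnectionInformation
if ($conn.TokenStatus -ne 'Active' -or $conn.CertificateAuthentication -ne $true) {
    throw 'Expected an active certificate-authenticated (app-only) session'
}
"Connected as app $($conn.AppId) to $($conn.Organization)"

Disconnect-ExchangeOnline -Confirm:$false
```

Step 1 is the part worth getting right from a security standpoint: with an exportable key, or a PFX plus password on disk, the single factor the question worries about is also trivially copied; a non-exportable key at least ties it to the host.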

Tags: Azure Active Directory, Microsoft Exchange Online Management

Accepted answer
  1. answered 2021-11-16T21:53:38.647+00:00
    Andy David - MVP 108.7K Reputation points Microsoft MVP

    CA Policies require: Azure AD Premium P1 license.
    But yeah, if you don't have that, then you can't use this option. But otherwise, what you want to do won't work, as there is no way to force two authentication methods on an app like this.


1 additional answer

  1. answered 2021-11-16T19:58:40.917+00:00
    Andy David - MVP 108.7K Reputation points Microsoft MVP

    Sorry, that wouldn't really work with cert auth - that's the whole point of using a cert, really :)

    Having said that, in the future you should be able to create a Conditional Access policy so that you will only accept connections for service principals from "Trusted IPs" - the way you can set it now for regular users. If these scripts are running from on-prem servers, for example, you could create a policy that only permits connections from those IPs - that would be pretty secure in addition to the cert auth.
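The location-based policy for service principals that the answer describes as a future option has since shipped as Conditional Access for workload identities (it needs Workload Identities Premium licensing on top of Azure AD Premium P1). The following is an added example, not code from the answer, showing how to build it with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, the operator holds the `Policy.ReadWrite.ConditionalAccess` and `Application.Read.All` scopes, and that the app ID, CIDR range and display names are placeholders to be replaced:

```powershell
# Added example: restrict the automation service principal to known egress IPs
# with a workload-identity Conditional Access policy. AppId, CIDR range and
# display names below are placeholders (assumptions, not values from the thread).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# The service principal behind the app registration used by Connect-ExchangeOnline.
$sp = Get-MgServicePrincipal -Filter "appId eq '00000000-0000-0000-0000-000000000000'"
if (-not $sp) { throw 'Service principal for the automation app not found' }

# 1. Named location containing only the on-prem hosts that run the scripts.
#    203.0.113.0/29 is a documentation range used here as a placeholder.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'EXO automation hosts'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/29' }
    )
}

# 2. Policy: block this service principal everywhere except that location.
#    Using clientApplications (rather than users) is what makes this a
#    workload-identity policy; workload identity CA supports only Block as a
#    grant control, so the shape is "block everywhere, exclude the trusted range".
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block EXO automation SP outside automation hosts'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; switch to 'enabled' after review
    conditions  = @{
        clientApplications = @{ includeServicePrincipals = @($sp.Id) }
        applications       = @{ includeApplications = @('All') }
        locations          = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# 3. Read the policy back and show the parts that matter before enforcing it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = 'ServicePrincipals'; e = { $_.Conditions.ClientApplications.IncludeServicePrincipals -join ',' } },
        @{ n = 'ExcludedLocations'; e = { $_.Conditions.Locations.ExcludeLocations -join ',' } }
```

Leave the policy in report-only until the sign-in logs show the service principal's token requests coming only from the named location; once enforced, a stolen certificate used from anywhere else is refused at token issuance, which is the practical substitute for the second factor the question asks for, even though it is not a second authentication method in the strict sense.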