Azure Automation Connect-ExchangeOnline using Managed Identity

Jesus Chao 141 Reputation points

I have been trying to get Connect-ExchangeOnline cmdlet to work in Azure Automation using the System Managed Identity. Does anyone have any idea if this works? I would rather use the Managed ID to connect to Exchange Online instead of using certificates or a saved credential. I do have this bit of code working but I am afraid it is using Basic Auth which is going away soon. Using this code does not give me access to ExchangeOnline specific cmdlets like Get-EXOMailbox.
Connect-ExchangeOnline Reference

"Connect Exchange"
function makeMSIOAuthCred () {
    $accessToken = Get-AzAccessToken -ResourceUrl ""
    $authorization = "Bearer {0}" -f $accessToken.Token
    $Password = ConvertTo-SecureString -AsPlainText $authorization -Force
    $username = "OAuthUser@" + ((Get-AzTenant).Id)
    $MSIcred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username,$Password)
    return $MSICred
$cred = makeMSIOAuthCred

#This works using PSSESSION
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection -Verbose
Import-PSSession $Session

#using Connect-ExchangeOnline
Connect-ExchangeOnline -Credential $cred

The error returned when using Connect-ExchangeOnline is:
Authentication Failure. The password entered exceeds the maximum length. Please reach out to your admin to reset the password.

Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,187 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,368 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 145K Reputation points MVP

    Ok, heard back from the product group. At this time, Exo V2 Module does not support managed identities. So, this won't work for you, sorry.

    1 person found this answer helpful.

4 additional answers

Sort by: Most helpful
  1. Jesus Chao 141 Reputation points

    It appears that EXO V2 Module 2.0.6 preview 7 has support for managed identities now. To connect, make sure you are running the latest preview module and that the session is running in the context of the managed identity (Azure Automation Runbook)

    connect-exchangeonline -managedidentity -Organization "<Name of your org>"

    Our organization formation was <domainname>

    Andy can you confirm that this has been added.

    ALSO note that it appears that the connect-ippssession cmdlet does NOT support managed identities which I find rather odd. The cmdlet has not been updated to pass the parameters to the connect-exchangonline cmdlet within the module. It would be nice to know how to use connect-ippssession for connecting to the Security and Compliance console with two different auth types? I can only assume that if you use connect-ippssesion after connecting to EXO with a managed identity, it will override that connection with whatever auth type you use for connect-ippssession?


    1 person found this answer helpful.

  2. Andy David - MVP 145K Reputation points MVP

  3. Jesus Chao 141 Reputation points

    Great - Thanks Andy. I am sure this will help the community. Any chance you know if they are working on adding this in the future and if there is a time table? I believe Basic Auth will be gone later this year and Microsoft is heavily recommending the use of managed identities in Azure Automation.

    Thanks again.

  4. Dmitry B 1 Reputation point
    0 comments No comments