Ok, heard back from the product group. At this time, Exo V2 Module does not support managed identities. So, this won't work for you, sorry.
Azure Automation Connect-ExchangeOnline using Managed Identity
I have been trying to get Connect-ExchangeOnline cmdlet to work in Azure Automation using the System Managed Identity. Does anyone have any idea if this works? I would rather use the Managed ID to connect to Exchange Online instead of using certificates or a saved credential. I do have this bit of code working but I am afraid it is using Basic Auth which is going away soon. Using this code does not give me access to ExchangeOnline specific cmdlets like Get-EXOMailbox.
Connect-ExchangeOnline Reference
https://o365reports.com/2020/07/04/modern-auth-and-unattended-scripts-in-exchange-online-powershell-v2/
"Connect Exchange"
```powershell
# Wrap the managed identity's access token in a PSCredential (bearer token as the password)
function makeMSIOAuthCred () {
    $accessToken = Get-AzAccessToken -ResourceUrl "https://outlook.office365.com/"
    $authorization = "Bearer {0}" -f $accessToken.Token
    $Password = ConvertTo-SecureString -AsPlainText $authorization -Force
    $username = "OAuthUser@" + ((Get-AzTenant).Id)
    $MSIcred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $Password)
    return $MSIcred
}
$cred = makeMSIOAuthCred

# This works using PSSession
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true" -Credential $cred -Authentication Basic -AllowRedirection -Verbose
Import-PSSession $Session

# Using Connect-ExchangeOnline (returns the error shown below)
Connect-ExchangeOnline -Credential $cred
```
The error returned when using Connect-ExchangeOnline is:
Authentication Failure. The password entered exceeds the maximum length. Please reach out to your admin to reset the password.
-
Jesus Chao 141 Reputation points
2022-09-08T15:32:26.91+00:00
It appears that EXO V2 Module 2.0.6 preview 7 has support for managed identities now. To connect, make sure you are running the latest preview module and that the session is running in the context of the managed identity (Azure Automation Runbook):
connect-exchangeonline -managedidentity -Organization "<Name of your org>"
Our organization formation was <domainname>.onmicrosoft.com
Andy, can you confirm that this has been added?
ALSO note that it appears that the connect-ippssession cmdlet does NOT support managed identities which I find rather odd. The cmdlet has not been updated to pass the parameters to the connect-exchangeonline cmdlet within the module. It would be nice to know how to use connect-ippssession for connecting to the Security and Compliance console with two different auth types? I can only assume that if you use connect-ippssession after connecting to EXO with a managed identity, it will override that connection with whatever auth type you use for connect-ippssession?
Thanks
-
Andy David - MVP 145.6K Reputation points MVP
2022-01-10T21:44:45.827+00:00
Have you seen this?
https://github.com/mardahl/ExchangeOnlineScripts/blob/main/AzureAutomation/ConnectEXOwithMSIRunbookExample.ps1
Full Disclosure: I have not tested this myself.
-
Jesus Chao 141 Reputation points
2022-01-11T13:25:46.317+00:00
Great - Thanks Andy. I am sure this will help the community. Any chance you know if they are working on adding this in the future and if there is a timetable? I believe Basic Auth will be gone later this year and Microsoft is heavily recommending the use of managed identities in Azure Automation.
Thanks again.
-
Dmitry B 1 Reputation point
2022-10-19T18:23:27.947+00:00
It is now officially supported in v3.0
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
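
The managed identity connection described in the answers above, written out as a runbook. This is an added example, not code from any post in this thread or from Microsoft. It assumes the ExchangeOnlineManagement module has been imported into the Automation account, that the system-assigned managed identity has already been granted the Exchange permissions described in the linked Microsoft article, and that `$Organization` (a placeholder) is replaced with your own `<domainname>.onmicrosoft.com` value.

```powershell
# Added example: Azure Automation runbook using the system-assigned managed identity.
# $Organization is a placeholder; supply your own <domainname>.onmicrosoft.com value.
param(
    [string]$Organization = '<domainname>.onmicrosoft.com'
)

$ErrorActionPreference = 'Stop'

# The thread reports managed identity support as official from v3.0,
# so refuse to run against an older module instead of failing at connect time.
$minimum = [version]'3.0.0'
$module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
    Sort-Object Version -Descending |
    Select-Object -First 1

if (-not $module) {
    throw 'ExchangeOnlineManagement is not available in this Automation account.'
}
if ($module.Version -lt $minimum) {
    throw "ExchangeOnlineManagement $($module.Version) found; $minimum or later is needed for -ManagedIdentity."
}
Import-Module ExchangeOnlineManagement -MinimumVersion $minimum

try {
    # The script handles no password, certificate or bearer token:
    # the token is obtained for the runbook's own identity by the module.
    Connect-ExchangeOnline -ManagedIdentity -Organization $Organization -ShowBanner:$false

    # Check with an EXO-specific cmdlet, the kind the PSSession workaround
    # in the question could not reach.
    Get-EXOMailbox -ResultSize 5 |
        Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Always release the session, including when the connect or query fails.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```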