question

JesusChao-6831 (0 Votes)
JesusChao-6831 asked, DmitryB-8722 answered

Azure Automation Connect-ExchangeOnline using Managed Identity

I have been trying to get Connect-ExchangeOnline cmdlet to work in Azure Automation using the System Managed Identity. Does anyone have any idea if this works? I would rather use the Managed ID to connect to Exchange Online instead of using certificates or a saved credential. I do have this bit of code working but I am afraid it is using Basic Auth which is going away soon. Using this code does not give me access to ExchangeOnline specific cmdlets like Get-EXOMailbox.
Connect-ExchangeOnline Reference
https://o365reports.com/2020/07/04/modern-auth-and-unattended-scripts-in-exchange-online-powershell-v2/


 Write-Output "Connect Exchange"
 # Sign in as the Automation account's system-assigned managed identity so that
 # Get-AzAccessToken and Get-AzTenant can run (Az.Accounts module required)
 Connect-AzAccount -Identity | Out-Null

 function makeMSIOAuthCred () {
     # Get a token for the Exchange Online audience and wrap it in a PSCredential
     # so it can be handed to cmdlets that expect a username/password pair
     $accessToken   = Get-AzAccessToken -ResourceUrl "https://outlook.office365.com/"
     $authorization = "Bearer {0}" -f $accessToken.Token
     $Password      = ConvertTo-SecureString -AsPlainText $authorization -Force
     $username      = "OAuthUser@" + ((Get-AzTenant).Id)
     $MSIcred       = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $Password)
     return $MSIcred
 }
 $cred = makeMSIOAuthCred

 # This works using PSSession: the Bearer token travels in the Basic password field and
 # BasicAuthToOAuthConversion=true tells the endpoint to unwrap it
 $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
     -ConnectionUri "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true" `
     -Credential $cred -Authentication Basic -AllowRedirection -Verbose
 Import-PSSession $Session

 # Using Connect-ExchangeOnline (this is the call that fails, see the error below)
 Connect-ExchangeOnline -Credential $cred


The error returned when using Connect-ExchangeOnline is:
Authentication Failure. The password entered exceeds the maximum length. Please reach out to your admin to reset the password.


Tags: office-exchange-online-itpro, azure-automation

AndyDavid (2 Votes)
AndyDavid answered, JesusChao-6831 converted comment to answer

Ok, heard back from the product group. At this time, Exo V2 Module does not support managed identities. So, this won't work for you, sorry.


I just upvoted this because you took the time to follow up, but I want to also downvote somebody because I just wasted I don't know how many hours trying to get this to work!!! Can they at least update the docs?

1 Vote

Hi, does anyone know if there is any update on Exchange Online V2 PowerShell to support Managed Identities for Azure Automation? I'd really like to set up Azure Automation to automate some of my mailbox processes but have run into this blocker considering Microsoft is strongly recommending Managed Identities over Run As accounts in Azure Automation.

0 Votes

I know it's highly unsupported, but we managed to get it working:
1. Create an Azure Logic App (any other service capable of using managed identity and performing a REST call works)
2. Enable Managed Identity
3. Perform an admin consent for the scope "Exchange.ManageAsApp" exposed by "Office 365 Exchange Online" appId "00000002-0000-0ff1-ce00-000000000000"
4. Assign the Azure AD directory role "Exchange Administrator" to the managed identity - not ideal but there seems to be no option to use a lesser privileged role
5. Execute step 6 or 7
6. Not fully migrated commands: In the logic app perform an HTTP POST call to "https://outlook.office365.com/adminapi/beta/<tenantid>/InvokeCommand" (replace <tenantid> with your actual tenant id).
   Under Authentication, select "AuthenticationType=ManagedIdentity, ManagedIdentity=SystemAssigned, Audience=https://outlook.office365.com"
   Body:
   {
     "CmdletInput": {
       "CmdletName": "Get-ApplicationAccessPolicy"
     }
   }
7. Migrated commands: In the logic app perform an HTTP GET call to "https://outlook.office.com/adminApi/beta/<tenantid>/Mailbox('user@xyz.com')" with the same authentication settings and an empty body.

Credits to Vasil for the inspiration:
https://www.michev.info/Blog/Post/2869/abusing-the-rest-api-endpoints-behind-the-new-exo-cmdlets

Hope it is useful for others

0 Votes
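The same REST path from an Azure Automation runbook rather than a Logic App, as an added example that is not part of this thread. It assumes Az.Accounts is imported into the Automation account, that steps 3 and 4 above (admin consent and the directory role) are already done, that `<tenantid>` is a placeholder, and that the `Parameters` member of the body and the OData `value` array in the response follow the cmdlet-to-REST mapping rather than anything shown in the comment.

```powershell
# Added example (not from the thread): run an Exchange Online cmdlet through the
# adminapi InvokeCommand endpoint from an Azure Automation runbook, authenticating
# with the Automation account's system-assigned managed identity.
# Assumes: Az.Accounts is imported, admin consent for Exchange.ManageAsApp and the
# Exchange Administrator role are in place (steps 3-4 of the comment above).
$TenantId = "<tenantid>"   # placeholder: replace with your tenant id (GUID)

# Sign in as the managed identity and get a token for the same audience the
# Logic App step uses (https://outlook.office365.com)
Connect-AzAccount -Identity | Out-Null
$Token = (Get-AzAccessToken -ResourceUrl "https://outlook.office365.com").Token
$Headers = @{ Authorization = "Bearer $Token" }

function Invoke-ExoCmdlet {
    # Sends one cmdlet invocation to InvokeCommand. $Parameters is an assumption:
    # it mirrors how the module maps cmdlet parameters and is not shown in the thread.
    param(
        [Parameter(Mandatory)] [string] $CmdletName,
        [hashtable] $Parameters = @{}
    )
    $Body = @{
        CmdletInput = @{
            CmdletName = $CmdletName
            Parameters = $Parameters
        }
    } | ConvertTo-Json -Depth 5

    $Uri = "https://outlook.office365.com/adminapi/beta/$TenantId/InvokeCommand"
    $Response = Invoke-RestMethod -Method Post -Uri $Uri -Headers $Headers `
        -ContentType "application/json" -Body $Body
    # Assumed OData-shaped response: the cmdlet output sits in the value array
    return $Response.value
}

# Read-only check, the same cmdlet the comment uses, to prove the identity is wired
# up before any automation that changes mailbox state is added
Invoke-ExoCmdlet -CmdletName "Get-ApplicationAccessPolicy" | Format-Table
```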
JesusChao-6831 (reply to PatrickMangold-2508):

Thanks but what are the parameter values that you are using in Azure Automation to get connect-exchangeonline to work with the managed ID?

0 Votes
AndyDavid (0 Votes)
AndyDavid answered, AndyDavid commented

Thanks David - yes I have. In fact I am using a bit of the code within this PS1 (the function in my post) to make the token and then connect using PSSession. That seems to work great but if you notice - and I could be wrong about this - it is using Basic Auth and it does not allow you to use the Exchange Online powershell commands like Get-EXOMailbox.

0 Votes

Yeah, it might be worth pinging the author of that. Perhaps he has something that uses Modern Auth.

0 Votes

Perhaps. I was hopeful that I could get an official answer through this forum as to whether or not Connect-ExchangeOnline will ever support Managed Identities for authentication. Connect-AzureAD is working.

0 Votes
JesusChao-6831 (1 Vote)
JesusChao-6831 answered, AndyDavid commented

Great - Thanks Andy. I am sure this will help the community. Any chance you know if they are working on adding this in the future and if there is a time table? I believe Basic Auth will be gone later this year and Microsoft is heavily recommending the use of managed identities in Azure Automation.

Thanks again.


I believe they are working on it, yes. I was told it's not supported yet :)

1 Vote
JesusChao-6831 (1 Vote)
JesusChao-6831 answered

It appears that EXO V2 Module 2.0.6 preview 7 has support for managed identities now. To connect, make sure you are running the latest preview module and that the session is running in the context of the managed identity (Azure Automation Runbook)


Connect-ExchangeOnline -ManagedIdentity -Organization "<Name of your org>"

Our Organization value was <domainname>.onmicrosoft.com

Andy, can you confirm that this has been added?

ALSO note that it appears that the Connect-IPPSSession cmdlet does NOT support managed identities, which I find rather odd. The cmdlet has not been updated to pass the parameters to the Connect-ExchangeOnline cmdlet within the module. It would be nice to know how to use Connect-IPPSSession for connecting to the Security and Compliance console with two different auth types. I can only assume that if you use Connect-IPPSSession after connecting to EXO with a managed identity, it will override that connection with whatever auth type you use for Connect-IPPSSession?

Thanks


Yes, it is in the release notes:

v2.0.6-Preview7:
1. Support for system-assigned and user-assigned Managed Identity from Azure VMs and Virtual Machine Scale Sets.
   - The -ManagedIdentity switch parameter and the -Organization parameter need to be provided to indicate that a managed identity should be used. By default this attempts to use a system-assigned managed identity.
   - To specify a user-assigned managed identity, in addition to the parameters above, the AppID of the service principal corresponding to the user-assigned identity needs to be passed to the -ManagedIdentityAccountId parameter.

0 Votes
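A runbook that uses the -ManagedIdentity path from the answer and the release notes above, covering both the system-assigned and the user-assigned case, as an added example that is not from the thread. It assumes ExchangeOnlineManagement 2.0.6-Preview7 or later is imported into the Automation account, that the identity has already been granted Exchange.ManageAsApp and an Exchange role for app-only access, and it uses placeholders for the organization and the user-assigned AppId.

```powershell
# Added example (not from the thread): Azure Automation runbook that connects to
# Exchange Online with the managed identity switch instead of a credential or certificate.
# Assumes: ExchangeOnlineManagement 2.0.6-Preview7 or later in the Automation account,
# and the identity already holds Exchange.ManageAsApp plus an Exchange role.
param(
    # The tenant's initial domain, as in the answer above (placeholder)
    [string] $Organization = "<domainname>.onmicrosoft.com",
    # Leave empty for the system-assigned identity; set to the user-assigned identity's
    # service-principal AppId to use that one instead (release note item 1)
    [string] $UserAssignedAppId = ""
)

$ErrorActionPreference = "Stop"

# Build the parameter set by splatting so one script covers both identity kinds
$connectParams = @{
    ManagedIdentity = $true
    Organization    = $Organization
    ShowBanner      = $false
}
if ($UserAssignedAppId) {
    $connectParams["ManagedIdentityAccountId"] = $UserAssignedAppId
}

try {
    Connect-ExchangeOnline @connectParams

    # Cheap read-only call to prove the app-only session works before doing real work
    $org = Get-OrganizationConfig
    Write-Output ("Connected to {0}" -f $org.Name)

    # REST-backed cmdlets such as Get-EXOMailbox are available in this session,
    # unlike in the Basic-auth PSSession from the original question
    Get-EXOMailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Tear the session down so the runbook never leaves a connection behind
    Disconnect-ExchangeOnline -Confirm:$false
}
```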
DmitryB-8722 (0 Votes)
DmitryB-8722 answered