Multi-Factor Authentication
Multi-Factor Authentication (MFA) helps safeguard access to data and applications while keeping sign-in simple for users. It adds a second form of authentication on top of the password and supports a range of easy-to-use verification methods. Whether a given user is challenged for MFA depends on configuration decisions the administrator makes. An MFA requirement complicates any automation you have developed, because the second factor must be supplied at every interactive sign-in, and a headless script has no way to supply it.
Azure Active Directory recently introduced baseline protection, a set of predefined conditional access policies intended to ensure at least a baseline level of security in every edition of Azure Active Directory. When these policies are enforced, users who meet a policy's criteria must authenticate with Multi-Factor Authentication.
This requirement creates a new challenge for tasks that run headless. This article shows how to use the Secure Application Model to connect to the following PowerShell modules without being prompted for credentials: a refresh token, obtained once through an interactive (MFA-protected) consent, is exchanged with New-PartnerAccessToken for the access tokens each module needs, so the scheduled script itself never has to satisfy the second factor.
- Azure PowerShell
- Azure Active Directory
- MS Online
- Partner Center
Azure
Azure PowerShell
# The application id is entered as the user name and the application secret as the password.
$credential = Get-Credential
$refreshToken = 'Your-Refresh-Token-Value'

# Request one access token per resource the module needs (Azure Resource Manager and Microsoft Graph).
$azureToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://management.azure.com/ -Credential $credential
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.microsoft.com -Credential $credential

# Az Module (-AccountId is required when connecting with an access token; it is the UPN of the user who generated the refresh token)
Connect-AzAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -AccountId '<UPN-OF-USER-USED-TO-GEN-REFRESH-TOKEN>' -TenantId '<TenantId>'
# AzureRM Module
Connect-AzureRmAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -AccountId '<UPN-OF-USER-USED-TO-GEN-REFRESH-TOKEN>' -TenantId '<TenantId>'
Microsoft 365
Azure Active Directory
# The application id is entered as the user name and the application secret as the password.
$credential = Get-Credential
$refreshToken = 'Your-Refresh-Token-Value'

# The AzureAD module needs a token for Azure AD Graph and one for Microsoft Graph.
$aadGraphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net -Credential $credential
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.microsoft.com -Credential $credential

Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -AccountId '<UPN-OF-USER-USED-TO-GEN-REFRESH-TOKEN>' -MsAccessToken $graphToken.AccessToken
Exchange Online PowerShell
With MFA enabled, partners cannot use their delegated administrative privileges with Exchange Online PowerShell to act on their customers' tenants. See Connect to Exchange Online PowerShell using multi-factor authentication for more information about this limitation.
MS Online
# The application id is entered as the user name and the application secret as the password.
$credential = Get-Credential
$refreshToken = 'Your-Refresh-Token-Value'

# The MSOnline module needs a token for Azure AD Graph and one for Microsoft Graph.
$aadGraphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net -Credential $credential
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.microsoft.com -Credential $credential

Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
Partner Center
# The application id is entered as the user name and the application secret as the password.
$credential = Get-Credential
$refreshToken = 'Enter the refresh token value here'

$pcToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://api.partnercenter.microsoft.com -Credential $credential -TenantId '<Your Tenant Id>'

# The application id passed here is the same value that was entered as the user name for $credential.
Connect-PartnerCenter -AccessToken $pcToken.AccessToken -ApplicationId $credential.UserName -TenantId '<Your Tenant Id>'
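The four snippets above all repeat the same pattern: exchange one refresh token for an access token per resource, then hand those tokens to the module's Connect cmdlet. The following is an added example, not code from the original article or from the Partner Center PowerShell project, that combines them into one function suitable for a scheduled task. It stores the application credential and the refresh token with Export-Clixml (DPAPI-encrypted to the running Windows account) instead of pasting the token into the script, and it checks each returned token's exp and aud claims before use. The function names, the storage path and the JWT checks are this example's own assumptions; the New-PartnerAccessToken and Connect-* parameters are the ones used on this page.

```powershell
#Requires -Modules PartnerCenter, Az.Accounts, AzureAD, MSOnline
# Added example, not code from the original article. It wraps the New-PartnerAccessToken
# calls shown above so a scheduled task can run them with the refresh token stored
# encrypted instead of pasted into the script. Function names, the storage path and the
# JWT sanity checks are this example's own choices (assumptions).

# One-time setup, run interactively as the same Windows account the scheduled task uses.
# Export-Clixml encrypts SecureString and PSCredential values with DPAPI, so the file can
# only be decrypted by that account on that machine:
#
#   $appCredential = Get-Credential              # user name = application id, password = application secret
#   $refreshToken  = Read-Host -AsSecureString -Prompt 'Refresh token'
#   [pscustomobject]@{ Credential = $appCredential; RefreshToken = $refreshToken } |
#       Export-Clixml -Path "$env:LOCALAPPDATA\SecureAppModel.xml"

function Get-JwtPayload {
    # Decode the claims segment of a JWT (base64url) without validating the signature.
    # Used only to inspect 'aud' and 'exp' before a token is handed to a module.
    param([Parameter(Mandatory)][string]$Token)

    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

function Get-CheckedAccessToken {
    # Exchange the refresh token for an access token for one resource, then check that the
    # token is unexpired and, when the audience is a URI, that it is for the resource requested.
    param(
        [Parameter(Mandatory)][string]$Resource,
        [Parameter(Mandatory)][string]$RefreshToken,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$TenantId
    )

    $params = @{ RefreshToken = $RefreshToken; Resource = $Resource; Credential = $Credential }
    if ($TenantId) { $params.TenantId = $TenantId }
    $result = New-PartnerAccessToken @params

    if (-not $result.AccessToken) { throw "No access token was returned for $Resource" }

    $claims = Get-JwtPayload -Token $result.AccessToken
    if ([DateTimeOffset]::FromUnixTimeSeconds($claims.exp) -le [DateTimeOffset]::UtcNow) {
        throw "Access token for $Resource is already expired"
    }
    # Azure AD may express the audience as the resource URI or as the resource's application id
    # (a GUID); only compare when it is a URI.
    if ($claims.aud -like 'https://*' -and $claims.aud.TrimEnd('/') -ne $Resource.TrimEnd('/')) {
        throw "Token audience '$($claims.aud)' does not match requested resource '$Resource'"
    }
    $result.AccessToken
}

function Connect-SecureAppModelSession {
    # Connect Az, AzureAD, MSOnline and Partner Center in one go, with no MFA prompt.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AccountId,   # UPN of the user who generated the refresh token
        [string]$SecretPath = "$env:LOCALAPPDATA\SecureAppModel.xml"
    )

    $stored     = Import-Clixml -Path $SecretPath
    $credential = $stored.Credential
    # The refresh token is a long-lived credential: keep it in clear text only for this call.
    $refreshToken = [Net.NetworkCredential]::new('', $stored.RefreshToken).Password
    try {
        $common = @{ RefreshToken = $refreshToken; Credential = $credential }
        $azureToken    = Get-CheckedAccessToken -Resource 'https://management.azure.com/' @common
        $graphToken    = Get-CheckedAccessToken -Resource 'https://graph.microsoft.com' @common
        $aadGraphToken = Get-CheckedAccessToken -Resource 'https://graph.windows.net' @common
        $pcToken       = Get-CheckedAccessToken -Resource 'https://api.partnercenter.microsoft.com' -TenantId $TenantId @common

        Connect-AzAccount -AccessToken $azureToken -GraphAccessToken $graphToken -AccountId $AccountId -TenantId $TenantId | Out-Null
        Connect-AzureAD -AadAccessToken $aadGraphToken -MsAccessToken $graphToken -AccountId $AccountId | Out-Null
        Connect-MsolService -AdGraphAccessToken $aadGraphToken -MsGraphAccessToken $graphToken
        Connect-PartnerCenter -AccessToken $pcToken -ApplicationId $credential.UserName -TenantId $TenantId | Out-Null
    }
    finally {
        $refreshToken = $null
    }
}

# Usage in the scheduled script:
# Connect-SecureAppModelSession -TenantId '<Your Tenant Id>' -AccountId '<UPN-OF-USER-USED-TO-GEN-REFRESH-TOKEN>'
```

Two points worth keeping in mind when adopting this. The DPAPI protection only ties the secret file to the account and machine, so the scheduled task must run as that same account, and anyone who can run code as that account can still recover the refresh token; treat the host accordingly. The audience check is a sanity check, not token validation: the modules and the resource APIs validate the signature themselves, the check here only catches a script that requested the wrong resource before a token is used somewhere it does not belong.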