Exchange Online Remote PowerShell Still Used with Basic Authentication
This brings me to the sad fact that many who use PowerShell to interact with Exchange Online still use Remote PowerShell (RPS) with basic authentication. Among the reasons why this situation exists are:
Lack of awareness that Microsoft will disable basic authentication for PowerShell in remaining tenants starting on October 1. Once Microsoft removes basic authentication from a tenant, scripts that attempt to connect using basic authentication will fail.
Lack of visibility for scripts running within the tenant. Scripts might have been created and implemented without the knowledge of administrators, or maybe even by previous administrators who might not have documented their work.
Lack of time and serendipity. For example, it’s common to find that people include commands to connect to different services in their PowerShell profile. If the profile is more than a year old, it’s likely to use outdated connectivity.
In addition, if you search for “How to connect to Exchange Online with PowerShell” in blogs, articles, and books, you’ll probably find that the recommended method is to run the New-PSSession cmdlet to connect to Microsoft Exchange. Anyone checking out best practices in this area can be forgiven if they come away from a search with the impression that this is the best method. The only problem is that it creates a Remote PowerShell session using basic authentication, just like people have done for a decade.
Exchange Online Management Module
Microsoft introduced the Exchange Online Management module in 2019. At the time, the big headline was the creation of nine REST-based cmdlets designed to replace the set most likely to experience problems in cloud environments. The new cmdlets like Get-ExoMailbox and Get-ExoMailboxStatistics are faster and more tolerant of network issues and I was happy to talk about the cmdlets at the Ignite 2019 conference.
The new module also supported modern authentication. From version 2.0.3 onward, the module supports certificate-based authentication. The RPS cmdlets have a dependency on WinRM. Microsoft is removing the WinRM dependency by upgrading the RPS cmdlets. Substantial progress has been made in the preview version of the module and the most heavily used of the RPS cmdlets no longer depend on WinRM.
Work is ongoing to complete the upgrade for the remainder of the RPS cmdlets and hopefully, Microsoft will make the preview module that includes the upgraded RPS cmdlets generally available soon. The work to upgrade the remaining RPS cmdlets doesn’t have to be completed by October because Microsoft is not deprecating the WinRM connection when it turns off basic authentication for Exchange Online connections.
Note that if you use the preview version of the module, you must include the UseRPSSession parameter to load all the RPS cmdlets. If you don’t, Exchange only loads the upgraded RPS cmdlets. For more information about the different combinations of PowerShell and authentication supported by Exchange Online, see this blog post.
Call to Action: Avoid Basic Authentication PowerShell
The need for action is real. If tenants don’t check Exchange Online scripts to make sure that they connect to Exchange Online using modern authentication, they’ll have problems sometime after October 1 when scripts stop working. Because the Connect-ExchangeOnline cmdlet loads the old RPS cmdlets when it runs, the work to upgrade scripts is straightforward. That is, if you can find all the scripts that need to be updated.
Figure 1: Use Connect-ExchangeOnline to connect with modern authentication
While you’re making sure that scripts connect properly, take the time to check that any connections made to the security and compliance endpoint do so through the Connect-IPPSSession cmdlet.
You can go ahead and convert old cmdlets like Get-Mailbox to their upgraded equivalents to gain extra performance and stability, but this work doesn’t have to be done now (and will take substantially more effort in terms of coding and testing). The immediate priority is to make sure that scripts continue to connect and function after October.
Remember Azure AD Too
PowerShell developers have an even closer date to focus on. Microsoft plans to introduce a new license management platform for Microsoft 365 on 26 August 2022. That’s only a hundred days away before scripts that use cmdlets from the Azure AD and Microsoft Online Services (MSOL) modules for license management cease to work. It’s the first step along the path toward full depreciation of the modules in late 2022 or early 2023.
Limited time exists to validate that Exchange Online scripts work with modern authentication. No one wants to be the person who fails to take the necessary steps to update scripts, or to take the call when people discover that important scripts stop working.
Learn about exploiting Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}