In a previous blog I explained how to enable MFA for Admin accounts. This is a great security solution, but unfortunately it breaks Remote PowerShell for Exchange Online.
When you try to connect to Exchange Online using the following commands:
$Session= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveID -Credential $Cred -Authentication Basic -AllowRedirection
It fails with the following error message:
New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:11
+ $Session= New-PSSession -ConfigurationName Microsoft.Exchange -Connec …
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
As shown in the following screenshot:
To overcome this issue, Microsoft has a special Exchange Online PowerShell module that supports Multi Factor Authentication. You can download this from the Exchange Admin Center in Exchange Online by selecting hybrid in the navigation pane as shown in the following screenshot:
Click Configure followed by Open to download and start the setup application. Click Install to continue. The Exchange Online PowerShell module will be automatically installed in seconds and when finished it will automatically open a PowerShell window as shown in the following screenshot:
You can now use the Get-EXOPSSession -UserPrincipalName firstname.lastname@example.org command to logon to Remote PowerShell. A separate windows will be opened requesting your tenant credentials, followed by the MFA option you’ve configured.
If all is entered correctly the Remote PowerShell for Exchange Online is opened with MFA enabled.
In a previous blogpost I explained about the Microsoft Secure Score and how this indicates the level of security in your Office 365 tenant.
My initial score was only 70, which is pretty low. By implementing Self Service Password Reset and MFA for Admin Acccounts the Secure Score was increased to 122. It could have been a couple of point higher when enabling MFA for all users, but not all users have licenses in Office 365.
I’m curious to see what improvements I can make in the Exchange Online part and how this will influence the Secure Score. Stay tuned 🙂
During Ignite 2018 in Orlando there was a lot of focus on security in Office 365 and Azure Active Directory. That makes sense, a cloud solution is accessible for everyone. Not only your own internal users, but also the bad guys that are out for your data, accounts or money. And not only your user accounts are at risk, your admin accounts even more, and when losing your admin accounts, you are pretty much out of business.
It was shocking to hear that there are 6,000 compromised admin accounts each month, and only 4% of all admin accounts have MFA enabled. And the number of compromised admin accounts decreases with 99,9% with MFA enabled. Go figure!
Other issues that impact security negatively is weak passwords. Everybody knows about brute force attacks, but ever heard of password spray attacks? Based on user lists and (default) weak passwords all combinations of usernames and passwords are tried, without you as an admin even knowing what’s going on.
The list with security issues is impressive…. Weak (legacy) authentication, no password changes, phishing attacks, spoofing, auto-forwarding, too many global admins, permissions and roles, unmanaged devices, etc. etc.
Continue reading Microsoft Secure Score – Improve security of your tenant
It’s a good thing to enable multi-factor authentication (MFA) for Office 365 administrators. For web based management portals this is not a problem, just enter your username and password, wait for the text message to arrive, enter it in the additional dialog box and you’re in.
For PowerShell this has been more difficult, but MFA for PowerShell is available as well for some time now. When you login to the Exchange Admin Center and select hybrid in the navigation pane you can configure a hybrid environment (first option) or install and configure the Exchange Online PowerShell MFA module.
Click on the second configure button, and in the pop-up box that appears click Open to start the installation of the PowerShell module:
Continue reading Exchange Online PowerShell multi factor authentication (MFA)