Tag Archives: Remote PowerShell

Sync-ModernMailPublicFolders.ps1  fails with access denied

Moving mailboxes from Exchange 2016 to Exchange Online is not that difficult, that is when you have all the prerequisites in place of course. Public Folders is a bit different, but luckily Public Folders in Exchange 2016 are ‘Modern Public Folders’ and as such similar to Public Folders in Exchange Online.

You must move Public Folders from Exchange 2016 to Exchange Online when all mailboxes are in Exchange Online, and before doing that you must use Public Folders cross-premises. When mailboxes are in Exchange Online, they must use Public Folders in Exchange 2016.

The first step is to synchronize the Public Folder mailboxes from Exchange 2016 to Exchange Online using Azure AD Connect. Then the mail-enabled folders must be synchronized to Azure AD using the Sync-ModernMailPublicFolders.ps1 script that you can download from the Microsoft download site.

When starting the script, it wants to setup a Remote PowerShell connection to Exchange Online, and the following screenshot says it all: this is a basic authentication login prompt:

When entering the global admin credentials, it fails with an ‘access denied’ error:

And in plain text:

[3/24/2022 11:40:25 AM] Creating an Exchange Online remote session...
InitializeExchangeOnlineRemoteSession : Unable to create a remote shell session to Exchange Online. The error is as follows: "Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.".
At C:\Scripts\Sync-ModernMailPublicFolders.ps1:687 char:5
+     InitializeExchangeOnlineRemoteSession;
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,InitializeExchangeOnlineRemoteSession
[PS] C:\Scripts>

This is because the script is using Basic Authentication, and in Office 365 basic authentication is disabled (at least in our tenant). 

A workaround is to enable basic authentication only for PowerShell. To do this, click ‘Help & Support’ in lower right corner and in the ‘how can we help’ enter the following text “Diag: Enable Basic Auth in EXO” as shown in the following screenshot:

In the next pop-up window, the current basic authentication settings are shown and in the drop-down box you can select the protocol you want to enable basic authentication for: 

Select the Exchange Online Remote PowerShell option.

It takes some time before basic authentication is enabled. In my case, I disabled it late in the afternoon and the next morning it was possible to login using basic authentication. Most likely it will take less time, but overnight was not a big deal 🙂

Now when running the Sync-ModernMailPublicFolders.ps1 again it succeeds and finishes successfully.

However, enabling basic authentication is just a work-around and not really a long-term solution. And, Microsoft will turn off Basic Authentication by the end of this calendar year. But in the meantime, we must wait for Microsoft to release a new script that support Modern Authentication.

Connecting to remote server outlook.office365.com failed

In a previous blog I explained how to enable MFA for Admin accounts. This is a great security solution, but unfortunately it breaks Remote PowerShell for Exchange Online.
When you try to connect to Exchange Online using the following commands:

$Cred= Get-Credential
$Session= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveID -Credential $Cred -Authentication Basic -AllowRedirection

It fails with the following error message:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:11
+ $Session= New-PSSession -ConfigurationName Microsoft.Exchange -Connec …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

As shown in the following screenshot:


To overcome this issue, Microsoft has a special Exchange Online PowerShell module that supports Multi Factor Authentication. You can download this from the Exchange Admin Center in Exchange Online by selecting hybrid in the navigation pane as shown in the following screenshot:


Click Configure followed by Open to download and start the setup application. Click Install to continue. The Exchange Online PowerShell module will be automatically installed in seconds and when finished it will automatically open a PowerShell window as shown in the following screenshot:


You can now use the Get-EXOPSSession -UserPrincipalName admin@tenant.onmicrosoft.com command to logon to Remote PowerShell. A separate windows will be opened requesting your tenant credentials, followed by the MFA option you’ve configured.

If all is entered correctly the Remote PowerShell for Exchange Online is opened with MFA enabled.


SuspendWhenReadyToComplete when using a migration batch in Office 365

Currently I’m working with a customer in a hybrid Exchange 2010 environment. There are multiple offices around the US, and one office in California will close soon. Therefore, all Mailboxes need to be moved to Office 365. The customer created multiple migration batches, and all batches are set using the -SuspendWhenReadyToComplete option. So, when a Mailbox migration in this batch reaches 95% the move will stop, and both Mailboxes will be kept in sync.

So, I started a Remote PowerShell session to Exchange Online (completing an individual move request as part of a batch is not possible in the Exchange Admin Console) and executed the following command:

Get-MoveRequest -Identity John@contoso.com | Resume-MoveRequest -Confirm:$false

While no error message was generated, the move requests were not finished. After some head scratching I realized that the -SuspendWhenReadyToComplete option is set on the migration batch, and that the move requests ‘inherit’ this setting. So, when resuming the move request it will automatically suspend again when hitting 95% (which is a matter of seconds).

So, I executed the following commands:

Get-MoveRequest -Identity John@contoso.com | Set-MoveRequest -SuspendWhenReadyToComplete:$false
Get-MoveRequest -Identity John@contoso.com | Resume-MoveRequest -Confirm:$false

Unfortunately, nothing happened and the move request stayed in the ‘synced’ state and was not willing to finalize. And of course no errors were logged.

At one point I realized I read something in the New-MoveRequest page on TechNet, where it says at the SuspendWhenReadyToComplete option:

“The SuspendWhenReadyToComplete switch specifies whether to suspend the move request before it reaches the status of CompletionInProgress. Instead of this switch, we recommend that you use the CompleteAfter parameter.”

This time I executed the following commands:

$Date = Get-Date
Get-MoveRequest -Identity John@contoso.com | Set-MoveRequest -CompleteAfter $Date
Get-MoveRequest -Identity John@contoso.com | Resume-MoveRequest -Confirm:$false

And this time the individual move requests in the migration batch were successfully finalized.

The requested HTTP URL was not available

While trying to setup Remote PowerShell to an Exchange 2013 Server I ran into a couple of issues. The most obvious was that the Exchange server only accepts SSL request, so you have to specify ‘https’ in the ConnectionUri, so I used these commands:

$Credential = Get-Credential administrator@posh.local
$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://webmail.posh-workshop.com/PowerShell -Authentication Basic -Credential $Credential -AllowRedirection
Import-PSSession $Session

The following error was returned:
New-PSSession : [webmail.posh-workshop.com] Connecting to remote server webmail.posh-workshop.com failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For mor e information, see the about_Remote_Troubleshooting Help topic.


When checking the PowerShell virtual directory using the Get-PowerShellVirtualDirectory | fl command I got the following response:


When you want to use Remote PowerShell from a non domain member (or via the Internet) you have to use Basic Authentication (as specified in my request), you also have to set Basic Authentication on the Virtual Directory as well, like this:

Get-PowerShellVirtualDirectory –Server MAIL01 | Set-PowerShellVirtualDirectory –BasicAuthentication:$TRUE

Once changed Remote PowerShell works as expected.

ISE, Remote PowerShell and Exchange 2013

Last TechEd in Madrid I got an interesting question about Exchange 2013 supportability in the PowerShell ISE (Integrated Scripting Environment). This gentleman was using the Remote PowerShell functionality in ISE and was wondering if this was a supported solution.

It took some time to get a confirmation, but these are the supported scenarios:

  • Exchange Management Shell (which is running Remote PowerShell) – supported
  • Regular PowerShell connecting to Exchange via Remote PowerShell – supported
  • Powershell ISE connecting to Exchange via Remote PowerShell – supported

Regular PowerShell or PowerShell ISE simply loading Exchange snapins is not supported unless Technet specifically calls out that you must run local PowerShell for a specific cmdlet.

Remote PowerShell can be activated like this:

$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri http://ams-exch01.contoso.com/PowerShell -Authentication Kerberos
Import-PSSession $Session

This can be done in a normal PowerShell window or in the ISE:


A Microsoft knowledgebase article was released recently regarding an issue with Remote Powershell, ISE and Exchange Server 2010 SP3:

http://support.microsoft.com/kb/2859999 – Some cmdlets fail in PowerShell ISE after an upgrade to Exchange Server 2010 SP3