Tag Archives: Remote PowerShell

Connecting to remote server outlook.office365.com failed

In a previous blog I explained how to enable MFA for Admin accounts. This is a great security solution, but unfortunately it breaks Remote PowerShell for Exchange Online.
When you try to connect to Exchange Online using the following commands:

$Cred= Get-Credential
$Session= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveID -Credential $Cred -Authentication Basic -AllowRedirection

It fails with the following error message:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:11
+ $Session= New-PSSession -ConfigurationName Microsoft.Exchange -Connec …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

As shown in the following screenshot:

connecting-failed

To overcome this issue, Microsoft has a special Exchange Online PowerShell module that supports Multi Factor Authentication. You can download this from the Exchange Admin Center in Exchange Online by selecting hybrid in the navigation pane as shown in the following screenshot:

MFA-Portal

Click Configure followed by Open to download and start the setup application. Click Install to continue. The Exchange Online PowerShell module will be automatically installed in seconds and when finished it will automatically open a PowerShell window as shown in the following screenshot:

EXO-PSSession

You can now use the Get-EXOPSSession -UserPrincipalName admin@tenant.onmicrosoft.com command to logon to Remote PowerShell. A separate windows will be opened requesting your tenant credentials, followed by the MFA option you’ve configured.

If all is entered correctly the Remote PowerShell for Exchange Online is opened with MFA enabled.

 

SuspendWhenReadyToComplete when using a migration batch in Office 365

Currently I’m working with a customer in a hybrid Exchange 2010 environment. There are multiple offices around the US, and one office in California will close soon. Therefore, all Mailboxes need to be moved to Office 365. The customer created multiple migration batches, and all batches are set using the -SuspendWhenReadyToComplete option. So, when a Mailbox migration in this batch reaches 95% the move will stop, and both Mailboxes will be kept in sync.

So, I started a Remote PowerShell session to Exchange Online (completing an individual move request as part of a batch is not possible in the Exchange Admin Console) and executed the following command:

Get-MoveRequest -Identity John@contoso.com | Resume-MoveRequest -Confirm:$false

While no error message was generated, the move requests were not finished. After some head scratching I realized that the -SuspendWhenReadyToComplete option is set on the migration batch, and that the move requests ‘inherit’ this setting. So, when resuming the move request it will automatically suspend again when hitting 95% (which is a matter of seconds).

So, I executed the following commands:

Get-MoveRequest -Identity John@contoso.com | Set-MoveRequest -SuspendWhenReadyToComplete:$false
Get-MoveRequest -Identity John@contoso.com | Resume-MoveRequest -Confirm:$false

Unfortunately, nothing happened and the move request stayed in the ‘synced’ state and was not willing to finalize. And of course no errors were logged.

At one point I realized I read something in the New-MoveRequest page on TechNet, where it says at the SuspendWhenReadyToComplete option:

“The SuspendWhenReadyToComplete switch specifies whether to suspend the move request before it reaches the status of CompletionInProgress. Instead of this switch, we recommend that you use the CompleteAfter parameter.”

This time I executed the following commands:

$Date = Get-Date
Get-MoveRequest -Identity John@contoso.com | Set-MoveRequest -CompleteAfter $Date
Get-MoveRequest -Identity John@contoso.com | Resume-MoveRequest -Confirm:$false

And this time the individual move requests in the migration batch were successfully finalized.

The requested HTTP URL was not available

While trying to setup Remote PowerShell to an Exchange 2013 Server I ran into a couple of issues. The most obvious was that the Exchange server only accepts SSL request, so you have to specify ‘https’ in the ConnectionUri, so I used these commands:

$Credential = Get-Credential administrator@posh.local
$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://webmail.posh-workshop.com/PowerShell -Authentication Basic -Credential $Credential -AllowRedirection
Import-PSSession $Session

The following error was returned:
New-PSSession : [webmail.posh-workshop.com] Connecting to remote server webmail.posh-workshop.com failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For mor e information, see the about_Remote_Troubleshooting Help topic.

image

When checking the PowerShell virtual directory using the Get-PowerShellVirtualDirectory | fl command I got the following response:

image

When you want to use Remote PowerShell from a non domain member (or via the Internet) you have to use Basic Authentication (as specified in my request), you also have to set Basic Authentication on the Virtual Directory as well, like this:

Get-PowerShellVirtualDirectory –Server MAIL01 | Set-PowerShellVirtualDirectory –BasicAuthentication:$TRUE

Once changed Remote PowerShell works as expected.

ISE, Remote PowerShell and Exchange 2013

Last TechEd in Madrid I got an interesting question about Exchange 2013 supportability in the PowerShell ISE (Integrated Scripting Environment). This gentleman was using the Remote PowerShell functionality in ISE and was wondering if this was a supported solution.

It took some time to get a confirmation, but these are the supported scenarios:

  • Exchange Management Shell (which is running Remote PowerShell) – supported
  • Regular PowerShell connecting to Exchange via Remote PowerShell – supported
  • Powershell ISE connecting to Exchange via Remote PowerShell – supported

Regular PowerShell or PowerShell ISE simply loading Exchange snapins is not supported unless Technet specifically calls out that you must run local PowerShell for a specific cmdlet.

Remote PowerShell can be activated like this:

$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri http://ams-exch01.contoso.com/PowerShell -Authentication Kerberos
Import-PSSession $Session

This can be done in a normal PowerShell window or in the ISE:

image

A Microsoft knowledgebase article was released recently regarding an issue with Remote Powershell, ISE and Exchange Server 2010 SP3:

http://support.microsoft.com/kb/2859999 – Some cmdlets fail in PowerShell ISE after an upgrade to Exchange Server 2010 SP3