
Connect to Exchange Online using App Registration and Certificate

How to Connect to Exchange Online PowerShell using an App registration and self-signed Certificate

Trying to connect to Exchange Online PowerShell using an App registration and Certificate from an Azure Runbook?

1. Before you begin

Before you begin, you'll need the Az, AzureAD and ExchangeOnlineManagement PowerShell modules. The AzureAD module (used in step 2) has since been deprecated in favour of the Microsoft Graph PowerShell SDK, but the cmdlets are shown here as the post used them.

Install Azure PowerShell module

# Install NuGet
Install-PackageProvider -Name NuGet -Force

# Install PowerShellGet
Install-Module -Name PowerShellGet -Force

# Set execution policy to remote signed for the current user only (no admin rights needed)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Install Azure module
Install-Module -Name Az -Repository PSGallery -Force

# Update Azure module
Update-Module -Name Az -Force

# Install the Azure AD module (step 2) and the Exchange Online module (step 7)
Install-Module -Name AzureAD -Repository PSGallery -Force
Install-Module -Name ExchangeOnlineManagement -Repository PSGallery -Force

# Sign into Azure
Connect-AzAccount

2. Create Azure AD App Registration

Create an Azure AD App Registration using the AzureAD PowerShell cmdlet New-AzureADApplication

# Connect to Azure AD
Connect-AzureAD

# Create new AAD App registration and keep the returned object
$app = New-AzureADApplication -DisplayName "Exchange Online Test App"

# Copy the AppId (the application (client) ID); you need it in step 7
$app.AppId

3. Assign API permissions to the App registration

Assign the Exchange.ManageAsApp application permission (from the Office 365 Exchange Online API, resourceAppId 00000002-0000-0ff1-ce00-000000000000) to the App registration by editing the app's manifest JSON, then grant admin consent.

In Azure AD - App registrations, select the Exchange Online Test App and open Manifest.

Find requiredResourceAccess in the JSON and add this object between the square brackets [ ], then Save the changes:

   {
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
      "resourceAccess": [
         {
            "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
            "type": "Role"
         }
      ]
   }

"type": "Role" means an application permission (app-only, no signed-in user); a delegated permission would be "Scope". The permission now appears under API permissions as Exchange.ManageAsApp, but shows as not granted until an admin consents.

Go to API permissions, click Grant admin consent for your tenant, and click Yes to confirm. Admin consent is tenant-wide: this permission lets the app authenticate to Exchange Online, but what it can actually do is bounded by the Exchange role assigned in step 6.

4. Generate self-signed Certificate using PowerShell

# Create certificate (default RSA 2048, valid for one year; the private key stays in the current user's store)
$mycert = New-SelfSignedCertificate -DnsName "exotest.yourdomain.com" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange

# Export certificate with private key to a password-protected .pfx file
# (only needed if another machine or a Runbook must use the certificate; guard this file like a password)
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$mycert | Export-PfxCertificate -FilePath C:\temp\exotest.yourdomain.com.pfx -Password $pfxPassword

# Export the public certificate to a .cer file (this is what gets uploaded to the App registration)
$mycert | Export-Certificate -FilePath C:\temp\exotest.yourdomain.com.cer

# Copy the certificate thumbprint; you need it in step 7
$mycert.Thumbprint

5. Upload Certificate to App Registration

Azure AD - App registrations - select Exchange Online Test App - Certificates & secrets - Certificates - Upload certificate

Browse for the certificate .cer file (the public certificate only; never upload the .pfx, which contains the private key), enter a description such as exotest.planetxpress.net and click Add

Copy the certificate thumbprint shown in the portal; it must match $mycert.Thumbprint from step 4

6. Assign Exchange Administrator role to the App

App-only authentication requires the app's service principal to hold a supported Azure AD role; the Exchange.ManageAsApp permission on its own is not enough.

Azure AD - Roles and administrators - search for exchange - select Exchange Administrator - Add assignments

Search for and select the Exchange Online Test App, then click Add

Exchange Administrator is a broad role. The app-only authentication article in the references lists the other roles that work (for example Exchange Recipient Administrator or Global Reader); pick the narrowest one that covers what the script has to do.
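Steps 2 to 6 can also be scripted end to end. The script below is an added example, not code from the original post, written with the same AzureAD module as step 2. It assumes Connect-AzureAD has already been run as a Global Administrator and that the .cer file from step 4 exists at C:\temp\exotest.yourdomain.com.cer (the post's example path). The resource and permission GUIDs are the ones from the manifest snippet in step 3; the Exchange Administrator role template ID is Microsoft's published constant. Two things the portal does implicitly are explicit here: creating the service principal, and granting admin consent, which for an application permission is an app role assignment on the Exchange Online service principal.

```powershell
# Added example: script steps 2-6 with the AzureAD module instead of the portal.
# Assumes Connect-AzureAD has been run as a Global Administrator and that the .cer
# from step 4 exists at $CerPath. Display name and path are the post's example values.

$DisplayName = "Exchange Online Test App"
$CerPath     = "C:\temp\exotest.yourdomain.com.cer"

# Well-known Microsoft identifiers (not tenant-specific)
$ExoResourceAppId   = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online API
$ExoManageAsAppRole = "dc50a0fb-09a3-484d-be87-e023b12c6440"  # Exchange.ManageAsApp application permission
$ExoAdminTemplateId = "29232cdf-9323-42fd-ade2-1d097af3e4de"  # Exchange Administrator directory role template

# Step 2: the application, plus the service principal that roles get assigned to
# (the portal creates the service principal for you; New-AzureADApplication does not)
$app = New-AzureADApplication -DisplayName $DisplayName
$sp  = New-AzureADServicePrincipal -AppId $app.AppId
Start-Sleep -Seconds 10   # give directory replication a moment before referencing the new objects

# Step 3a: requiredResourceAccess, the equivalent of the manifest edit
$required = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$required.ResourceAppId  = $ExoResourceAppId
$required.ResourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $ExoManageAsAppRole, "Role"
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $required

# Step 3b: admin consent for an application permission is an app role assignment
# from our service principal to the Exchange Online service principal
$exoSp = Get-AzureADServicePrincipal -Filter "appId eq '$ExoResourceAppId'"
New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
    -ResourceId $exoSp.ObjectId -Id $ExoManageAsAppRole | Out-Null

# Step 5: upload the public certificate only (.cer); the private key never leaves this machine
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier ([Convert]::ToBase64String($cer.GetCertHash())) `
    -Type AsymmetricX509Cert -Usage Verify `
    -Value ([Convert]::ToBase64String($cer.GetRawCertData())) `
    -StartDate $cer.NotBefore -EndDate $cer.NotAfter | Out-Null

# Step 6: Exchange Administrator. A directory role only appears in Get-AzureADDirectoryRole
# once it has been activated in the tenant, hence the Enable- fallback.
$role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $ExoAdminTemplateId }
if (-not $role) { $role = Enable-AzureADDirectoryRole -RoleTemplateId $ExoAdminTemplateId }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# The three values step 7 needs
[pscustomobject]@{
    AppId        = $app.AppId
    Organization = (Get-AzureADTenantDetail).VerifiedDomains | Where-Object Initial | Select-Object -ExpandProperty Name
    Thumbprint   = $cer.Thumbprint
}
```

To use a narrower role than Exchange Administrator, swap $ExoAdminTemplateId for that role's template ID; everything else stays the same. If the role assignment fails with a "not found" error right after creating the service principal, rerun the last block after a few seconds, since directory replication is not instantaneous.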

7. Connect to Exchange online using App registration from local computer

We can now connect to Exchange Online PowerShell using the Azure App registration and certificate from our local computer. The certificate is looked up by thumbprint in the current user's certificate store, so this runs on the machine where it was created (or wherever the .pfx has been imported).

# Connect to Exchange Online
$CertThumbPrint = "xxxxxxxxxxxxxxx0b46fa6558a850644dfc8aafc"
$AppID = "xxxxxxxx-xxxx-xxxx-8854-08fc098067fd"
$Org = "planetxpressnet.onmicrosoft.com"

Connect-ExchangeOnline -CertificateThumbPrint $CertThumbPrint -AppID $AppID -Organization $Org

# Check you are connected to Exchange Online by listing some mailboxes
$Mailboxes = Get-Mailbox -ResultSize 5
$Mailboxes | Format-Table

# Close the session when done
Disconnect-ExchangeOnline -Confirm:$false
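As an added example (not from the original post), here is the connection step wrapped in a function that checks the certificate before connecting, verifies that the cmdlets are bound to the app-only session rather than a cached user session, and always disconnects, even if the work in between throws. It reuses the $AppID, $Org and $CertThumbPrint variables from step 7 and assumes ExchangeOnlineManagement 3.x for Get-ConnectionInformation. The Runbook variant at the end assumes the .pfx from step 4 has been uploaded to Azure Automation as a certificate asset; the asset name "ExoTestCert" is an assumption.

```powershell
# Added example: run a script block in an app-only Exchange Online session and always
# disconnect afterwards. Needs ExchangeOnlineManagement 3.x for Get-ConnectionInformation.
function Invoke-ExoAppOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        # Local machine: certificate in Cert:\CurrentUser\My, found by thumbprint
        [string] $CertificateThumbprint,
        # Runbook: certificate object, e.g. from Get-AutomationCertificate
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    if ($CertificateThumbprint) {
        $Certificate = Get-Item "Cert:\CurrentUser\My\$CertificateThumbprint" -ErrorAction Stop
    }
    if (-not $Certificate) { throw "Supply -CertificateThumbprint or -Certificate." }
    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key; only the .cer was imported here."
    }

    # The post creates a one-year certificate; warn before it silently stops working
    $daysLeft = ($Certificate.NotAfter - (Get-Date)).Days
    if ($daysLeft -le 30) { Write-Warning "Certificate $($Certificate.Thumbprint) expires in $daysLeft days" }

    Connect-ExchangeOnline -AppId $AppId -Organization $Organization -Certificate $Certificate -ShowBanner:$false -ErrorAction Stop
    try {
        # Make sure the cmdlets are bound to this app-only session, not a cached user session
        $conn = Get-ConnectionInformation | Where-Object { $_.AppId -eq $AppId -and $_.State -eq 'Connected' }
        if (-not $conn) { throw "No connected app-only session for AppId $AppId" }
        & $ScriptBlock
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Local computer: values from steps 2, 4 and 7
Invoke-ExoAppOnly -AppId $AppID -Organization $Org -CertificateThumbprint $CertThumbPrint -ScriptBlock {
    Get-Mailbox -ResultSize 5 | Format-Table DisplayName, PrimarySmtpAddress, RecipientTypeDetails
}

# Azure Automation Runbook: the .pfx from step 4 is uploaded as a certificate asset
# ("ExoTestCert" is an assumed asset name), so no private key or password sits in the runbook code
# $cert = Get-AutomationCertificate -Name "ExoTestCert"
# Invoke-ExoAppOnly -AppId $AppID -Organization $Org -Certificate $cert -ScriptBlock { Get-Mailbox -ResultSize 5 }
```

Passing the certificate object rather than a thumbprint keeps the same function usable on a machine with the certificate in its store and in a Runbook, where there is no user certificate store to look the thumbprint up in. The HasPrivateKey check catches the common mistake of importing the .cer instead of the .pfx on a second machine, which otherwise surfaces as an opaque authentication failure.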


Don't want to manage certificates at all?

Use a PowerShell Runbook with a System Assigned Managed Identity instead: the identity's credential is handled by Azure, so there is no private key to export, rotate or protect.


References:

How to install Azure PowerShell
https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell

Install Azure Active Directory PowerShell for Graph
https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2

Azure AD PowerShell - New-AzureADApplication
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication

App-only authentication for unattended scripts in Exchange Online PowerShell
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2


Comments 1

Guest - Zaahir on Friday, 27 October 2023 15:00

Hello

Great step-by-step article.

One question: if I want to use a client secret that I have added for the app instead, do you know how I go about connecting to Exchange Online with it? I've managed to use the client secret for the Graph API connection but can't seem to do it for Exchange Online.

Regards
Z
