
Connect to Exchange Online using App Registration and Certificate

How to Connect to Exchange Online PowerShell using an App registration and self-signed Certificate

Trying to connect to Exchange Online PowerShell from an Azure Automation Runbook using an App registration and a certificate? The steps below set up app-only (certificate-based) authentication and test it from a local computer first; the same App ID, certificate and organization name then work unattended from a Runbook.

1. Before you begin

Before you begin, you'll need to install the Az, AzureAD and ExchangeOnlineManagement PowerShell modules. Note that the AzureAD module used in step 2 has been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; its cmdlets still work as shown here, but new automation should target Microsoft Graph.

Install Azure PowerShell modules

# Install NuGet
Install-PackageProvider -Name NuGet -Force

# Install PowerShellGet
Install-Module -Name PowerShellGet -Force

# Set execution policy to remote signed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

# Install Azure module
Install-Module -Name Az -Repository PSGallery -Force

# Install Azure AD module (needed for New-AzureADApplication in step 2)
Install-Module -Name AzureAD -Repository PSGallery -Force

# Install Exchange Online module (needed for Connect-ExchangeOnline in step 7)
Install-Module -Name ExchangeOnlineManagement -Repository PSGallery -Force

# Sign into Azure
Connect-AzAccount

# Update Azure module
Update-Module -Name Az -Force

2. Create Azure AD App Registration

Create an Azure AD App Registration with the AzureAD PowerShell cmdlet New-AzureADApplication

# Connect to Azure AD
Connect-AzureAD

# Create new AAD App registration
$app = New-AzureADApplication -DisplayName "Exchange Online Test App"

# Show the AppId (client ID) and ObjectId, both needed in later steps
$app | Select-Object DisplayName, AppId, ObjectId

Copy the AppId. Note that New-AzureADApplication creates only the application object, not the matching service principal (Enterprise application) that the portal creates for you automatically. If the app does not show up when you assign a role in step 6, create the service principal with New-AzureADServicePrincipal -AppId $app.AppId.

3. Assign API permissions to the App registration

Grant the app the Exchange.ManageAsApp application permission by editing the app's manifest JSON, then grant admin consent. Exchange.ManageAsApp on its own does not make the app an Exchange administrator: it only allows app-only sign-in to Exchange Online, and what the app can then do is decided by the Azure AD role assigned in step 6.

Azure AD - App registrations - select the Exchange Online Test App

Open Manifest

Find requiredResourceAccess in the JSON and add this object between the square brackets [ ]. 00000002-0000-0ff1-ce00-000000000000 is the Office 365 Exchange Online resource and dc50a0fb-09a3-484d-be87-e023b12c6440 is the Exchange.ManageAsApp application role.

{
  "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
  "resourceAccess": [
    {
      "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
      "type": "Role"
    }
  ]
}

Then Save the changes

API permissions - Grant admin consent for your tenant

Click Yes. Afterwards Exchange.ManageAsApp should show a status of Granted under API permissions.

4. Generate self-signed Certificate using PowerShell

# Create certificate (the private key is generated in and stays in the current user's certificate store)
$mycert = New-SelfSignedCertificate -DnsName "exotest.yourdomain.com" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange

# Export certificate with private key to a password-protected .pfx file
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$mycert | Export-PfxCertificate -FilePath C:\temp\exotest.yourdomain.com.pfx -Password $pfxPassword

# Export the public certificate to a .cer file (this is what gets uploaded to the App registration)
$mycert | Export-Certificate -FilePath C:\temp\exotest.yourdomain.com.cer

# Show the certificate thumbprint
$mycert.Thumbprint

Enter the .pfx password when prompted, then copy the certificate thumbprint printed by the last command.

Treat the .pfx file and its password as the app's credential: anyone holding them can sign in as the app with whatever role it is given in step 6. Keep the file out of source control, store it in Azure Key Vault or as an Azure Automation certificate asset rather than on disk, and plan to rotate it before the one-year expiry set above.

5. Upload Certificate to App Registration

Azure AD - App registrations

Select Exchange Online Test App

Certificates and secrets - Certificates - Upload certificate

Browse for the certificate .cer file (the public certificate only, never the .pfx), enter a description such as exotest.planetxpress.net and click Add

Copy the certificate thumbprint and check that it matches the thumbprint from step 4

6. Assign Exchange Administrator role to the App

Azure AD - Roles and administrators

Search for exchange

Select Exchange Administrator

Add assignments

Search for and select the Exchange Online Test App (if it is not listed, the app has no service principal yet; see step 2)
Click Add

This role, not the Exchange.ManageAsApp permission, decides what the app can do, and the app will hold it unattended with a file-based credential. Assign the least powerful role that covers the script's work (for example Global Reader for a read-only reporting script) rather than defaulting to Exchange Administrator.

7. Connect to Exchange online using App registration from local computer

We can now connect to Exchange Online PowerShell from our local computer with the App ID, the organization (tenant) name and the thumbprint of the certificate created in step 4. Connect-ExchangeOnline looks the certificate up by thumbprint in the certificate store of the user running the script, so this works only on the machine where the certificate was created unless you import the .pfx there first (or pass the .pfx directly with -CertificateFilePath and -CertificatePassword).

# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
$CertThumbPrint = "xxxxxxxxxxxxxxx0b46fa6558a850644dfc8aafc"
$AppID = "xxxxxxxx-xxxx-xxxx-8854-08fc098067fd"
$Org = "planetxpressnet.onmicrosoft.com"

Connect-ExchangeOnline -CertificateThumbPrint $CertThumbPrint -AppID $AppID -Organization $Org

# Get Mailboxes
$Mailboxes = Get-Mailbox -ResultSize 5
Write-Output $Mailboxes | Format-Table

# Close the session when done
Disconnect-ExchangeOnline -Confirm:$false

Check you are connected to Exchange Online by listing some mailboxes. If the connection fails with an authorization error, check that admin consent was granted in step 3 and give the role assignment from step 6 a few minutes to propagate.
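The whole procedure of steps 2 to 7 can also be done without the portal, which makes the setup repeatable and reviewable. The following script is an added example, not code from the original post: it uses the same AzureAD and ExchangeOnlineManagement cmdlets and the same Exchange Online resource and permission IDs as above. The app name, certificate DNS name, tenant domain and role name are placeholders you replace with your own values.

```powershell
# Added example: steps 2-7 of the post done entirely in PowerShell.
# Assumptions (replace with your own): app display name, certificate DNS name,
# tenant initial domain and the directory role to assign.
Import-Module AzureAD
Import-Module ExchangeOnlineManagement

$AppName  = "Exchange Online Test App"      # assumption: any display name
$CertDns  = "exotest.yourdomain.com"        # assumption: any DNS name for the self-signed cert
$Org      = "contoso.onmicrosoft.com"       # assumption: your tenant's initial domain
$RoleName = "Exchange Administrator"        # least privilege: pick the weakest role that fits

Connect-AzureAD | Out-Null

# 1. Self-signed certificate; the private key stays in cert:\CurrentUser\My
$cert = New-SelfSignedCertificate -DnsName $CertDns -CertStoreLocation "cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange

# 2. requiredResourceAccess entry for Office 365 Exchange Online / Exchange.ManageAsApp
#    (same IDs as the manifest edit in step 3 of the post)
$exoResourceAppId  = "00000002-0000-0ff1-ce00-000000000000"
$manageAsAppRoleId = "dc50a0fb-09a3-484d-be87-e023b12c6440"
$resourceAccess = New-Object -TypeName Microsoft.Open.AzureAD.Model.ResourceAccess `
    -ArgumentList $manageAsAppRoleId, "Role"
$required = New-Object -TypeName Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$required.ResourceAppId  = $exoResourceAppId
$required.ResourceAccess = $resourceAccess

# 3. App registration with the permission already requested
$app = New-AzureADApplication -DisplayName $AppName -RequiredResourceAccess $required

# 4. Upload the public certificate as a key credential (step 5 of the post)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$keyId    = [System.Convert]::ToBase64String($cert.GetCertHash())
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -CustomKeyIdentifier $keyId `
    -Type AsymmetricX509Cert -Usage Verify -Value $keyValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null

# 5. Roles are assigned to the service principal (Enterprise application);
#    New-AzureADApplication does not create it, so create it explicitly.
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# 6. Directory role assignment (step 6 of the post). A role is only listed by
#    Get-AzureADDirectoryRole once it has been activated from its template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# 7. Admin consent has no AzureAD cmdlet: grant it in the portal
#    (API permissions > Grant admin consent) or with the Azure CLI:
#    az ad app permission admin-consent --id <AppId>
Write-Output "App $($app.AppId) created with certificate thumbprint $($cert.Thumbprint)."
Write-Output "Grant admin consent for Exchange.ManageAsApp, then run Test-ExoAppConnection."

# Connection test: run once consent is granted and the role assignment has propagated.
function Test-ExoAppConnection {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $Organization
    )
    Connect-ExchangeOnline -CertificateThumbPrint $Thumbprint -AppId $AppId `
        -Organization $Organization -ShowBanner:$false
    try {
        Get-Mailbox -ResultSize 5 | Format-Table DisplayName, PrimarySmtpAddress
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
# Test-ExoAppConnection -Thumbprint $cert.Thumbprint -AppId $app.AppId -Organization $Org
```

In an Azure Automation Runbook the certificate store of the local user is not available; import the .pfx as a certificate asset in the Automation account and pass the object returned by Get-AutomationCertificate to the -Certificate parameter of Connect-ExchangeOnline instead of -CertificateThumbPrint.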

Don't want to manage certificate expiry and private-key storage at all?

Use a PowerShell Runbook with a System Assigned Managed Identity instead: the identity's credential never leaves Azure and cannot be exported or leaked as a file.


Saturday, 23 September 2023