How to Connect to Exchange Online PowerShell using an App registration and self-signed Certificate
Trying to connect to Exchange Online PowerShell using an App registration and Certificate from an Azure Runbook?
by Author
Before you begin, you'll need to install the Azure and Azure AD PowerShell modules (the Exchange Online Management module is also needed for the Connect-ExchangeOnline step later on).

```powershell
# Install NuGet
Install-PackageProvider -Name NuGet -Force
# Install PowerShellGet
Install-Module -Name PowerShellGet -Force
# Set execution policy to remote signed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
# Install Azure module
Install-Module -Name Az -Repository PSGallery -Force
# Install Azure AD module (provides New-AzureADApplication, used below)
Install-Module -Name AzureAD -Force
# Install the Exchange Online Management module (provides Connect-ExchangeOnline)
Install-Module -Name ExchangeOnlineManagement -Force
# Sign into Azure
Connect-AzAccount
# Update Azure module
Update-Module -Name Az -Force
```
Create an Azure AD App Registration using PowerShell New-AzureADApplication
```powershell
# Connect to Azure AD
Connect-AzureAD
# Create new AAD App registration and keep the returned object
$app = New-AzureADApplication -DisplayName "Exchange Online Test App"
# Show the AppId (client ID); it is needed for Connect-ExchangeOnline later
$app.AppId
```
Copy the AppId
Assign Exchange Manage as App permissions to the App registration by modifying the Apps Manifest JSON and granting admin consent
Azure AD - App registrations - select the Exchange Online Test App
Open Manifest
Find requiredResourceAccess in the JSON code and add these lines between the square brackets [ ], then save the changes:

```json
{
  "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
  "resourceAccess": [
    {
      "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
      "type": "Role"
    }
  ]
}
```
Then open API permissions, click Grant admin consent and click Yes to confirm.
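The manifest edit above can also be scripted. The following is an added example, not code from the original post: it grants the same Exchange.ManageAsApp application role with the Azure AD PowerShell module, keeps any permissions the app already has, and reads back the result so you can check that exactly one application role was added. It assumes Connect-AzureAD has already been run and that the app is still called "Exchange Online Test App"; admin consent still has to be granted in the portal as described above.

```powershell
# Added example (not from the original post): grant Exchange.ManageAsApp to the
# app registration with Azure AD PowerShell instead of hand-editing the manifest.
# Assumes you are already connected with Connect-AzureAD.
$app = Get-AzureADApplication -Filter "DisplayName eq 'Exchange Online Test App'"
if (-not $app) { throw "App registration not found" }

# Office 365 Exchange Online resource and the Exchange.ManageAsApp app role,
# the same IDs the manifest snippet above uses
$exoResourceAppId  = "00000002-0000-0ff1-ce00-000000000000"
$manageAsAppRoleId = "dc50a0fb-09a3-484d-be87-e023b12c6440"

# "Role" = application permission (app-only), as opposed to "Scope" (delegated)
$access = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" `
    -ArgumentList $manageAsAppRoleId, "Role"
$required = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$required.ResourceAppId  = $exoResourceAppId
$required.ResourceAccess = $access

# Preserve permissions already on the app for other resources rather than overwriting them
$existing = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $exoResourceAppId })
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess ($existing + $required)

# Verify: only the single application role should be present for the Exchange Online resource
$exoAccess = (Get-AzureADApplication -ObjectId $app.ObjectId).RequiredResourceAccess |
    Where-Object { $_.ResourceAppId -eq $exoResourceAppId } |
    Select-Object -ExpandProperty ResourceAccess
if (@($exoAccess).Count -ne 1 -or $exoAccess.Id -ne $manageAsAppRoleId -or $exoAccess.Type -ne "Role") {
    throw "Unexpected Exchange Online permissions on app $($app.AppId)"
}
"Exchange.ManageAsApp requested on app $($app.AppId); grant admin consent in the portal next"
```

Keeping the permission set to this one role is the point: the app gets no delegated scopes and nothing for other resources, so a leaked certificate is limited to what Exchange.ManageAsApp plus the directory role you assign later allow.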
```powershell
# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "exotest.yourdomain.com" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
# Export certificate to .pfx file (includes the private key, protected by the password you enter)
$mycert | Export-PfxCertificate -FilePath C:\temp\exotest.yourdomain.com.pfx -Password (Get-Credential).password
# Export certificate to .cer file (public key only; this is what gets uploaded to Azure AD)
$mycert | Export-Certificate -FilePath C:\temp\exotest.yourdomain.com.cer
```
Enter the certificate password when prompted
Run Write-Host $mycert and copy the certificate thumbprint from the output ($mycert.Thumbprint shows just the thumbprint).
Azure AD - App registrations
Select Exchange Online Test App
Certificates and secrets - Certificates - Upload certificate
Browse for the certificate .cer file, enter a description exotest.planetxpress.net and click Add
Copy the certificate thumbprint
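The portal upload can be done from PowerShell as well. This is an added example, not part of the original post: it loads the exported .cer file, refuses to continue if the file somehow contains a private key, registers the certificate on the app with New-AzureADApplicationKeyCredential, and then confirms that the identifier Azure AD stores matches the local thumbprint. It assumes Connect-AzureAD has been run, that the .cer path and app name are those used in the steps above, and that the Azure AD module represents the stored key identifier as the raw SHA-1 certificate hash.

```powershell
# Added example (not from the original post): attach the public certificate to the
# app registration with Azure AD PowerShell and verify the thumbprint Azure AD stores.
# Assumes Connect-AzureAD has been run and the paths/names match the steps above.
$cerPath = "C:\temp\exotest.yourdomain.com.cer"
$app     = Get-AzureADApplication -Filter "DisplayName eq 'Exchange Online Test App'"
if (-not $app) { throw "App registration not found" }

# Load only the public certificate; the private key stays in the local store / .pfx
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($cert.HasPrivateKey) { throw "Refusing to upload a file that contains a private key" }

# Azure AD key credential: the value is the DER certificate, the identifier is its hash
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier ([System.Convert]::ToBase64String($cert.GetCertHash())) `
    -Type AsymmetricX509Cert -Usage Verify `
    -Value ([System.Convert]::ToBase64String($cert.GetRawCertData())) `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# Verify: the stored identifier (assumed to be the raw SHA-1 hash) must equal the thumbprint
$uploaded = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
$thumbs   = $uploaded | ForEach-Object {
    ([System.BitConverter]::ToString([byte[]]$_.CustomKeyIdentifier)) -replace '-', ''
}
if ($thumbs -notcontains $cert.Thumbprint) {
    throw "Uploaded certificate thumbprint does not match local thumbprint $($cert.Thumbprint)"
}
"Certificate $($cert.Thumbprint) registered on app $($app.AppId), valid until $($cert.NotAfter)"
```

Checking the thumbprint after upload is worth the extra lines: if an older or wrong certificate is registered, Connect-ExchangeOnline fails with a generic authentication error that gives no hint about which side is out of step.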
Azure AD - Roles and administrators
Search for exchange
Select Exchange Administrator
Add assignments
Search for and select the Exchange Online Test App
Click Add
We can now connect to Exchange Online PowerShell using the Azure App registration and certificate from our local computer
```powershell
# Connect to Exchange Online (thumbprint and AppId are masked here; use your own values)
$CertThumbPrint = "xxxxxxxxxxxxxxx0b46fa6558a850644dfc8aafc"
$AppID = "xxxxxxxx-xxxx-xxxx-8854-08fc098067fd"
$Org = "planetxpressnet.onmicrosoft.com"
Connect-ExchangeOnline -CertificateThumbPrint $CertThumbPrint -AppID $AppID -Organization $Org
# Get Mailboxes
$Mailboxes = Get-Mailbox -ResultSize 5
Write-Output $Mailboxes | Format-Table
```
Check you are connected to Exchange online by listing some mailboxes
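The subtitle asks about doing this from an Azure Runbook, where there is no local certificate store to look a thumbprint up in. The following is an added example, not code from the original post: it is the same app-only connection written as an Azure Automation PowerShell runbook that reads the certificate and settings from Automation assets, checks the certificate is valid and carries a private key before trying to authenticate, confirms the session is really an app-only one, and always disconnects. It assumes the .pfx exported above was uploaded as an Automation certificate asset named "ExoAppCert", that "ExoAppId" and "ExoOrganization" exist as Automation variables, that the ExchangeOnlineManagement module (v3 or later, for Get-ConnectionInformation) is imported into the Automation account, and that Get-ConnectionInformation exposes AppId, State, Organization and TokenExpiryTimeUTC properties.

```powershell
# Added example (not from the original post): app-only Exchange Online connection as an
# Azure Automation PowerShell runbook. Asset names below are assumptions for this example.
$cert  = Get-AutomationCertificate -Name "ExoAppCert"      # X509Certificate2 incl. private key (from the .pfx)
$appId = Get-AutomationVariable   -Name "ExoAppId"         # AppId of the app registration
$org   = Get-AutomationVariable   -Name "ExoOrganization"  # e.g. yourtenant.onmicrosoft.com

# Fail early with a clear message instead of an opaque authentication error later
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))"
}
if (-not $cert.HasPrivateKey) {
    throw "Automation certificate asset has no private key; upload the .pfx, not the .cer"
}

try {
    # -Certificate takes the X509Certificate2 object directly, so no cert store lookup is needed
    Connect-ExchangeOnline -Certificate $cert -AppId $appId -Organization $org -ShowBanner:$false

    # Confirm an app-only session for this AppId is connected before doing any work
    # (property names assumed from the v3 module's Get-ConnectionInformation output)
    $conn = Get-ConnectionInformation | Where-Object { $_.AppId -eq $appId -and $_.State -eq 'Connected' }
    if (-not $conn) { throw "No connected app-only session for app $appId" }
    Write-Output "Connected to $($conn.Organization) as app $($conn.AppId); token expires $($conn.TokenExpiryTimeUTC) UTC"

    # The actual work: the same mailbox listing as the interactive example above
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails
}
finally {
    # Always tear the session down so a failed run does not leave a live session behind
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Keeping the certificate, AppId and tenant name in Automation assets rather than in the runbook body means the script can be stored in source control without carrying anything an attacker could reuse, and rotating the certificate only requires replacing the asset.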
Don't want to worry about managing SSL certificates?
Use a PowerShell Runbook with a System Assigned Managed Identity instead.
References:
How to install Azure PowerShell
https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell
Install Azure Active Directory PowerShell for Graph
https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2
Azure AD PowerShell - New-AzureADApplication
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication
App-only authentication for unattended scripts in Exchange Online PowerShell
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2
Comments (1)
Hello
Great step by step article.
One question, if I want to use a client secret that I have added for the app instead, do you know how I go about connecting to Exchange Online with it? I've managed to use the client secret for the Graph API connection but can't seem to do it for Exchange Online.
Regards
Z