How It Started?
After the basic authentication deprecation announcement, Microsoft introduced the EXO V2 module to connect Exchange Online PowerShell with modern authentication. Even though the EXO V2 module uses modern auth, it still needs WinRM basic auth to transport modern auth tokens. If the basic auth is disabled in the local machine, the admin will get the following error.
New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the following error message : The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration.
Now You Can Use EXO V2 Module More Secure:
Recently, Microsoft introduced EXO V2 Module Preview, which allows admins to connect Exchange Online without enabling WinRM basic authentication.
How it works: When you use the preview module, Connect-ExchangeOnline invokes REST API in the background, which doesn’t require WinRM basic auth.
Let’s see how to install EXO V2 Preview Module and disable WinRM basic authentication.
Install EXO V2 Preview Module:
To install the EXO V2 Preview module, run the following cmdlet,
1 |
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.6-Preview3 -AllowPrerelease |
To check whether the module has been installed successfully, you can use the Get-Module cmdlet.
For e.g.,
1 |
Get-Module -Name ExchangeOnlineManagement –ListAvailable |
Disable WinRM Basic Authentication:
To check whether the basic authentication is enabled, run the below command in the command prompt.
1 |
winrm get winrm/config/client/auth |
If Basic= true set, you need to run the following command to disable WinRM basic auth.
1 |
winrm set winrm/config/client/auth @{Basic="false"} |
After executing above command, the output looks similar to below screenshot.
Note: Only 229 EXO cmdlets have been converted to use REST API in this version. If you disable WinRM basic authentication, you can access only 229 EXO cmdlets; other RPS cmdlets will not work without WinRM basic authentication.
To use all the cmdlets via a Remote PowerShell connection, you need to pass the UseRPSSession parameter while running Connect-ExchangeOnline.
1 |
Connect-ExchangeOnline –UseRPSSession |
Overall, this is a good start, but most admins feel disappointed as all the Exo cmdlets are not converted to use Rest API. How do you feel about this update? Share your thoughts through the comment section.