Introduction
In this Quick PowerShell Post of the Week, we will walk through the process for connecting to the Security and Compliance Center PowerShell module with Certificate Based Authentication (CBA). CBA for PowerShell is now a primary concern for administrators for two reasons: it is the more secure way to execute code remotely against a tenant (no stored password, no interactive credential prompt, and an app identity that can be scoped and revoked), and it gets you ahead of Microsoft's removal of Basic Authentication from tenants. While only Exchange Online PowerShell is affected by that removal, putting CBA in place for all supported workloads should be a priority for administrators.
Where to Start
In order to do so, first make sure that your Exchange Online PowerShell module is at version 3.0 or higher. Below we quickly verify our version, which in this case is 3.0.0, the most current as of this blog post.
Import-Module ExchangeOnlineManagement
Get-Module ExchangeOnlineManagement
Once we verify that our module is the correct version, we can check the Connect-IPPSSession cmdlet help to see if a valid example exists for us to build off of. There is indeed an example in the PowerShell help for the cmdlet:
Get-Help Connect-IPPSSession -Examples
Preparation Steps
From the above example we can see we need a certificate, an application and finally our tenant ID. First, we can create the Azure App Registration.
Browse to the Azure AD Portal [ aad.portal.azure.com ] and select App Registrations, then click on New Registration:
In the Application Registration page, make sure to provide (1) a name, (2) supported account types and finally (3) add a Web Redirect URI:
Then we need to modify the Manifest for the registered app, as this is what exposes the permission we need to grant next:
For reference, the entry goes into the requiredResourceAccess section of the manifest. The resourceAppId is the Office 365 Exchange Online API and the id is its Exchange.ManageAsApp application permission; the values are:
"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                "type": "Role"
            }
        ]
    }
]
Next, we confirm the permission on the Registered App under API permissions. The permission needed is Exchange.ManageAsApp from the Office 365 Exchange Online API (it is an application permission, not a Microsoft Graph permission), and it is good for both the Exchange Online and the Security and Compliance Center PowerShell modules.
On the app, we can add these permissions:
After adding the permission, notice that we still need to grant consent, because an application permission has no signed-in user to consent for it. Clicking on Grant admin consent brings up this dialog box:
This will then change the permissions status to Granted for this application.
Remember to pull your Tenant ID (from the Azure AD Overview blade) and the Application (client) ID (from the app's Overview blade) as well. The app also needs an Azure AD directory role assigned to it before Connect-IPPSSession will succeed; the API permission alone is not enough. For Security and Compliance Center work, Compliance Administrator is the natural least-privilege choice, and the app should get the lowest role that covers the tasks the script actually performs.
Generating a Certificate for Authentication
$NewCertificate = New-SelfSignedCertificate -DnsName "PowerShellGeek.com" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
$NewCertificate | Export-PfxCertificate -FilePath ExOConnection.pfx -Password (Get-Credential).password
$NewCertificate | Export-Certificate -FilePath c:\ExOConnection.cer
The .pfx holds the private key and is the credential for this app: protect it (and the password) like any other secret, and keep it only on the machine that will run the script. The .cer holds only the public certificate and is the file that goes to Azure AD.
Check in the Certificates MMC for the certificate Thumbprint (it is also exposed as the Thumbprint property of the certificate object returned above):
Import the .cer (public certificate only, never the .pfx) into the Azure App Registration under Certificates & secrets:
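As an added example (not code from the original post), the same certificate generation with the thumbprint captured programmatically and a couple of sanity checks before anything is uploaded: the .cer must not carry a private key, and its thumbprint must match what is in the store. The output folder, the DNS name and the key length are assumptions.

```powershell
# Added example: generate the CBA certificate, capture its thumbprint without
# opening the MMC, and export the two files the procedure needs.
# Paths, DNS name and key length are assumptions, not values from the post.
$CertName = "PowerShellGeek.com"                 # subject only; the thumbprint is what matters
$OutDir   = "C:\Temp"
$CerPath  = Join-Path $OutDir "ExOConnection.cer" # public cert -> uploaded to the App Registration
$PfxPath  = Join-Path $OutDir "ExOConnection.pfx" # private key -> stays on the script host

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$NewCertificate = New-SelfSignedCertificate -DnsName $CertName `
    -CertStoreLocation "cert:\CurrentUser\My" `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# Thumbprint straight from the object; this is the value Connect-IPPSSession needs.
$NewCertificate.Thumbprint

# Public half only: safe to upload to Azure AD.
$NewCertificate | Export-Certificate -FilePath $CerPath | Out-Null

# Private half: prompt for the password instead of hard-coding it in the script.
$PfxPassword = Read-Host -AsSecureString -Prompt "Password to protect the PFX"
$NewCertificate | Export-PfxCertificate -FilePath $PfxPath -Password $PfxPassword | Out-Null

# Sanity checks before the .cer leaves this machine.
$Public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
if ($Public.HasPrivateKey) {
    throw "The .cer unexpectedly contains a private key; do not upload it."
}
if ($Public.Thumbprint -ne $NewCertificate.Thumbprint) {
    throw "Exported .cer does not match the certificate in Cert:\CurrentUser\My."
}

Write-Host "Upload $CerPath to the App Registration (Certificates & secrets)."
Write-Host "Thumbprint: $($Public.Thumbprint)"
Write-Host "Expires:    $($NewCertificate.NotAfter); plan the rotation before then."
```

The expiry line is the part most scripts forget: a one-year self-signed certificate means a yearly rotation of both the store entry and the uploaded public certificate, and the connection will simply start failing the day after NotAfter.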
Connecting to the Security and Compliance Center (All Together Now)
Now that we have an app, a certificate and all the other IDs, we can connect to the Security and Compliance Center with PowerShell using CBA:
Connect-IPPSSession -CertificateThumbPrint EA838DEB88BFDD64D8E779D7131064DFEAEF794 -AppID 279fcdda-c0b9-4f99-b2d7-c99dd2376d3c -Organization powershellgeek.onmicrosoft.com
Which results in a successful connection:
And off we go to work in the Security and Compliance Center connection, secured by Certificate Based Authentication.
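Pulling the whole post together, here is an added example (not code from the original post) of the connection as an unattended script would perform it, with the checks that turn a silent failure into a clear error: module version 3.0 or later, the certificate present in the store with its private key and not expired, the session confirmed as certificate-based, and a disconnect in every case. The AppId, thumbprint and organization are placeholders rather than the post's values, and Get-ComplianceSearch stands in for whatever read-only work the script does.

```powershell
# Added example: end-to-end CBA connection to Security & Compliance PowerShell.
# AppId, thumbprint and organization below are placeholders (assumptions).
$AppId        = "00000000-0000-0000-0000-000000000000"
$Thumbprint   = "0000000000000000000000000000000000000000"   # SHA-1 thumbprint, 40 hex characters
$Organization = "contoso.onmicrosoft.com"

# 1. Module present and at 3.0 or later (required for CBA against the SCC).
$Module = Get-Module ExchangeOnlineManagement -ListAvailable |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $Module -or $Module.Version -lt [Version]"3.0.0") {
    throw "ExchangeOnlineManagement 3.0 or later is required; found '$($Module.Version)'."
}
Import-Module ExchangeOnlineManagement -MinimumVersion 3.0.0

# 2. The certificate must be in the user's store, carry its private key, and be valid.
$Cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $Cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My."
}
if (-not $Cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; CBA cannot sign the client assertion."
}
if ($Cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($Cert.NotAfter)."
}
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($Cert.NotAfter); rotate it and update the App Registration."
}

# 3. Connect, verify how we are authenticated, do the work, always disconnect.
try {
    Connect-IPPSSession -CertificateThumbPrint $Thumbprint -AppId $AppId -Organization $Organization

    $Conn = Get-ConnectionInformation | Where-Object State -eq 'Connected'
    if (-not $Conn) {
        throw "Connect-IPPSSession returned but no connected session was found."
    }
    if (-not $Conn.CertificateAuthentication) {
        throw "Session is not using certificate authentication; check the AppId and thumbprint."
    }
    Write-Host "Connected to $($Conn.Organization) as application $($Conn.AppId) via CBA."

    # Read-only work goes here; Get-ComplianceSearch is just an illustration.
    Get-ComplianceSearch | Select-Object Name, Status
}
catch {
    # A failure here with no connected session usually means a missing prerequisite:
    # admin consent not granted, no Azure AD role assigned to the app, or a
    # certificate that was never uploaded to the App Registration.
    Write-Error "Security & Compliance CBA connection failed: $($_.Exception.Message)"
    throw
}
finally {
    # Disconnect-ExchangeOnline tears down Security & Compliance sessions as well.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

Keeping the checks ahead of Connect-IPPSSession means a scheduled run fails fast on the host with a message naming the missing piece, instead of surfacing an authentication error from the service that has to be decoded from the tenant side.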
————————————————————————————————–
See previous Quick PowerShell Posts of the Week [ HERE ]
————————————————————————————————–
Comments? Questions?
Feel free to leave your Comments below! Learn to more efficiently utilize PowerShell to manage Exchange Server, Exchange Online, Microsoft Defender for Office or Microsoft Purview Compliance portals by picking up frequently updated eBooks: