Commit 829f0b8

Merge branch 'master' into patch-1
2 parents 44fb777 + 17dc2f6 commit 829f0b8

573 files changed

+4604
-2908
lines changed

exchange/docs-conceptual/app-only-auth-powershell-v2.md

Lines changed: 21 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,6 @@ ms.collection: Strat_EX_Admin
1313
ms.custom:
1414
ms.assetid:
1515
search.appverid: MET150
16-
ROBOTS: NOINDEX, NOFOLLOW
1716
description: "Learn about using the Exchange Online V2 module in scripts and other long-running tasks with modern authentication and app-only authentication."
1817
---
1918
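
Review bot: The deletion of `ROBOTS: NOINDEX, NOFOLLOW` from the front matter (old line 16) makes this article eligible for search indexing, and the merge message gives no reason for it. Confirm that the app-only authentication procedure is ready to be public before this lands, and record the decision in the PR so the removal is deliberate rather than a side effect of the merge.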

@@ -41,7 +40,7 @@ The following examples show how to use the Exchange Online PowerShell V2 module
4140
```
4241

4342
When you use the _CertificateThumbPrint_ parameter, the certificate needs to be installed on the computer where you are running the command. The certificate should be installed in the user certificate store.
44-
43+
4544
- Connect using a certificate object:
4645

4746
```powershell
@@ -50,6 +49,9 @@ The following examples show how to use the Exchange Online PowerShell V2 module
5049

5150
When you use the _Certificate_ parameter, the certificate does not need to be installed on the computer where you are running the command. This parameter is applicable for scenarios where the certificate object is stored remotely and fetched at runtime during script execution.
5251

52+
> [!TIP]
53+
> In the **Connect-ExchangeOnline** commands, be sure to use an `.onmicrosoft.com` domain in the _Organization_ parameter value. Otherwise, you might encounter cryptic permission issues when you run commands in the app context.
54+
5355
## How does it work?
5456

5557
The EXO V2 module uses the Active Directory Authentication Library to fetch an app-only token using the application Id, tenant Id (organization), and certificate thumbprint. The application object provisioned inside Azure AD has a Directory Role assigned to it, which is returned in the access token. Exchange Online configures the session RBAC using the directory role information that's available in the token.
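
Review bot: "cryptic permission issues" in the added TIP gives the reader nothing to recognize or search for; name the symptom (the error text or the failing behaviour) if it is known. The tip also sits after the _Certificate_ example although it applies to every **Connect-ExchangeOnline** command, and the paragraph that follows describes the value as "tenant Id (organization)", which a reader could take to mean a tenant GUID. Suggest moving the tip above the examples and rewording the "How does it work?" paragraph so both agree on what _Organization_ should contain.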
@@ -73,7 +75,7 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
7375
- Create and configure a self-signed X.509 certificate, which will be used to authenticate your Application against Azure AD, while requesting the app-only access token.
7476

7577
- This is similar to generating a password for user accounts. The certificate can be self-signed as well. See the [Appendix](#step-3-generate-a-self-signed-certificate) section later in this topic for instructions for generating certificates in PowerShell.
76-
78+
7779
> [!NOTE]
7880
> Cryptography: Next Generation (CNG) certificates are not supported for app-only authentication with Exchange. CNG certificates are created by default in modern Windows versions. You must use a certificate from a CSP key provider. The [Appendix](#step-3-generate-a-self-signed-certificate) section covers two supported methods to create a CSP certificate.
7981
@@ -121,25 +123,27 @@ If you encounter problems, check the [required permssions](https://docs.microsof
121123

122124
You need to assign the API permission `Exchange.ManageAsApp` so the application can manage Exchange Online. API permissions are required because they have consent flow enabled, which allows auditing (directory roles don't have consent flow).
123125

124-
1. Select **API permissions**.
125-
126-
2. In the **Configured permissions** page that appears, click **Add permission**.
127-
128-
3. In the flyout that appears, select **Exchange**.
129-
130-
![Select Exchange API permssions](media/app-only-auth-exchange-api-perms.png)
131-
132-
4. In the flyout that appears, click **Application permissions**.
126+
1. Select **Manifest** in the left-hand navigation under **Manage**.
133127

134-
5. In the **Select permissions** section that appears on the page, expand **Exchange** and select **Exchange.ManageAsApp**
128+
2. Locate the `requiredResourceAccess` property in the manifest, and add the following inside the square brackets (`[]`):
135129

136-
![Select Exchange.ManageAsApp permssions](media/app-only-auth-exchange-manageasapp.png)
130+
```json
131+
{
132+
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
133+
"resourceAccess": [
134+
{
135+
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
136+
"type": "Role"
137+
}
138+
]
139+
}
140+
```
137141

138-
When you're finished, click **Add permissions**.
142+
3. Select **Save**.
139143

140-
6. Back on the **Configured permissions** page that appears, click **Grant admin consent for \<tenant name\>**, and select **Yes** in the dialog that appears.
144+
4. Select **API permissions** under **Manage**. Confirm that the **Exchange.ManageAsApp** permission is listed.
141145

142-
7. Close the flyout when you're finished.
146+
5. Select **Grant admin consent for org** and accept the consent dialog.
143147

144148
## Step 3: Generate a self-signed certificate
145149
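
Review bot: The JSON added in new step 2 has an admin paste two bare GUIDs, `00000002-0000-0ff1-ce00-000000000000` and `dc50a0fb-09a3-484d-be87-e023b12c6440`, into the app manifest and then grant admin consent in step 5, without saying what either value identifies. Add a sentence stating which is the Exchange resource and which is the **Exchange.ManageAsApp** role (step 4 only implies it), so the reader can check what is being granted before consenting. Step 2 should also say that a separating comma is needed when `requiredResourceAccess` already has entries, otherwise the saved manifest is not valid JSON. Step 5 now uses the literal "org" where the removed text had the `\<tenant name\>` placeholder. The hunk drops both screenshots, so check whether `media/app-only-auth-exchange-api-perms.png` and `media/app-only-auth-exchange-manageasapp.png` are still referenced anywhere.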

exchange/docs-conceptual/basic-auth-connect-to-eop-powershell.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -61,7 +61,7 @@ The following introductory video shows you how to connect to and use Exchange On
6161
**Note**: You must temporarily enable WinRM to run the following commands. You can enable it by running the command: `winrm quickconfig`.
6262

6363
To verify that Basic authentication is enabled for WinRM, run this command **in a Command Prompt** (not in Windows PowerShell):
64-
64+
6565
```dos
6666
winrm get winrm/config/client/auth
6767
```

exchange/docs-conceptual/basic-auth-connect-to-exo-powershell.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,7 @@ The following introductory video shows you how to connect to and use Exchange On
6464
**Note**: You must temporarily enable WinRM to run the following commands. You can enable it by running the command: `winrm quickconfig`.
6565

6666
To verify that Basic authentication is enabled for WinRM, run this command **in a Command Prompt** (not in Windows PowerShell):
67-
67+
6868
```dos
6969
winrm get winrm/config/client/auth
7070
```

exchange/docs-conceptual/basic-auth-connect-to-scc-powershell.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,15 +23,15 @@ Security & Compliance Center PowerShell allows you to manage your Security & Com
2323

2424
> [!NOTE]
2525
> The procedures in this topic won't work if:
26-
>
26+
>
2727
> - Your account uses multi-factor authentication (MFA).
28-
>
28+
>
2929
> - Your organization uses federated authentication.
30-
>
30+
>
3131
> - A location condition in an Azure Active Directory conditional access policy restricts your access to trusted IPs.
32-
>
32+
>
3333
> In these scenarios, you need to download and use the Exchange Online PowerShell V2 module (EXO V2 module) to connect to Security & Compliance Center PowerShell. For instructions, see [Connect to Security & Compliance Center PowerShell using the EXO V2 module](connect-to-scc-powershell.md).
34-
>
34+
>
3535
> Some features in the Security & Compliance Center (for example, mailbox archiving) link to existing functionality in Exchange Online. To use PowerShell with these features, you need to connect to Exchange Online PowerShell instead of Security & Compliance Center PowerShell. For instructions, see [Connect to Exchange Online PowerShell](connect-to-exchange-online-powershell.md).
3636
3737
## What do you need to know before you begin?
