exchange/docs-conceptual/app-only-auth-powershell-v2.md
Lines changed: 21 additions & 17 deletions
@@ -13,7 +13,6 @@ ms.collection: Strat_EX_Admin
13
13
ms.custom:
14
14
ms.assetid:
15
15
search.appverid: MET150
16
-
ROBOTS: NOINDEX, NOFOLLOW
17
16
description: "Learn about using the Exchange Online V2 module in scripts and other long-running tasks with modern authentication and app-only authentication."
18
17
---
19
18
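Review bot: Removing `ROBOTS: NOINDEX, NOFOLLOW` from the front matter makes this article crawlable by search engines, and nothing else in the hunk explains why. Confirm that publishing the page for indexing is intended in this commit, or move the metadata change to its own commit with a message that says so.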
@@ -41,7 +40,7 @@ The following examples show how to use the Exchange Online PowerShell V2 module
41
40
```
42
41
43
42
When you use the _CertificateThumbPrint_ parameter, the certificate needs to be installed on the computer where you are running the command. The certificate should be installed in the user certificate store.
44
-
43
+
45
44
- Connect using a certificate object:
46
45
47
46
```powershell
@@ -50,6 +49,9 @@ The following examples show how to use the Exchange Online PowerShell V2 module
50
49
51
50
When you use the _Certificate_ parameter, the certificate does not need to be installed on the computer where you are running the command. This parameter is applicable for scenarios where the certificate object is stored remotely and fetched at runtime during script execution.
52
51
52
+
> [!TIP]
53
+
> In the **Connect-ExchangeOnline** commands, be sure to use an `.onmicrosoft.com` domain in the _Organization_ parameter value. Otherwise, you might encounter cryptic permission issues when you run commands in the app context.
54
+
53
55
## How does it work?
54
56
55
57
The EXO V2 module uses the Active Directory Authentication Library to fetch an app-only token using the application Id, tenant Id (organization), and certificate thumbprint. The application object provisioned inside Azure AD has a Directory Role assigned to it, which is returned in the access token. Exchange Online configures the session RBAC using the directory role information that's available in the token.
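Review bot: The added tip's "cryptic permission issues" gives readers nothing to match against; name the error or symptom that appears when the _Organization_ value is not an `.onmicrosoft.com` domain. The tip applies to every **Connect-ExchangeOnline** example, not only the _Certificate_ form it follows, so consider moving it ahead of the examples, and because a wrong value breaks permissions in the app context, `[!IMPORTANT]` may fit better than `[!TIP]`.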
@@ -73,7 +75,7 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
73
75
- Create and configure a self-signed X.509 certificate, which will be used to authenticate your Application against Azure AD, while requesting the app-only access token.
74
76
75
77
- This is similar to generating a password for user accounts. The certificate can be self-signed as well. See the [Appendix](#step-3-generate-a-self-signed-certificate) section later in this topic for instructions for generating certificates in PowerShell.
76
-
78
+
77
79
> [!NOTE]
78
80
> Cryptography: Next Generation (CNG) certificates are not supported for app-only authentication with Exchange. CNG certificates are created by default in modern Windows versions. You must use a certificate from a CSP key provider. The [Appendix](#step-3-generate-a-self-signed-certificate) section covers two supported methods to create a CSP certificate.
79
81
@@ -121,25 +123,27 @@ If you encounter problems, check the [required permssions](https://docs.microsof
121
123
122
124
You need to assign the API permission `Exchange.ManageAsApp` so the application can manage Exchange Online. API permissions are required because they have consent flow enabled, which allows auditing (directory roles don't have consent flow).
123
125
124
-
1. Select **API permissions**.
125
-
126
-
2. In the **Configured permissions** page that appears, click **Add permission**.
127
-
128
-
3. In the flyout that appears, select **Exchange**.
129
-
130
-

131
-
132
-
4. In the flyout that appears, click **Application permissions**.
126
+
1. Select **Manifest** in the left-hand navigation under **Manage**.
133
127
134
-
5. In the **Select permissions** section that appears on the page, expand **Exchange** and select **Exchange.ManageAsApp**
128
+
2. Locate the `requiredResourceAccess` property in the manifest, and add the following inside the square brackets (`[]`):
6. Back on the **Configured permissions**page that appears, click **Grant admin consent for \<tenant name\>**, and select **Yes**in the dialog that appears.
144
+
4. Select **API permissions**under **Manage**. Confirm that the **Exchange.ManageAsApp**permission is listed.
141
145
142
-
7. Close the flyout when you're finished.
146
+
5. Select **Grant admin consent for org** and accept the consent dialog.
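Review bot: New step 2 tells readers to add the entry "inside the square brackets (`[]`)" of `requiredResourceAccess`, which only works as written when the array is empty. State that any existing entry must be kept and the new one added after it, separated by a comma, so the manifest stays valid JSON and no existing permission is dropped. In new step 5, "Grant admin consent for org" loses the `\<tenant name\>` placeholder that the removed step 6 used; keep the placeholder so the text matches the button label.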
exchange/docs-conceptual/basic-auth-connect-to-scc-powershell.md
Lines changed: 5 additions & 5 deletions
@@ -23,15 +23,15 @@ Security & Compliance Center PowerShell allows you to manage your Security & Com
23
23
24
24
> [!NOTE]
25
25
> The procedures in this topic won't work if:
26
-
>
26
+
>
27
27
> - Your account uses multi-factor authentication (MFA).
28
-
>
28
+
>
29
29
> - Your organization uses federated authentication.
30
-
>
30
+
>
31
31
> - A location condition in an Azure Active Directory conditional access policy restricts your access to trusted IPs.
32
-
>
32
+
>
33
33
> In these scenarios, you need to download and use the Exchange Online PowerShell V2 module (EXO V2 module) to connect to Security & Compliance Center PowerShell. For instructions, see [Connect to Security & Compliance Center PowerShell using the EXO V2 module](connect-to-scc-powershell.md).
34
-
>
34
+
>
35
35
> Some features in the Security & Compliance Center (for example, mailbox archiving) link to existing functionality in Exchange Online. To use PowerShell with these features, you need to connect to Exchange Online PowerShell instead of Security & Compliance Center PowerShell. For instructions, see [Connect to Exchange Online PowerShell](connect-to-exchange-online-powershell.md).