Connect to Exchange Online PowerShell using multi-factor authentication

 

Applies to: Exchange Online

Topic Last Modified: 2017-05-26

Learn how to connect to Exchange Online PowerShell by using multi-factor authentication (MFA).

If you want to use multi-factor authentication (MFA) to connect to Exchange Online PowerShell, you can't use the instructions at Connect to Exchange Online PowerShell to use remote PowerShell to connect to Exchange Online. MFA requires you to install the Exchange Online Remote PowerShell Module, and use the Connect-EXOPSSession cmdlet to connect.

  • Estimated time to complete: 5 minutes

  • The Exchange Online Remote PowerShell Module needs to be installed on your computer:

    1. Open the Exchange admin center (EAC) for your Exchange Online organization. For instructions, see Exchange admin center in Exchange Online.

    2. In the EAC, go to Hybrid > Setup and click the appropriate Configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.

      Download the Exchange Online PowerShell Module from the Hybrid tab in the EAC
    3. In the Application Install window that opens, click Install.

      Click Install in the Exchange Online PowerShell Module window
  • Windows Remote Management (WinRM) on your computer needs to allow basic authentication (it's enabled by default). To verify that basic authentication is enabled, run this command in a Command Prompt:

    winrm get winrm/config/client/auth
    

    If you don’t see the value Basic = true, you need to run this command to enable basic authentication for WinRM:

    winrm set winrm/config/client/auth @{Basic="true"}
    

    If basic authentication is disabled, you'll get this error when you try to connect:

    The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

tipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

  1. On your local computer, open the Exchange Online Remote PowerShell Module (Microsoft Corporation > Microsoft Exchange Online Remote PowerShell Module).

  2. The command that you need to run uses the following syntax:

    Connect-EXOPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]
    
    • <UPN> is your Office 365 work or school account.

    • The <ConnectionUri> and <AzureADUri> values depend on the location of your Office 365 organization as described in the following table:

       

      Office 365 offering ConnectionUri parameter value AzureADAuthorizationEndPointUri parameter value

      Office 365

      Not used

      Not used

      Office 365 operated by 21Vianet

      https://partner.outlook.cn/PowerShell-LiveID

      https://login.chinacloudapi.cn/common

      Office 365 Germany

      https://outlook.office.de/PowerShell-LiveID

      https://login.microsoftonline.de/common

    This example connects to Exchange Online in Office 365 using the account chris@contoso.com.

    Connect-EXOPSSession -UserPrincipalName chris@contoso.com
    

    This example connects to Exchange Online in Office 365 operated by 21Vianet using the account zhangli@tailspintoys.com.

    Connect-EXOPSSession -UserPrincipalName zhangli@tailspintoys.com -ConnectionUri https://partner.outlook.cn/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.chinacloudapi.cn/common
    

    This example connects to Exchange Online in Office 365 Germany using the account lukas@fabrikam.com.

    Connect-EXOPSSession -UserPrincipalName lukas@fabrikam.com -ConnectionUri https://outlook.office.de/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.de/common
    
  3. In the sign-in window that opens, enter your password, and then click Sign in.

    Enter your password in the Exchange Online Remote PowerShell window.

    A verification code is generated and delivered based on the verification response option that's configured for your account (for example, a text message or the Azure Authenticator app on your mobile phone).

  4. In the verification window that opens, enter the verification code, and then click Sign in.

    Enter your verification code in the Exchange Online Remote PowerShell window.

After Step 4, the Exchange Online cmdlets are imported into your Exchange Online Remote PowerShell Module session and tracked by a progress bar. If you don’t receive any errors, you connected successfully. A quick test is to run an Exchange Online cmdlet, for example, Get-Mailbox, and see the results.

If you receive errors, check the following requirements:

  • To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell connections to your Exchange Online organization.

  • The account you use to connect to Exchange Online must be enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.

  • TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but it’s something to consider if your organization has a restrictive Internet access policy.

 
Show: