|
| 1 | +--- |
| 2 | +title: App-only authentication |
| 3 | +ms.author: chrisda |
| 4 | +author: chrisda |
| 5 | +manager: dansimp |
| 6 | +ms.date: |
| 7 | +ms.audience: Admin |
| 8 | +ms.topic: article |
| 9 | +ms.service: exchange-online |
| 10 | +ms.reviewer: navgupta |
| 11 | +localization_priority: Priority |
| 12 | +ms.collection: Strat_EX_Admin |
| 13 | +ms.custom: |
| 14 | +ms.assetid: |
| 15 | +search.appverid: MET150 |
| 16 | +robots: noindex,nofollow |
| 17 | +description: "Learn about using the Exchange Online V2 module in scripts and other long-running tasks." |
| 18 | +--- |
| 19 | + |
| 20 | +# App-only authentication in Exchange Online PowerShell (Preview) |
| 21 | + |
| 22 | +> [!NOTE] |
| 23 | +> The features described in this topic are in Preview, are not available to everyone, and are subject to change. |
| 24 | +
|
| 25 | +Auditing and reporting scenarios in Exchange Online often involve scripts that run unattended. In most cases, these unattended scripts access Exchange Online PowerShell using Basic authentication (a username and password). Even when the connection to Exchange Online PowerShell uses Modern authentication, the credentials are stored in a local file or a secret vault that's access at run-time. |
| 26 | + |
| 27 | +Because storing user credentials locally is not a good security practice, we're releasing this feature to support authentication for app-only scenarios using AzureAD applications and self-signed certificates. |
| 28 | + |
| 29 | +The following examples show how to use the Exchange Online PowerShell V2 module with app-only authentication |
| 30 | + |
| 31 | +- Connect using a local certificate: |
| 32 | + |
| 33 | + ```powershell |
| 34 | + Connect-ExchangeOnline -CertificateFilePath "C:\Users\johndoe\Desktop\automation-cert.pfx" -AppID "alpha-beta-gamma-123456" -TenantID "contosoelectronics.onmicrosoft.com" |
| 35 | + ``` |
| 36 | + |
| 37 | +- Connect using a certificate thumbprint: |
| 38 | + |
| 39 | + ```powershell |
| 40 | + Connect-ExchangeOnline -CertificateThumbPrint "012THISISADEMOTHUMBPRINT" -AppID "alpha-beta-gamma-123456" -TenantID "contosoelectronics.onmicrosoft.com" |
| 41 | + ``` |
| 42 | + |
| 43 | +- Connect using an existing service principal and client-secret: |
| 44 | + |
| 45 | + 1. Get an OAuth access token using Active Directory Authentication Library (ADAL) PowerShell. |
| 46 | + |
| 47 | + 2. Use the access token and username to create a PSCredential object: |
| 48 | + |
| 49 | + ```powershell |
| 50 | + $AppCredential = New-Object System.Management.Automation.PSCredential(<UPN>,<Token>) |
| 51 | + ``` |
| 52 | +
|
| 53 | + 3. Silently pass the PSCredential object to the EXO V2 module: |
| 54 | +
|
| 55 | + ```powershell |
| 56 | + Connect-ExchangeOnline -Credential $AppCredential |
| 57 | + ``` |
| 58 | +
|
| 59 | +## How does it work? |
| 60 | +
|
| 61 | +The EXO V2 module uses the Active Directory Authentication Library to fetch an app-only token using the application Id, tenant Id & certificate thumbprint. The application object provisioned inside Azure AD has a Directory Role assigned to it, which is returned in the access token. Exchange Online configures the session RBAC using the directory role information that's available in the token. |
| 62 | +
|
| 63 | +## Setup app-only authentication |
| 64 | +
|
| 65 | +An initial onboarding is required for authentication using application objects. Application and service principal are used interchangeably, but an application is like a class object while a service principal is like an instance of the class. You can learn more about this at [Application and service principal objects in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals). |
| 66 | +
|
| 67 | +For a detailed visual flow bout creating applications in Azure AD, see <https://aka.ms/azuread-app>. |
| 68 | +
|
| 69 | +1. Register the application in Azure AD at <https://portal.azure.com>. |
| 70 | +
|
| 71 | +2. Assign permissions to access Exchange Online. |
| 72 | +
|
| 73 | + An application object has the default permission `User.Read`. For the application object to access Exchange Online resources, it needs to have the Application permission `Exchange.ManageAsApp`. |
| 74 | +
|
| 75 | +3. Attach a certificate. |
| 76 | +
|
| 77 | + - For app-only authentication in Azure AD, you typically use a certificate to request access. Anyone who has the certificate and its private key can use the app, and the permissions granted to the app. |
| 78 | +
|
| 79 | + - Create and configure a self-signed X.509 certificate, which will be used to authenticate your Application against Azure AD, while requesting the app-only access token. |
| 80 | +
|
| 81 | + - This is similar to generating a password for user accounts. The certificate can be self-signed as well. See the [Appendix](#appendix) section later in this topic for instructions for generating certificates in PowerShell. |
| 82 | +
|
| 83 | +4. Assign RBAC roles |
| 84 | +
|
| 85 | + The application needs to have the appropriate RBAC roles assigned. Because the apps are provisioned in Azure AD, you can use any of the built-in roles. The following roles are supported: |
| 86 | +
|
| 87 | + - Global administrator |
| 88 | + - Compliance administrator |
| 89 | + - Security reader |
| 90 | + - Security administrator |
| 91 | + - Helpdesk administrator |
| 92 | +
|
| 93 | +## Roadmap |
| 94 | +
|
| 95 | +App-only authentication is currently supported for the legacy remote PowerShell cmdlets that you access by using the **Connect-ExchangeOnline** cmdlet in the EXO V2 module. It doesn't work with the 9 new EXO V2 cmdlets in the module (for example, Get-EXOMailbox), nor does it work with Office 365 Security & Compliance Center PowerShell cmdlets that you access by using the **ConnectIPPSSession** cmdlet. |
| 96 | +
|
| 97 | +The following list describes other items that we're working on: |
| 98 | +
|
| 99 | +- Support for passing the certificate as a byte array. |
| 100 | +- Support for more built-in RBAC roles (Exchange Service Admin, Global Reader, Recipient Admin) |
| 101 | +- Custom RBAC and mailbox scoping using Azure AD administrative units. |
| 102 | +- Delegation support in app-only scenarios |
| 103 | +- Support for Security & Compliance Center PowerShell cmdlets. |
| 104 | +
|
| 105 | +## Appendix |
| 106 | +
|
| 107 | +### Step 1: Application registration in Azure AD |
| 108 | +
|
| 109 | +If you encounter problems, check the [required permssions](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#required-permissions) to verify that your account can create the identity. |
| 110 | +
|
| 111 | +1. Go to the Azure AD portal at <https://portal.azure.com/> and sign in with your Azure AD account. |
| 112 | +
|
| 113 | +2. Under **Manage Azure Active Directory**, click **View**. |
| 114 | +
|
| 115 | +3. Under **Manage**, select **App registrations** and then click **New registration**. |
| 116 | +
|
| 117 | +4. In the **Register an application** page that appears, configure the following settings: |
| 118 | +
|
| 119 | + - **Name**: Enter something descriptive. |
| 120 | +
|
| 121 | + - **Supported account types**: Select **Accounts in this organizational directory only (Microsoft)**. |
| 122 | +
|
| 123 | + - **Redirect URI (optional)**: In the first box, select **Web**. In the second box, enter the URI where the access token is sent. |
| 124 | +
|
| 125 | + Note that you can't create credentials for [native applications](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-configure-native-client-application), because you can't use that type for automated applications. |
| 126 | +
|
| 127 | +  |
| 128 | +
|
| 129 | + When you're finished, click **Register**. |
| 130 | +
|
| 131 | + Leave the page that appears open. You'll use it in the next step. |
| 132 | +
|
| 133 | +## Step 2: Assign API permissions to the application |
| 134 | +
|
| 135 | +You need to assign the API permission `Exchange.ManageAsApp` so the application can manage Exchange Online. API permissions are required because they have consent flow enabled, which allows auditing (directory roles don't have consent flow). |
| 136 | +
|
| 137 | +1. Select **API permissions**. |
| 138 | +
|
| 139 | +2. In the **Configured permissions** page that appears, click **Add permission**. |
| 140 | +
|
| 141 | +3. In the flyout that appears, select **Exchange**. |
| 142 | +
|
| 143 | +  |
| 144 | +
|
| 145 | +4. In the flyout that appears, click **Application permissions**. |
| 146 | +
|
| 147 | +5. In the **Select permissions** section that appears on the page, expand **Exchange** and select **Exchange.ManageAsApp** |
| 148 | +
|
| 149 | +  |
| 150 | +
|
| 151 | + When you're finished, click **Add permissions**. |
| 152 | +
|
| 153 | +6. Back on the **Configured permissions** page that appears, click **Grant admin consent for <\tenant name\>**, and select **Yes** in the dialog that appears. |
| 154 | +
|
| 155 | +7. Close the flyout when you're finished. |
| 156 | +
|
| 157 | +### Step 3: Generate a self-signed certificate |
| 158 | +
|
| 159 | +Create a self-signed x.509 certificate using one of the following methods: |
| 160 | +
|
| 161 | +- Use the [Create-SelfSignedCertificate script](https://github.com/SharePoint/PnP-Partner-Pack/blob/master/scripts/Create-SelfSignedCertificate.ps1): |
| 162 | +
|
| 163 | + ```powershell |
| 164 | + .\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2020-04-01 -EndDate 2022-04-01 |
| 165 | + ``` |
| 166 | + |
| 167 | +- Use the **makecert.exe** tool from the Windows SDK. |
| 168 | + |
| 169 | +### Step 4: Attach the certificate to the Azure AD application |
| 170 | + |
| 171 | +After you register the certificate with your application, you can use the public key (.pfx file) or the thumbprint for authentication. |
| 172 | + |
| 173 | +1. In the Azure AD portal under **Manage Azure Active Directory**, click **View**. |
| 174 | + |
| 175 | +2. Under **Manage**, select **App registrations**. |
| 176 | + |
| 177 | +3. On the **App registrations** page that appears, select your application. |
| 178 | + |
| 179 | +4. Under **Manage**, select **Certificates & secrets**. |
| 180 | + |
| 181 | +5. On the **Certificates & secrets** page that opens, click **Upload certificate**. |
| 182 | + |
| 183 | +  |
| 184 | + |
| 185 | +6. In the dialog that appears, browse to the self-signed certificate you created in the previous Step, and then click **Add**. |
| 186 | + |
| 187 | +### Step 5: Assign a role to the application |
| 188 | + |
| 189 | +Azure AD has more than 50 admin roles available. For app-only authentication in Exchange Online, we currently support the previously mentioned roles: |
| 190 | + |
| 191 | +- Global administrator |
| 192 | +- Compliance administrator |
| 193 | +- Security reader |
| 194 | +- Security administrator |
| 195 | +- Helpdesk administrator |
| 196 | + |
| 197 | +1. In the Azure AD portal under **Manage Azure Active Directory**, click **View**. |
| 198 | + |
| 199 | +2. Under **Manage**, select **Roles and administrators**. |
| 200 | + |
| 201 | +3. Select one of the supported roles. On the **Assignments** page that appears, click **Add assignments** |
| 202 | + |
| 203 | +4. In the **Add assignments** flyout that appears, find and select the application, and then click **Add**. |
| 204 | + |
| 205 | +  |
0 commit comments