Unattended access to Exchange Online using a privileged account with MFA enforced

Last Updated on

1 min read

I published a PowerShell Gallery script, that will get you through this headache in a jiffy.

UPDATE: Microsoft has patched this hole it seems.
But lets rejoice, because the Exchange Online Management v2 module supports certificate based authentication, so that is much better.

For scheduled tasks or Azure Automation, connecting to Exchange Online has been a must if you are a semi-large company.

But with new security measures like Conditional Access and MFA enforcement coming into their rightful place in most organizations, a lot of these scripts have broken.

A quick fix is just to exclude the account or setup conditions in Conditional Access that would allow a non MFA connection for unattended scripts.

But connecting without exclusions, and keeping the enforcement in place – has been something that has driven many admins to tears.

So I created a sample Runbook that can get you started, using a little known hack to create a new service account, that will bypass MFA even though it is enforced.

The Runbook script can easily be converted to on-premise use for scheduled tasks.

Be aware that as soon as you try to connect with this account interactively, it will break and MFA will block your scripts.

Here is the link to the PowerShell Gallery: