Exchange Online MFA module updated to use refresh token

One frustration of the MFA module for connecting to Exchange Online is its inability to use the refresh token it gets from Azure AD.  As a result, you can use the session for 60 minutes before you are prompted again for credentials.  This makes it very difficult to run any scripts or long-running commands without it stopping mid-run to get your username and password, just to have it happen again 60 minutes later.

This limitation has been fixed starting with version 16.00.2015.000.  If you load the module from the desktop shortcut, the updated version is installed automatically.  (If you side-load the module, you’ll want to run the shortcut so it updates, and be sure your code is loading the highest version.)

The other requirement is that you must use the UserPrincipalName parameter when running Connect-ExoPsSession.  It is not a required parameter (like it is for Connect-AzureAD), so you might be used to simply running the cmdlet and entering your UPN in the authentication form.  The UPN is required because, if you enter it only in the authentication form, the cmdlet has no record of which user’s refresh token to present when the access token expires.  It only knows which user authenticated in the first place if you pass your username to the cmdlet and let it hand that along to the authentication form.
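The following script is an added example and is not code from the original post or from the module itself.  It puts the two requirements above together for the side-loading case: it locates the newest installed copy of the module DLL, confirms it is at least version 16.00.2015.000, imports it, and connects with an explicit UPN so the session can use the refresh token.  The ClickOnce install path under $env:LOCALAPPDATA\Apps\2.0, the DLL file name, and the UPN value are assumptions; replace the UPN with your own account.

```powershell
# Added example (not from the original post). Assumptions: the module was installed by the
# desktop shortcut (ClickOnce), so its DLL sits somewhere under $env:LOCALAPPDATA\Apps\2.0,
# and the UPN below is a placeholder you replace with your own sign-in name.

$Upn            = 'admin@contoso.example'          # placeholder account
$MinimumVersion = [version]'16.00.2015.000'        # first build with refresh-token support

# Collect every installed copy of the module DLL and keep the one with the highest file version,
# so a stale side-loaded copy is never imported ahead of the auto-updated one.
$ModuleDll = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Apps\2.0') `
        -Filter 'Microsoft.Exchange.Management.ExoPowershellModule.dll' `
        -Recurse -ErrorAction SilentlyContinue |
    Sort-Object -Descending {
        $v = $_.VersionInfo
        [version]::new($v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
    } |
    Select-Object -First 1

if (-not $ModuleDll) {
    throw 'Exchange Online MFA module not found; run the desktop shortcut once to install it.'
}

$v = $ModuleDll.VersionInfo
$InstalledVersion = [version]::new($v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
if ($InstalledVersion -lt $MinimumVersion) {
    throw "Module version $InstalledVersion predates $MinimumVersion; run the desktop shortcut to update."
}

Import-Module $ModuleDll.FullName

# Pass the UPN on the command line instead of typing it into the sign-in form. That is what lets
# the cmdlet remember which user's refresh token to present when the access token expires.
Connect-ExoPsSession -UserPrincipalName $Upn

# A long-running job of the kind that used to stop for credentials after 60 minutes.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-MailboxStatistics -Identity $_.DistinguishedName |
        Select-Object DisplayName, ItemCount, TotalItemSize
}
```

The version check is deliberately a hard stop rather than a warning: an older DLL would import and connect without complaint and only reveal the problem an hour later when the prompt reappears mid-run.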

The other benefit you get with this fix is that, unlike using PowerShell remoting with Basic authentication, the module is able to silently reconnect after the session has been broken.  I successfully tested this by connecting one afternoon, changing networks and putting my laptop in sleep mode overnight, then running a cmdlet in the existing shell the next day.  I briefly saw the modern authentication prompt, it went away, then created a new implicit remoting connection and executed the cmdlet, all without having to type a username or password.

Even if you do not have MFA requirements, you may want to consider using the module to connect to Exchange Online for this added benefit.
