
Guide to Microsoft 365 Remote PowerShell Connections
Microsoft 365 allows admins to connect to their environments via PowerShell. Some advanced features require the use of PowerShell scripting. You can use this guide to connect to Exchange Online, SharePoint Online, Microsoft Entra ID, or other services by importing the correct online PowerShell module. This guide walks you through connecting and disconnecting through a Microsoft 365 remote PowerShell connection. There are 6 steps in the whole process.
- Open an Administrative PowerShell console window
- Verify your PowerShell Module is installed (optional step)
- Install or update the PowerShell module (optional step)
- Import the PowerShell cmdlets
- Connect to the Microsoft 365 servers
- Disconnect
Step 1: Open PowerShell with administrative privileges
There are several ways to do this. In Windows 10 and 11, right-click the Start menu and select “Windows PowerShell (Admin)”, or use the following command in the Run window:
powershell -Command "Start-Process powershell -Verb RunAs"
Step 2: Verify your PowerShell Module is installed
Use the Get-Module command in your Admin PowerShell window. See the example below:
Exchange Online (EXO) module
Get-Module -Name ExchangeOnlineManagement -ListAvailable
At the time of this update, the current version is 3.9.0, but you could see other versions depending on your usage. For example, PowerShell v5 requires an older version. See the troubleshooting section below.
SharePoint Online module
Microsoft Entra ID module
Step 3: Install or upgrade PowerShell modules
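The six steps listed at the top of this guide, for the Exchange Online module, as one script. This is an added example, not code from the original page or from Microsoft's documentation. `Install-Module`, `Connect-ExchangeOnline`, `Get-ConnectionInformation` and `Disconnect-ExchangeOnline` do not appear on this page; the UPN is a constructed placeholder and the `CurrentUser` install scope is an assumption.

```powershell
# Added example: steps 2 to 6 for the Exchange Online module in one script.
# Assumption: admin@contoso.example is a constructed placeholder UPN.
$ModuleName = 'ExchangeOnlineManagement'
$AdminUpn   = 'admin@contoso.example'

# Step 2: find the newest installed copy of the module, if any.
$Installed = Get-Module -Name $ModuleName -ListAvailable |
    Sort-Object -Property Version -Descending |
    Select-Object -First 1

# Step 3: install only when it is missing (assumption: per-user scope is enough).
if (-not $Installed) {
    Install-Module -Name $ModuleName -Scope CurrentUser
    $Installed = Get-Module -Name $ModuleName -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1
}
Write-Host "Using $ModuleName $($Installed.Version) on PowerShell $($PSVersionTable.PSVersion)"

# Step 4: import exactly the version that was just verified.
Import-Module -Name $ModuleName -RequiredVersion $Installed.Version -ErrorAction Stop

try {
    # Step 5: interactive sign-in; MFA prompts appear if the account requires them.
    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

    # Confirm which account and tenant the session is bound to before making changes.
    Get-ConnectionInformation |
        Select-Object -Property UserPrincipalName, TenantID, State, TokenStatus
}
finally {
    # Step 6: always disconnect, even when a command above throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```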
Original Microsoft documentation
This is the command line reference from Microsoft. This page is reprinted for historic purposes, for people who don’t upgrade their servers but still need to know how to troubleshoot.
- Original URL: https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell
Reprint section
Microsoft 365 allows for remote PowerShell connections to configure and manage your organization. Some features can only be configured using a remote PowerShell connection.
There are two methods to use PowerShell to connect to remote systems that are not part of your domain. Which method you use depends on whether you have Multi-Factor Authentication enabled for your user account.
To start a remote session
Only Basic Authentication
- Open a PowerShell Window
- You need to run three commands
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <insert URL from the table below> -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
| Office 365 connection | ConnectionUri Value |
| Normal | https://outlook.office365.com/powershell-liveid/ |
| US Government Community Cloud High | https://outlook.office365.us/powershell-liveid/ |
| Office 365 Germany | https://outlook.office.de/powershell-liveid/ |
| Office 365 21Vianet | https://partner.outlook.cn/PowerShell |
MFA enabled for Office 365
You need a browser with ClickOnce support, like Edge or IE.
- Open the Exchange Admin Center in Office 365
- Go to the Hybrid section
- Click the Configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.
- New window appears, click Install
You only need to do the above steps once, after that you can access the
- Open the Exchange Online Remote PowerShell Module. It is found in Start > Microsoft Corporation > Microsoft Exchange Online Remote PowerShell Module
- Run the command
Connect-EXOPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]
| Office 365 | ConnectionUri parameter value | AzureADAuthorizationEndPointUri parameter value |
| Normal | Not Used | Not Used |
| Office 365 GCC High | https://outlook.office365.us/powershell-liveid | https://login.microsoftonline.us/common |
| Office 365 DoD | https://webmail.apps.mil/powershell-liveid | https://login.microsoftonline.us/common |
| Office 365 Germany | https://outlook.office.de/PowerShell-LiveID | https://login.microsoftonline.de/common |
- The verification window opens; enter your login, password and code when prompted
To end a remote session
When you are done, run this command to kill the remote session and free up the connection. Failure to clear your session will result in your session staying open until it expires, which could cause you to reach the remote session limit for your server.
Basic Authentication session
Remove-PSSession $Session
MFA session
Get-PSSession | Remove-PSSession
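A way to make the cleanup above unconditional, using the Basic Authentication commands and the "Normal" ConnectionUri from this page. This is an added example, not part of the original documentation; it assumes the sessions carry the configuration name Microsoft.Exchange, as in the New-PSSession command above.

```powershell
# Added example: guarantee the session is removed, and sweep up only Exchange sessions.
$ConnectionUri  = 'https://outlook.office365.com/powershell-liveid/'  # "Normal" row of the table
$UserCredential = Get-Credential
$Session = $null

try {
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $ConnectionUri -Credential $UserCredential `
        -Authentication Basic -AllowRedirection -ErrorAction Stop
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # ... administrative commands go here ...
}
finally {
    # Runs on success, on error and on Ctrl+C, so the session does not linger
    # until it expires and count against the remote session limit.
    if ($Session) { Remove-PSSession -Session $Session }

    # Leftovers from earlier runs: remove only Exchange sessions.
    # A bare "Get-PSSession | Remove-PSSession" also closes unrelated sessions.
    Get-PSSession |
        Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
        ForEach-Object {
            Write-Host "Closing session $($_.Id) to $($_.ComputerName) (state: $($_.State))"
            Remove-PSSession -Session $_
        }
}
```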
What to change when behind a proxy server
For Basic Authentication
- Open a PowerShell window
- Run these four commands
$ProxyOptions = New-PSSessionOption -ProxyAccessType AutoDetect
There are three values for the ProxyAccessType parameter: IEConfig, WinHttpConfig, or AutoDetect. The last one works with most servers, but some need help.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <insert URL> -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption $ProxyOptions
Import-PSSession $Session -DisableNameChecking
Troubleshooting
Error: “Files cannot be loaded…”
Full error message reads “Files cannot be loaded because running scripts is disabled on this system. Provide a valid certificate with which to sign the files”
- Open an administrator-elevated PowerShell (aka “Run as Administrator”)
- Execute the following command
Set-ExecutionPolicy RemoteSigned
You need to do this only once on a system
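Before changing the policy, it helps to see which scope actually controls it. This is an added example, not from the original page; setting the policy at `CurrentUser` scope rather than machine-wide is an assumption about what the admin workstation needs.

```powershell
# Added example: check what controls the execution policy before changing it.
$policies = Get-ExecutionPolicy -List

# MachinePolicy and UserPolicy come from Group Policy and take precedence over
# anything set with Set-ExecutionPolicy.
$gpo = $policies | Where-Object {
    $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined'
}

if ($gpo) {
    Write-Warning "Execution policy is enforced by Group Policy: $($gpo.Scope -join ', ')"
}
elseif ((Get-ExecutionPolicy) -in 'Restricted', 'AllSigned') {
    # CurrentUser scope needs no elevation and leaves other accounts untouched.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# Show the result for every scope.
Get-ExecutionPolicy -List | Format-Table -AutoSize
```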
Error: Access Denied
Office 365 Delegated Access Permission (DAP) partners cannot connect to their customer tenant organizations in Exchange Online PowerShell. It will not work with delegated authentication.
The most common issue is that either your username or your password is wrong. Use Notepad to copy and paste into the fields to double-check everything is correct.
If you’re using Office 365, make sure your account has permissions as an Exchange Administrator by logging into the portal. If you have access via the portal but not PowerShell, your PowerShell access could be disabled, but first triple-check that username and password.
Error: Cannot Connect
Ports 80 and 443 need to be open between you and the server. Also double-check the connection URL and make sure it’s typed correctly.
Error: The WinRM client cannot process the request.
Full error message “The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.”
The WinRM service needs to be running for you to check. Servers have the service running by default; client systems have it turned off by default.
- Open an elevated Command Prompt
- Run this command
winrm get winrm/config/client/auth
Look for the value Basic = true. If it’s listed as false, run this command
winrm set winrm/config/client/auth @{Basic="true"}
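The same client setting can be read and changed from PowerShell through the WSMan: drive, which makes it easy to enable Basic only while the session is needed and then restore the previous value. This is an added example, not from the original page; it assumes an elevated console, a running WinRM service, and that the setting is not locked by Group Policy.

```powershell
# Added example: enable Basic on the WinRM client only for the length of the work.
$basicPath = 'WSMan:\localhost\Client\Auth\Basic'
$plainPath = 'WSMan:\localhost\Client\AllowUnencrypted'

# The provider returns the setting as the string 'true' or 'false'.
$originalBasic = (Get-Item -Path $basicPath).Value

# Basic sends the password base64-encoded, so it must only travel inside HTTPS.
if ((Get-Item -Path $plainPath).Value -eq 'true') {
    throw 'AllowUnencrypted is true: set it to false before enabling Basic.'
}

try {
    if ($originalBasic -ne 'true') {
        Set-Item -Path $basicPath -Value $true
    }

    # ... New-PSSession / Import-PSSession work goes here ...
}
finally {
    # Put the client back the way it was found.
    Set-Item -Path $basicPath -Value $originalBasic
}
```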