There are two methods to use PowerShell to connect to a remote systems not part of your domain, typically used when connection to Office 365 Exchange Online.
The method used depends if you have Multi-Factor Authentication enabled or not.
For using PowerShell on remote system see this {link disabled}
To start a remote session
Only Basic Authentication
- Open a PowerShell Window
- You need to run three commands
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <insert URL from the table below> -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Office 365 connection | ConnectionUri Value |
Normal | https://outlook.office365.com/powershell-liveid/ |
US Government Community Cloud High | https://outlook.office365.us/powershell-liveid/ |
Office 365 Germany | https://outlook.office.de/powershell-liveid/ |
Office 365 21Vianet | https://partner.outlook.cn/PowerShell |
MFA enabled for Office 365
You need a browser with ClickOnce support, like Edge or IE.
- Open the Exchange Admin Center in Office 365
- Go to click the Hybrid section
- Click on configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.
- New window appears, click Install
You only need to do the above steps once, after that you can access the
- Open the Exchange Online Remote PowerShell Module. Found in Start > Microsoft Corporation > Microsoft Exchange Online Remote PowerShell Module
- Run the command
Connect-EXOPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]
Office 365 | ConnectionUri parameter value | ConnectionUri parameter value |
Normal | Not Used | Not Used |
Office 365 GCC High | https://outlook.office365.us/powershell-liveid | https://login.microsoftonline.us/common |
Office 365 DoD | https://webmail.apps.mil/powershell-liveid | https://login.microsoftonline.us/common |
Office 365 Germany | https://outlook.office.de/PowerShell-LiveID | https://login.microsoftonline.de/common |
- The verification windows open, enter your login, password and code when prompted
To end a remote session
When you are done run this command to kill the remote session and free up the connection. Failure to clear your session will result in your session staying open until it expires, which could cause you to reach the remote session limit for your server.
Basic Authentication session
Remove-PSSession $Session
MFA session
Get-PSSession | Remove-PSSession
What to change when behind a proxy server
For Basic Authentication
- Open a PowerShell windows
- Run these four commands
$ProxyOptions = New-PSSessionOption -ProxyAccessType AutoDetect
There are three values for ProxyAccessType parameter: IEConfig, WinHttpConfig, or AutoDetect. The last one works with most but some servers need help.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <insert URL> -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption $ProxyOptions
Import-PSSession $Session -DisableNameChecking
Troubleshooting
Error: “Files cannot be loaded…”
Full error message reads “Files cannot be loaded because running scripts is disabled on this system. Provide a valid certificate with which to sign the files”
- Open a administrator elevated PowerShell (aka “Run as Administrator”)
- Execute the following command
Set-ExecutionPolicy RemoteSigned
You need to do this only once on a system
Error Access Denied
Office 365 Delegated Access Permission (DAP) partners cannot connect to their customer tenant organizations in Exchange Online PowerShell. It will not work with delegated authentication.
The most common issue is either your username or password are wrong. Use notepad to copy and paste into the fields to double check everything is correct.
If your using Office 365 make sure your account has permissions as an Exchange Administrator by logging into the portal. If you have access via the portal but not PowerShell your PowerShell access could be disabled, but first triple check that username and password.
Error: Cannot Connect
Port 80 and 443 needs to be open between you and the server. Also double check the connection URL and make sure its typed correctly.
Error: The WinRM client cannot process the request.
Full error message “The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.”
WinRM needs to be running for you to check. Servers by default have the service running, Client systems by default have it turned off.
- Open a elevated Command Prompt
- Run this command
winrm get winrm/config/client/auth
Look for the value Basic = true, if its listed as false run this command
winrm set winrm/config/client/auth @{Basic="true"}
References
- https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell
- https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell
- https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/disable-access-to-exchange-online-powershell
- https://docs.microsoft.com/en-us/powershell/exchange/exchange-server/find-exchange-cmdlet-permissions
Did you get a clue?
If you got a clue and want to thank me, then visit the thank me page. It’s the best way to keep me publishing articles and keeping this site operation.
This site uses affiliate links. When you go to another site from here the link typically will have an affiliate code attached to it. Your actions on that site may earn a small commission for me. Read our affiliate link policy for more details.
{fin}