type
status
date
slug
summary
tags
category
icon
password
URL
Since Microsoft has made multifactor authentication (MFA) mandatory for connecting to Exchange Online, running commands has become challenging. If you followed my previous article, you have all the building blocks needed to connect to Exchange Online with PowerShell using an app registration. In this post, you will learn how to leverage Azure Automation to schedule your Exchange Online scripts.
- New Roadmap
- Fewer Editions
- More Security
Robert is a small business specialist from the UK and currently works as a system administrator. He was a Microsoft MVP for eight years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on Twitter and in his blog.
To complete this article, you will need an Azure Automation account (this requires an active Azure subscription). This process does not need to be completed in the same tenant in which the application registration was created. For example, if you are an administrator of multiple tenants, you can complete the app registration process for several client tenants and then set up the Azure Automation account for your own tenant.
From the Azure Portal, find Automation Accounts.
Choose Create.
Create an Automation account
The required fields here are similar to most Azure resources. You need to select or create settings such as Resource group, the Region where your Automation account will be created, and resource tags.
Configure the Automation account
You can leave all the advanced options as default.
Automation Account deployed
Once it's deployed, go to your Automation account, and scroll down to find Certificates.
Upload a certificate to Automation accounts
Choose to upload the PFX file of the certificate created for the app registration.
Make sure the name you choose allows you to identify the certificate easily.
Upload PFX file to Azure Automation
Next, we will install additional PowerShell modules for our Automation Account.
Navigate to Modules, and click Add a module.
Install PowerShell modules
There are multiple steps for installing a module, and several modules to install.
From the Add a module page, we will choose to browse the PowerShell gallery. We will also set the runtime version to 5.1.
Click the Click here to browse from gallery link and search for ExchangeOnlineManagement. Select the result.
Click Select to accept the module choice.
Finally, choose Import to complete the process.
Repeat this process for the following modules in the order in which they are written:
PackageManagement
PowerShellGet
The PowerShellGet module has a dependency on PackageManagement, so it must be installed completely before attempting to install PowerShellGet.
Once the modules are installed, we can create a runbook. A runbook is essentially a PowerShell script.
Under Runbooks, choose Create a runbook.
Give your runbook a name, make sure to choose PowerShell and 5.1 as the Runbook type and Runtime version, and enter a description. This example runbook will connect to Exchange Online and list all the mailboxes.
If you're familiar with PowerShell ISE or VSCode, the runbook editor will be quite familiar to you.
If you expand ASSETS, you will see the certificate and variable we added earlier.
In the right-hand pane, enter the following code, changing the values to suit your environment.
Click Test to enter the runbook Test screen.
When you're ready, click Start, and Azure Automation will process the runbook.
If all is well, your test will come back without any errors, and you will see an output of mailbox information.
Now that we have successfully connected to Exchange Online and run a command, let's set up a management task.
For example, my tenant has dictated that all mailboxes will have ActiveSync, IMAP, Pop3, and SMTP disabled. In addition, access from Windows Mail is disabled. We can achieve all of these goals using Set-CASMailbox, but without automation, we would need to run these commands every time a new mailbox is added. If we add the following to our runbook, we can then schedule it to run daily or hourly to apply these settings.
Here is a screenshot showing our mailboxes before the runbook is executed.
To schedule the runbook, it must first be published. In the editor, click the Publish button.
Once published, navigate to the schedule.
Click Add a schedule. Then choose to link a schedule to your Runbook.
If this is your first time creating a schedule, you will need to define one; otherwise, you can select a preexisting schedule. I am going to define an hourly schedule.
Choose Create, then click OK to accept the schedule assignment. You will be taken to the Schedule screen of your runbook, which shows the next time your runbook will execute.
All you need to do is sit back and wait for it to run.
When the scheduled time arrives, your runbook will execute and be visible under the Jobs section.
All we need to do now is check that our mailboxes have had the relevant settings changed. If we run our PowerShell query again, we will see that the protocols have now been disabled.
You now have the means to automate Exchange Online Management tasks.
- Author:NetSec
- URL:https://51sec.org/article/f89d01e1-c105-4c77-be89-b678e31b2533
- Copyright:All articles in this blog, except for special statements, adopt BY-NC-SA agreement. Please indicate the source!