bwya77 / O365-Admin-Center

The O365 Admin Center is a GUI application that administrators can use to administer every aspect of Office 365 including Exchange Online, Compliance Center, SharePoint and Skype for Business.

MFA + partners #17

Open ildjarnisdead opened 5 years ago

ildjarnisdead commented 5 years ago

When logged in as a user with MFA, I can't access tenant accounts.

joshartwell commented 5 years ago

This is due to modern auth being needed for MFA

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps

jpope501tech commented 4 years ago

We've run into the same issue. We've updated our PCs with the correct msonline and modern auth for MFA as joshartwell suggested, but we get the argument that Connect-EXOPSSession is not recognized by the program. Not sure if it's changes Microsoft has made, but it would be nice to get some feedback. 😊

jpope501tech commented 4 years ago

When we try to use MFA for a client that uses it we get the following message: "The term "Connect-EXOPSSession" is not recognized." All the prereqs are squared away but it just doesn't work otherwise. With MFA turned off for clients that do not have it active, the tool works as it should. Any thoughts?

pok3r commented 4 years ago

You need to download and install the mfa exchange module

> From: jpope501tech. Sent: Monday, November 25, 2019 1:40 PM. Subject: Re: [bwya77/O365-Admin-Center] MFA + partners (#17)
>
> When we try to use MFA for a client that uses it we get the following message: "The term "Connect-EXOPSSession" is not recognized." All the prereqs are squared away but it just doesn't work otherwise. With MFA turned off for clients that do not have it active, the tool works as it should. Any thoughts?


jpope501tech commented 4 years ago

Sorry, I probably should have clarified what we have and have not done so far. All three PCs are running Windows 10 Pro 1903. The models vary between Dell and HP.

We have, unfortunately. Followed every step on 3 separate PCs. The GUI still works for non-MFA clients but not those with MFA enabled. From what we can tell, the GUI's MFA path that's supposed to pull the CreateExoPSSession.ps1 file cannot find it. The reg key it's supposed to create for the path is C:\Users\user\AppData\Local\Apps\2.0\CTRMLWPT.7MR\6JXTN9XM.43M\micr..tion_5329ec537c0b4b5c_0010.0000_9fc624cd0073956e\

But the path the reg key the GUI creates points to is C:\Users\user\AppData\Local\Apps\2.0\CTRMLWPT.7MR\6JXTN9XM.43M\micr..tion_5329ec537c0b4b5c_0010.0000_9fc624cd0073956, which doesn't exist on the computer. Manually setting the path reverts back, and deleting the key recreates it to point to the wrong path again. The issue we're having is trying to get the path to stay put, which seems to be harder than we had thought it should be.

kylemanta commented 4 years ago

Anyone figure this out? Having the same problem with 2FA enabled accounts. EXOP module is installed, 2FA enabled in the app. I don't see any regkey modified though.

jpope501tech commented 4 years ago

Not yet. It seems like there's not much dev work anymore on this project. The original website, where in the past you would pay for it, stated that 5.0 was coming and that this would be remedied. However, all the links to purchase the product and such are now broken. So I can only assume that Microsoft was changing things and programming ceased as a result or they just ceased the project altogether. I am hoping for an update but not holding my breath.

One of our "Super techs", as I call him, took all the source files and re-compiled them so that it would work. It's just a PS command that launches the GUI, but the window sizing is off and not very adjustable, but it works when we need it. So I know it can be fixed, just not as easily as the instructions tell us. 😊

kylemanta commented 4 years ago

Thanks for responding and so quickly. So sounds like this project is dead? Is there an alternative free or inexpensive tool that provides similar functionality to this?

jpope501tech commented 4 years ago

Free? Possibly, but I have not found any. There are plenty of good purchasable options out there, but this was the best I've used. I would even purchase this if it was still a running project. It's simple and direct to use and a great way to learn PS in general.

bwya77 commented 4 years ago

When you enable MFA it flips the following reg key to 1:

Get-Item 'HKCU:\Software\O365 Admin Center' | New-ItemProperty -Name TFA -Value 1 -Force

It then will look for the MFA exchange module:

$Path = (Get-ChildItem -Recurse -Force "$env:LOCALAPPDATA\Apps\2.0" -ErrorAction SilentlyContinue | Where-Object { ($_.PSIsContainer -eq $false) -and ($_.Name -contains "Microsoft.Online.CSE.PSModule.Client.cdf-ms") }).Fullname
$CleanPath = ($Path.TrimEnd("\Microsoft.Online.CSE.PSModule.Client.cdf-ms")) + "\"

It will then save the path in the reg key for future use; if this is not present it won't be able to import the module and connect:

Get-Item 'HKCU:\Software\O365 Admin Center' | New-ItemProperty -Name 2FAPath -Value $CleanPath -Force

I have not had time to update this program in a while, but I would love to clean it up and update it in the future. I made it open source to get help. Hope this helps in the meantime.

kylemanta commented 4 years ago

It doesn't work. I even tried setting the path manually (both in the app and registry - the actual file path ends with an "e" that was not in the registry path the program stored). Bummer, it looked pretty good when I tried it with an account not using 2FA - but I'm going to enforce it on all accounts.
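
Added example, not part of any comment in this thread and not the project's code: it shows why the `TrimEnd` call in the snippet posted above yields a folder path missing its final "e", as the two reports describe, and one way to derive and validate the folder before storing it. The helper name `Get-ExoModuleFolder` and the sample path are constructed for illustration, and it is an assumption that `CreateExoPSSession.ps1` sits in the same folder as the `.cdf-ms` file.

```powershell
# File name searched for in the snippet posted in the thread.
$FileName = 'Microsoft.Online.CSE.PSModule.Client.cdf-ms'

# Constructed sample path: a ClickOnce-style folder whose name ends in "e".
$Path = "C:\Users\user\AppData\Local\Apps\2.0\AAAA.BBB\CCCC.DDD\sample_0010.0000_9fc624cd0073956e\$FileName"

# String.TrimEnd() takes a SET of characters, not a suffix. It keeps removing
# trailing characters while each one occurs anywhere in the argument, so after
# the file name and the "\" are gone it also eats the folder's final "e".
$Trimmed = $Path.TrimEnd("\$FileName") + '\'

# GetDirectoryName() is a pure string operation that drops exactly the leaf.
$Parent = [System.IO.Path]::GetDirectoryName($Path) + '\'

"TrimEnd          : $Trimmed"
"GetDirectoryName : $Parent"

# Hypothetical helper: locate the module folder and return it only if usable.
# Assumption: CreateExoPSSession.ps1 sits next to the .cdf-ms file.
function Get-ExoModuleFolder {
    param([string]$Root = "$env:LOCALAPPDATA\Apps\2.0")

    $hit = Get-ChildItem -Path $Root -Recurse -Force -File -Filter $FileName -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1          # several ClickOnce versions may coexist
    if (-not $hit) { return $null }

    $folder = $hit.DirectoryName + '\'
    if (-not (Test-Path -LiteralPath (Join-Path $folder 'CreateExoPSSession.ps1'))) {
        return $null
    }
    return $folder
}

$folder = Get-ExoModuleFolder
if ($folder) {
    # Same key and value name as in the thread; written only after validation.
    Get-Item 'HKCU:\Software\O365 Admin Center' |
        New-ItemProperty -Name '2FAPath' -Value $folder -Force | Out-Null
} else {
    Write-Warning 'Exchange Online MFA module folder not found; 2FAPath left unchanged.'
}
```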