Brian Knoblauch

Reputation: 21349

Remote PowerShell sessions can only be established with interactively entered credentials?

I'm trying to automate a PowerShell script which gathers data from O365. I've got a special limited user set up with the privileges required on O365 and also with local logon allowed on the server so that I can "run-as" that user (which I do for all the scripts below; I have verified different, expected errors when running as other users).

The script works fine interactively when credentials are set like this and the session opened:

$cred  = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection

However, if I create the credentials file for automation with:

Get-Credential | Export-Clixml -Path C:\batch\${env:USERNAME}_cred.xml

And then access from the script via:

$cred = Import-Clixml -Path C:\batch\${env:USERNAME}_cred.xml
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection

The credential file load appears to succeed. I then get "Access Denied" on the session open, and then of course the rest of the script fails due to the session being null. I'm cutting and pasting the password in all cases (plus have tried many, MANY times including hand typing) so I don't think it's a simple typo issue. Seems more like something I'm fundamentally misunderstanding about PowerShell. Ultimately I'd like to not just have the credentials automated, but also have it run from Task Scheduler, if there are any special settings above and beyond that I also need.

Upvotes: 1

Views: 814

Answers (3)

InteXX

Reputation: 6367

Does the account in question have MFA enabled? If so, you might try this.

This script:

  • Downloads Exchange Online Remote PowerShell Module
  • Installs Exchange Online PowerShell Module
  • Connects Exchange Online PowerShell using MFA

Or, you can perform these manually. More information, including a detailed walk-through, is available here:

https://o365reports.com/2019/04/17/connect-exchange-online-using-mfa/

Upvotes: 1

InteXX

Reputation: 6367

I was able to get this working, in my environment at least, by including a call to Import-PSSession:

$Credential = Import-Clixml -Path D:\Modules\O365Credentials.xml
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Get-Mailbox

Upvotes: 1

Dilshad Abduwali

Reputation: 1458

I don't see anything wrong with your code from a PowerShell perspective. I have tested the way you are creating credentials within a company domain and I was able to create a new session by importing the credential XML file that was created by exporting the credentials the way you did. I then assume it might be MS Exchange related.

I can suggest alternatives for you to try:

# First we need to get the encrypted password:
$TempCred = Get-Credential
# provide credentials to the prompt

# now the encryption to be saved in a file
$TempCred.Password | ConvertFrom-SecureString | Set-Content C:\mypass.txt

This way the encrypted version of your password is saved as text.

In your automation script you can now do this:

 $username = "yourusername"
 $password = Get-Content C:\mypass.txt | ConvertTo-SecureString
 $cred = New-Object System.Management.Automation.PsCredential($username, $password)
 $session = New-PSSession -Credential $cred .....

I am not sure if this works in your case; it worked in my company domain. Once again, the XML version worked for me too. I am just providing alternatives to try if you are not keen to find out why the XML way did not work.

Upvotes: 1
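
Added example, not part of any answer above: a pre-flight check for a credential file written with Export-Clixml, meant to run under the same account (and the same scheduled task) as the real script. On Windows the stored password is protected with DPAPI and can only be decrypted by the user who exported it, on the computer where it was exported; the function name `Test-StoredCredential` is hypothetical and the path is the one from the question.

```powershell
# Added example: Test-StoredCredential is a hypothetical helper name.
function Test-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $result = [ordered]@{
        Path      = $Path
        RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Computer  = $env:COMPUTERNAME
        Loaded    = $false
        UserName  = $null
        PwdLength = $null
        Error     = $null
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Error = 'Credential file not found'
        return [pscustomobject]$result
    }

    try {
        # Import-Clixml decrypts the stored SecureString with DPAPI. It fails
        # here if the file was exported by another user or on another computer.
        $cred = Import-Clixml -LiteralPath $Path -ErrorAction Stop
        if ($cred -isnot [System.Management.Automation.PSCredential]) {
            throw 'File does not contain a PSCredential object'
        }
        $result.Loaded   = $true
        $result.UserName = $cred.UserName
        # Report only the length so the secret never reaches a log file.
        # A length that differs from the real password points at stray
        # characters picked up when the password was pasted.
        $result.PwdLength = $cred.Password.Length
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    return [pscustomobject]$result
}

# Run as the service account, both interactively and from Task Scheduler,
# and compare RunningAs, UserName and Error between the two runs.
Test-StoredCredential -Path "C:\batch\${env:USERNAME}_cred.xml" | Format-List
```

If `Loaded` is true and `UserName` is the expected O365 account, the file itself is sound and the "Access Denied" comes from the remote endpoint rather than from the stored credential.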
