Office-365-Extractor icon indicating copy to clipboard operation
Office-365-Extractor copied to clipboard

Published 20 hours ago verified publisher icon PwC-IR

No Multi-factor authentication (MFA) support

Open Simon-Charest opened this issue 3 years ago • 3 comments

Replace:

$UserCredential = Get-Credential Connect-ExchangeOnline -Credential $UserCredential

... by this:

Connect-ExchangeOnline

And add this, at the end:

Disconnect-ExchangeOnline -Confirm:$false

Related issue: https://github.com/jrentenaar/Office-365-Extractor/issues/9

Simon-Charest avatar Apr 09 '21 16:04 Simon-Charest

Hey Simon, thanks for your suggestion on improving the code.

Did you test your code with longer running scripts? The problem we face with MFA is that after 60 min the MFA token is not valid anymore resulting the script to give an error due to no valid successful login session.

Microsoft documentation says the following about it: When you use the Exchange Online Remote PowerShell Module, your session will end after one hour, which can be problematic for long-running scripts or processes.

We are not aware of a way around this issue yet. During our investigations we use one of the the following two workarounds:

  1. What we do at most of our clients is request a new user account with only the "View-Only Audit Logs" privileges/role and MFA disabled for that account. With this account you can then extract the Unified Audit Log.
  2. Add the IP-address of the machine performing the acquisition to the trusted IP list. If the IP-address is on this list, it will not ask for MFA when logging in. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

PwC-IR avatar Apr 12 '21 08:04 PwC-IR

Hi Joey,

We've had no issues running your tool (as a local Administrator and with a Global Administrator account on the tenant), with Connect-ExchangeOnline, for days. The token must be cached and refreshed every now and then. We do get this message every once in a while, but it doesn't seem to affect the fetching/data in any way:

"Creating a new Remote PowerShell session using Modern Authentication for implicit remoting of "Search-UnifiedAuditLog" command ..."

Regards,

Simon

Simon-Charest avatar Apr 12 '21 12:04 Simon-Charest

Judging from Simon-Charest's response, his suggested code update would resolve the issue. Have you had any time to test his approach? Supporting MFA seems like an essential feature considering we're dealing with security here...

SUBnet192 avatar Feb 21 '22 19:02 SUBnet192