Monday, October 16, 2017

Using PowerShell with MFA to Administer US Government Tenants on Office 365

In this post, I will show you how to connect to a US Government GCC High Office 365 Tenant using PowerShell with credentials that have multi-factor authentication (MFA) enabled.

Background

To meet the unique and evolving requirements of contractors who are holding or processing U.S. Department of Defense controlled unclassified information (CUI) or are subject to International Traffic in Arms Regulations (ITAR), Microsoft offers "GCC High" Office 365 tenants. These tenants are designed to meet special regulatory, compliance and audit requirements and are physically segregated from commercial environments. Currently, Microsoft also has similar setups configured specifically for Germany and China. GCC High tenants are different from the standard GCC tenants and contain a different set of features. The full service description can be found here: https://technet.microsoft.com/en-us/library/mt774581.aspx.

The four service endpoints we will connect to are:
  • Azure Active Directory
  • Exchange Online
  • Skype for Business Online
  • SharePoint Online
The instructions below demonstrate how to connect to the endpoints using PowerShell with an account that has MFA enabled. In each case, the command to connect to the tenant will trigger a modern authentication screen that will prompt for credentials and facilitate authentication with other factors (e.g., text message, app notification, etc.).

Azure Active Directory

Follow the steps below to connect to Office 365 using the Azure Active Directory PowerShell module:
  • Install the Azure Active Directory PowerShell module by running the following command:
  Install-Module AzureAD
  • Run the following PowerShell command in the Azure Active Directory PowerShell window to connect to your tenant. Note that the command includes the "AzureEnvironment" parameter set to "AzureUSGovernment". This identifies the tenant as GCC High and directs the request to the appropriate endpoint.
  Connect-AzureAD -AzureEnvironment AzureUSGovernment

Exchange Online

Follow the steps below to connect to Office 365 using the Exchange Online PowerShell module:
  • Navigate to the Exchange Online Administration Center for your GCC High Tenant here: https://outlook.office365.us/ecp/?ExchClientVer=15
  • In the Exchange Online Administration Center, navigate to the Hybrid section. Under "Setup", click the appropriate Configure button to download the Exchange Online Remote PowerShell Module for MFA.
  • Follow the prompts to install the Microsoft Exchange Online PowerShell Module
  • Run the following command in the Exchange Online PowerShell window to connect to your GCC High tenant with MFA-enabled credentials. Replace <name@domain> with the user principal name of your admin account. Note that the ConnectionUri is what redirects the login to the appropriate infrastructure for GCC High tenants.
 Connect-EXOPSSession -UserPrincipalName <name@domain> -ConnectionUri https://outlook.office365.us/PowerShell-LiveID

Skype For Business Online

Follow the steps below to connect to Office 365 using the Skype for Business Online PowerShell module:
  • Download and install the Skype for Business Online Connector Module: http://go.microsoft.com/fwlink/?LinkId=294688
  • Run the following commands from any PowerShell window to import the connector module and connect to Skype for Business Online. Replace <OnMicrosoft Domain Name> with the tenant domain name that was created when you set up your tenant (e.g., contoso.onmicrosoft.com). Do not use a custom tenant domain name.
Import-Module LyncOnlineConnector
$session = New-CsOnlineSession -Verbose -OverrideAdminDomain <OnMicrosoft Domain Name>
Import-PSSession $session

SharePoint Online

Follow the steps below to connect to Office 365 using the SharePoint Online PowerShell module:
  • Download and install the SharePoint Online PowerShell Module: https://www.microsoft.com/en-us/download/details.aspx?id=35588
  • Run the command below from the SharePoint Online PowerShell window to connect to SharePoint Online. Replace <TenantName> with your tenant name (e.g., https://contoso-admin.sharepoint.us). The URL, combined with the region, directs the request to your GCC High tenant.
 Connect-SPOService -Url https://<TenantName>-admin.sharepoint.us -Region ITAR
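To tie the four procedures above together, here is an added example script (not part of the original post) that connects to all four GCC High endpoints with one MFA-enabled admin account and confirms that the Azure AD session actually landed in the US Government environment before any administrative cmdlet is run. The three parameter values ($AdminUpn, $OnMicrosoftDomain, $TenantName) are placeholders for your own tenant; the cmdlets are the standard ones from the modules installed in the steps above.

```powershell
# Added example, not from the original post: connect to the four GCC High
# endpoints with an MFA-enabled account and verify each session before use.
# All three parameter values are placeholders for your own tenant.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,          # placeholder, e.g. admin@contoso.onmicrosoft.us
    [Parameter(Mandatory)] [string] $OnMicrosoftDomain, # placeholder, e.g. contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $TenantName         # placeholder, e.g. contoso
)

$ErrorActionPreference = 'Stop'   # stop on the first failed connection rather than continuing half-connected

# 1. Azure Active Directory: -AzureEnvironment keeps the request off the commercial login endpoints.
Connect-AzureAD -AzureEnvironment AzureUSGovernment -AccountId $AdminUpn | Out-Null
$aad = Get-AzureADCurrentSessionInfo
if ($aad.Environment -ne 'AzureUSGovernment') {
    # Guard against a cached commercial session: never run GCC High changes against the wrong cloud.
    throw "AzureAD session is in '$($aad.Environment)', not AzureUSGovernment; run Disconnect-AzureAD and retry."
}
Write-Host "AzureAD: connected to $($aad.TenantDomain) as $($aad.Account)"

# 2. Exchange Online: the .us ConnectionUri selects the GCC High service.
Connect-EXOPSSession -UserPrincipalName $AdminUpn `
    -ConnectionUri 'https://outlook.office365.us/PowerShell-LiveID'
Write-Host "Exchange Online: organization $((Get-OrganizationConfig).Name)"

# 3. Skype for Business Online: OverrideAdminDomain must be the onmicrosoft.com name, not a custom domain.
Import-Module LyncOnlineConnector
$csSession = New-CsOnlineSession -OverrideAdminDomain $OnMicrosoftDomain
Import-PSSession $csSession -AllowClobber | Out-Null
Write-Host "Skype for Business Online: tenant $((Get-CsTenant).DisplayName)"

# 4. SharePoint Online: the -admin.sharepoint.us URL together with -Region ITAR targets GCC High.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.us" -Region ITAR
$spo = Get-SPOTenant
Write-Host "SharePoint Online: connected; external sharing is set to $($spo.SharingCapability)"
```

Expect four separate modern authentication prompts, one per endpoint, since each module establishes its own session; the script does not cache or reuse credentials between them.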

Summary

The above instructions will allow you to connect to the various admin components of a GCC High US Government Office 365 Tenant with an MFA enabled account.
