Hybrid Exchange PowerShell Tool Now Has Multifactor Authentication
IT pros managing Exchange Server and Exchange Online accounts via remote PowerShell now have the ability to protect those sessions with multifactor authentication.
Microsoft announced that capability this week with a new multifactor authentication option for the Office 365 Hybrid Configuration Wizard. The wizard is a configuration tool for organizations that use Exchange Server on premises and Exchange Online services delivered from Microsoft's datacenters. Microsoft built this wizard into Exchange Server 2016 and Exchange Server 2013 Cumulative Update 10 and greater. It will also work with some older Exchange Server versions, according to a Microsoft FAQ document.
Multifactor authentication is a secondary means of verifying a user's identity on top of a password. Typically, users must respond to an instant-message challenge or an automated phone call to verify their identities before gaining access. Until this week, that security protection wasn't available for users of the Office 365 Hybrid Configuration Wizard (HCW), but users have wanted the feature nonetheless, Microsoft's announcement explained:
Many Exchange Online customers wanted the extra level of security that is offered with Multi-Factor Authentication, which allows you to force the administrator account to use Multi-Factor Authentication. However, because of a limitation in Remote PowerShell, Exchange Online administrators could not connect with a Multi-Factor enabled account. In addition, as the Office 365 Hybrid Wizard also requires Remote PowerShell connections to Exchange Online, prior to now, the account you used to run the HCW could not be enabled for Multi-Factor Authentication.
IT pros can enable multifactor authentication for the wizard by downloading a new module from within the Exchange Online Admin Center, as described in Microsoft's announcement. There's one exception for "21 Vianet Greater China tenants," as they also will have to download a specific Office 365 Hybrid Configuration Wizard to get multifactor authentication protection.
To use the new capability, the accounts using multifactor authentication have to be "enabled for remote PowerShell." Moreover, "TCP Port 80 needs to be open" for the connection, a Microsoft TechNet article explained.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.