{"id":840,"date":"2022-05-06T17:24:58","date_gmt":"2022-05-06T21:24:58","guid":{"rendered":"https:\/\/blog.markdepalma.com\/?p=840"},"modified":"2023-03-11T10:51:37","modified_gmt":"2023-03-11T15:51:37","slug":"running-sync-modernmailpublicfolders-ps1-with-modern-authentication","status":"publish","type":"post","link":"https:\/\/blog.markdepalma.com\/?p=840","title":{"rendered":"Running Sync-ModernMailPublicFolders.ps1 with Modern Authentication"},"content":{"rendered":"\n<p><strong>UPDATE: After years of Microsoft leaving users lost and confused, they finally decided to <a rel=\"noreferrer noopener\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/announcing-public-folder-migration-scripts-with-modern\/ba-p\/3382800\" target=\"_blank\">refactor and release a new version of their script<\/a> (only a few days after I published this article). Their new script is now based on the EXO PS v2 module, which uses Graph API and no longer uses EXO PS Remoting.<\/strong><\/p>\n\n\n\n<p>As part of an Exchange Online migration I was re-running a Public Folder sync that I initially ran two years ago when we still had basic authentication enabled from internal networks for Exchange Online. When I went to re-run it, I realized it was not going to work because we completely disabled basic authentication. 
I had recently created an unattended script that connects to Exchange Online using <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/msal-authentication-flows#integrated-windows-authentication-iwa\">MSAL and integrated Windows authentication (IWA)<\/a> and was able to use this methodology in this script without making any modifications to the script.<\/p>\n\n\n\n<p>To make this work we first need to install the MSAL.PS module:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Install-Module -Name 'MSAL.PS'<\/pre>\n\n\n\n<p>Next, we need to get an OAuth token for Exchange Online PowerShell, create a bearer token secure string, and create a basic credential from it along with our UPN. We will need to specify the client ID for Exchange Online PowerShell (612e1698-a44c-49a4-b66b-4188cc69cbaa) along with our tenant ID (I&#8217;m entering a fake one here). When prompted, you will log in with an account that has EXO administrative access:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$EXOToken = Get-MsalToken -ClientId 'a0c73c16-a7e3-4564-9a95-2bdf47383716' -TenantId '612e1698-a44c-49a4-b66b-4188cc69cbaa' -Scopes 'https:\/\/outlook.office365.com\/.default'\n\n$TokenSecureString = ConvertTo-SecureString \"Bearer $($EXOToken.AccessToken)\" -AsPlainText -Force\n\n$Credential = New-Object System.Management.Automation.PSCredential($EXOToken.Account.Username, $TokenSecureString)\n<\/pre>\n\n\n\n<p>Now we can execute the script, but we will need to use an alternate ConnectionUri so that we can make EXO do the basic -&gt; OAuth conversion:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\\Sync-ModernMailPublicFolders.ps1 -Credential $Credential -ConnectionUri 'https:\/\/outlook.office365.com\/powershell-liveid?BasicAuthToOAuthConversion=true' -CsvSummaryFile:sync_summary.csv<\/pre>\n\n\n\n<p>The script should have executed without an issue. 
No need to re-enable basic authentication!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE: After years of Microsoft leaving users lost and confused, they finally decided to refactor and release a new version of their script (only a few days after I published this article). Their new script is now based on the EXO PS v2 module, which uses Graph API and no longer uses EXO PS Remoting. As [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[64,69,99,72,67,65],"tags":[193,194,198,199,197,200,121,195,49],"class_list":["post-840","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-exchange","category-o365","category-powershell","category-scripting","category-security","tag-basic-auth","tag-basic-authentication","tag-integrated-windows-authentication","tag-iwa","tag-migration","tag-modern-auth","tag-modern-authentication","tag-msal","tag-public-folders"],"_links":{"self":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=840"}],"version-history":[{"count":4,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/840\/revisions"}],"predecessor-version":[{"id":860,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/840\/revisions\/860"}],"wp:attachment":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=840"}]
,"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}