
Create PowerShell Session is failed using OAuth

When connecting to Exchange Online (there was a reason I needed to do this) I had the following error:

Some googling turned up that, luckily, someone had already posted how to fix this:

https://www.vansurksum.com/2021/03/11/create-powershell-session-is-failed-using-oauth-when-using-the-exchange-online-v2-powershell-module/

It turns out WinRM's ability to use Basic client authentication is disabled as part of the standard Windows 10 hardening baseline deployed via Intune.

To fix this we need to re-enable Basic client-side WinRM authentication.

Configuring this policy and refreshing the client config made Exchange Online authentication work.
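To confirm the WinRM client state before and after the policy change, here is an added check script (not from the original post). It assumes an elevated PowerShell session on the Intune-managed Windows 10 client with the WinRM service running; the registry path and the WSMan provider path are the standard locations for the "Allow Basic authentication" WinRM Client policy.

```powershell
# Added example: report whether WinRM client Basic authentication is allowed,
# which is what Connect-ExchangeOnline (WinRM-based session) needs.
# Assumes an elevated session and that the WinRM service is running.

# Effective value the WinRM client will use ("true" or "false").
$basic = (Get-Item -Path 'WSMan:\localhost\Client\Auth\Basic').Value
Write-Host "WinRM client Basic auth (effective): $basic"

# Policy-enforced value written by GPO / Intune (Policy CSP
# RemoteManagement/AllowBasicAuthentication_Client).
# 0 = blocked by the hardening baseline, 1 = allowed, absent = not set by policy.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
$policy = Get-ItemProperty -Path $policyPath -Name AllowBasic -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    Write-Host "No AllowBasic policy at $policyPath (local WinRM config applies)."
} else {
    Write-Host "Policy AllowBasic = $($policy.AllowBasic) at $policyPath"
}

if ($basic -ne 'true') {
    Write-Warning "Basic client auth is disabled: Connect-ExchangeOnline will fail with 'Create PowerShell Session is failed using OAuth'."
    Write-Warning "Enable the WinRM Client 'Allow Basic authentication' policy in Intune, sync the device, then re-run this check."
}
```

Re-enabling Basic client auth relaxes the baseline for every WinRM client connection on the device, so scope the policy to the admin workstations that actually need it and keep the server-side Basic setting disabled.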

Summary

When hardening environments, it is often the case that something will 'break'. The hardening process for systems is rarely (if ever!) a one-attempt deployment; an iterative process should be planned for.

Out of the box there are a range of considerations to be made for MDM/Windows client policies, such as BitLocker To Go configuration, SMB hardening and loads more settings that you need to consider and test for in your environment.

Overcoming this connection error was the first step in enabling a cool feature in Exchange Online – the use of plus sign aliases (+).

Here is what I wanted to run!

https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/plus-addressing-in-exchange-online

# make sure the WinRM service and listener are configured on the client
winrm quickconfig
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

# sign in with a global administrator account
Connect-ExchangeOnline -UserPrincipalName emailaddress[.]com

# check the current value before changing it
Get-OrganizationConfig | Select -Property AllowPlusAddressInRecipients

Set-OrganizationConfig -AllowPlusAddressInRecipients $true

# confirm the change has applied
Get-OrganizationConfig | Select -Property AllowPlusAddressInRecipients

Disconnect-ExchangeOnline

With the MDM policy configured, and using an account with global administrator rights, I was able to configure the use of plus signs.
