Access Denied (No soup for you!)

I’ve been using this script to streamline my connection to the Exchange Online Shell, and it’s been working well for me – until recently when I ran into this weird “Access Denied” error:

As you can imagine, I started out by troubleshooting issues with my account, trying to figure out why I was being denied access, including stuff like what this article talks about (bad username/password, not being an Exchange Online admin).

I knew however, that this was not my issue – I confirmed my password, and my account was a global admin in Office 365. Turns out, the issue was caused not by any specific access being denied on my user account, but more specifically because I was connecting to an Exchange Online tenant that was configured for Multi Factor Authentication! If you’re getting the access denied error connecting through the old way, it’s time for a bit of a change.

The Fix:

There are two ways to resolve this issue, depending on how you want to use your scripts – I use the connection script above quite frequently in my other scripts to connect to Exchange Online, and so I wanted to be able to keep using it.

Fix 1: Use an account that is not enabled for MFA

The first fix is more of a workaround than a fix – simply use a global admin account (or an account with the Exchange Admin role) that is not enabled for multi-factor authentication. This is a good place to set up a cloud only admin account, and connect using admin-user@tenantdomain.onmicrosoft.com, or simply use an on-prem account with MFA disabled – either/or.

Connect using MFA:

If instead you want to start connecting to the Exchange Online shell using MFA and Modern Auth, you’ll need to install the Exchange Online Remote PowerShell Module, and follow the instructions here.

You know you’re using the right module, because it has a blue Exchange icon, and it also gives you this information in yellow text when it loads.

Like it says, you initiate a connection by using Connect-EXOPSSession, like so:

You can see that you’re greeted by a Modern Auth prompt instead of your typical basic auth prompt:

Which then passes on to your MFA approval flow:

For the record, if you’re still getting this credential prompt:

You’re still using basic auth in your connection and are going to run into the “Access Denied” error.

So, there you go – the problem is not with your account, but how you’re connecting to the Exchange Online Shell. Using one of these two options here should get you up and running, and back into your admin shell. I haven’t yet updated my management scripts to leverage this new module, so I’m still using an account with MFA disabled – but that’s up next!