Feature permissions in Exchange Online
September 14, 2020Tutorial: Join a new Windows 10 device with Azure AD during a first run
September 16, 20205 minutes to read
The Exchange Online PowerShell V2 module (abbreviated as the EXO V2 module) uses modern authentication and works with multi-factor authentication (MFA) for connecting to all Exchange-related PowerShell environments in Microsoft 365: Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell. For more information about the EXO V2 module, see About the Exchange Online PowerShell V2 module.
This topic contains instructions for how to connect to Exchange Online PowerShell using the EXO V2 module with or without MFA.
To use the older, less secure remote PowerShell connection instructions that will eventually be deprecated, see Basic auth – Connect to Exchange Online PowerShell.
To use the older Exchange Online Remote PowerShell Module to connect to Exchange Online PowerShell using MFA, see V1 module – Connect to Exchange Online PowerShell using MFA. Note that this older version of the module will eventually be retired.
What do you need to know before you begin?
- The requirements for installing and using the EXO V2 module are described in Install and maintain the EXO V2 module.
- If your organization is on-premises Exchange, and you have Exchange Enterprise CAL with Services licenses for EOP, your EOP PowerShell connection instructions are the same as Exchange Online PowerShell as described in this topic.
Having problems? Ask in the Exchange Online forum.
Connect to Exchange Online PowerShell using MFA
If your account uses multi-factor authentication, use the steps in this section. Otherwise, skip to the Connect to Exchange Online PowerShell without using MFA section.
- In a Windows PowerShell window, load the EXO V2 module by running the following command:
Import-Module ExchangeOnlineManagement2. The command that you need to run uses the following syntax:
Connect-ExchangeOnline -UserPrincipalName <UPN> -ShowProgress $true [-ConnectionUri <URL>] [-AzureADAuthorizationEndPointUri <URL>] [-DelegatedOrganization <String>]- <UPN> is your account in user principal name format (for example,
navin@contoso.com). - The required ConnectionUri and AzureADAuthorizationEndPointUrl values depend on the nature of your Microsoft 365 organization. For more information, see the parameter descriptions in Connect-ExchangeOnline.
- The DelegatedOrganization parameter specifies the customer organization that you want to manage as an authorized Microsoft Partner. For more information, see Partners.
This example connects to Exchange Online PowerShell in a Microsoft 365 or Microsoft 365 GCC organization:
Connect-ExchangeOnline -UserPrincipalName navin@contoso.com -ShowProgress $trueThis example connects to Exchange Online PowerShell in an Office 365 Germany organization:
Connect-ExchangeOnline -UserPrincipalName lukas@fabrikam.de -ShowProgress $true -ConnectionUri https://outlook.office.de/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.de/commonThis example connects to Exchange Online PowerShell in a Microsoft GCC High organization:
Connect-ExchangeOnline -UserPrincipalName laura@blueyonderairlines.us -ShowProgress $true -ConnectionUri https://outlook.office365.us/powershell-liveid -AzureADAuthorizationEndPointUri https://login.microsoftonline.us/commonThis example connects to Exchange Online PowerShell in a Microsoft 365 DoD organization:
Connect-ExchangeOnline -UserPrincipalName julia@adatum.mil -ShowProgress $true -ConnectionUri https://webmail.apps.mil/powershell-liveid -AzureADAuthorizationEndPointUri https://login.microsoftonline.us/commonThis example connects to Exchange Online PowerShell to manage another tenant:
Connect-ExchangeOnline -UserPrincipalName navin@contoso.com -DelegatedOrganization adatum.onmicrosoft.comFor detailed syntax and parameter information, see Connect-ExchangeOnline.
Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you’ll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.
Connect to Exchange Online PowerShell without using MFA
If your account doesn’t use multi-factor authentication, use the steps in this section.
- In a Windows PowerShell window, load the EXO V2 module by running the following command:
Import-Module ExchangeOnlineManagement2. Run the following command:
$UserCredential = Get-CredentialIn the Windows PowerShell Credential Request dialog box that appears, type your work or school account and password, and then click OK.
3. The command that you need to run uses the following syntax:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true [-ConnectionUri <URL>] [-DelegatedOrganization <String>]- The required ConnectionUri value depends on the nature of your Microsoft 365 organization. For more information, see the parameter description in Connect-ExchangeOnline.
- The DelegatedOrganization parameter specifies the customer organization that you want to manage as an authorized Microsoft Partner. For more information, see Partners.
Connect to Exchange Online PowerShell in a Microsoft 365 or Microsoft 365 GCC organization:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $trueConnect to Exchange Online PowerShell in an Office 365 Germany organization:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true -ConnectionUri https://outlook.office.de/powershell-liveid/Connect to Exchange Online PowerShell in an Office 365 operated by 21Vianet organization:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true -ConnectionUri https://partner.outlook.cn/PowerShellConnect to Exchange Online PowerShell in a Microsoft 365 GCC High organization:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true -ConnectionUri https://outlook.office365.us/powershell-liveid/Connect to Exchange Online PowerShell in a Microsoft 365 DoD organization:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true -ConnectionUri https://webmail.apps.mil/powershell-liveidFor detailed syntax and parameter information, see Connect-ExchangeOnline.
Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you’ll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.PowerShellCopy
Disconnect-ExchangeOnlineHow do you know this worked?
The Exchange Online cmdlets are imported into your local Windows PowerShell session and tracked by a progress bar. If you don’t receive any errors, you connected successfully. A quick test is to run an Exchange Online PowerShell cmdlet, for example, Get-Mailbox, and see the results.
If you receive errors, check the following requirements:
- A common problem is an incorrect password. Run the three steps again and pay close attention to the user name and password you enter in Step 1.
- To help prevent denial-of-service (DoS) attacks, you’re limited to three open remote PowerShell connections to your Exchange Online organization.
- The account you use to connect to must be enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.
- TCP port 80 traffic needs to be open between your local computer and Microsoft 365. It’s probably open, but it’s something to consider if your organization has a restrictive internet access policy.
- If your organization uses federated authentication, and your identity provider (IDP) and/or security token service (STS) isn’t publicly available, you can’t use a federated account to connect to Exchange Online PowerShell. Instead, create and use a non-federated account in Microsoft 365 to connect to Exchange Online PowerShell.
