Kloudless Blog

Tutorials, case studies and how-tos from our experts

Authorizing Office 365 PowerShell commands with OAuth

Read more about that on our previous blog post here. Our initial support for remote PowerShell requests relied on Basic Authentication using the admin’s Office 365 email address and password. However, several Office 365 admins follow best practices that encourage the use of Multi-Factor Authentication with Exchange Online PowerShell. Our engineers recently took up the challenge of introducing support for authorizing PowerShell cmdlets with Bearer tokens instead! This lets us avoid storing passwords, as well as follows the modern authentication flow supported by Office 365. The latest release of Kloudless Enterprise includes support for this capability along with several enhancements to improve performance of PowerShell queries, such as multi-threaded PowerShell processes and background job management.

Authorizing PowerShell commands with OAuth

For an inside look into how the authorization process works, check out our PSMSOAuth PowerShell module here. Your users can install and run it as shown below:
    Install-Module -Name PSMSOAuth
    Import-Module PSMSOAuth
    Get-PSMSOAuthCodes
This prompts the user for authorization credentials twice and then displays the authorization codes required to exchange with Office 365 for an access token to access the account. You can then either guide the user through the regular Kloudless OAuth authorization flow (docs) or simply make an Account Import request (docs) with the authorization codes to connect the account. The account can now receive PowerShell commands to execute via the Kloudless pass-through API. You can read more about connecting to accounts with MFA enabled on Microsoft’s docs here. Check out example API requests you can execute on our previous blog post here.

Performance Enhancements

One of the challenges connecting to Office 365 PowerShell is the limit on the number of concurrent sessions allowed. Microsoft caps the number of sessions at three. This makes it necessary to strictly manage timeouts as well as open sessions to avoid running out of connections when making several API requests, especially concurrent ones. In addition, a PowerShell process can only execute a single command at a time, unless the command is set up to execute in the background. Kloudless utilizes a job queue that feeds PowerShell commands to background workers managing individual PowerShell processes, each of which manage multiple commands simultaneously. This greatly improves the performance and scalability of remote PowerShell requests while maintaining per-account isolation guarantees.

Extensibility

The Kloudless PowerShell interface has been architected to support connecting to a variety of services provided by Microsoft through a common API request format powered by our pass-through APIs. Your application can manage any Office 365 or Azure customer’s tenant through a REST API rather than dropping to the shell. Let us handle that for you! Have any questions or feedback? We’d love to hear from you at support@kloudless.com!

Published By

Vinod Chandru