PowerShell cmdlets

Please note: The following PowerShell cmdlets illustrate what needs to be done to establish a successful PowerShell connection to Microsoft 365 Exchange Online. You can find the complete documentation and help for troubleshooting issues on the Microsoft website. In particular, the examples used here may not be as complete or up-to-date as the current software.


Requirements

The PowerShell examples assume that the user has administrative privileges. Run PowerShell as administrator. Use at least PowerShell version 5.1. If necessary, update the local PowerShell version.

This is how to check the local PowerShell version:

$PSVersionTable

Most cmdlets require external calls. In particular, the connection to Exchange Online must be enabled for remote PowerShell access. To install missing modules and the PackageProvider, you may be required to change the TLS version:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

To allow remote PowerShell access, you need to enable this function:

Enable-PSRemoting

You should only run signed external cmdlets and scripts. You need to confirm the start of the execution manually:

Set-ExecutionPolicy RemoteSigned

Certificates

When generating a self-signed certificate, you should copy the fingerprint from PowerShell and save it separately for use in other cmdlets or the ELOxc configuration.

This is how you create a certificate:

New-SelfSignedCertificate -DnsName "dns.name" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange

The DnsName parameter must not contain any wildcards. The ELOxc host certificate (Z3) requires the local fully qualified domain name (FQDN), whereas the app registration certificate (Z4) requires the Microsoft 365 tenant name. We recommend that you always save the fingerprint of new certificates.

In this example, 0C202737F8B809FAFA532C61E878F8DEEB385787 was used for Z3 and 2E5B4D92DFBE8CFB49CF57106534EC50B12E6974 was used for Z4. Since Z4 is required for app registration in Microsoft 365, you need to export it as a CER file without the private key:

$cert = Get-ChildItem -Path cert:\LocalMachine\My\2E5B4D92DFBE8CFB49CF57106534EC50B12E6974

$cert | Export-Certificate -FilePath C:\XcAppReg.cer

If you want to use the same certificate for the ELOxc web host and the app registration (Z3=Z4), generate the certificate with two values for DnsName.

In this case, you would need a new fingerprint (here: 9428F14E2E9A50DEC74D8EFD9D95DB5C3602F38D). You can check the DNS name in the local certificate store:
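One way to run this check, as an added example that is not part of the original documentation: the function below looks up a certificate by fingerprint, lists its DNS names, and verifies the points made in this section (no wildcards, expected names present, private key available locally, exported CER file contains the public part only). The function name Test-XcCertificate and the MinDaysValid threshold are assumptions; the fingerprint, tenant name and file path are the example values used above for Z4.

```powershell
# Added example: audit a certificate created for ELOxc before it is used.
# Test-XcCertificate is a hypothetical helper name, not an ELO or Microsoft cmdlet.
function Test-XcCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $Thumbprint,
        [Parameter(Mandatory)][string[]] $ExpectedDnsName,
        [string] $ExportedCerPath,        # optional: file written by Export-Certificate
        [int]    $MinDaysValid = 30       # assumed warning threshold
    )

    # Fingerprints pasted from the certificate dialog often carry spaces or
    # invisible characters; keep hex digits only.
    $tp   = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$tp" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "No certificate with thumbprint $tp in Cert:\LocalMachine\My" }

    # DnsNameList is filled by the certificate provider from the SAN extension.
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    $result = [ordered]@{
        Thumbprint         = $cert.Thumbprint
        DnsNames           = $dnsNames
        MissingDnsNames    = @($ExpectedDnsName | Where-Object { $dnsNames -notcontains $_ })
        HasWildcard        = @($dnsNames | Where-Object { $_.Contains('*') }).Count -gt 0
        HasPrivateKey      = $cert.HasPrivateKey   # needed locally for certificate-based sign-in
        DaysRemaining      = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        ExportIsPublicOnly = $null                 # stays $null when no file is given
    }

    if ($ExportedCerPath) {
        # The file uploaded to the app registration must match the stored
        # certificate and must not contain the private key.
        $file = (Resolve-Path -Path $ExportedCerPath).Path
        $pub  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
        $result.ExportIsPublicOnly = (-not $pub.HasPrivateKey) -and
                                     ($pub.Thumbprint -eq $cert.Thumbprint)
    }

    $result.Ok = ($result.MissingDnsNames.Count -eq 0) -and (-not $result.HasWildcard) -and
                 $result.HasPrivateKey -and ($result.DaysRemaining -ge $MinDaysValid) -and
                 ($result.ExportIsPublicOnly -ne $false)
    [pscustomobject]$result
}

# Z4 example values from this page.
Test-XcCertificate -Thumbprint '2E5B4D92DFBE8CFB49CF57106534EC50B12E6974' `
    -ExpectedDnsName 'tenant.onmicrosoft.com' -ExportedCerPath 'C:\XcAppReg.cer'
```

For a combined certificate (Z3=Z4), pass both the local FQDN and the tenant name to ExpectedDnsName.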

Install module for Exchange Online

First, you can check whether the Exchange Online module (ExchangeOnlineManagement module) is available locally:

Get-Module

If it is missing, you must download and install it. First install the PackageProvider for NuGet and import it. Afterwards, you need the PowerShellGet module.

This is how to install and import the PackageProvider:

Install-PackageProvider -Name NuGet -Force

Import-PackageProvider -Name NuGet

This is how to install the PowerShellGet module:

Install-Module PowershellGet -Force

Now you can install and import the module for Exchange Online:

Install-Module -Name ExchangeOnlineManagement

Import-Module -Name ExchangeOnlineManagement

Test module for Exchange Online

If the module for Exchange Online is installed, ELOxc imports it automatically at runtime. If the import is successful, the connection to Exchange Online can be established. Once you have set up the app registration, you can test the PowerShell connection manually. Use the app ID and the tenant from the registration:

Connect-ExchangeOnline -CertificateThumbPrint 2E5B4D92DFBE8CFB49CF57106534EC50B12E6974 -Organization "tenant.onmicrosoft.com" -AppID "cbfafa12-36c7-4586-a9c7-f94e923f1d26"

Once the connection is successfully established, you can test the two required Get-Mailbox and Get-MailboxPermission cmdlets:

Get-Mailbox -RecipientTypeDetails 'sharedmailbox' * | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select-Object -Property identity, user

You should disconnect active PowerShell connections at the end as follows:

Disconnect-ExchangeOnline

To prevent ELOxc from accessing specific mailboxes through the PowerShell connection, you can use New-ApplicationAccessPolicy. This requires an active PowerShell connection:

New-ApplicationAccessPolicy -AppId cbfafa12-36c7-4586-a9c7-f94e923f1d26 -PolicyScopeGroupId xc2@tenant.onmicrosoft.com -AccessRight DenyAccess -Description "Exclude xc2"
