🚀 Executive Summary
TL;DR: Microsoft is deprecating Basic Authentication for Exchange Online PowerShell, causing existing scripts using `New-PSSession -Authentication Basic` to fail with ‘Access is denied’ errors. The solution involves migrating to Modern Authentication using the `ExchangeOnlineManagement v3 module` and `Connect-ExchangeOnline`, ideally refactoring scripts to use faster, REST API-backed `EXO` cmdlets for a future-proof approach.
🎯 Key Takeaways
- Basic Authentication for Exchange Online PowerShell is being phased out, making scripts that rely on `New-PSSession -Authentication Basic` non-functional.
- The `ExchangeOnlineManagement v3 module` and its `Connect-ExchangeOnline` cmdlet provide the new standard for Modern Authentication, leveraging REST API calls for improved performance and reliability.
- Solutions range from a quick fix (`Connect-ExchangeOnline`), a permanent refactor to `EXO` cmdlets for optimal performance, to a temporary compatibility option (`Connect-ExchangeOnline -UseRPSSession`) for legacy scripts.
Microsoft is deprecating Basic Auth for Exchange Online PowerShell, causing old scripts using `New-PSSession` to fail. Learn why this is happening and discover three solutions, from a quick fix to a permanent, future-proof rewrite.
That 3 AM Alert: Why Your Exchange Online Scripts Are Suddenly Failing
I still remember the pager alert. It was 3:17 AM on a Tuesday. The on-call engineer was stumped. Our automated user offboarding script, a trusty PowerShell workhorse that had run flawlessly for years, was suddenly throwing a wall of red text. The error? “Access is denied.” Panic starts to set in. Did someone revoke the service account’s permissions? Is it a Conditional Access policy gone rogue? Nope. After a frantic hour of troubleshooting, we found the culprit: a silent, background change by Microsoft that finally caught up to us. And I’m willing to bet it’s about to catch up to you, too.
So, What’s Actually Happening Here? The “Why” Behind the Pain
Let’s get straight to it. Microsoft is killing Basic Authentication for Exchange Online. This is a good thing for security, but it’s a nightmare for legacy automation. For years, we all connected to Exchange Online using a method that looked something like this:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameCheckingThat -Authentication Basic part is the ticking time bomb. It’s being phased out, and when it’s gone for your tenant, any script using this method will simply stop working. The new way forward is Modern Authentication via the ExchangeOnlineManagement v3 module, which uses REST API calls under the hood instead of the old Remote PowerShell (RPS) protocol.
The Fixes: From Duct Tape to a New Engine
You’ve got options, ranging from a quick patch to get you through the day to a proper, long-term solution. Let’s walk through them.
Solution 1: The ‘Get Me Through the Night’ Quick Fix
This is the fastest way to get your scripts running again. The idea is to install the new module and use the new connection cmdlet, but let Microsoft’s backward-compatibility magic handle the rest. It’s a bit of a hack, but it works in a pinch.
- Install the new module: Open PowerShell as an Administrator and run this. You only need to do this once.
Install-Module -Name ExchangeOnlineManagement -Force - Update your script’s connection block: Replace your entire
New-PSSessionblock with a single, modern line.# The old way is now commented out or deleted # $Session = New-PSSession ... # Import-PSSession $Session ... # The new, simple way Connect-ExchangeOnline
For most simple scripts, this just works. The Connect-ExchangeOnline cmdlet will pop a modern auth window for you to sign in, and it creates a temporary, backward-compatible session. Your old Get-Mailbox and Set-Mailbox commands will likely function as they did before.
Warning: This is a temporary fix. You’re still relying on the old Remote PowerShell protocol in the background. It’s slower and will eventually be fully deprecated. Use this to stop the bleeding, but plan to implement the permanent fix.
Solution 2: The ‘Do It Right’ Permanent Fix
This is the solution you should be aiming for. It involves not only changing how you connect but also updating your scripts to use the new, faster, REST-API-backed cmdlets. These are typically prefixed with “EXO” (e.g., Get-EXOMailbox).
Why bother? They are significantly faster and more reliable, especially when pulling large datasets. A Get-Mailbox that used to take 10 minutes might now take 30 seconds with Get-EXOMailbox.
Here’s how you’d refactor a simple script:
| Old Way (Legacy Script) | New Way (Refactored Script) |
|
|
The core logic of your script doesn’t change, but you’re switching out the data-gathering cmdlets. This is the future-proof path.
Solution 3: The ‘I Have No Choice’ Nuclear Option
Okay, so you have a monstrous, 2000-line script that was written by an intern five years ago. It’s got complex, nested logic, and rewriting it all to use the new EXO cmdlets would take weeks. You’re stuck. We’ve all been there.
For this scenario, there’s an escape hatch: the -UseRPSSession switch. This forces the modern Connect-ExchangeOnline cmdlet to create a full, old-school Remote PowerShell session, just like Import-PSSession did. It gives you access to all the old cmdlets, not just the ones with EXO equivalents.
# This connects using modern auth, but gives you an old-style session
Connect-ExchangeOnline -UseRPSSession
# Now your entire old script should work as-is, with no changes needed to cmdlets.
Get-MessageTrace -StartDate "10/25/2023" -EndDate "10/26/2023"Darian’s Pro Tip: Treat the
-UseRPSSessionswitch like a deal with the devil. It will save you today, but you’re inheriting all the performance and reliability problems of the old protocol. Microsoft has made it clear this is a compatibility feature, not a long-term solution. Use it to buy yourself time to properly rewrite the script (Solution 2), and document it as technical debt.
So there you have it. Don’t let that 3 AM alert catch you off guard. Get ahead of this, audit your scripts, and start updating your connection methods. Your future, well-rested self will thank you.
🤖 Frequently Asked Questions
âť“ Why are my Exchange Online PowerShell scripts suddenly failing with ‘Access is denied’?
Your scripts are likely failing because Microsoft is deprecating Basic Authentication for Exchange Online PowerShell. Scripts using `New-PSSession` with `-Authentication Basic` are no longer supported and will cease to function.
âť“ How does `Connect-ExchangeOnline` compare to `Connect-ExchangeOnline -UseRPSSession`?
`Connect-ExchangeOnline` (without `-UseRPSSession`) establishes a modern authentication session, primarily utilizing faster REST API-backed `EXO` cmdlets. `Connect-ExchangeOnline -UseRPSSession` also uses modern authentication but forces the creation of an old-style Remote PowerShell (RPS) session, allowing all legacy cmdlets to work, though it inherits the performance and reliability issues of the older protocol.
âť“ What is a common implementation pitfall when migrating Exchange Online PowerShell scripts?
A common pitfall is treating the quick fix (`Connect-ExchangeOnline` without refactoring) or the `-UseRPSSession` switch as permanent solutions. While they get scripts running, they don’t fully leverage the performance benefits of the new REST-API-backed `EXO` cmdlets and may still rely on the eventually deprecated Remote PowerShell protocol. The recommended solution is to refactor scripts to use `EXO` cmdlets for long-term reliability and speed.
Leave a Reply