Exchange Online Shell – Connect with Certificate

Exchange Online Management Shell can now be connected by utilizing certificate.

You can call it as APP only authentication that you have already experienced with SharePoint online.

This feature is currently in public preview (2.0.3-Preview), good thing about it is that when you connect Exchange Shell using this method then Conditional Access policies are not applied so unattended automations can run without issues.

You need to first install or update the existing version of Exchange Online management Shell on your computer.

Install-Module -Name ExchangeOnlineManagement -AllowPrerelease -Force


Now Register the APP in Azure AD as its APP based authentication that will be used.

Go to à Azure Active Directory à App registration



New Registration, choose any name you want such as Exchange-Shell and Register.

Now assign the permissions by clicking API permissions and selecting Exchange

Permission: Exchange.ManageAsApp

Click on Grant Admin Access and hit yes.

Now next step is to generate a Self-Signed certificate using Powershell which you need to upload to this application.

Use the Script Create-SelfSignedCertificate.ps1

.\Create-SelfSignedCertificate.ps1 -CommonName “Techwizard-Exchange” -StartDate 2020-09-20 -EndDate 2021-09-19

Now upload this certificate to the Azure AD application that you have created.


Now we have to assign the exchange Role to this application so that it can use exchange cmdlets.

Currently below Roles are supported.

  • Global administrator
  • Compliance administrator
  • Security reader
  • Security administrator
  • Helpdesk administrator
  • Exchange administrator
  • Global Reader

Go to Azure AD à Roles and Administrators à Select Exchange Administrator Role.

Click on Assignments and select the APP and hit ADD.

Now we are done with the prerequisites , lets connect to the Exchange Shell now.

Connect-ExchangeOnline -CertificateFilePath “C:\data\Techwizard-Exchange.pfx” -CertificatePassword (ConvertTo-SecureString -String “CertPassword” -AsPlainText -Force) -AppID “b77578bd-b422-4679-a7d6-5b64642fe5b” -Organization “”

APPID à you can get it from overview of the APP that you have registered, password is the password you entered while generating the certificate.

Now I am connected using certificate-based authentication as Exchange Administrator Role using APP only authentication.

Reference:  App-only authentication for unattended scripts in the EXO V2 module


Thanks for reading….

Tech Wizard


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s