New-ExoPSSession : Create Powershell Session is failed using OAuth
In this post we will look at the following error message, which is displayed when a user tries to connect to Exchange Online Management or the Security Center using PowerShell.
“New-ExoPSSession : Create Powershell Session is failed using OAuth”
To start troubleshooting the error above, I had a look at the prerequisites for the EXO V2 PowerShell module.
Based on the information provided in that document, Microsoft requires that Basic authentication is enabled for the WinRM client.
WinRM needs to allow Basic authentication (it’s enabled by default). We don’t send the username and password combination, but the Basic authentication header is required to send the session’s OAuth token, since the client-side WinRM implementation has no support for OAuth.
To continue with the troubleshooting, we need to review which WinRM policies have been applied to the device. To do this, run the following command.
winrm get winrm/config/client/auth
As we can see from the above image, Basic Auth is set to “false”, which indicates that it has been disabled.
Internally we have recently moved to Microsoft Security Baselines for EndPoint devices. One of the configuration options in Security Baseline is “Remote Management”. Under this section you will see the below configuration for WinRM.
The interesting part of this is that the “Client Basic Authentication” setting can only be On or Off. The “Not Configured” option acts the same as “Disabled”.
To resolve the error we are experiencing, we need to set the “Basic Authentication” policy to “Enabled”.
Now that we have enabled the policy, we need to run a sync from our endpoints by opening the “Company Portal” app on the Windows device.
Once the sync has completed, run the following command again to verify that the WinRM policy has been updated on the device.
winrm get winrm/config/client/auth
As you can see from the above image, the policy now allows for Client Basic Authentication.
Lastly let’s rerun our PowerShell Sessions and see if we still get the same error.
As you can see, we now have a successful connection to the Microsoft Security and Compliance PowerShell session.
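The before-and-after check from the steps above as a script, added here as an example and not part of the original post. It assumes the baseline writes to the standard WinRM client policy key shown in the code; `Get-PolicyValue` and `Get-WSManClientValue` are hypothetical helper names. It also reports the neighbouring "allow unencrypted traffic" client setting, since that decides whether a Basic header may leave the device over plain HTTP.

```powershell
# Added example: report the WinRM client Basic auth state and whether policy enforces it.
# Run in an elevated PowerShell session on the affected device.

# Assumption: the baseline lands in the standard WinRM client policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the value is absent, i.e. the setting is not enforced by policy.
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]($item.$Name) }
    return $null
}

function Get-WSManClientValue {
    param([string]$Path)
    # The WSMan: drive needs the WinRM service; report a read failure instead of throwing.
    try   { return (Get-Item -Path $Path -ErrorAction Stop).Value }
    catch { return "unreadable ($($_.Exception.Message))" }
}

$report = [pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    PolicyAllowBasic          = Get-PolicyValue -Name 'AllowBasic'
    PolicyAllowUnencrypted    = Get-PolicyValue -Name 'AllowUnencryptedTraffic'
    EffectiveBasic            = Get-WSManClientValue -Path 'WSMan:\localhost\Client\Auth\Basic'
    EffectiveAllowUnencrypted = Get-WSManClientValue -Path 'WSMan:\localhost\Client\AllowUnencrypted'
}
$report | Format-List

# Same condition the post diagnoses with "winrm get winrm/config/client/auth".
if ($report.EffectiveBasic -ne 'true') {
    Write-Warning 'Client Basic auth is off: the EXO module cannot send its OAuth token.'
}

# Extra check (not from the post): Basic should only ever travel over HTTPS.
if ($report.EffectiveAllowUnencrypted -eq 'true') {
    Write-Warning 'Client allows unencrypted WinRM traffic: a Basic header could be sent over HTTP.'
}
```

An empty `PolicyAllowBasic` together with `EffectiveBasic` set to `true` means the value comes from local WinRM configuration rather than from the baseline.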
If you are an Administrator in your environment, you might want to consider creating a separate Baseline for Administrators which allows Client Basic Authentication, so that the rest of the organization can still have this setting Disabled.