Update your Exchange Online PowerShell module to V3 before it’s too late

avatar Posted on by

[Update]: This blog post was first published on January 27, 2023. However, Microsoft changed the deprecation timeline and added an option to postpone the death of RPS a little bit. I’ll show you just how to do it in your tenant.

To run scripts and cmdlets in Exchange Online, you need to connect to your organization with PowerShell. If you’re still using New-PSSession or a legacy ExchangeOnlineManagement module, you need to update your methods, and do it quick. I’ll show you how to update Exchange Online PowerShell module to EXO V3 module, why the change is needed and how much time you have left.

PS ExO V3 Module - update before it's too late

When to update

Microsoft announced (and later changed the timeline) that they will start to block RPS (Remote PowerShell) Protocol in Exchange Online. Here’s the timeline of RPS deprecation:

  • April 1, 2023 – New tenants have RPS blocked by default. It can be re-enabled until June 15, 2023.
  • May 2023 – RPS gets disabled for tenants which never used it and haven’t used the diagnostic tool to prolong its life.
  • June 15, 2023 – that’s when RPS starts getting blocked even if it had been used in your tenant. And if the tenant was created after April 1, 2023, that’s when your opportunity to re-enable RPS ends.
  • July 1, 2023 – All new tenants have RPS blocked without a way to re-enable it.
  • October 2023 – Final end of the line for RPS. It’s when Microsoft starts blocking it for every tenant.

To translate it to simpler terms, you will need to use Exchange Online Management PowerShell V3 module soon if you haven’t already. If you do not take any steps before June 15, 2023, you might lose connection to your admin’s toolbox and your Exchange Online scripts might stop working. And the final deadline for switching to Exchange Online Management PowerShell V3 module is October 2023.

After this point, you won’t be able to use the -UseRPSSession switch while connecting to Exchange Online with the Connect-ExchangeOnline cmdlet. The parameter grants you access to all existing (remote) PS cmdlets in Exchange Online PowerShell.

You should introduce the new, more secure and reliable ways to manage your Exchange Online with PowerShell. Blocking Remote PowerShell makes your tenant more secure. The problem is that your company might still be using hundreds of scripts that rely on RPS. Some third-party tools might use RPS to configure some settings in your tenant as well. That’s why Microsoft gave admins a way to delay the inevitable. You can use the Microsoft admin center to prolong support for RPS in Exchange Online for your tenant until the end of September 2023.

How to enable Remote PowerShell in Exchange Online

Switching to newer methods takes time. That’s why Microsoft introduced a tool that allows global admins to keep RPS enabled until later or re-enable it if it’s already been blocked. Here’s how it works:

  1. Use this link to open the Microsoft 365 admin center with the RPS diagnostic tool opened. Click Run Tests.
Exchange Online PowerShell RPS diagnostic tool
  1. After a short while, you will get information whether Exchange Online PowerShell RPS is blocked in your tenant or not. Tick the checkbox and click Update to either postpone the RPS block or re-enable it until the end of September 2023.
RPS protocol blocked

How to prepare for the change

Even if you resort to the temporary fix, you still need to prepare for RPS’s end of life. If you’re using PowerShell to manage Exchange Online, you need to use the relatively new v3 Exchange Online Management module. The module is in Global Availability now and it’s best to install it right now.

Update Exchange Online PowerShell module

This Microsoft article states that the V2 Exchange Online Management module is dying. This official guide recommends you uninstall the old EXO module and then install the new one. I’m sure there is a valid reason to push admins down this path, but I find it easier to simply update the old module. The only side-effect of this method was that I’ve seen a double IntelliSense suggestion for e.g. Connect-ExchangeOnline. The side effect prevailed for about 5 minutes after restarting the Windows PowerShell ISE, so I wouldn’t exactly call it troublesome.

So, to update the Exchange Online PowerShell module, simply run your Exchange Online PowerShell console with admin permissions and use the following cmdlet:

Update-Module -Name ExchangeOnlineManagement

Once you agree to everything, the new and shiny V3 module should install in a moment.

EXO V3 Module - confirm installation from PSGallery

If, for some reason, you’re unable to run an update this way, you can uninstall the old module with:

Uninstall-Module ExchangeOnlineManagement

and install a new one from the PowerShell gallery.

How to connect to Exchange Online with PowerShell

In short, you need to use Connect-ExchangeOnline and stop using New-PSSession for Exchange Online connections. That’s old news, though. I’ve recommended switching to the new method long ago in How to connect to Exchange Online with PowerShell.

The new method supports MFA, is more secure and, most importantly, will work after July 1, 2023.

About Exchange Online PowerShell V3 module

Now that you’re ready for the upcoming change, there’s the question of why the change is needed. What’s the big deal? How is the V3 module better?

The change can be summed up with one keyword: security. RPS (Remote PowerShell) Protocol used in New-PSSession or with the -UseRPSSession switch requires Basic authentication in WinRM on the client computer.

Some time ago, I posted about how Microsoft planned (and executed) blocking basic authentication in Microsoft 365. Despite all those long-going efforts, there are still some loose ends. While the V3 module ties some of them (like the need to enable basic authentication in WinRM for ExO connections), there are still some left. Let me quote the Microsoft’s page:

“… All cmdlets in Security & Compliance PowerShell still rely on the remote PowerShell session, so PowerShell on your client computer requires Basic authentication in WinRM to successfully use the Connect-IPPSSession cmdlet.”

It’s quite reassuring to know that (according to the 106112 Microsoft 365 roadmap item) Microsoft plans to support certificate-based authentication (CBA) for eDiscovery PowerShell.

Anyway, forcing admins to switch to EXO V3 module is a good step forward.

Another thing is that V3 (like the V2 module) is backed by the REST API. However, according to this Microsoft’s website, the new, REST API-powered cmdlets have the same names and work just like their legacy equivalents. What’s more, they should have better security, performance and reliability. Theoretically, there’s no need to update any scripts after you change the way you connect to PowerShell. However, if you come across any problems, or have any concerns, Microsoft provides a dedicated email address to hear them: [email protected].

Tools for Exchange Server

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.