Skip to content

New-ExoPSSession : Create Powershell Session is failed using OAuth

New-ExoPSSession : Create Powershell Session is failed using OAuth

In this post we will look at the following error messages being displayed when a user tries to connect to Exchange Online Management or Security Center using PowerShell.

“New-ExoPSSession : Create Powershell Session is failed using OAuth”

Text
Description automatically generated

To start troubleshooting this error above, I had a look at the Prerequisites for the EXO V2 PowerShell module.

Based on the information provided on the document, Microsoft recommends that Client Basic Auth for WinRM should be enabled.

WinRM needs to allow Basic authentication (it’s enabled by default). We don’t send the username and password combination, but the Basic authentication header is required to send the session’s OAuth token, since the client-side WinRM implementation has no support for OAuth.

To continue to with the troubleshooting, we need to review what WinRM policies has been applied to the device. To do this run the following.

winrm get winrm/config/client/auth

Text
Description automatically generated

As we can see from the above image, Basic Auth is set to “false” which indicated that it has been disabled.

Internally we have recently moved to Microsoft Security Baselines for EndPoint devices. One of the configuration options in Security Baseline is “Remote Management”. Under this section you will see the below configuration for WinRM.

Graphical user interface, text, application, email
Description automatically generated

The interesting part of this is when you look at the “Client Basic Authentication” settings, you can either have it On or Off only. The option for “Not Configurated” acts the same as “Disabled

Text
Description automatically generated

In order to resolve the error, we are experiencing, we need to set the “Basic Authentication” policy to “Enabled

Now that we have enabled the policy, we need to run a sync from our EndPoints by opening the “Company Portal” app on your Windows device.

Graphical user interface, text, application, email
Description automatically generated

Once the Sync has completed, run the following PowerShell again to verify if the WinRM policy has been updated on the device.

winrm get winrm/config/client/auth

Text
Description automatically generated

As you can see from the above image, the policy now allows for Client Basic Authentication.

Lastly let’s rerun our PowerShell Sessions and see if we still get the same error.

As you can see, we now have a successful connection to Microsoft Security and Compliance PowerShell Session.

Text
Description automatically generated

If you are an Administrator in your environment, you might want to consider creating a separate Baseline for Administrators which allows for Client Basic Authentication and the rest of the organization ca still have this setting Disabled.

Sharing is caring!

Published inUncategorized

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *