Private/O365MFASupport/Connect-MDSIPPSSession.ps1

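function Connect-MDSIPPSSession {
    <#
        .SYNOPSIS
            Opens a remote PowerShell session to the Security & Compliance (IPPS) endpoint
            through the MFA-capable Exchange Online module.

        .DESCRIPTION
            This cmdlet allows you to connect to Exchange Online Protection Service. It is the
            equivalent of:

                Connect-IPPSSession -ConnectionURI https://ps.compliance.protection.outlook.com/PowerShell-LiveId -AzureADAuthorizationEndpointUri https://login.windows.net/common

            The work is delegated to Connect-EXOPSSession, which is dot-sourced from the
            CreateExoPSSession.ps1 script in the directory returned by Get-MFAExchangeModulePath.

            Outside Azure Cloud Shell the dynamic parameters -UserPrincipalName and -Credential
            are available. Inside Cloud Shell only the -Device switch is exposed.

            Existing PSSessions to the same host are removed (with a warning) before the new
            session is opened.

        .NOTES
            PSSessionOption accepts an object created with New-PSSessionOption.
            Add -DelegatedOrganization with a tenant domain name to manage another tenant; it is
            appended to the connection URI as the DelegatedOrg query parameter.
    #>

    [CmdletBinding()]
    param(
        # Connection Uri for the Remote PowerShell endpoint
        [string]$ConnectionUri = 'https://ps.compliance.protection.outlook.com/PowerShell-LiveId',

        # Azure AD Authorization endpoint Uri that can issue the OAuth2 access tokens
        [string]$AzureADAuthorizationEndpointUri = 'https://login.windows.net/common',

        # Delegated Organization Name (tenant domain) to manage; appended as DelegatedOrg=<name>
        [string]$DelegatedOrganization = '',

        # PowerShell session options to be used when opening the Remote PowerShell session
        [System.Management.Automation.Remoting.PSSessionOption]$PSSessionOption = $null,

        # Switch to bypass use of mailbox anchoring hint.
        [switch]$BypassMailboxAnchoring = $false
    )
    DynamicParam {
        # $isCloudShell is also read in the process block: the set of dynamic parameters
        # and the set of values forwarded to Connect-EXOPSSession must agree.
        $isCloudShell = IsCloudShellEnvironment

        $attributes = New-Object System.Management.Automation.ParameterAttribute
        $attributes.Mandatory = $false

        $attributeCollection = New-Object System.Collections.ObjectModel.Collection[System.Attribute]
        $attributeCollection.Add($attributes)

        $paramDictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary

        if ($isCloudShell -eq $false) {
            # User Principal Name or email address of the user
            $UserPrincipalName = New-Object System.Management.Automation.RuntimeDefinedParameter('UserPrincipalName', [string], $attributeCollection)
            $UserPrincipalName.Value = ''
            # User Credential to Logon
            $Credential = New-Object System.Management.Automation.RuntimeDefinedParameter('Credential', [System.Management.Automation.PSCredential], $attributeCollection)
            $Credential.Value = $null

            $paramDictionary.Add('UserPrincipalName', $UserPrincipalName)
            $paramDictionary.Add('Credential', $Credential)
        }
        else {
            # Switch to MSI auth
            $Device = New-Object System.Management.Automation.RuntimeDefinedParameter('Device', [switch], $attributeCollection)
            $Device.Value = $false

            $paramDictionary.Add('Device', $Device)
        }
        return $paramDictionary
    }
    begin {
        # Connect-EXOPSSession is defined by a script that is dot-sourced (i.e. executed in this
        # scope) from the MFA module directory. Fail early with a clear message if the script is
        # missing instead of reporting an unknown command later in the process block.
        $MFAExchangeModulePath = Get-MFAExchangeModulePath -ErrorAction Stop
        $createSessionScript = Join-Path -Path $MFAExchangeModulePath -ChildPath 'CreateExoPSSession.ps1'
        if (-not (Test-Path -LiteralPath $createSessionScript -PathType Leaf)) {
            throw ('CreateExoPSSession.ps1 was not found in the MFA Exchange module path: {0}' -f $MFAExchangeModulePath)
        }
        . $createSessionScript
    }
    process {
        # Cleanup old ps sessions to the target host. The host is taken from -ConnectionUri so a
        # non-default endpoint is cleaned up too; the default host is used if the URI cannot be parsed.
        $endpointUri = $null
        if ([System.Uri]::TryCreate($ConnectionUri, [System.UriKind]::Absolute, [ref]$endpointUri)) {
            $ComputerName = $endpointUri.Host
        }
        else {
            $ComputerName = 'ps.compliance.protection.outlook.com'
        }

        # Escape the host so the dots in it are matched literally rather than as regex wildcards.
        $hostPattern = [regex]::Escape($ComputerName)
        $staleSessions = @(Get-PSSession).Where({ $_.ComputerName -match $hostPattern })
        if ($staleSessions.Count -gt 0) {
            # Actually remove the stale sessions; the warning text has always claimed this happens.
            $staleSessions | Remove-PSSession
            $WarningMsg = 'A previous connection to {0} has been removed.' -f $ComputerName
            Write-Warning $WarningMsg
        }

        [string]$newUri = $null

        if (-not [string]::IsNullOrWhiteSpace($DelegatedOrganization)) {
            [UriBuilder]$uriBuilder = New-Object -TypeName UriBuilder -ArgumentList $ConnectionUri
            # Percent-encode the caller-supplied value so it cannot introduce extra query
            # parameters or otherwise alter the URI structure.
            [string]$queryToAppend = 'DelegatedOrg={0}' -f [System.Uri]::EscapeDataString($DelegatedOrganization)

            if ($null -ne $uriBuilder.Query -and $uriBuilder.Query.Length -gt 0) {
                # UriBuilder.Query includes the leading '?', which must not be repeated.
                [string]$existingQuery = $uriBuilder.Query.Substring(1)
                $uriBuilder.Query = $existingQuery + '&' + $queryToAppend
            }
            else {
                $uriBuilder.Query = $queryToAppend
            }

            $newUri = $uriBuilder.ToString()
        }
        else {
            $newUri = $ConnectionUri
        }

        $connectEXOPSSessionSplat = @{
            BypassMailboxAnchoring          = $BypassMailboxAnchoring
            PSSessionOption                 = $PSSessionOption
            ConnectionUri                   = $newUri
            AzureADAuthorizationEndpointUri = $AzureADAuthorizationEndpointUri
        }

        if ($isCloudShell -eq $false) {
            # $UserPrincipalName / $Credential are the RuntimeDefinedParameter objects created in
            # DynamicParam; .Value holds the bound argument (or the initial default when not bound).
            if (-not [string]::IsNullOrWhiteSpace($UserPrincipalName.Value)) {
                $connectEXOPSSessionSplat.Add('UserPrincipalName', $UserPrincipalName.Value)
            }
            # A PSCredential is not a string; test for null explicitly.
            if ($null -ne $Credential.Value) {
                $connectEXOPSSessionSplat.Add('Credential', $Credential.Value)
            }
        }
        else {
            # Previously this added Device to an undefined hashtable ($newExoPSSessionSplat), which
            # threw a null-method error and never forwarded the switch.
            $connectEXOPSSessionSplat.Add('Device', $Device.Value)
        }

        Connect-EXOPSSession @connectEXOPSSessionSplat
    }
    end {}
}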