Connect-ExchangeOnline Issues

Having issues with a script to connect to Exchange. The below script will work in vscode on a particular machine. But when I run the same script from the same machine in an elevated command window like this: pwsh c:\temp\test.ps1, it gets an authentication error and won’t connect. The user/pass is the same in both situations. Does anyone have any idea of what is happening here? If not, is there a way to diagnose why the connection is failing?

    # Create a PSCredential object
    $credential = New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString '$captions' -AsPlainText -Force))

    # Load the Exchange Online PowerShell module
    Import-Module ExchangeOnlineManagement

    # Connect to Exchange Online
    Connect-ExchangeOnline -Credential $credential -ShowProgress $true

Provide an error message 🙂

It might be different versions of the module.
Also does it work interactively? I generally don’t use the credential parameter. For scripts I use cert based auth instead

Yes, it does work interactively. Do you have a link that explains cert based auth instead, or a quick example?

Error Acquiring Token:
System.Exception: In the case of a Federated user(that is owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant)
ID3242: The security token could not be authenticated or authorized.The user does not exist or has entered the wrong passwordInnerException : There was an error parsing WS-Trust response from the endpoint. This may occur if there is an issue with your ADFS configuration. See https://aka.ms/msal-net-iwa-troubleshooting for more details. Error Message: Federated service at returned error: Authentication Failure

If you need the inner exception let me know. I extracted some specific error links for privacy reasons. I broke the script down to just connecting. Could this be a policy or user configuration on Azure causing this?

Again the script works fine from vscode on the same machine.

Have you checked the version(s) of the Exchange Online Management module just to double check they are the same? I’m sure they are but may be worth checking. FWIW the issue with using PSCredential is you can’t really protect an account with MFA, and you’re essentially using that for ‘unattended’ scripts, which is why cert based auth is much better. The idea is you have a certificate installed on your system with a private key, and the application you create and have given permissions to has the certificate’s public key. You can use that cert (it can be self-signed) to then authenticate against said app, allowing you to build unattended scripts/modules.

Based on the error and the context given - I have a feeling you are somehow pulling the creds from some place and it’s possible the context switching may be causing issues. For example, if you have a normal account that you generated credentials on and then used Export-CLIXML to save those (encrypted) creds locally, only the account that ran the Export-CLIXML command can decrypt them. So if you did something like that, then are launching PS as an admin with a different user account, it can no longer decrypt those creds, and it might end up with an error like this (though I’d expect an error getting the PW to begin with would happen, however I don’t know how the code before it is written and it could be continuing or ignoring an error).

That’s where I’d start, and I’d be debugging the process line by line.

Or, if you don’t want to bother, just use Cert based auth (app authentication) and be done with it, as it’s more secure and super easy to setup.
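The certificate-based flow described in the post above, as an added example that is not part of the original thread. It assumes an app registration already exists with the permissions the script needs; the app ID, tenant domain, certificate subject and file path are placeholders.

```powershell
# Added example: app-only (certificate) authentication for an unattended script.
$AppId        = '00000000-0000-0000-0000-000000000000'  # placeholder: client ID of the app registration
$Organization = 'contoso.onmicrosoft.com'               # placeholder: tenant domain

# 1. One-time setup: create a self-signed certificate in the store of the account
#    that will run the script. The private key stays here, marked non-exportable.
#    -KeySpec KeyExchange follows Microsoft's documented example for Exchange app-only auth.
$cert = New-SelfSignedCertificate -Subject 'CN=ExoUnattendedScript' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeySpec KeyExchange -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public half (.cer) and upload that file to the app registration.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\ExoUnattendedScript.cer" | Out-Null

# 3. In the unattended script: configure the thumbprint (not a password), then
#    confirm the current account can actually see the certificate and its key.
$Thumbprint = $cert.Thumbprint
$installed  = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
if (-not $installed.HasPrivateKey)       { throw "Certificate $Thumbprint has no private key for $env:USERNAME" }
if ($installed.NotAfter -lt (Get-Date))  { throw "Certificate $Thumbprint expired on $($installed.NotAfter)" }

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -CertificateThumbprint $Thumbprint -AppId $AppId `
    -Organization $Organization -ShowBanner:$false
```

Because the certificate lives in `Cert:\CurrentUser\My`, it is only visible to the account that created it; a script launched under a different account will fail at step 3's `Get-Item` rather than with a misleading password error.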

Between the command prompt and vscode they are running the same version of online exchange management.

I guess my question here is: if the script resides in the same file and the only difference is where you call it from, vscode or command prompt, why would the authentication method to online exchange management be causing an issue? Is there a way to see what’s happening under the hood of the Connect-ExchangeOnline -Credential $credential -ShowProgress $true attempt?

I can’t confirm if that’s the only difference. I live by ‘trust but verify’ but I can’t verify anything on your system. You definitely mentioned different contexts (running in admin vs non admin mode) but there’s something else going on clearly that’s causing the issue. We can’t really troubleshoot that easily. What you know is there’s something different and I provided some steps I’d personally take. You can try the verbose parameter but I’m not sure if that would help or not. The error acts like it’s a bad password, so again I’d look to see how you’re acquiring that password and if you’re running it in different contexts, see if that’s impactful. Run through the code manually line by line in both contexts and check the values of the variables. You’re going to find the issue if you do that. Like I said, my guess is, it has something to do with how those credentials are being acquired. I’m assuming they are not being stored in clear text. In my experience, most people use the Export-CLIXML and Import-CLIXML to handle stuff like this, because when you export a pscred using that command it actually encrypts it as the user running the command.

If you’re looking for additional help from us you’ll need to provide the script in question, otherwise you’ll have to debug with some of the tips I’ve provided.
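One way to carry out the "check both contexts" advice from the post above, as an added example that is not part of the original thread. It assumes Windows and a credential file previously written with Export-Clixml; `$CredPath` is a hypothetical path. Run it unchanged from each launcher and compare the output.

```powershell
# Added diagnostic example: shows who is running, which module is loaded, and
# whether the stored credential can be decrypted, without printing the password.
$CredPath = "$env:USERPROFILE\exo-cred.xml"   # hypothetical file created with Export-Clixml

$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$module   = Get-Module ExchangeOnlineManagement -ListAvailable |
    Sort-Object Version -Descending | Select-Object -First 1

[pscustomobject]@{
    User          = $id.Name
    Elevated      = $elevated
    Host          = $Host.Name
    PSVersion     = $PSVersionTable.PSVersion.ToString()
    ModuleVersion = $module.Version
    ModulePath    = $module.ModuleBase
} | Format-List

# On Windows, Export-Clixml protects the password with DPAPI, so only the same
# user on the same machine can decrypt it; any other account fails here.
try {
    $cred  = Import-Clixml -Path $CredPath -ErrorAction Stop
    $plain = $cred.GetNetworkCredential().Password
    "Decrypted credential for $($cred.UserName); password length $($plain.Length)"

    # Single-quoted strings are never expanded, so a password that is exactly
    # '$name' is usually an unexpanded variable rather than the real secret.
    if ($plain -match '^\$\w+$') {
        Write-Warning 'Password looks like a literal variable name; check the quoting where it is assigned.'
    }
} catch {
    "Could not load credential as $($id.Name): $($_.Exception.Message)"
}
```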

Thank you so much for the information. I just found the issue today, and in essence it would equate to a bad password. But it boiled down to a PowerShell syntax error. I appreciate all the advice I received; it helped me troubleshoot the issue.

Great to hear. 👍🏼 🙂

You may share the exact solution here with the world to help others looking for a solution for the same or a similar issue. ☝🏼 🤟🏼

Awesome, glad to hear it!