Custom PSCredential object to log into o365 powershell

A little background… we have a PAM (privileged access management) solution called CyberArk that rotates our admin credentials and provides a secure portal for RDP, SSH etc. I am programmatically trying to check out the password through a REST request and pass those creds into the custom PS object so I can log into O365.

$url = "https://cyberark/vault/mycredslocation"
$response = Invoke-RestMethod -uri $url

$password = ConvertTo-SecureString $response.content -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential($response.UserName + "", $password)

Set-ExecutionPolicy RemoteSigned

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber

Error message is:
New-PSSession : The WinRM client cannot process the request. Requests must include user name and password when Basic or Digest authentication mechanism is used. Add the user name and password or change the authentication mechanism and try the request again.
At C:\Scripts\users\aim2.ps1:13 char:12
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (https://outlook…proxymethod=rps:Uri) [New-PSSession], PSInvalidOperationException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed,Microsoft.PowerShell.Commands.NewPSSessionCommand

Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At C:\Scripts\users\aim2.ps1:14 char:18
+ Import-PSSession $Session -AllowClobber
+                  ~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Import-PSSession], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

I have tried the different types of authentication mechanisms and still get various errors. I have verified the proper username and password are being checked out. I have also used this code to connect to other servers and it works fine.

I tried the other various O365 services (connect-msol, and skype) and got this error with Skype:
You must specify a user principal name in the format of User@Domain.Com.

So this might be an issue with the way I am appending the domain name to the username.

I think you’re right in regards to the username build. I would check the value of your “$cred” variable to confirm what is actually being passed through. Additionally, it may help to separate the build:

$url = "https://cyberark/vault/mycredslocation"
$response = Invoke-RestMethod -uri $url

$password = ConvertTo-SecureString $response.content -AsPlainText -Force
$username = "$($response.username)"

$cred = New-Object System.Management.Automation.PSCredential($username, $password)

That worked!

Can you explain to me what the $ in front of “$($response.username)” is?

In this case, the first “$” is being used as part of a sub-expression operator that allows us to define the expanded string that is ‘$response.username’+ ‘@domain’. I like to think of it like defining a new variable made up of multiple parts. Here is some more info about it:
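
Added example, not part of the posts in this thread: the separated username build from the answer above, with a check of what ends up in the credential before New-PSSession is called. The $response object, the example.com domain and the New-UpnCredential helper are constructed for illustration and are not the poster's vault response or a built-in cmdlet.

```powershell
# Constructed stand-in for the vault's REST response; no network call is made.
$response = [pscustomobject]@{ UserName = 'svc-admin'; Content = 'Constructed-Passw0rd!' }
$domain   = 'example.com'   # assumption: placeholder for the tenant domain
$upnPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'

# Inside double quotes only "$response" is expanded, so the whole object
# (secret included) is stringified and ".UserName@example.com" is appended as text.
$withoutSubexpression = "$response.UserName@$domain"
# $( ) evaluates the property access first, then inserts the result into the string.
$withSubexpression    = "$($response.UserName)@$domain"

function New-UpnCredential {   # hypothetical helper
    param(
        [Parameter(Mandatory)] [string] $UserName,   # Mandatory rejects null or empty values
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $Domain
    )
    # Append the domain only when the vault did not already return a UPN.
    $upn = if ($UserName -like '*@*') { $UserName } else { '{0}@{1}' -f $UserName, $Domain }
    # Fail here rather than inside New-PSSession with a less specific WinRM error.
    if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "User name '$upn' is not in User@Domain.Com format."
    }
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential($upn, $secure)
}

$cred = New-UpnCredential -UserName $response.UserName -Password $response.Content -Domain $domain

# Confirm what is actually being passed through, without printing the password.
"Without `$() is a valid UPN: $($withoutSubexpression -match $upnPattern)"
"With `$() is a valid UPN:    $($withSubexpression -match $upnPattern)"
"Credential user name:       $($cred.UserName)"
"Password length:            $($cred.GetNetworkCredential().Password.Length)"
```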