Manage Remote PowerShell Access to Exchange Online

I’ve discussed in a previous article what a useful tool Windows PowerShell can be for managing your Exchange Online infrastructure. Although using PowerShell can make administering Exchange a lot easier, it is also something you probably don’t want all of your users having access to. Did you know that — by default — all of the accounts created in Exchange Online have PowerShell access? So how can you manage access to remote PowerShell in your organization?

Determine a User’s PowerShell Access to Exchange Online

1. Let’s start by seeing which users have remote PowerShell access. If we want to see the status for our entire organization we can use a command with this syntax:

Get-User -ResultSize Unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled

In the image below, you can see that every user is Remote PowerShell enabled. Yikes!!! Note that the image is blurred to protect the privacy of the innocent here.

Default Exchange Online accounts have PowerShell access enabled. (Image: J. Peter Bruzzese)

2. If you want to list only the users whose access is enabled, or only those whose access is disabled, then the command looks a little different:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq <$true | $false>}

3. Note: You have to choose one or the other, so if you want only the enabled users, then you would write the command:

Get-User -ResultSize Unlimited -Filter {RemotePowerShellEnabled -eq $true}

4. To check the status of a single user, where the response returns true or false, the command looks like this:

Get-User <User Identity> | Format-List RemotePowerShellEnabled

Please note that User Identity can be the person’s name in quotes (e.g. “Robert Williams”) or their email address (e.g. [email protected]); the two can be used interchangeably in that position.

5. For example, this command will show the status for Robert Williams:

Get-User "Robert Williams" | Format-List RemotePowerShellEnabled

How to disable remote user PowerShell access to Exchange Online

1. Now that we know the status of our users, we will want to get down to managing who has remote Shell access and who does not. First we will try disabling access for a single user:

Set-User <User Identity> -RemotePowerShellEnabled $false

2. Here is the command you would use if you wanted to disable the user [email protected]:

Set-User [email protected] -RemotePowerShellEnabled $false

3. Enabling access uses the same syntax with one small change at the end:

Set-User <User Identity> -RemotePowerShellEnabled $true

4. Depending on the size of your organization, it may not be practical to disable this user by user. If all of the users you would like to disable share a unique attribute, such as department, then you can easily disable remote Shell access using a filter with the following syntax:

<Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter> | Set-User -RemotePowerShellEnabled $false

5. If you wanted to make sure that all of the users in the accounting department do not have remote Shell access, then you might use this command:

Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Department -eq 'Accounting')} | Set-User -RemotePowerShellEnabled $false

6. What if the users you are looking to disable do not share a single, unique attribute? In such a case, where filters are difficult to use, you can manage remote Shell access using a list in the form of a text file. The text file must be formatted so that there is one user listed on each line by email address. It should look something like this:

[email protected]
[email protected]
[email protected]

Once you have a list ready, run a command with this syntax:

Get-Content <text file> | Set-User -RemotePowerShellEnabled $false

An example command would look something like this:

Get-Content "C:AdminDisableRemotePSList.txt" | Set-User -RemotePowerShellEnabled $false
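The steps above combined into one script, as an added example that is not code from the article: it audits which accounts have remote PowerShell enabled, keeps an explicit administrator allowlist (plus the account running the script) enabled, and disables everyone else only when -Apply is given. It assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already succeeded; the addresses in $AllowList are constructed placeholders and Get-ConnectionInformation is assumed to be available in your module version.

```powershell
# Added example, not code from the article. Reports which accounts have remote
# PowerShell enabled and, with -Apply, disables it for everyone not on an
# administrator allowlist. Assumes the ExchangeOnlineManagement module is loaded
# and Connect-ExchangeOnline has already succeeded. The addresses in $AllowList
# are constructed placeholders; Get-ConnectionInformation is assumed available.
param(
    [string[]]$AllowList = @('admin@contoso.example', 'breakglass@contoso.example'),
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Build a case-insensitive lookup of accounts that must keep access.
$keep = @{}
foreach ($upn in $AllowList) { $keep[$upn.ToLowerInvariant()] = $true }

# Never remove the access of the account running this script.
$me = (Get-ConnectionInformation | Select-Object -First 1).UserPrincipalName
if ($me) { $keep[$me.ToLowerInvariant()] = $true }

# Audit (the article's step 1): every account that is currently enabled.
$enabled = Get-User -ResultSize Unlimited -Filter { RemotePowerShellEnabled -eq $true }

# Decide per account whether it stays enabled or gets disabled.
$plan = foreach ($u in $enabled) {
    $upn = [string]$u.UserPrincipalName
    [pscustomobject]@{
        Name   = $u.Name
        User   = $upn
        Action = $(if ($keep.ContainsKey($upn.ToLowerInvariant())) { 'keep' } else { 'disable' })
    }
}
$plan | Sort-Object Action, User | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Dry run: re-run with -Apply to disable the accounts marked 'disable'."
    return
}

foreach ($p in $plan | Where-Object Action -eq 'disable') {
    Set-User -Identity $p.User -RemotePowerShellEnabled $false
}

# Verify rather than assume: list whoever is still enabled after the change.
Get-User -ResultSize Unlimited -Filter { RemotePowerShellEnabled -eq $true } |
    Format-Table Name, UserPrincipalName, RemotePowerShellEnabled -AutoSize
```

Run it once without -Apply and review the plan before committing the change, since a mistake in the allowlist locks administrators out of remote PowerShell.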

Managing PowerShell Access to Exchange Online

There is some good news in all of this. Although it’s true that remote PowerShell is a feature enabled for all users by default in Office 365, that doesn’t mean that users who connect will have any more ability than has been assigned to them through role-based access control (RBAC). RBAC has underlying role groups with assigned roles that allow for very specific permission sets, so no individual can just poke around and make changes to your environment without the right permissions. Nevertheless, access is a starting point for many bad things to occur, so why even allow the possibility of access? Don’t! Jump in, make some changes to access, and never worry about this again.

Just one thing. Don’t make the mistake of removing your own access. 😉