How to fix “Create Powershell Session is failed using OAuth” EXO v2 PowerShell error

Connecting to the Exchange Online service using the recent Exchange Online PowerShell V2 module brings a series of new features, including the option to use modern authentication and to have the sign-in protected by Multi-Factor Authentication (MFA).

The added support for modern authentication in the Exchange Online PowerShell V2 module (EXO V2) includes all cmdlets and replaces Basic authentication, although the client is still required to have Basic authentication enabled for WinRM.

Download EXO V2 module from PowerShell gallery:
https://www.powershellgallery.com/packages/ExchangeOnlineManagement/

Install and update the EXO V2 module:
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#install-and-maintain-the-exo-v2-module

When connecting to Exchange Online using the EXO V2 module, the following cmdlet may be used:

Connect-ExchangeOnline -UserPrincipalName <Cloud UPN> -ShowProgress $true

In some cases the connection results in this error:

Create Powershell Session is failed using OAuth.

This indicates that the Basic authentication setting of WinRM is disabled, which prevents the client from properly authenticating.

Among the prerequisites for the EXO V2 module is that Basic authentication should be enabled for WinRM on the connecting client:

WinRM needs to allow Basic authentication (it’s enabled by default). We don’t send the username and password combination, but the Basic authentication header is required to send the session’s OAuth token, since the client-side WinRM implementation has no support for OAuth.

Verify this in the local Windows Registry (regedit.exe):

  • Open HKEY_LOCAL_MACHINE
  • Find the key:  \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
  • Locate the DWORD item “AllowBasic”

If the value of “AllowBasic” is either “0” (zero) or the information is missing altogether, then continue to the following resolution.
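The registry check above as a read-only script, added here as an example and not part of the original article. The function name Get-WinRMClientBasicPolicy is hypothetical, and the AllowUnencryptedTraffic value it also reports is an assumption that the page does not mention.

```powershell
# Added example: read-only check of the WinRM client policy values (changes nothing).
function Get-WinRMClientBasicPolicy {
    [CmdletBinding()]
    param(
        # Policy key named in the article
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
    )

    # Helper: return the value's data, or $null when the key or the value is absent
    function Read-PolicyValue([string]$Key, [string]$ValueName) {
        if (-not (Test-Path -Path $Key)) { return $null }
        $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$ValueName
    }

    $keyExists  = Test-Path -Path $Path
    $allowBasic = Read-PolicyValue $Path 'AllowBasic'
    # Assumption: 'AllowUnencryptedTraffic' is the sibling value written by the
    # "Allow unencrypted traffic" WinRM client policy; the article does not cover it.
    $allowUnencrypted = Read-PolicyValue $Path 'AllowUnencryptedTraffic'

    # Separate the cases the article groups together: key missing, value missing, 0
    if (-not $keyExists) {
        $state = 'PolicyKeyMissing'
    } elseif ($null -eq $allowBasic) {
        $state = 'ValueMissing'
    } elseif ([int]$allowBasic -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }

    [pscustomobject]@{
        PolicyKeyExists    = $keyExists
        AllowBasic         = $allowBasic
        AllowBasicState    = $state
        # Per the article, anything other than Enabled calls for the resolution
        NeedsResolution    = ($state -ne 'Enabled')
        # The Basic header carries the session's OAuth token, so this should be False
        UnencryptedAllowed = ($null -ne $allowUnencrypted -and [int]$allowUnencrypted -eq 1)
    }
}

Get-WinRMClientBasicPolicy | Format-List
```

Recording the reported state before changing anything makes it possible to restore the previous policy value later.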


To resolve the error:

Enable Basic authentication for WinRM by running these commands in an elevated PowerShell prompt:

# Policy key that holds the WinRM client's Basic authentication setting
$WinRMClient = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client"
$Name = "AllowBasic"
$Value = 1

# Create the policy key if it does not exist yet
if (!(Test-Path $WinRMClient)) {
    New-Item -Path $WinRMClient -Force | Out-Null
}

# Create or overwrite the AllowBasic DWORD with the value 1
New-ItemProperty -Path $WinRMClient -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null

Afterwards, verify that the EXO V2 module connects properly.

 

References:

About the Exchange Online PowerShell V2 module
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps
