MC515529 Microsoft 365 Suite, Microsoft 365 Experts
From Microsoft Corporation
Technical Bulletin MC515529 · Published Feb 15, 2023
Message Summary
We are announcing eDiscovery PowerShell cmdlet’s official support for certificate-based authentication (CBA).
This message is associated with Microsoft 365 Roadmap ID 106112.
When this will happen:
Rollout will begin in late February and is expected to be complete by late March.
How this will affect your organization:
Many organizations rely on unattended scripts built using the security and compliance PowerShell cmdlet to automate eDiscovery workflow. In the past, any unattended script relied on basic authentication techniques where it required the user to store the username and password in a local file or in a secret vault accessed at run-time. This method is no longer recommended as it poses the risk of stolen credentials. See Deprecation of Basic authentication in Exchange Online.
eDiscovery cmdlets will support CBA or app-only authentication as described in this article by end of February 2023. It supports unattended script and automation scenarios by using Azure AD apps and self-signed certificates. Certificate-based authentication provides admins the ability to run scripts without the need to create service-accounts or store credentials locally.
We encourage all eDiscovery users who rely on basic authentication with their unattended script to migrate the script authentication to use CBA as soon as possible. Please note that Service Principal will be needed to run eDiscovery cmdlets. Refer to this article for the steps.
Note:
- This change will affect the authentication method of your organization’s eDiscovery unattended script.
- After basic authentication is changed to CBA your script should be more secure against potential attackers who may be interested in stealing your locally stored credentials.
What you need to do to prepare:
Assess if the changes will change your organization’s eDiscovery automation workflow. If so, you may wish to update internal documentation and script authentication and provide training to all eDiscovery users in your organization.
Get started with eDiscovery in the Microsoft Purview compliance portal:
- Microsoft Purview compliance portal for WW and GCC cloud environments
- Microsoft Purview compliance portal for GCC-High cloud environments
- Microsoft Purview compliance portal for DoD cloud environments
Learn more: App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell