Running on-prem script against 365 without storing plaintext creds

Ladies and Gents,

Looking to run a script on an on-prem server to collect audit logs from Exchange Online without storing credentials in the script.

Was wondering what the current best practice for this is, or if anyone knows how to do it? Have stumbled across Azure Automation, but not sure whether that will be able to run from on-prem, and my google-fu isn’t conclusive.

Has anyone done this and could point me in the right direction? One of our local PowerBI guys has been using his own AD user account at the moment and that’s clearly BAD.

:smiley:

Cheers!

1 Like

Depending on what exactly you want to do and which PowerShell modules you are going to use, the best way would be to use certificates. You would create an enterprise application in Entra; there you can set what exactly your script is allowed to do, and you would associate a (self-signed) certificate with that app, which your script uses to connect.

1 Like

Basically it is pulling audit logs from Exchange Online.

So I’m guessing you’re using the Exchange Online PowerShell Module, so basically you’ll want to follow "App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell" (Microsoft Learn).

Above the Setup process you’ll find the different ways to set the certificate for connecting to ExO.

2 Likes
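The certificate-based, app-only connection described in the replies above, as an added example (not code from the thread or from the linked Microsoft article). The AppId, tenant domain, certificate subject and output path are placeholders, and `Search-UnifiedAuditLog` is an assumption about which audit log is being collected.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example; AppId, tenant domain, subject and output path are placeholders.
$AppId        = '00000000-0000-0000-0000-000000000000'  # placeholder: Entra application (client) ID
$Organization = 'contoso.onmicrosoft.com'               # placeholder: tenant .onmicrosoft.com domain
$Subject      = 'CN=exo-audit-export'                   # hypothetical certificate subject
$Store        = 'Cert:\CurrentUser\My'                  # store of the account the scheduled task runs as
$OutFile      = 'C:\AuditExport\unified-audit.csv'      # placeholder output path

# One-time setup, run as the service account. Only the public .cer leaves the server;
# it is uploaded to the Entra app, which needs Exchange.ManageAsApp plus a role limited to audit search.
function New-ExoAuditCertificate {
    $new = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation $Store `
        -KeySpec KeyExchange -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(1)
    Export-Certificate -Cert $new -FilePath "$env:TEMP\exo-audit-export.cer"
}

# Scheduled run: no password or secret in the script, only a lookup of the private key in the store.
function Export-ExoAuditLog {
    param([int]$DaysBack = 1)

    $cert = Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for $Subject in $Store" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
        Write-Warning "Certificate $($cert.Thumbprint) expires $($cert.NotAfter); rotate it."
    }

    Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
        -CertificateThumbprint $cert.Thumbprint -ShowBanner:$false
    try {
        $end = Get-Date; $start = $end.AddDays(-$DaysBack)
        $session = [guid]::NewGuid().ToString()
        do {   # page through the result set, 5000 records per call
            $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
                -SessionId $session -SessionCommand ReturnLargeSet
            if ($page) {
                $page | Select-Object CreationDate, UserIds, Operations, AuditData |
                    Export-Csv -Path $OutFile -Append -NoTypeInformation
            }
        } while ($page)
    }
    finally { Disconnect-ExchangeOnline -Confirm:$false }
}

Export-ExoAuditLog -DaysBack 1
```

The private key is created as non-exportable in the service account's own store, so a copy of the script or of the `.cer` file is not enough to authenticate as the app.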

Thanks!

It’s not actually me trying to do it but one of our PowerBI devs. I’ll chat with him about it tomorrow.

Thanks!