The Hybrid Configuration Wizard (HCW) update that was released in April 2022 provides a free product key at no additional charge to customers who run Microsoft Exchange Server 2019 hybrid servers. Additionally, we have enabled support for using MFA-enabled administrator credentials for Hybrid Agent cmdlets.
MFA support for Hybrid Agent cmdlets
The Hybrid Management PowerShell module is installed by HCW to the following location on the computer on which the agent is installed:
-
\Program Files\Microsoft Hybrid Service\
The module now works together with MFA-enabled administrator accounts. This module exposes following cmdlets that can now be used together with MFA.
Get-HybridAgent |
To view the installed Hybrid Agents |
Update-HybridApplication |
To edit parameters such as the target URI of the hybrid application |
Get-HybridApplication |
To view all hybrid applications in the tenant |
Remove-HybridApplication |
To remove a specific hybrid application |
To use these cmdlets for MFA-enabled administrator accounts, admins must use the latest HybridManagement.psm1 file. You can download this file through HCW at \Program Files\Microsoft Hybrid Service\ through a rerun, or directly from https://aka.ms/HybridAgentPSM.
How to use MFA-enabled accounts with Hybrid Agent cmdlets
Import the Hybrid Management module. Run the following cmdlet at an elevated Windows PowerShell prompt:
- Import-Module .\HybridManagement.psm1
Notice that the new cmdlets use a userPrincipalName (UPN) parameter instead of the Credential parameter. For example, admins previously provided credentials in the following manner by using the Get-HybridAgent cmdlet:
-
Get-HybridAgent -Credential (Get-Credential)
After this change, if the admin has an MFA-enabled account, the userPrincipalName parameter is used to provide the admin's UPN:
-
Get-HybridAgent -userPrincipalName alan@contoso.com
After you import the new module, existing cmdlets can be used together with MFA-enabled administrator credentials. The following table lists some cmdlet examples.
Using MFA-enabled account |
Using basic authentication |
---|---|
Get-HybridAgent -userPrincipalName <tenant admin UPN> |
Get-HybridAgent -Credential (Get-Credential) |
Get-HybridApplication -userPrincipalName <tenant admin UPN> -appId <GUID> |
Get-HybridApplication -credential (Get-Credential) -appId <GUID> |
Remove-HybridApplication -userPrincipalName <tenant admin UPN> -appId <GUID> |
Remove-HybridApplication -credential (Get-Credential) -appId <GUID> |
New-HybridApplication -userPrincipalName <tenant admin UPN> -targetUri “Server FQDN. For eg: https://contoso.exhybrid.com” |
New-HybridApplication -credential (Get-Credential) -targetUri “Server FQDN. For eg: https://contoso.exhybrid.com” |
Update-HybridApplication -appId <GUID> -targetUri “Server FQDN. For eg: https://contoso.exhybrid.com” -userPrincipalName <tenant admin UPN> |
Update-HybridApplication -appId <GUID> -targetUri “Server FQDN. For eg: https://contoso.exhybrid.com” -credential(Get-Credential) |
Issues that are fixed in this update
-
The Hybrid Wizard does not sync with some retention tags and policies during an Organization Configuration Transfer process.
-
Instead of the expected TargetOwaURL value of http://outlook.office.com/mail, the HCW adds a wrong value of http://outlook.com/owa//FederatedDomain.