
O365 Exchange administrators using PowerShell getting "Connecting to remote server outlook.office365.com failed" errors with WSS Agent active


Article ID: 242903


Products

Web Security Service - WSS

Issue/Introduction

Users access the internet via WSS using WSS Agents.

Exchange administrators using PowerShell to modify O365 Outlook settings fail to connect to the Exchange server when the WSS Agent is active on their systems.

Exchange administrators report the following "Connecting to remote server outlook.office365.com failed" error when running PowerShell cmdlets:

Accessing outlook.office365.com via a browser works, so this is not a standard connectivity issue.

PCAPs show no errors at the TCP/TLS layer while users experience the issue.

A HAR file cannot be generated because PowerShell does not log request details, but Fiddler can capture the same information.

Cause

Conditional Access is enabled for the Office 365 setup, requiring that all access into the services comes from the same egress IP address.

The problem with this setup is that the login goes through one network path and the PowerShell REST call through another, so O365 sees two different egress IP addresses:
- Login to login.microsoftonline.com is forced through the on-premise VPN server and out to O365
- Access to the O365 apps can go through WSS

Environment

WSS Agent on Windows and macOS.

PowerShell used to manage the O365 Exchange setup.

Users taking multiple paths into O365 (via the VPN server for O365 authentication, and via WSS for O365 applications).

Resolution

Disable Conditional Access for PowerShell, or make sure all O365 traffic takes the same route.

With the above setup, version 2.0.3 of the O365 PowerShell module (older code) did not perform Conditional Access evaluation after authentication. We uninstalled the current ExchangeOnlineManagement PowerShell module, installed the 2.0.3 module instead, and everything worked. Note that pinning the older module only avoids the check; the durable fix is consistent egress for authentication and application traffic.

Additional Information

Key information was obtained via Fiddler while the PowerShell issue was occurring. We could see HTTPS requests to O365 endpoints, carrying a valid OAuth Bearer token, that triggered 401 (Authentication required) responses as shown below:

{"error":{"code":"InstantIPEnforcementCheckFailed","message":"Instant IP Enforcement check failed, 'New or Unknown IP.  Interaction required. '","innerError":{"oAuthEventOperationId":"694eadd0-e931-4ed3-88a8-38b4d7a8c723","oAuthEventcV":"OVKeEI2ZOIfZMC5VsRq1/Q.1.1","errorUrl":"https://aka.ms/autherrors#error-InsufficientClaims","requestId":"3548a6ac-97fe-482c-b949-690a817aec31","date":"2022-05-18T08:25:48"}}}

We clearly see an IP enforcement check failing with "Instant IP Enforcement check failed, 'New or Unknown IP.  Interaction required". The OAuth token issued at authentication time was obtained via the VPN environment, but when the same token was sent to the O365 application it arrived from a different egress IP address and was rejected.
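To make the cause concrete, the following is an added Python example (not part of this article, and not Broadcom, WSS or Microsoft code) that parses the 401 body above to recognise the IP-enforcement error code and pull out the correlation IDs for a support ticket, then checks a per-host route table for the split between login.microsoftonline.com and outlook.office365.com described under Cause. The error body and host names come from the article; the route table, the egress addresses (RFC 5737 documentation ranges), the "vpn"/"wss" path labels and all function names are constructed assumptions for illustration.

```python
"""Triage helper for the split-egress failure described in this KB article.

Added example, not vendor code. The 401 body, error code and host names are
taken from the article; routes, egress IPs and field names are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Error code Azure AD returns when a token is presented from a different egress
# IP than the one it was issued to (as quoted in the article's Fiddler capture).
IP_ENFORCEMENT_CODE = "InstantIPEnforcementCheckFailed"

# Sample input: the 401 body captured by Fiddler in the article (constructed copy).
SAMPLE_401_BODY = (
    '{"error":{"code":"InstantIPEnforcementCheckFailed","message":"Instant IP '
    "Enforcement check failed, 'New or Unknown IP.  Interaction required. '\","
    '"innerError":{"oAuthEventOperationId":"694eadd0-e931-4ed3-88a8-38b4d7a8c723",'
    '"oAuthEventcV":"OVKeEI2ZOIfZMC5VsRq1/Q.1.1",'
    '"errorUrl":"https://aka.ms/autherrors#error-InsufficientClaims",'
    '"requestId":"3548a6ac-97fe-482c-b949-690a817aec31","date":"2022-05-18T08:25:48"}}}'
)


def classify_401(body: str) -> Dict[str, Optional[object]]:
    """Parse an O365 401 body and report whether it is the IP-enforcement case.

    Returns the error code plus requestId/date, which are what Microsoft support
    asks for when correlating a rejected token. Non-JSON bodies are not an error
    here: they simply classify as 'not IP enforcement'.
    """
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return {"ip_enforcement": False, "code": None, "request_id": None, "date": None}
    inner = err.get("innerError") or {}
    return {
        "ip_enforcement": err.get("code") == IP_ENFORCEMENT_CODE,
        "code": err.get("code"),
        "request_id": inner.get("requestId"),
        "date": inner.get("date"),
    }


@dataclass(frozen=True)
class Route:
    """One host's network path and the public egress IP Microsoft sees for it."""
    host: str
    path: str       # constructed label: "vpn" or "wss"
    egress_ip: str  # constructed: RFC 5737 documentation addresses


# The host that issues the token versus the host the token is later sent to.
AUTH_HOST = "login.microsoftonline.com"
SERVICE_HOSTS = ("outlook.office365.com",)


def find_split_egress(routes: List[Route]) -> List[str]:
    """Return service hosts whose egress IP differs from the auth host's egress."""
    by_host = {r.host: r for r in routes}
    auth = by_host.get(AUTH_HOST)
    if auth is None:
        # No known path for authentication: every service host is suspect.
        return list(SERVICE_HOSTS)
    return [
        h for h in SERVICE_HOSTS
        if h not in by_host or by_host[h].egress_ip != auth.egress_ip
    ]


def triage(body: str, routes: List[Route]) -> Dict[str, object]:
    """Combine the 401 classification with the route check into one verdict."""
    info = classify_401(body)
    split = find_split_egress(routes)
    if not info["ip_enforcement"]:
        verdict = "not-ip-enforcement"
    elif split:
        verdict = "split-egress"           # the article's scenario
    else:
        verdict = "ip-enforcement-other-cause"  # same egress, look elsewhere
    return {"verdict": verdict, "code": info["code"], "request_id": info["request_id"],
            "date": info["date"], "split_hosts": split}


# Constructed route tables: the broken layout from the article, and a corrected one
# where authentication and application traffic share the VPN egress.
SPLIT_ROUTES = [
    Route(AUTH_HOST, "vpn", "203.0.113.10"),
    Route("outlook.office365.com", "wss", "198.51.100.25"),
]
SAME_PATH_ROUTES = [
    Route(AUTH_HOST, "vpn", "203.0.113.10"),
    Route("outlook.office365.com", "vpn", "203.0.113.10"),
]

if __name__ == "__main__":
    for label, routes in (("split", SPLIT_ROUTES), ("same-path", SAME_PATH_ROUTES)):
        print(label, triage(SAMPLE_401_BODY, routes))
```

In a real investigation the route table would be filled from what each client actually uses (the VPN's public address versus the WSS egress address), and a "split-egress" verdict points at the routing change rather than at the module downgrade.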
