MicrosoftDocs
diff --git a/‎exchange/docs-conceptual/app-only-auth-powershell-v2.md
Lines changed: 19 additions & 15 deletions b/‎exchange/docs-conceptual/app-only-auth-powershell-v2.md
Lines changed: 19 additions & 15 deletions
diff --git a/‎exchange/docs-conceptual/connect-to-exchange-online-powershell.md
Lines changed: 13 additions & 10 deletions b/‎exchange/docs-conceptual/connect-to-exchange-online-powershell.md
Lines changed: 13 additions & 10 deletions
diff --git a/‎exchange/docs-conceptual/connect-to-exchange-online-protection-powershell.md
Lines changed: 12 additions & 9 deletions b/‎exchange/docs-conceptual/connect-to-exchange-online-protection-powershell.md
Lines changed: 12 additions & 9 deletions
@@ -13,7 +13,6 @@ ms.collection: Strat_EX_Admin
 ms.custom:
 ms.assetid:
 search.appverid: MET150
-ROBOTS: NOINDEX, NOFOLLOW
 description: "Learn about using the Exchange Online V2 module in scripts and other long-running tasks with modern authentication and app-only authentication."
 ---
 
@@ -50,6 +49,9 @@ The following examples show how to use the Exchange Online PowerShell V2 module
 
   When you use the _Certificate_ parameter, the certificate does not need to be installed on the computer where you are running the command. This parameter is applicable for scenarios where the certificate object is stored remotely and fetched at runtime during script execution.
 
+> [!TIP]
+> In the **Connect-ExchangeOnline** commands, be sure to use an `.onmicrosoft.com` domain in the  _Organization_ parameter value. Otherwise, you might encounter cryptic permission issues when you run commands in the app context.
+
 ## How does it work?
 
 The EXO V2 module uses the Active Directory Authentication Library to fetch an app-only token using the application Id, tenant Id (organization), and certificate thumbprint. The application object provisioned inside Azure AD has a Directory Role assigned to it, which is returned in the access token. Exchange Online configures the session RBAC using the directory role information that's available in the token.
@@ -121,25 +123,27 @@ If you encounter problems, check the [required permssions](https://docs.microsof
 
 You need to assign the API permission `Exchange.ManageAsApp` so the application can manage Exchange Online. API permissions are required because they have consent flow enabled, which allows auditing (directory roles don't have consent flow).
 
-1. Select **API permissions**.
-
-2. In the **Configured permissions** page that appears, click **Add permission**.
-
-3. In the flyout that appears, select **Exchange**.
-
-   ![Select Exchange API permssions](media/app-only-auth-exchange-api-perms.png)
-
-4. In the flyout that appears, click **Application permissions**.
+1. Select **Manifest** in the left-hand navigation under **Manage**.
 
-5. In the **Select permissions** section that appears on the page, expand **Exchange** and select **Exchange.ManageAsApp**
+2. Locate the `requiredResourceAccess` property in the manifest, and add the following inside the square brackets (`[]`):
 
-   ![Select Exchange.ManageAsApp permssions](media/app-only-auth-exchange-manageasapp.png)
+   ```json
+   {
+       "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
+       "resourceAccess": [
+           {
+               "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
+               "type": "Role"
+           }
+       ]
+   }
+   ```
 
-   When you're finished, click **Add permissions**.
+3. Select **Save**.
 
-6. Back on the **Configured permissions** page that appears, click **Grant admin consent for \<tenant name\>**, and select **Yes** in the dialog that appears.
+4. Select **API permissions** under **Manage**. Confirm that the **Exchange.ManageAsApp** permission is listed.
 
-7. Close the flyout when you're finished.
+5. Select **Grant admin consent for org** and accept the consent dialog.
 
 ## Step 3: Generate a self-signed certificate
 
 
@@ -34,9 +34,9 @@ To use the older Exchange Online Remote PowerShell Module to connect to Exchange
 > [!TIP]
 > Having problems? Ask in the [Exchange Online](https://go.microsoft.com/fwlink/p/?linkId=267542) forum.
 
-## Connect to Exchange Online PowerShell using MFA
+## Connect to Exchange Online PowerShell using MFA and modern authentication
 
-If your account uses multi-factor authentication, use the steps in this section. Otherwise, skip to the [Connect to Exchange Online PowerShell without using MFA](#connect-to-exchange-online-powershell-without-using-mfa) section.
+If your account uses multi-factor authentication, use the steps in this section. Otherwise, skip to the [Connect to Exchange Online PowerShell using modern authentication](#connect-to-exchange-online-powershell-using-modern-authentication) section.
 
 1. In a Windows PowerShell window, load the EXO V2 module by running the following command:
 
@@ -84,7 +84,7 @@ If your account uses multi-factor authentication, use the steps in this section.
    **This example connects to Exchange Online PowerShell to manage another tenant**:
 
    ```powershell
-   Connect-ExchangeOnline -UserPrincipalName [email protected] -DelegatedOrganization adatum.onmicrosoft.com
+   Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowProgress $true -DelegatedOrganization adatum.onmicrosoft.com
    ```
 
 For detailed syntax and parameter information, see [Connect-ExchangeOnline](https://docs.microsoft.com/powershell/module/exchange/connect-exchangeonline).
@@ -96,7 +96,7 @@ For detailed syntax and parameter information, see [Connect-ExchangeOnline](http
 Disconnect-ExchangeOnline
 ```
 
-## Connect to Exchange Online PowerShell without using MFA
+## Connect to Exchange Online PowerShell using modern authentication
 
 If your account doesn't use multi-factor authentication, use the steps in this section.
 
@@ -110,21 +110,24 @@ If your account doesn't use multi-factor authentication, use the steps in this s
 
 2. Run the following command:
 
+   > [!NOTE]
+   > You can skip this step and omit the _Credential_ parameter in the next step to be prompted to enter the username and password after you run the **Connect-ExchangeOnline** command. If you omit the _Credential_ parameter and include the _UserPrincipalName_ parameter in the next step, you're only prompted to enter the password after you run the **Connect-ExchangeOnline** command.
+
    ```powershell
    $UserCredential = Get-Credential
    ```
 
    In the **Windows PowerShell Credential Request** dialog box that appears, type your work or school account and password, and then click **OK**.
 
-3. The command that you need to run uses the following syntax:
+3. The last command that you need to run uses the following syntax:
 
    ```powershell
-   Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true [-ExchangeEnvironmentName <Value>] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]
+   Connect-ExchangeOnline [-Credential $UserCredential] -ShowProgress $true [-ShowBanner:$false] [-ExchangeEnvironmentName <Value>] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]
    ```
 
    - When you use the _ExchangeEnvironmentName_ parameter, you don't need use the _ConnectionUri_ or _AzureADAuthorizationEndPointUrl_ parameters. For more information, see the parameter descriptions in [Connect-ExchangeOnline](https://docs.microsoft.com/powershell/module/exchange/connect-exchangeonline).
    - The _DelegatedOrganization_ parameter specifies the customer organization that you want to manage as an authorized Microsoft Partner. For more information, see [Partners](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/partners).
-   - If you're behind a proxy server, run this command first: `$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>`, where \<Value\> is `IEConfig`, `WinHttpConfig`, or `AutoDetect`. Then, use the _PSSessionOption_ parameter with the value `$ProxyOptions`. For more information, see [New-PSSessionOption](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption).
+   - If you're behind a proxy server, store the output of the [New-PSSessionOption](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption) cmdlet in a variable (for example, `$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value> [-ProxyAuthentication <Value>] [-ProxyCredential <Value>]`). Then, use the variable (`$ProxyOptions`) as the value for the _PSSessionOption_ parameter.
 
    **Connect to Exchange Online PowerShell in a Microsoft 365 or Microsoft 365 GCC organization**:
 
@@ -159,7 +162,7 @@ If your account doesn't use multi-factor authentication, use the steps in this s
 For detailed syntax and parameter information, see [Connect-ExchangeOnline](https://docs.microsoft.com/powershell/module/exchange/connect-exchangeonline).
 
 > [!NOTE]
-> Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.
+> Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command:
 
 ```powershell
 Disconnect-ExchangeOnline
@@ -171,11 +174,11 @@ The Exchange Online cmdlets are imported into your local Windows PowerShell sess
 
 If you receive errors, check the following requirements:
 
-- A common problem is an incorrect password. Run the three steps again and pay close attention to the user name and password you enter in Step 1.
+- A common problem is an incorrect password. Run the three steps again and pay close attention to the username and password that you use.
 
 - To help prevent denial-of-service (DoS) attacks, you're limited to five open remote PowerShell connections to Exchange Online.
 
-- The account you use to connect to must be enabled for remote PowerShell. For more information, see [Enable or disable access to Exchange Online PowerShell](disable-access-to-exchange-online-powershell.md).
+- The account that you use to connect to must be enabled for remote PowerShell. For more information, see [Enable or disable access to Exchange Online PowerShell](disable-access-to-exchange-online-powershell.md).
 
 - TCP port 80 traffic needs to be open between your local computer and Microsoft 365. It's probably open, but it's something to consider if your organization has a restrictive internet access policy.
 
 
@@ -34,9 +34,9 @@ To use the older, less secure remote PowerShell connection instructions that [wi
 > [!TIP]
 > Having problems? Ask for help in the [Exchange Online Protection](https://go.microsoft.com/fwlink/p/?linkId=285351) forum.
 
-## Connect to Exchange Online Protection PowerShell using MFA
+## Connect to Exchange Online Protection PowerShell using MFA and modern authentication
 
-If your account uses multi-factor authentication, use the steps in this section. Otherwise, skip to the [Connect to Exchange Online Protection PowerShell without using MFA](#connect-to-exchange-online-protection-powershell-without-using-mfa) section.
+If your account uses multi-factor authentication, use the steps in this section. Otherwise, skip to the [Connect to Exchange Online Protection PowerShell using modern authentication](#connect-to-exchange-online-protection-powershell-using-modern-authentication) section.
 
 1. In a Windows PowerShell window, load the EXO V2 module by running the following command:
 
@@ -77,7 +77,7 @@ For detailed syntax and parameter information, see [Connect-IPPSSession](https:/
 Disconnect-ExchangeOnline
 ```
 
-## Connect to Exchange Online Protection PowerShell without using MFA
+## Connect to Exchange Online Protection PowerShell using modern authentication
 
 If your account doesn't use multi-factor authentication, use the steps in this section.
 
@@ -91,20 +91,23 @@ If your account doesn't use multi-factor authentication, use the steps in this s
 
 2. Run the following command:
 
+   > [!NOTE]
+   > You can skip this step and omit the _Credential_ parameter in the next step to be prompted to enter the username and password after you run the **Connect-IPPSSession** command. If you omit the _Credential_ parameter and include the _UserPrincipalName_ parameter in the next step, you're only prompted to enter the password after you run the **Connect-IPPSSession** command.
+
    ```powershell
    $UserCredential = Get-Credential
    ```
 
    In the **Windows PowerShell Credential Request** dialog box that appears, type your work or school account and password, and then click **OK**.
 
-3. The command that you need to run uses the following syntax:
+3. The last command that you need to run uses the following syntax:
 
    ```powershell
-   Connect-IPPSSession -Credential $UserCredential -ConnectionUri <URL> [-PSSessionOption $ProxyOptions]
+   Connect-IPPSSession [-Credential $UserCredential] -ConnectionUri <URL> [-PSSessionOption $ProxyOptions]
    ```
 
    - The required _ConnectionUri_ value depends on the nature of your Microsoft 365 organization. For more information, see the parameter description in [Connect-IPPSSession](https://docs.microsoft.com/powershell/module/exchange/connect-ippssession).
-   - If you're behind a proxy server, run this command first: `$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>`, where \<Value\> is `IEConfig`, `WinHttpConfig`, or `AutoDetect`. Then, use the _PSSessionOption_ parameter with the value `$ProxyOptions`. For more information, see [New-PSSessionOption](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption).
+   - If you're behind a proxy server, store the output of the [New-PSSessionOption](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption) cmdlet in a variable (for example, `$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value> [-ProxyAuthentication <Value>] [-ProxyCredential <Value>]`). Then, use the variable (`$ProxyOptions`) as the value for the _PSSessionOption_ parameter.
 
    **This example connects to Exchange Online Protection PowerShell in a Microsoft 365 organization**:
 
@@ -121,7 +124,7 @@ If your account doesn't use multi-factor authentication, use the steps in this s
 For detailed syntax and parameter information, see [Connect-IPPSSession](https://docs.microsoft.com/powershell/module/exchange/connect-exchangeonline).
 
 > [!NOTE]
-> Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.
+> Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command:
 
 ```powershell
 Disconnect-ExchangeOnline
@@ -133,13 +136,13 @@ The Exchange Online Protection Protection cmdlets are imported into your local W
 
 If you receive errors, check the following requirements:
 
-- A common problem is an incorrect password. Run the three steps again and pay close attention to the user name and password you enter in Step 1.
+- A common problem is an incorrect password. Run the three steps again and pay close attention to the username and password that you use.
 
 - To help prevent denial-of-service (DoS) attacks, you're limited to five open remote PowerShell connections to Exchange Online Protection.
 
 - TCP port 80 traffic needs to be open between your local computer and Microsoft 365. It's probably open, but it's something to consider if your organization has a restrictive Internet access policy.
 
-- The account you use to connect to Exchange Online Protection PowerShell must be represented as a [mail user in EOP](https://docs.microsoft.com/microsoft-365/security/office-365-security/manage-mail-users-in-eop) (created manually or by directory synchronization). If the account is not visible in the Exchange admin center (EAC) as a mail user at **Recipients** \> **Contacts**, you'll receive the following error when you try to connect:
+- The account that you use to connect to Exchange Online Protection PowerShell must be represented as a [mail user in EOP](https://docs.microsoft.com/microsoft-365/security/office-365-security/manage-mail-users-in-eop) (created manually or by directory synchronization). If the account is not visible in the Exchange admin center (EAC) as a mail user at **Recipients** \> **Contacts**, you'll receive the following error when you try to connect:
 
   > Import-PSSession : Running the Get-Command command in a remote session reported the following error: Processing data for a remote command failed with the following error message: The request for the Windows Remote Shell with ShellId <GUID> failed because the shell was not found on the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the correct ShellId or create a new shell and retry the operation.