Authenticating with an access token Connect-MicrosoftTeams
New-CsOnlineSession has been dropped and the SfB Connector is end of life in July and Connect-MicrosoftTeams does appear to support token for the telephony functions.
- NMLVS (Brass Contributor)
FYI - I raised a ticket, and it should be fixed by mid November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
- Andres-Bohren (Steel Contributor)
NMLVS good to hear that
- usman83 (Copper Contributor)
Hi,
We were successfully using Microsoft Teams PowerShell using Access Tokens. But today we are faced with a strange issue:
We are getting error during authentication: Connect-MicrosoftTeams
The provided tokens must have less than 180 seconds difference in the time range of expiration. System.Management.Automation.RemoteException: The provided tokens must have less than 180 seconds difference in the time range of expiration.
We have checked the access tokens' expiry, they do differ by more than 180 seconds. We are using Refresh tokens to generate Access tokens. This is done automatically using .NET code, both access tokens are fetched within a few milliseconds, yet the expiry differs. And when we use these tokens we get the above error.
Has anyone experienced this?
Regards,
Muhammad Usman
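The error quoted in the post above compares the expiration of the two tokens, which this example takes to mean the `exp` claim of each JWT. The following PowerShell is an added example, not part of any post in this thread or of the MicrosoftTeams module: it decodes both payloads locally and reports the expiry difference, the audience, and whether each token is app-only (`roles`) or delegated (`scp`). The function names, the sample claim values and the `sig` placeholder segment are constructed for illustration, and no signature is verified.

```powershell
# Added example, not from the thread. Decodes claims only; it does NOT verify signatures.
function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are base64url without padding; restore standard base64 first.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Length -ne 3) { throw 'Not a compact JWT (expected 3 segments).' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Get-TokenKind($Claims) {
    # App-only tokens carry "roles"; delegated tokens carry "scp".
    if ($Claims.roles) { 'app-only' } elseif ($Claims.scp) { 'delegated' } else { 'unknown' }
}

function Test-TokenPairExpiry([string]$GraphToken, [string]$TeamsToken, [int]$MaxSkewSeconds = 180) {
    $g = Get-JwtClaims $GraphToken
    $t = Get-JwtClaims $TeamsToken
    $skew = [math]::Abs([long]$g.exp - [long]$t.exp)
    [pscustomobject]@{
        GraphAudience = $g.aud
        GraphKind     = Get-TokenKind $g
        TeamsAudience = $t.aud
        TeamsKind     = Get-TokenKind $t
        SkewSeconds   = $skew
        WithinLimit   = $skew -lt $MaxSkewSeconds
    }
}

# --- Constructed sample tokens (unsigned, placeholder signature segment) ---
function New-SampleJwt([hashtable]$Claims) {
    $enc = { param($o)
        $json = $o | ConvertTo-Json -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.sig' -f (& $enc @{ alg = 'none' }), (& $enc $Claims)
}

$now   = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$graph = New-SampleJwt @{ aud = 'https://graph.microsoft.com'; exp = $now + 3600; scp = 'User.Read.All' }
$teams = New-SampleJwt @{ aud = '48ac35b8-9aa8-4d74-927d-1f4a14a0b239'; exp = $now + 4800; scp = 'user_impersonation' }

Test-TokenPairExpiry -GraphToken $graph -TeamsToken $teams
```

Running the check on a token pair before passing it to `Connect-MicrosoftTeams -AccessTokens` shows whether the pair would trip the 180-second comparison.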
- SajAccess4 (Copper Contributor)
- BJMUK (Copper Contributor)
I see 2.6.2-prerelease was added a couple of days ago, however it seems pretty broken. Was this version supposed to resolve this issue (expiry time mismatch)?
- serge2021 (Copper Contributor)
I don't see how one or another version of Teams PowerShell client app can make a difference here.
Access tokens are handed out by the Microsoft Identity Platform.
- SjoerdV (Iron Contributor)
Update: Still no improvement on the App Only (Unattended) front in the latest MicrosoftTeams 3.0.0. module. The only reported working method is by using Delegate permissions as stated in the Docs under 'AccessTokens' parameter directions.
If someone has an ETA on setting CS policies in an unattended (or dare I say DSC manner), please post here
- nikolasx (Copper Contributor)
https://github.com/MicrosoftDocs/office-docs-powershell/issues/8623#issuecomment-993611923
This was just posted in a GitHub issue. Apparently Microsoft is aware of the issue and the ETA is March 2022.
- Iulian_Simonn (Copper Contributor)
Hi everyone, I just tested the new PS Teams module 3.1.1. I still get the same error (Connect-MicrosoftTeams : Object reference not set to an instance of an object.),
I hope they will fix it in March...
- Andres-Bohren (Steel Contributor)
MicrosoftTeams PowerShell Module 4.0.0 has been released
https://www.powershellgallery.com/packages/MicrosoftTeams/4.0.0
I've tested it with App Only Authentication (Certificate / ClientSecret). Still does not work.
In my Microsoft Case [Case #:28612860] they said that the ETA will be early Q2 2022. I guess we still have to wait.
Regards Andres
- sjackson340 (Copper Contributor)
I've had the same problem with several different versions of the MicrosoftTeams modules...
Including:

```powershell
Install-Module -Name MicrosoftTeams -RequiredVersion 2.3.2-preview -AllowPrerelease
Install-Module -Name MicrosoftTeams -RequiredVersion 3.0.0
Install-Module -Name MicrosoftTeams -RequiredVersion 3.1.1
Install-Module -Name MicrosoftTeams -RequiredVersion 4.0.0
Install-Module -Name MicrosoftTeams -RequiredVersion 4.0.1-preview -AllowPrerelease
```

My tokens are correct:

```
PS> $($graphToken | Get-JWTDetails).Roles | sort
AppCatalog.Read.All
AppCatalog.ReadWrite.All
Directory.Read.All
Directory.ReadWrite.All
Group.Read.All
Group.ReadWrite.All
People.Read.All
Schedule.Read.All
Schedule.ReadWrite.All
Team.ReadBasic.All
TeamSettings.Read.All
User.Read.All
UserShiftPreferences.Read.All
UserShiftPreferences.ReadWrite.All

PS> $($teamsToken | Get-JWTDetails).Roles | sort
application_access
application_access_custom_sba_appliance
```

All of them give me this:

```
PS> Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (:) [Connect-MicrosoftTeams], NullReferenceException
    + FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams

Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-MicrosoftTeams], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
```

Logged it here too: https://github.com/MicrosoftDocs/office-docs-powershell/issues/9188
- Andres-Bohren (Steel Contributor)
As written here - I have running code (with Delegated Permissions)
Using Delegated Permissions does not make sense - I totally agree 🙂
I had a Ticket open at Microsoft #28612860. It was closed with the ETA of Mid April for the Fix. So we will see.
Tested a code with Application Permissions with Teams PowerShell Module 4.1.0 - still does not work.
Regards
Andres
- Sridevi-MSFT (Microsoft)
PhoneMe007, Can you please explain more briefly about the issue.
- PhoneMe007 (Brass Contributor)
New-CsOnlineSession has an -OAuthAccessToken param, which accepted a JWT with the PowerShell permissions in the scope, which we could obtain silently, and so avoid login to run the PowerShell commands. This no longer works for Connect-MicrosoftTeams with any of the voice related cmdlets and functions. We can obtain the token but PowerShell returns an error.
- SajAccess4 (Copper Contributor)
Sridevi-MSFT Have you been able to find a solution?
- PhoneMe007 (Brass Contributor)
Similarly lots of items are broken: https://twitter.com/AndresGorzelany/status/1377263616353824774?s=19
- teams1535 (Microsoft)
Hi PhoneMe007 could you please check with latest PowerShell Teams module. It has the inbuilt SfB connector features.
- KarstenSkuldbol (Copper Contributor)
Can anyone in Microsoft please share some information on when the cmdlet, Grant-CsOnlineVoiceRoutingPolicy, will be available with App Based Authentication using certificate?
Currently it's only available in non-interactive scripts using Client Secret !!!!
- CseuzA (Copper Contributor)
I have experienced the same thing with Get-CsOnlineUser.
- M365061290 (Iron Contributor)
What is the use of releasing this PowerShell if it doesn't work
- PhonesNZ (Copper Contributor)
I am also finding that when connecting with access tokens the Get-CSOnlinePSTNGateway and anything that used to be connected via the new-csonlinesession no longer functions.
If you log in with Connect-MicrosoftTeams interactively then it will work, but this is undesirable for our automation requirements.
Module version 2.3.1
- Sridevi-MSFT (Microsoft)
We have implemented a fix which will be available when the 3.0.0 version is released.
- guyfrancis (Copper Contributor)
I am also getting the same issue. Skype for Business Online PowerShell connections are blocked, and the Teams PowerShell module which replaces them does not work. Are there any workarounds or do we have to wait and hope that version 3.0.0 fixes the issue?
Would it be possible to unblock the Skype for Business Online PowerShell connections until this issue is resolved?
- syedafzalali (Copper Contributor)
Can you please suggest an alternative method if new "Connect-MicrosoftTeams" does not work using -AadAccessToken for executing Get-CsTenant or SFB commands?
We are blocked and not sure when the fix of 3.0.x will come? Please help.
- Simon Shaw (Copper Contributor)
I am pretty sure that this is the same problem that I am having.
This is what I am doing.
For my test I added a new user to my tenant with the global admin role and configured it to use MFA. This is the only user in the tenant that is configured this way.
In AzureAD I then added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.
I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.

```powershell
$clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
$clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
$tenantName = "mydomain.onmicrosoft.com"
$resource = "https://graph.microsoft.com/"

# Client-credentials (app-only) token request for Microsoft Graph
$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody

Import-Module MicrosoftTeams
Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net
```

Whatever command I try to run fails with the following error:

```
Get-CsCloudMeetingPolicy
Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
+ $remoteSession = & (Get-CsOnlineSessionCommand)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
    + FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession

Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
+ ... -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
```

When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the PowerShell commands (that I tested with).
Is this the same issue, or should I open a separate thread?
- et01267 (Brass Contributor)
That is certainly the issue we are facing. Connect-MicrosoftTeams has never worked with this sort of authentication, though it is supposed to work and the eventual 3.0 version might possibly fix it, finally.
Up until now we have been doing something trickier using New-PsSession and Import-PsSession which was working (and seemed to provide the missing "Session" that your error is complaining about). Sadly, this approach has evidently been deprecated and now only works intermittently or with specific tenants (or maybe specific back-end lync servers). Microsoft has clearly removed a working feature before they have a working replacement.
Interestingly, when it works, we get the following warning message instead of an error:
WARNING: Your tenant has been granted exception to use Skype For Business Online connector till June 15 2021. Your organization must replace the Skype for Business Online PowerShell connector module with the Teams PowerShell Module prior to that date. Please visit https://aka.ms/sfbocon2tpm for supported options.
- Cedeng (Copper Contributor)
We are facing the same issues here. Somehow the S4B OnlineConnector got removed without providing a working alternative solution to change policies scriptbased.
- PhoneMe007 (Brass Contributor)
Appears to be the same and potentially fixed with 3.0 release, which we hope will appear this week...
- et01267 (Brass Contributor)
Note that there is a 2.3.2 preview (available on the 2.3.1 download page) with no release notes or other info about content. However, we've already tested and it breaks in a different way under this use case.
We actually have created a workaround for this AccessToken auth issue with 2.3.1, which involved decompiling some DLLs to figure out the bug in that Microsoft code. We may be able to post that approach after some additional review.
- SHWDAndrewBaker (Copper Contributor)
I'm trying to set up something similar in Softerra Adaxes, but I'm not getting very far.

```powershell
$clientId = ""
$clientSecret = ""
$tenantName = "tenant.onmicrosoft.com"
$tenantNameshort = ""
$tenantIdCode = ""

# App-only token request for Microsoft Graph
$graphResource = "https://graph.microsoft.com/"
$graphtokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
$graphTokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $graphtokenBody

# App-only token request for the Teams resource
$teamsResource = "https://api.interfaces.records.teams.microsoft.com"
$teamstokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
$TeamsTokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $teamstokenBody

# Note: $tenantId is not assigned anywhere above (only $tenantIdCode is)
Connect-MicrosoftTeams -TenantId $tenantId -AccessTokens @($graphTokenResponse.access_token,$TeamsTokenResponse.access_token)
```

I get this error:

```
Connect-MicrosoftTeams : Not supported tenant type.
At C:\scripts\connect-teams.ps1:27 char:1
+ Connect-MicrosoftTeams -TenantId $tenantId -AccessTokens @($graphToke ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (:) [Connect-MicrosoftTeams], ArgumentException
    + FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
```

If I try something along the lines of

```powershell
Connect-MicrosoftTeams -TenantId $tenantId -ClientId $clientId -Certificatethumbprint $certificateThumbprint
```

I get the following:

```
Connecting to remote server api.interfaces.records.teams.microsoft.com failed with the following error message : The WinRM client cannot process the request....
```
- Andres-Bohren (Steel Contributor)
Any Updates on this Topic?
https://docs.microsoft.com/en-us/powershell/module/teams/connect-microsoftteams?view=teams-ps

```powershell
$graphtoken = #Get MSGraph Token for following for resource "https://graph.microsoft.com" and scopes "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All";
$teamstoken = #Get Teams resource token for resource id "48ac35b8-9aa8-4d74-927d-1f4a14a0b239" and scope "user_impersonation";
Connect-MicrosoftTeams -AccessTokens @($graphtoken, $teamstoken) -AccountId $adminaccount

Account          Environment Tenant                               TenantId
-------          ----------- ------------------------------------ ------------------------------------
user@contoso.com AzureCloud  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```

Specifies access tokens for "MSGraph" and "Skype and Teams Tenant Admin API" resources. This new parameter is added in version 2.3.2-preview.
Following steps must be performed by Tenant Admin in the Azure portal when using your own application.
Steps to configure the AAD application.
Go to Azure portal and go to App Registrations.
Create or select the existing application.
Add the following permission to this Application.
Click API permissions.
Click Add a permission.
Click on the Microsoft MS Graph, and then select Delegated Permission.
Add the following permissions: "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All";
Next, we need to add "Skype and Teams Tenant Admin API" resource permission. Click Add a permission.
Navigate to "APIs my organization uses"
Search for "Skype and Teams Tenant Admin API".
Add all the listed permissions.
Grant admin consent to both MS Graph and "Skype and Teams Tenant Admin API" name.
- danielandrewbrowne (Copper Contributor)
They seem to have gone backwards with release 2.5.0. I used to be able to use
Connect-MicrosoftTeams -AccessTokens @($graphtoken, $teamstoken) -Verbose -AccountId "user@domain.com"
to at least access the new cmdlets, but now I get
Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.