Forum Discussion
Authenticating with an access token Connect-MicrosoftTeams
- Oct 15, 2021
FYI - I raised a ticket, and it should be fixed by mid-November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
I am pretty sure that this is the same problem that I am having.
This is what I am doing.
For my test I added a new user to my tenant with the global admin role and configured it to use MFA. This is the only user in the tenant that is configured this way.
In AzureAD I then added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.
I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.
$clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
$clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
$tenantName = "mydomain.onmicrosoft.com"
$resource = "https://graph.microsoft.com/"
$tokenBody = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
Client_Id = $clientId
Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody
Import-Module MicrosoftTeams
Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net
Whatever command I try to run fails with the following error:
Get-CsCloudMeetingPolicy
Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
+ $remoteSession = & (Get-CsOnlineSessionCommand)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
+ FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument
that is not null or empty, and then try the command again.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
+ ... -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the PowerShell commands (that I tested with).
Is this the same issue, or should I open a separate thread?
- et01267 May 26, 2021 Brass Contributor
Note that there is a 2.3.2 preview (available on the https://www.powershellgallery.com/packages/MicrosoftTeams/2.3.1) with no release notes or other info about content. However, we've already tested and it breaks in a different way under this use case.
We actually have created a workaround for this AccessToken auth issue with 2.3.1, which involved decompiling some DLLs to figure out the bug in that Microsoft code. We may be able to post that approach after some additional review.
- guyfrancis May 27, 2021 Copper Contributor
I've got the 2.3.2 preview installed and I am now getting this error:
PS C:\Users\Administrator> Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -AccountId XXXX@XXXX
Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], ArgumentException
+ FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-MicrosoftTeams], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
I used "https://graph.microsoft.com/.default" as the scope for the graph access token, what should I use as the scope for the teams access token, any ideas?
- guyfrancis May 28, 2021 Copper Contributor
I've got it to work using "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default" as the scope for the Teams access token. It is not fully tested yet, but I'm getting past the error with Connect-MicrosoftTeams.
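Added example, not part of any post in this thread: the "Invalid audiences" error above refers to the `aud` claim of the supplied tokens, which can be inspected locally before calling Connect-MicrosoftTeams. `Get-JwtClaims` and `ConvertTo-Base64Url` are hypothetical helper names, and the two sample tokens are constructed and unsigned with illustrative claim values, not captured from a real tenant.

```powershell
# Decode the payload of a JWT access token locally (no signature validation),
# so the audience and roles can be checked before the token is handed to a cmdlet.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }

    # base64url -> base64, then restore the padding that JWTs strip
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Invalid base64url payload length" }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Helper used only to build the constructed sample tokens below.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample tokens (unsigned, made-up claims) so the example runs offline.
# With real tokens, assign the access_token values from the token endpoint instead.
$header      = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$graph_token = "$header." + (ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com","roles":["Policy.Read.All"]}') + ".sig"
$teams_token = "$header." + (ConvertTo-Base64Url '{"aud":"48ac35b8-9aa8-4d74-927d-1f4a14a0b239","roles":[]}') + ".sig"

# One row per token: which resource it was issued for and which app roles it carries.
foreach ($t in @($graph_token, $teams_token)) {
    $claims = Get-JwtClaims -Token $t
    [pscustomobject]@{
        Audience = $claims.aud
        Roles    = ($claims.roles -join ',')
    }
}
```

Decoding in the local session keeps the bearer token out of third-party decoder sites; the output shows only what the token claims, not whether its signature is valid.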
- PhoneMe007 May 26, 2021 Brass Contributor
Thanks, would be really interested to view your findings.
They have now added release notes for the 2.3.2 preview release.
- SajAccess4 May 26, 2021 Copper Contributor
et01267 that is really great! I'm keen to try this out.