Forum Discussion
Authenticating with an access token Connect-MicrosoftTeams
- FYI - I raised a ticket, and it should be fixed by mid november.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
Note that there is a 2.3.2 preview (available on the https://www.powershellgallery.com/packages/MicrosoftTeams/2.3.1) with no release notes or other info about content. However, we've already tested and it breaks in a different way under this use case.
We actually have created a workaround for this AccessToken auth issue with 2.3.1, which involved decompiling some DLLs to figure out the bug in that Microsoft code. We may be able to post that approach after some additional review.
I've got the 2.3.2 preview installed and I am now getting this error:
PS C:\Users\Administrator> Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -AccountId XXXX@XXXX Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens At line:1 char:1 + Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], ArgumentException + FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens At line:1 char:1 + Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Connect-MicrosoftTeams], ArgumentException + FullyQualifiedErrorId : System.ArgumentException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeamsI used "https://graph.microsoft.com/.default" as the scope for the graph access token, what should l use as the scope for the teams access token, any ideas?
- I've got it work using "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default" as the scope for the Teams access token. It is not fully tested yet, but I'm getting past the error with Connect-MicrosoftTeams.
- Thank you! This is the furthest I have gotten so far, however even now that I have both tokens and can successfully connect and run eg. Get-Team, the voice cmdlets like Get-CsOnlineUser still give a permissions error "Connecting to remote server api.interfaces.records.teams.microsoft.com failed with the following error message : Access is denied.". Any idea which permissions should be granted for this to work?
If I supply the tokens without securing them, I get an error about invalid audience too, which we have seen in the past when trying to use wrong tokens (e.g. using a graph token for sfb calls)
The error message is interesting though. When I supply a graph token and a sfb token, it says:
Invalid audiences xxxxxxxx-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens(It seems you have to supply a minimum of 2 tokens, or else you get a different error asking to supply a graph + a teams token)
Anyway, when I supply a graph token + a random Azure AD token (intentionally incorrect), it gives the same error as above. When I supply a sfb token with a Azure AD token, it says:
Invalid audiences https://graph.microsoft.com,xxxxxxxx-9aa8-4d74-927d-1f4a14a0b239 found in
the provided tokensPhoneMe007 I'm seeing this same behavior. My understanding is that the newest version was deprecating the AAD tokens, but it appears to still require them. But then when they are provided it complains that the audience is incorrect.
- Thanks, would be really interested to view your findings.
They have now added release notes for for 2.3.2 preview release. - et01267 that is really great! I'm keen to try this out.
