PowerShell New-CsOnlineSession with AccessToken

Hello guys,
I am trying to run 'New-CsOnlineSession' with the -OAuthAccessToken parameter in a PowerShell script.
The OAuth token comes from a WebApp that authenticates the user. This WebApp uses Microsoft Identity Platform so the user accepts our app to access the user's resources.
The WebApp uses OAuth2 to communicate with Microsoft Identity Platform.
This WebApp is registered in the Azure Portal.

The problem is that I cannot create the session and the error is: "OAuthAccessToken has invalid audience"

I've tried to use -OverrideAccessTokenResourceUri parameter too, in conjunction with OAuthAccessToken, but it doesn't allow the script to get a session.


When I use New-CsOnlineSession with user/password, everything works fine, I can import the session and use the commands perfectly.

Logs:

VERBOSE: OAuthAccessToken is provided.
VERBOSE: Determining domain to administer
VERBOSE: AdminDomain = 'xxxxxxxx.onmicrosoft.com'
VERBOSE: Discovering PowerShell endpoint URI
VERBOSE: TargetUri = 'https://admin1e.online.lync.com/OcsPowershellOAuth'
VERBOSE: AuthUri = 'https://login.windows.net/common/oauth2/authorize', ClientId = 7716031e-6f8b-45a4-b82b-922b1af0fbb4
VERBOSE: Validating authentication token.
New-CsOnlineSession : OAuthAccessToken has invalid audience 00000003-0000-0000-c000-000000000000, expected
https://admin1e.online.lync.com/OcsPowershellOAuth.
At G:\server-8000.ps1:20 char:12
+ $session = New-CsOnlineSession -OAuthAccessToken $token -Verbose -Deb ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-CsOnlineSession

Thanks in advance for any help.

Hernan

6 Replies

@hernan-invosys is there a reason why you should still be using these cmdlets? As they are now incorporated in the MicrosoftTeams module since 1.1.3-Preview. The latter supporting a wider variety of authentication methods. Still there might be a reason not to switch that I am unaware of... Thanks for your insight.

Hello @SjoerdV

Thanks for your message.

I'm using New-CsOnlineSession because this way I get Get-CsOnlineUser which is the unique cmdlet that returns the info I need: OnPremLineURI. This is the Phone Number column that is shown on https://admin.teams.microsoft.com/users . 

No other connection or cmdlet gives this info as a result. I've tried installing different modules but none of them returns that phone number (they return some numbers but not this one specifically): MicrosoftTeams (1.1.4), MSOnline, AzureAD. Even Microsoft Graph API.


@hernan-invosys ah yes, I felt somewhat 'disappointed' when I noticed the absence of the Get-CsOnlineUser cmdlet in the MicrosoftTeams module. If only that would be there I could abandon having an additional module installed. Btw. running Connect-CSOnline as provided by the current MicrosoftTeams Module (1.1.3/4 and the 1.0.0.25 test version) gives me a lot of authentication issues in combination with other modules. There is still some work to be done, as it seems ;)

@hernan-invosys Have you been able to get past this issue?

@hernan-invosys Hi Hernan, I bet you're getting invalid audience because the app permissions do not give access to the Sfbo API. Only the Skype API (client), or Graph API. Both (and all other APIs as you noted) do not give the required commands needed for telephony based requests (URI, PSTN Gateway, etc.)
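
Added example, not part of any post in this thread and not Microsoft's code: the verbose log in the question shows the token's `aud` claim is `00000003-0000-0000-c000-000000000000` (the application ID of Microsoft Graph) while the cmdlet expects the discovered TargetUri. The PowerShell below decodes a token's payload and compares `aud` with the expected value before the token is handed to `New-CsOnlineSession`; the function names and the sample token are constructed for illustration, and an exact string match is assumed.

```powershell
# Added example. Diagnostic only: the token signature is NOT verified here.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use URL-safe base64 without padding; restore both.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {   # helper used only to build the sample token
    param([Parameter(Mandatory)][string]$Text)
    $b = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-TokenAudience {    # hypothetical name, not a cmdlet from any module
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 segments).' }
    $claims = ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
    $aud = @($claims.aud)        # 'aud' may be a single string or an array
    [pscustomobject]@{
        Audience = $aud -join ', '
        Expected = $ExpectedAudience
        Scopes   = $claims.scp
        Matches  = [bool]($aud -contains $ExpectedAudience)   # exact match assumed
    }
}

# Constructed sample token: unsigned, made-up scope, 'aud' copied from the error above.
$header  = ConvertTo-Base64Url -Text '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url -Text '{"aud":"00000003-0000-0000-c000-000000000000","scp":"User.Read"}'
$token   = @($header, $payload, 'constructed-signature') -join '.'

# Expected audience is the TargetUri from the verbose log in the question.
$check = Test-TokenAudience -AccessToken $token -ExpectedAudience 'https://admin1e.online.lync.com/OcsPowershellOAuth'
$check | Format-List
if (-not $check.Matches) {
    Write-Warning "Token was issued for '$($check.Audience)', not '$($check.Expected)'."
}
```

Run against the constructed token, `Matches` is `False` and the warning names both audiences, which is the same mismatch the cmdlet reports.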

@hernan-invosys Hi, were you able to solve your issue? I am also facing the same problem.