Forum Discussion
Authenticating with an access token Connect-MicrosoftTeams
- Oct 15, 2021
FYI - I raised a ticket, and it should be fixed by mid-November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
Note that in typical Microsoft fashion they only say that the AccessTokens expiry diff time has increased, but not by how much. Note that the difference in two simultaneously obtained tokens can be up to 30 minutes -- is the difference criterion larger than that? Who knows? Also, who's to say that tomorrow the ESTS guys won't change their token production rules again. Why do these guys persist in checking expiry time difference at all? Why not just check that both tokens are currently valid? Unbelievable.
I now have the following code running:
#Install-Module
#Install-Module JWTDetails #Not needed - just for debug
Install-Module MSAL.PS -MaximumVersion 4.36.1.2
Install-Module MicrosoftTeams -MaximumVersion 3.0.0
#Import Modules
Import-Module MicrosoftTeams -MaximumVersion 3.0.0
Import-Module MSAL.PS -MaximumVersion 4.36.1.2
#Clear Tokencache
Clear-MsalTokenCache
#Variables
$TenantId = "icewolfch.onmicrosoft.com"
$AppID = "546f064a-baa2-4eb9-8b68-70c79b91942b" #TeamsPS
#TeamsAccessToken
$Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
$Token = Get-MsalToken -ClientId $AppID -TenantId $TenantId -Scope $Scope -Interactive
$TeamsAccessToken = $Token.AccessToken
#GraphAccessToken
$Scope = "https://graph.microsoft.com/.default"
$Token = Get-MsalToken -ClientId $AppID -TenantId $TenantId -Scope $Scope -Interactive
$GraphAccessToken = $Token.AccessToken
#Get-JWTDetails $TeamsAccessToken
#Get-JWTDetails $GraphAccessToken
#Connect
$AccessTokens = @($GraphAccessToken,$TeamsAccessToken)
Connect-MicrosoftTeams -AccessTokens $AccessTokens
#Get Team and CsOnlineUser
Get-Team
Get-CsOnlineUser -Identity a.bohren@icewolf.ch | fl *Ent*,*host*,*voice*, *um*
- nikolasx (Copper Contributor), Dec 09, 2021
et01267 Does this mean you're using a user account to authenticate such as in the Resource Owner Password Credentials flow?
I'm trying to set up some automated scripts with the MicrosoftTeams module and they need to run without the context of a user. Normally I would use the Client Credentials flow and application permissions but this doesn't seem possible right now: it reports those two object reference errors. I suspect Connect-MicrosoftTeams depends on the "upn" attribute of the access token which doesn't exist for access tokens generated via Client Credentials flow since that flow doesn't include a user.
I tried to set up ROPC by granting the necessary permissions with admin consent and adding a new user to the Owners of the application, and this at least allowed me to run Connect-MicrosoftTeams successfully, but then every cmdlet returns a 403. I suspect this is because the tenant I'm using requires MFA and according to the documentation that's incompatible with ROPC.
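As an added example (not code from the thread, from Microsoft, or from MSAL.PS): a pre-flight check that decodes both tokens' payloads and reports the things argued about here, the expiry difference from the first post and the upn hypothesis above. It assumes the variable names from the script earlier in the thread, and it treats the 180-second limit quoted by the 2.6.0 error message as the delta to compare against, because the raised limit is not published.

```powershell
# Added example, not code from the thread. Decodes the payload of the two tokens
# (no signature verification; the Teams service does that) and reports the claims
# this thread argues about: exp of each token, the exp delta, whether both are
# currently valid, and whether a upn claim is present.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT (expected header.payload.signature)' }
    # Base64url to Base64: swap URL-safe characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TeamsTokenPair {
    param(
        [Parameter(Mandatory)][string]$GraphAccessToken,
        [Parameter(Mandatory)][string]$TeamsAccessToken,
        # Assumption: 180 s is the limit the 2.6.0 error message quoted; the raised
        # limit is not published, so adjust this to whatever you observe.
        [int]$MaxExpDeltaSeconds = 180
    )
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $g = ConvertFrom-JwtPayload $GraphAccessToken
    $t = ConvertFrom-JwtPayload $TeamsAccessToken
    $delta = [math]::Abs([long]$g.exp - [long]$t.exp)
    [pscustomobject]@{
        GraphAudience   = $g.aud
        TeamsAudience   = $t.aud
        GraphExpiresIn  = [long]$g.exp - $now     # seconds from now
        TeamsExpiresIn  = [long]$t.exp - $now
        ExpDeltaSeconds = $delta
        WithinDelta     = ($delta -le $MaxExpDeltaSeconds)
        BothValidNow    = ([long]$g.exp -gt $now) -and ([long]$t.exp -gt $now)
        # Absent from client-credentials tokens, which carry no user (the hypothesis above)
        HasUpnClaim     = ($null -ne $g.upn) -and ($null -ne $t.upn)
    }
}

# Wiring it in front of Connect-MicrosoftTeams; $GraphAccessToken and
# $TeamsAccessToken come from the Get-MsalToken calls in the script above.
$check = Test-TeamsTokenPair -GraphAccessToken $GraphAccessToken -TeamsAccessToken $TeamsAccessToken
$check | Format-List
if (-not ($check.BothValidNow -and $check.HasUpnClaim)) {
    throw 'Token pair is not usable for Connect-MicrosoftTeams -AccessTokens'
}
if (-not $check.WithinDelta) { Write-Warning "exp values differ by $($check.ExpDeltaSeconds) s" }
Connect-MicrosoftTeams -AccessTokens @($GraphAccessToken, $TeamsAccessToken)
```

Running this in a loop and logging the object, as suggested further down the thread, gives the data to see whether a failure correlates with the exp delta rather than guessing.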
- et01267 (Brass Contributor), Dec 09, 2021
These are delegated permissions. We also use application permissions but not with PowerShell.
- Andres-Bohren (Iron Contributor), Dec 01, 2021
I've tried the same as you. Application Authentication with Certificate or Client Secret.
Same result: "Object reference not set to an instance of an object."
Cannot understand how Microsoft thinks that automation works 🙂
Would be nice if there were some consistency across different M365 management modules.
#AzureAD
Connect-AzureAD -ApplicationId $AppID -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId
#ExchangeOnline
Connect-ExchangeOnline -AppID $AppID -CertificateThumbprint $CertificateThumbprint -Organization $TenantId
Regards
Andres Bohren
- Gergo_Zs (Copper Contributor), Dec 01, 2021
Thank you for the script. I've tested it with your settings and it worked for me as well. However, when I tried to use application permissions instead of delegated permissions and acquired the tokens using application certificate-based authentication silently instead of the interactive user authentication, I got the "Connect-MicrosoftTeams : Object reference not set to an instance of an object." error mentioned before. I did that because I need to use the MicrosoftTeams PowerShell module in an unattended script which works whether MFA is activated on the tenant or not. Does that mean that with the removed CertificateThumbprint parameter, Microsoft completely removed app-based authentication without user impersonation?
- et01267 (Brass Contributor), Dec 01, 2021
We obtain tokens in our Java core server code via the Graph SDK and then pass these via a REST call to our PowerShell server (Spring Boot on a Linux VM) that takes the tokens, constructs the PowerShell script and runs it on the Linux box. So the code would not be that illuminating for this audience.
- Simon Shaw (Copper Contributor), Dec 01, 2021
Hi Andreas,
Thanks for your help.
I registered a new App with the same configuration as shown in your previous response, but I am still getting an error. What am I missing?
New-MsalClientApplication : Cannot convert argument "builder", with value: "Microsoft.Identity.Client.PublicClientApplicationBuilder", for "WithDesktopFeatures" to type "Microsoft.Identity.Client.PublicClientApplicationBuilder": "Cannot convert the "Microsoft.Identity.Client.PublicClientApplicationBuilder" value of type "Microsoft.Identity.Client.PublicClientApplicationBuilder" to type "Microsoft.Identity.Client.PublicClientApplicationBuilder"."
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Select-MsalClientApplication.ps1:56 char:29
+ ... plication = New-MsalClientApplication -ErrorAction Stop @paramNewMsal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-MsalClientApplication], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument,New-MsalClientApplication

The property 'AppConfig' cannot be found on this object. Verify that the property exists.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Select-MsalClientApplication.ps1:88 char:9
+ Write-Debug ('Adding Application with ClientId [{0}] and Redi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

Add-MsalClientApplication : Cannot bind argument to parameter 'PublicClientApplication' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Select-MsalClientApplication.ps1:89 char:35
+ Add-MsalClientApplication $ClientApplication
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Add-MsalClientApplication], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Add-MsalClientApplication

You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:258 char:21
+ ... $AquireTokenParameters = $PublicClientApplication.Acquire ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:264 char:68
+ ... r]::Zero) { [void] $AquireTokenParameters.WithParentActivityOrWindow( ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

The variable '$AquireTokenParameters' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:338 char:45
+ ... elseif ($TenantId) { [void] $AquireTokenParameters.WithAut ...
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AquireTokenParameters:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined

The property 'ClientId' cannot be found on this object. Verify that the property exists.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:343 char:17
+ ... Write-Debug ('Aquiring Token for Application with ClientI ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

The variable '$AquireTokenParameters' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:385 char:280
+ ... lureAuthenticationError' -TargetObject $AquireTokenParameters -ErrorA ...
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AquireTokenParameters:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined
- Andres-Bohren (Iron Contributor), Dec 01, 2021
Simon Shaw
This is my Configuration
- Simon Shaw (Copper Contributor), Dec 01, 2021
As far as I understand, I have the correct versions and the correct permissions. I also updated the AppId in the script to the clientId of the app in the Azure portal.
PS C:\WINDOWS\system32> get-module

ModuleType Version   Name                            ExportedCommands
---------- -------   ----                            ----------------
Binary     2.0.2.135 AzureAD                         {Add-AzureADApplicationOwner, Add-AzureADDeviceRegisteredO...
Script     1.0.2     JWTDetails                      Get-JWTDetails
Manifest   3.1.0.0   Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Con...
Manifest   3.0.0.0   Microsoft.PowerShell.Security   {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl...
Manifest   3.1.0.0   Microsoft.PowerShell.Utility    {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Manifest   3.0.0.0   Microsoft.WSMan.Management      {Connect-WSMan, Disable-WSManCredSSP, Disconnect-WSMan, En...
Script     3.0.0     MicrosoftTeams                  {Add-TeamChannelUser, Add-TeamUser, Connect-MicrosoftTeams...
Script     4.36.1.2  MSAL.PS                         {Add-MsalClientApplication, Clear-MsalTokenCache, Enable-M...
Script     1.4.7     PackageManagement               {Find-Package, Find-PackageProvider, Get-Package, Get-Pack...
Script     2.2.5     PowerShellGet                   {Find-Command, Find-DscResource, Find-Module, Find-RoleCap...
Script     2.0.0     PSReadline                      {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...
Script     0.0       SetMSTeamsReleaseEnvironment
- Andres-Bohren (Iron Contributor), Dec 01, 2021
Are you using exactly this version of MSAL.PS?
Import-Module MSAL.PS -MaximumVersion 4.36.1.2
#Have you set the variables to your Azure AD tenant and app registration?
$TenantId = "icewolfch.onmicrosoft.com"
$AppID = "546f064a-baa2-4eb9-8b68-70c79b91942b" #TeamsPS
Does your App have these Permissions?
#Delegated Permissions "Microsoft Graph"
AppCatalog.ReadWrite.All, Group.ReadWrite.All, User.Read.All
#Delegated Permissions "Skype and Teams Tenant Admin API"
user_impersonation
Regards
Andres
- Simon Shaw (Copper Contributor), Dec 01, 2021
I get the following error when I run the command
$Token = Get-MsalToken -ClientId $AppID -TenantId $TenantId -Scope $Scope -Interactive
Any idea what could be the cause of this?
New-MsalClientApplication : Cannot convert argument "builder", with value: "Microsoft.Identity.Client.PublicClientApplicationBuilder", for "WithDesktopFeatures" to type "Microsoft.Identity.Client.PublicClientApplicationBuilder": "Cannot convert the "Microsoft.Identity.Client.PublicClientApplicationBuilder" value of type "Microsoft.Identity.Client.PublicClientApplicationBuilder" to type "Microsoft.Identity.Client.PublicClientApplicationBuilder"."
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Select-MsalClientApplication.ps1:56 char:29
+ ... plication = New-MsalClientApplication -ErrorAction Stop @paramNewMsal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-MsalClientApplication], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument,New-MsalClientApplication

The property 'AppConfig' cannot be found on this object. Verify that the property exists.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Select-MsalClientApplication.ps1:88 char:9
+ Write-Debug ('Adding Application with ClientId [{0}] and Redi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

Add-MsalClientApplication : Cannot bind argument to parameter 'PublicClientApplication' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Select-MsalClientApplication.ps1:89 char:35
+ Add-MsalClientApplication $ClientApplication
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Add-MsalClientApplication], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Add-MsalClientApplication

You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:258 char:21
+ ... $AquireTokenParameters = $PublicClientApplication.Acquire ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:264 char:68
+ ... r]::Zero) { [void] $AquireTokenParameters.WithParentActivityOrWindow( ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

The variable '$AquireTokenParameters' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:338 char:45
+ ... elseif ($TenantId) { [void] $AquireTokenParameters.WithAut ...
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AquireTokenParameters:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined

The property 'ClientId' cannot be found on this object. Verify that the property exists.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:343 char:17
+ ... Write-Debug ('Aquiring Token for Application with ClientI ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

The variable '$AquireTokenParameters' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.36.1.2\Get-MsalToken.ps1:385 char:280
+ ... lureAuthenticationError' -TargetObject $AquireTokenParameters -ErrorA ...
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AquireTokenParameters:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined
- Andres-Bohren (Iron Contributor), Dec 01, 2021
Would you mind sharing your code for how you acquire the tokens?
- Andres-Bohren (Iron Contributor), Dec 01, 2021
I've been running into the "Token must be less than 180 Seconds" error with the MicrosoftTeams 2.6.0 version.
Since upgrading to MicrosoftTeams 3.0.0 this does not happen anymore.
Regards
Andres
- et01267 (Brass Contributor), Dec 01, 2021
Thanks for the script. However that may just mean that you got lucky with the token expiry. I see that you have the JWT detail commands commented out. I'd suggest running this 1000 times (with those lines uncommented) to see if the token timing causes a failure. Then we could work out the confidence metric based on the results, but really what we need is an unequivocal statement of what new logic regarding token timing has been implemented. Is that too much to ask? As it is, I think we will stick with our current code.