@Iulian_Simonn 

After creating an App Registration in Azure Active Directory with permissions like this:

I'm able to connect to Teams using:

$tenantName = ""  
$clientId = ""
$clientSecret = ""
$username = ""
$password = ""

$uri = "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token"

$body = @{  
   Grant_Type    = "password";
   Scope         = "https://graph.microsoft.com/.default"  
   Client_Id     = $clientId;
   Client_Secret = $clientSecret;
   Username      = $username; 
   Password      = $password; 
}   
$graphTokenResponse = Invoke-RestMethod -Method POST -Uri $uri -Body $body
$graphToken = $graphTokenResponse.access_token

$body = @{  
   Grant_Type    = "password"  # client_credentials
   Scope         = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
   Client_Id     = $clientId  
   Client_Secret = $clientSecret  
   Username      = $username  
   Password      = $password  
}   
$teamsTokenResponse = Invoke-RestMethod -Method POST -Uri $uri -Body $body
$teamsToken = $teamsTokenResponse.access_token

Connect-MicrosoftTeams -AccessTokens @($graphToken, $teamsToken)

Get-CsCallQueue

Disconnect-MicrosoftTeams

But the Get-CsCallQueue call fails with:

I've had the same problem with several different versions of the MicrosoftTeams modules...

Including:
Install-Module -Name MicrosoftTeams -RequiredVersion 2.3.2-preview -AllowPrerelease

Install-Module -Name MicrosoftTeams -RequiredVersion 3.0.0

Install-Module -Name MicrosoftTeams -RequiredVersion 3.1.1

PS> Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], NullReferenceException
+ FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams

Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-MicrosoftTeams], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams​

Hi@sjackson340 

As written here - i have running code (with Delegated Permissions)

https://techcommunity.microsoft.com/t5/teams-developer/authenticating-with-an-access-token-connect-m...

Using Delegated Permissions does not make sense - i totally agree :)

I had a Ticket open at Microsoft #28612860. It was closed with the ETA of Mid April for the Fix. So we will see.

Tested a code with Application Permissions with Teams PowerShell Module 4.1.0 - still does not work.

Regards

Andres

@Ronar85  and @Andres Bohren 

Thanks for the link and comments. Still cannot get it working...

#Install-Modules
Install-Module JWTDetails #Not needed - just for debug
Install-Module MSAL.PS -MaximumVersion 4.36.1.2 -acceptlicense -SkipPublisherCheck -force
Install-Module MicrosoftTeams -MaximumVersion 3.0.0 -force

#Import Modules
Import-module -name JWTDetails
Import-Module MSAL.PS -MaximumVersion 4.36.1.2
Import-Module MicrosoftTeams -MaximumVersion 3.0.0
Get-Module

#Clear TokenCache
Clear-MsalTokenCache

#Prep
Add-Type -AssemblyName System.Web
$ImpersonationUPN="Email address removed"
$TenantID="TENANTNAME-OR-TENANTID"
$ApplicationID="REDACTED"
$ImpersonationUPN="Email address removed"
$ClientSecret="REDACTED" 

#TeamsAccessToken
$Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default" 
$Token = Get-MsalToken -ClientId $ApplicationID -TenantId $TenantId -Scope $Scope -ClientSecret $(ConvertTo-SecureString -String $ClientSecret -AsPlainText -force)
$TeamsAccessToken = $Token.AccessToken
Get-JWTDetails $TeamsAccessToken
 
#GraphAccessToken
$Scope = "https://graph.microsoft.com/.default"
$Token = Get-MsalToken -ClientId $ApplicationID -TenantId $TenantId -Scope $Scope -ClientSecret $(ConvertTo-SecureString -String $ClientSecret -AsPlainText -force)
$GraphAccessToken = $Token.AccessToken
Get-JWTDetails $GraphAccessToken
 

#Connect To MS TEAMS
Connect-MicrosoftTeams -AccessTokens @($GraphAccessToken,$TeamsAccessToken) -AccountId $($impersonatedUser.id) -verbose #Error: Parameter set cannot be resolved using the specified named parameters.
Connect-MicrosoftTeams -LogLevel Verbose -LogFilePath %temp%\Connect-MSTeams.log -AccessTokens @($GraphAccessToken,$TeamsAccessToken)
notepad %temp%\Connect-MSTeams.log 

Debug:

2022-04-04T13:55:38.2302931Z,Error ,Connect-MicrosoftTeams.ProcessRecord,
System.NullReferenceException - Object reference not set to an instance of an object.. at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.GetTokenClaimValue(JsonWebToken webToken, String value)
 at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.ProcessProvidedAccessTokens(AzureAccount account, String tenantId)
 at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.AcquireAccessToken(AzureAccount account, AzureEnvironment environment, String tenantId, SecureString password, AuthenticationFlow authFlow)
 at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.Login(AzureAccount account, AzureEnvironment environment, String tenantId, SecureString password, AuthenticationFlow authFlow)

Hi @sjackson340 ,

the part using a ClientID, ClientSecret, Username & Password worked for me, after changing the AppRegistrations Role Memberships and API Permissions.

Used Parts of the code @Andres Bohren  mentioned here (https://techcommunity.microsoft.com/t5/teams-developer/authenticating-with-an-access-token-connect-m... :(

$tenantName = "<REMOVEDNAME>.onmicrosoft.com"  
$clientId = "<APPREGISTRATION ID>"
$clientSecret = "<APPREGISTRATIONSECRET>"
$username = "<MYSERVICEUSER>@<REMOVEDNAME>.onmicrosoft.com"
$password = "<MYPWD>"

$uri = "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token"

$body = @{  
   Grant_Type    = "password";
   #Grant_Type    = "client_credentials";
   Scope         = "https://graph.microsoft.com/.default"  
   Client_Id     = $clientId;
   Client_Secret = $clientSecret;
   Username      = $username; 
   Password      = $password; 
}   
$graphTokenResponse = Invoke-RestMethod -Method POST -Uri $uri -Body $body
$graphToken = $graphTokenResponse.access_token

$body = @{  
   Grant_Type    = "password"  # client_credentials
   #Grant_Type    = "client_credentials"
   Scope         = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
   Client_Id     = $clientId  
   Client_Secret = $clientSecret  
   Username      = $username  
   Password      = $password  
}   
$teamsTokenResponse = Invoke-RestMethod -Method POST -Uri $uri -Body $body
$teamsToken = $teamsTokenResponse.access_token

Connect-MicrosoftTeams -AccessTokens @($graphToken, $teamsToken)

The App Registration itself i've extented with the following Delegated Rights:

and as this step has to be done by Exchange Management (Dokumented by MS here), i've added the Appregistration to the Teams administrators, thinking, this cloud be the right step, as it's also needed for EXO Management. (i'm using the same AppRegistration for EXO Management)

After the connect...

... i was able to create new Teams...

.. and also Query the CSOnlineUser Data...

also the new Set-CSOnlineVoiceUser seems to work - but i've got no tenant numbers in my development tenant right now :) 

But i totally agree with @Andres Bohren statement, that this has to work with Application Permissions only in combination using a certificate as authenticator as well! Please guys @microsoft-msteams fix this!

BR 

@Ronar85 

Your statement about 'application-only permissions' seems a little confusing to me. Surely all of the following types of authentication should work; without mixing a combination of them up...

• ClientID/AppID and Secret
• Username and password (with specific MFA bypass configured)
• ClientID and Certificate

Happy to extend my code to use a username and password as well as ClientID and Secret.

Can you confirm any additional Azure Roles applied to the username in your last example?

@Robert Leist and @sjackson340 

I recently had a MS Case open to clarify the Timeline.

Answer from Microsoft:

Per the latest update,  if everything goes well, end of Sept 2022 is ETA and as well we recommended to have your tenant in preview rollout to prioritize feature enablement.

Regards

Andres

@Andres Bohren https://docs.microsoft.com/en-us/powershell/module/teams/connect-microsoftteams?view=teams-ps would indicate that certificatethumbprint was available at some point but removed in preview 2.4.1, is the expectation that this will be reintroduced then or am I as confused as normal?

Given basic auth goes away in October it’s pretty poor that the Teams module doesn’t seem to be able to auth via other means when MFA is enforced by conditional access (unless I’m missing a trick, which is very possible)

Tested with the newly released 4.7.0 Powershell Module (September 2022) - Microsoft Teams PowerShell Release Notes - Microsoft Teams | Microsoft Docs

Still unable to auth using token / appid only -

PS C:\Windows\system32> Connect-MicrosoftTeams -AccessTokens @($GraphAccessToken,$TeamsAccessToken)
Connect-MicrosoftTeams : Object reference not set to an instance of an object.

@pkecun 

I am facing same issue. Need to get access to MS Teams Powershell cmdlets via api permissions.

Is there any ETA on this?

@Vishal170  App-based authentication appears to be working as of MicrosoftTeams PowerShell module 4.7.1-preview.  MS Graph cmdlets work fine, however there still appear to be issues with CS cmdlets.  I now get the following error when I attempt to run Get-CsOnlineUser:

I get the same error regardless of whether the WinRM service is running on my local PC.