SOLVED

Authenticating with an access token Connect-MicrosoftTeams

Has anyone tried authenticating with an access token (using -AadAccessToken or -MsAccessToken)? The old version of New-CsOnlineSession had an -OAuthAccessToken param, which accepted a JWT with the PS permissions in the scope, which one could obtain silently, and so avoid login.

New-CsOnlineSession has been dropped and the SfB Connector is end of life in July and Connect-MicrosoftTeams does appear to support token for the telephony functions.
135 Replies

@Sridevi-MSFT So what do you suggest until the AccessToken method works?

We are currently unable to manage the Teams/SFB using any auth method we have available (except for direct, user-present auth which doesn't work in an automated environment).

What is the currently-supported method for using (e.g.) "Get-CsOnlineUser" (or what is the equivalent cmdlet that should work with the available Connect-MicrosoftTeams authentication methods)?

I am also getting the same issue. Skype for Business Online PowerShell connections are blocked, and the Teams PowerShell module which replaces them does not work. Are there any workarounds or do we have to wait and hope that version 3.0.0 fixes the issue?
Would it be possible to unblock the Skype for Business Online PowerShell connections until this issue is resolved?

Hi,

I have the same issue as the others there. I can't do what I have to do for Teams Voice.

@Sridevi-MSFT

Can you please suggest an alternative method if the new "Connect-MicrosoftTeams" does not work using -AadAccessToken for executing Get-CsTenant or SFB commands?

We are blocked and not sure when the fix of 3.0.x will come? Please help.

Microsoft retired SFB but did not support the -AadAccessToken. Is there any other way for now to deal with this situation?
My understanding is that we'll need to wait for 3.x to see if this resolves the situation. From the release notes it sounds reasonably positive. Interesting that the release notes came ahead of delivery, when ordinarily they lag a few weeks behind. So perhaps this was reactive instead of proactive, based on the chatter....
@Sridevi-MSFT do you have a ballpark figure on a release date for 3.0? May, Q2, Q3... This will assist with expectation management. Are you also saying this will be a definitive fix in 3.0, like for like in terms of token authentication? Thanks very much as always.

@PhoneMe007 

I am pretty sure that this is the same problem that I am having. 

This is what I am doing.

For my test I added a new user to my tenant with the global admin role and configured it to use MFA. This is the only user in the tenant that is configured this way.
In AzureAD I then added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.

I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.

# App registration credentials
$clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
$clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
$tenantName = "mydomain.onmicrosoft.com"
$resource = "https://graph.microsoft.com/"
# Client credentials grant: request an app-only token for Microsoft Graph
$tokenBody = @{
   Grant_Type    = "client_credentials"
   Scope         = "https://graph.microsoft.com/.default"
   Client_Id     = $clientId
   Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody
# Pass the Graph token to the Teams module
Import-Module MicrosoftTeams
Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net

Whatever command I try to run fails with the following error:

Get-CsCloudMeetingPolicy
   Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
   At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
   +     $remoteSession = & (Get-CsOnlineSessionCommand)
   +                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
   + FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
   Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument
   that is not null or empty, and then try the command again.
   At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
   + ...    -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
   +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
   + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand

When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the PowerShell commands (that I tested with).
Is this the same issue, or should I open a separate thread?

That is certainly the issue we are facing. Connect-MicrosoftTeams has never worked with this sort of authentication, though it is supposed to work and the eventual 3.0 version might possibly fix it, finally.

Up until now we have been doing something trickier using New-PsSession and Import-PsSession which was working (and seemed to provide the missing "Session" that your error is complaining about). Sadly, this approach has evidently been deprecated and now only works intermittently or with specific tenants (or maybe specific back-end lync servers). Microsoft has clearly removed a working feature before they have a working replacement.

Interestingly, when it works, we get the following warning message instead of an error:

WARNING: Your tenant has been granted exception to use Skype For Business Online connector till June 15 2021. Your organization must replace the Skype for Business Online PowerShell connector module with the Teams PowerShell Module prior to that date. Please visit https://aka.ms/sfbocon2tpm for supported options.

We are facing the same issues here. Somehow the S4B OnlineConnector got removed without providing a working alternative solution to change policies script-based.

 

Appears to be the same and potentially fixed with 3.0 release, which we hope will appear this week...

Note that there is a 2.3.2 preview (available on the 2.3.1 download page) with no release notes or other info about content. However, we've already tested and it breaks in a different way under this use case.

We actually have created a workaround for this AccessToken auth issue with 2.3.1, which involved decompiling some DLLs to figure out the bug in that Microsoft code. We may be able to post that approach after some additional review.

@et01267 that is really great! I'm keen to try this out.
Thanks, would be really interested to view your findings.

They have now added release notes for the 2.3.2 preview release.

I've got the 2.3.2 preview installed and I am now getting this error:

PS C:\Users\Administrator> Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -AccountId XXXX@XXXX
Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (:) [Connect-MicrosoftTeams], ArgumentException
    + FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams

Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-MicrosoftTeams], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams

 

I used "https://graph.microsoft.com/.default" as the scope for the graph access token, what should I use as the scope for the teams access token, any ideas?

 

@guyfrancis

If I supply the tokens without securing them, I get an error about invalid audience too, which we have seen in the past when trying to use wrong tokens (e.g. using a graph token for sfb calls)

The error message is interesting though. When I supply a graph token and a sfb token, it says:
Invalid audiences xxxxxxxx-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens

(It seems you have to supply a minimum of 2 tokens, or else you get a different error asking to supply a graph + a teams token)

Anyway, when I supply a graph token + a random Azure AD token (intentionally incorrect), it gives the same error as above. When I supply a sfb token with an Azure AD token, it says:

Invalid audiences https://graph.microsoft.com,xxxxxxxx-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens

@PhoneMe007 I'm seeing this same behavior.  My understanding is that the newest version was deprecating the AAD tokens, but it appears to still require them.  But then when they are provided it complains that the audience is incorrect.

I've got it to work using "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default" as the scope for the Teams access token. It is not fully tested yet, but I'm getting past the error with Connect-MicrosoftTeams.
@guyfrancis Connect-MicrosoftTeams also works for me, however after that has succeeded all cmdlets that I try to run return the original error.
Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets....
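
The "Invalid audiences" errors discussed in this thread can be diagnosed before calling Connect-MicrosoftTeams by decoding each token's `aud` claim locally. The following is an added example, not code from any poster or from the MicrosoftTeams module. The function names (Get-JwtClaim, Get-MissingAudience, New-SampleToken) are hypothetical, the sample tokens are constructed, and treating the two audiences quoted in the thread as the expected set is an assumption.

```powershell
# Added example: inspect token audiences locally before Connect-MicrosoftTeams.
# Decodes only; the signature is NOT verified, so use this for diagnostics,
# never for trust decisions. Avoid writing real tokens to logs or transcripts.

# Assumption: the two audiences quoted in the thread are the ones expected.
$ExpectedAudiences = @(
    'https://graph.microsoft.com',
    '48ac35b8-9aa8-4d74-927d-1f4a14a0b239'
)

function Get-JwtClaim {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload[.signature]' }
    # base64url -> base64, restoring the padding that JWTs strip
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length in JWT payload' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-MissingAudience {     # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Tokens,
          [string[]]$Expected = $ExpectedAudiences)
    # 'aud' may be a string or an array; normalise and ignore a trailing slash
    $found = foreach ($t in $Tokens) {
        @((Get-JwtClaim -Token $t).aud) | ForEach-Object { "$_".TrimEnd('/') }
    }
    $Expected | Where-Object { $_ -notin $found }
}

function New-SampleToken {         # builds an unsigned, constructed test token
    param([hashtable]$Claims)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.' -f (& $enc '{"alg":"none","typ":"JWT"}'), (& $enc ($Claims | ConvertTo-Json -Compress))
}

# Constructed sample: a Graph-audience token plus a token for an unrelated API
$graphToken = New-SampleToken @{ aud = 'https://graph.microsoft.com/'; appid = '00000000-0000-0000-0000-000000000000' }
$otherToken = New-SampleToken @{ aud = 'api://constructed-example' }

# Lists every expected audience that none of the supplied tokens carries
Get-MissingAudience -Tokens $graphToken, $otherToken
```

With real tokens, a non-empty result suggests that at least one token was requested with the wrong scope; the scope reported as working for the Teams token in this thread is "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default".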