Mar 24 2021 04:38 PM
May 19 2021 08:26 AM
@Sridevi-MSFT So what do you suggest until the AccessToken method works?
We are currently unable to manage the Teams/SFB using any auth method we have available (except for direct, user-present auth which doesn't work in an automated environment).
What is the currently-supported method for using (e.g.) "Get-CsOnlineUser" (or what is the equivalent cmdlet that should work with the available Connect-MicrosoftTeams authentication methods)?
May 19 2021 10:06 AM
May 20 2021 09:48 AM
May 21 2021 02:57 AM
Hi,
I have the same issue as the others there. I can't do what I have to do for Teams Voice.
May 21 2021 02:24 PM
Can you please suggest an alternative method if new "Connect-MicrosoftTeams" does not work using -AadAccessToken for executing Get-CsTenant or SFB commands?
We are blocked and not sure when the fix of 3.0.x will come? Please help.
May 21 2021 02:26 PM
May 21 2021 04:43 PM
May 21 2021 04:58 PM
May 24 2021 09:32 AM
I am pretty sure that this is the same problem that I am having.
This is what I am doing.
For my test I added a new user to my tenant with the global admin role and configured it to use MFA. This is the only user in the tenant that is configured this way.
In AzureAD I then added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.
I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.
# App registration values (redacted)
$clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
$clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
$tenantName = "mydomain.onmicrosoft.com"
$resource = "https://graph.microsoft.com/"
# Client-credentials request for a Microsoft Graph token
$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody
# Pass the Graph token to Connect-MicrosoftTeams
Import-Module MicrosoftTeams
Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net
Whatever command I try to run fails with the following error:
Get-CsCloudMeetingPolicy
Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
+ $remoteSession = & (Get-CsOnlineSessionCommand)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
+ FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument
that is not null or empty, and then try the command again.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
+ ... -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the PowerShell commands (that I tested with).
Is this the same issue, or should I open a separate thread?
May 24 2021 10:34 AM
May 25 2021 05:13 AM
We are facing the same issues here. Somehow the S4B OnlineConnector got removed without providing a working alternative solution to change policies script-based.
May 25 2021 04:49 PM
May 26 2021 06:01 AM
Note that there is a 2.3.2 preview (available on the 2.3.1 download page) with no release notes or other info about content. However, we've already tested and it breaks in a different way under this use case.
We actually have created a workaround for this AccessToken auth issue with 2.3.1, which involved decompiling some DLLs to figure out the bug in that Microsoft code. We may be able to post that approach after some additional review.
May 26 2021 01:16 PM
May 26 2021 04:05 PM
May 27 2021 02:21 AM
I've got the 2.3.2 preview installed and I am now getting this error:
PS C:\Users\Administrator> Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -AccountId XXXX@XXXX
Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], ArgumentException
+ FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-MicrosoftTeams], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
I used "https://graph.microsoft.com/.default" as the scope for the graph access token, what should I use as the scope for the teams access token, any ideas?
May 27 2021 03:11 AM
If I supply the tokens without securing them, I get an error about invalid audience too, which we have seen in the past when trying to use wrong tokens (e.g. using a graph token for sfb calls).
The error message is interesting though. When I supply a graph token and a sfb token, it says:
Invalid audiences xxxxxxxx-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
(It seems you have to supply a minimum of 2 tokens, or else you get a different error asking to supply a graph + a teams token)
Anyway, when I supply a graph token + a random Azure AD token (intentionally incorrect), it gives the same error as above. When I supply a sfb token with an Azure AD token, it says:
Invalid audiences https://graph.microsoft.com,xxxxxxxx-9aa8-4d74-927d-1f4a14a0b239 found in
the provided tokens
May 27 2021 12:56 PM
@PhoneMe007 I'm seeing this same behavior. My understanding is that the newest version was deprecating the AAD tokens, but it appears to still require them. But then when they are provided it complains that the audience is incorrect.
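The "Invalid audiences" errors in the posts above name the audience (`aud` claim) carried by the supplied tokens. As an added example (not code from any poster or from the MicrosoftTeams module), this PowerShell decodes a token's payload locally so you can see which resource it was issued for before handing it to Connect-MicrosoftTeams. The function names and the unsigned sample token are constructed for illustration.

```powershell
# Diagnostic only: this decodes the payload and does NOT verify the signature.
# Run it locally; never paste real access tokens into online decoders or logs.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 dot-separated parts)' }
    ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
}

function Test-TokenAudience {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $claims = Get-JwtClaims -Token $Token
    [pscustomobject]@{
        Audience = $claims.aud
        Roles    = $claims.roles -join ','   # app-only (client credentials) permissions
        Scopes   = $claims.scp               # delegated (user-present) permissions
        Expires  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        # Compare ignoring a trailing slash ("https://graph.microsoft.com/" vs no slash)
        Match    = ([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')
    }
}

# Constructed, unsigned sample token so the example runs offline (placeholder values)
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{ aud = 'https://graph.microsoft.com'; roles = @('Policy.Read.All'); exp = 1893456000 } | ConvertTo-Json -Compress
$sample  = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig' -join '.'

Test-TokenAudience -Token $sample -ExpectedAudience 'https://graph.microsoft.com/'      # Match = True
Test-TokenAudience -Token $sample -ExpectedAudience '<other-resource-id-placeholder>'   # Match = False
```

A populated `Roles` with an empty `Scopes` indicates an app-only token from the client credentials grant, which is the kind the script earlier in the thread requests.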
May 28 2021 01:37 AM
May 28 2021 01:46 AM