Using a managed service identity to call into SharePoint Online. Possible?
Hi All, I have been playing around with Managed Service Identity in Azure Logic Apps and Azure Function Apps. I think it is the best thing since sliced bread and am trying to enable various scenarios, one of which is using the MSI to get an app-only token and call into SharePoint Online. Using Logic Apps, I generated a managed service identity for my app, and granted it Sites.readwrite.All on the SharePoint application. When then using the HTTP action I was able to call REST endpoints while using Managed Service Identity as Authentication and using https://<tenant>.sharepoint.com as the audience. I then though I'd take it a step further and create a function app and follow the same pattern. I created the app, generated the MSI, added it the Sites.readwrite.All role same way I did with the Logic App. I then used the code below to retrieve an access token and try and generate a clientcontext: #r "Newtonsoft.Json" using Newtonsoft.Json; using System; using System.Net; using System.Net.Http; using System.Net.Http.Headers; using Microsoft.SharePoint.Client; public static void Run(string input, TraceWriter log) { string resource = "https://<tenant>.sharepoint.com"; string apiversion = "2017-09-01"; using (var client = new HttpClient()) { client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET")); var response = client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion)).Result; var responseContent = response.Content; string responseString = responseContent.ReadAsStringAsync().Result.ToString(); var json = JsonConvert.DeserializeObject<dynamic>(responseString); string accesstoken = json.access_token.ToString() ClientContext ctx = new ClientContext("<siteurl>"); ctx.AuthenticationMode = ClientAuthenticationMode.Anonymous; ctx.FormDigestHandlingEnabled = false; ctx.ExecutingWebRequest += delegate (object sender, WebRequestEventArgs e){ e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accesstoken; }; Web web = ctx.Web; ctx.Load(web); ctx.ExecuteQuery(); log.Info(web.Id.ToString()); } } The bearer token is generated, but requests fail with a 401 access denied (reason="There has been an error authenticating the request.";category="invalid_client") I have tried to change the audience to 00000003-0000-0ff1-ce00-000000000000/<tenant>.sharepoint.com@<tenantid>" but that gives a different 401 error, basically stating it cannot validate the audience uri. ("error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown.). I have also replace the CSOM call with a REST call mimicking the same call I did using the Logic App. My understanding of oauth 2 is not good enough to understand why I'm running into an issue and where to look next. Why is the Logic App call using the HTTP action working, and why is the Function App not working?? Anyone?
MSI's that won't install
I've got a small estate but one that's entirely remote working only - so I'm reliant on InTune to get updates pushed out to remediate CVE's for basically anything and everything. This has thrown up a few hurdles over the last 2 years but I've managed to resolve most of them with only minimal faffing around. I've got 3 products right now though where the MSI's just absolutely will NOT play ball. One is from Microsoft - the ODBC \ OLE drivers installers. 4 MSI's all told (ODBC v17 & v18, OLE v18 & v19) The other is NodeJS. I've done everything I can think of, but yet I still get either outright failures with precious little by way of logs (I'm looking at you Microsoft ODBC/OLE teams). Or I get conflicting errors. Node.JS for example, from the log: MSI (s) (04:E0) [14:11:06:005]: Product: Node.js -- Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine. Log on as administrator and then retry this installation. Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine. Log on as administrator and then retry this installation. But yet the MSI for Node.JS flags as 'Device' only: Anyone else successfully managed to get these deploying via InTune, and if so, how?
Teams Wide Machine Installer - "ProductLanguage" option
Hello, I try to install the Teams Wide Machine Installer (MSI file) with the option ProductLanguage="1036" for the French language but I have the error below : If I remove the argument ProductLanguage, the installation works correctly but Teams is in English by default for each users. Here is my command-line used : msiexec /i "%~dp0Teams_windows_x64.msi" ProductLanguage="1036" OPTIONS="noAutoStart=true" /qn /norestart ALLUSERS="1" Did you already encounter this issue ? Thank you !
Windows 11 insider develop does not install program. exe
Hello, I introduce myself as new with a problem in the version developer windows. I tried to download a finished program in . exe: "macrium reflect home" without results. The error is that the windows installer service does not start, but it updates and lets you download other programs. I tried to start the service manually, make a rep with sfc /scannow, delete temporary files and download this tool: "https://download.microsoft.com/download/7/E/9/7E9188C0-2511-4B01-8B4E-0A641EC2F600/MicrosoftProgram_Install_and_Uninstall.meta.diagcab ". But nothing has worked, because in the windows registry I still have the error that does not start windows installer or rather called: "msiexec.exe" I hope someone can give me a solution without making a downgrade to install this program. Thank you very much and a greeting
MSI Elevated privilege request
Hi, I have been using Intune to try and stop staff being able to install without entering Admin Credentials, it is working for .exe as each user is a standard user, but whatever I try for .msi files either does nothing, or it blocks the install completely and also stops the intune apps installing when setting up the machines. Does anyone have any tips for me?
Update of MSI download
Could the MSI downloads for x86 & X64 (Teams Machine-Wide Installer) please be updated as a matter of urgency? My Teams client on my PC was updated from version 1.4.0.11161 to 1.4.0.13073 on June 3rd, but the MSI download links: http://aka.ms/teams64bitmsi http://aka.ms/teams32bitmsi Are still downloading version 1.4.0.11161. Before anyone asks why it matters, this is for regular maintenance of VDI environments... Thanks, Jonathan
