DFIR-O365RC
Failed to create EXO session - unexpected character encountered while parsing value: F.
The script Get-O365Light failed after authenticating, both from the Docker container and the Linux pwsh.
Output:
PS /mnt/host/output> Get-O365Light -StartDate $startdate -Enddate $enddate -Debug
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DF[...]VZ to authenticate.
Get-O365Light: [email protected] does not have the required permissions to get Office 365 Unified Audit Logs : doees not have the 'View-Only Audit Logs' role on https://admin.exchange.microsoft.com/. See https://learn.microsoft.com/en-us/purview/audit-log-search?view=o365-worldwide#before-you-search-the-audit-log. Cannot continue
And the logfile:
2024-04-18 13:02:50, INFO, Asking Oauth token for EXO
2024-04-18 13:03:37, INFO, Fetching all operations from the subset, this is the default configuration
2024-04-18 13:03:37, INFO, Asking Oauth silent token renewal for EXO
2024-04-18 13:03:37, INFO, Checking permissions for [email protected]
2024-04-18 13:03:37, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:04:37, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:06:37, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:09:38, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:13:38, ERROR, Failed to create EXO session EXO_0f3b[...]834c 4 times - aborting
2024-04-18 13:13:38, ERROR, [email protected] does not have the required permissions to get Office 365 Unified Audit Logs : doees not have the 'View-Only Audit Logs' role on https://admin.exchange.microsoft.com/. See https://learn.microsoft.com/en-us/purview/audit-log-search?view=o365-worldwide#before-you-search-the-audit-log. Cannot continue
The permissions in Entra / Exchange are definitely correct, since I was able to run the commands that the script runs on my own:
PS> Connect-ExchangeOnline -UserPrincipalName [email protected]
(success)
PS> $sessionName = [guid]::NewGuid().ToString()
PS> $Alloperations= @()
PS> $myObject = [PSCustomObject]@{
>> GroupName= "Exchange";
>> Operations = '"Add-MailboxPermission", "AddFolderPermissions", "Add-RecipientPermission", "Remove-RecipientPermission", "New-InboxRule", "Set-InboxRule", "Set-TransportRule", "New-TransportRule", "Hard Delete user", "Remove-MailboxPermission", "RemoveFolderPermissions", "UpdateInboxRules", "Set-CASMailbox", "Set-Mailbox","SearchCreated", "SearchExported","MailboxLogin"'
>> }
PS> $Alloperations += $myObject
[do this for all the other objects]
PS> foreach ($operationsset in $Alloperations) {
>> Get-LargeUnifiedAuditLog -StartDate $startdate -EndDate $enddate -outputfile test2.txt -requesttype "Operations" -sessionName $sessionName -logfile test2.log -Operations $operationsset.Operations
>> }
[this generates the correct output]
Unfortunately I wasn't able to find out what value:F was expected to be, or what the unexpected character was.
Hi,
Sorry, I've missed this issue :-(.
I've investigated, and it turns out the MFA App ID has been deprecated since 03/31/2024. This was the method we used to connect to Exchange Online.
The new recommended method is to register an application into Entra ID. We are currently thinking of ways to implement that as smoothly as possible.
Thanks a lot for pointing out this issue, I will keep you updated.
Wouldn't it just be possible to call the Connect-ExchangeOnline command without anything else? Then you could just login with your user and from there on it should work if your user has the right permissions. From how I understand it, this is how the invictus-ir Extractor suite does it, as an example. https://github.com/invictus-ir/Microsoft-Extractor-Suite/blob/731ec82dfa1e242bff7dad28ad0a7500ecc0a17d/Scripts/Connect.ps1
Hi,
This would be indeed a possibility.
However, this would raise several issues:
- this is not the recommended way, according to the documentation: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps (they point at using an application)
- Microsoft has confirmed to me that the way going forward for this use case is to use an application
- handling login / logout / timeout would be much harder, especially if the user uses MFA
For all those reasons, I've been working on a total rework of DFIR-O365RC. The release should land soon :)
Regards,
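The app-only connection method the maintainer refers to (and the documentation link above) can be sketched as follows. This is an added example, not DFIR-O365RC's own code nor the Microsoft-Extractor-Suite code linked earlier: it connects with a certificate-backed Entra ID application using the documented `Connect-ExchangeOnline` parameters, checks for the same 'View-Only Audit Logs' role the script reports as missing before doing any work, and then pages through the Unified Audit Log with the documented `Search-UnifiedAuditLog` session pattern. The `$AppId`, `$CertThumbprint`, `$Organization` values and the output file name are placeholders you must supply; the operation list is a constructed subset of the Exchange operations shown in the original post.

```powershell
# Added example (not DFIR-O365RC code): app-only Exchange Online connection,
# permissions check, then a paged Unified Audit Log export.
param(
    [Parameter(Mandatory)] [string]$AppId,           # placeholder: Entra ID application (client) ID
    [Parameter(Mandatory)] [string]$CertThumbprint,  # placeholder: thumbprint of the cert registered on that app
    [Parameter(Mandatory)] [string]$Organization,    # placeholder: tenant, e.g. contoso.onmicrosoft.com
    [datetime]$StartDate = (Get-Date).AddDays(-7),
    [datetime]$EndDate   = (Get-Date),
    [string]$OutputFile  = "ual_export.jsonl"        # placeholder output path
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# Certificate-based app-only sign-in: no device-code prompt and no interactive MFA,
# which is the point the maintainer makes about login/timeout handling.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertThumbprint `
    -Organization $Organization -ShowBanner:$false

# Fail early with a clear message if the audit-log role is not assigned,
# instead of discovering it through a retried session failure later.
# Assumption: the application's service principal has been placed in a role group
# that holds this role, so it appears among the assignment's effective users.
$role = "View-Only Audit Logs"
$assignments = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Delegating $false
if (-not $assignments) {
    Disconnect-ExchangeOnline -Confirm:$false
    throw "No assignment of the '$role' role is visible for this connection. Cannot continue."
}

# Constructed subset of the Exchange operations listed in the original post.
$operations = @("Add-MailboxPermission", "New-InboxRule", "Set-InboxRule", "Set-TransportRule", "New-TransportRule")

# Documented paging pattern: reuse one SessionId with ReturnLargeSet and keep
# calling until an empty page comes back.
$sessionId = [guid]::NewGuid().ToString()
$total = 0
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000 `
        -Operations $operations
    if ($page) {
        # AuditData is already a JSON document per record; write one record per line.
        $page | ForEach-Object { $_.AuditData } | Add-Content -Path $OutputFile
        $total += $page.Count
    }
} while ($page -and $page.Count -gt 0)

Write-Host "Exported $total records to $OutputFile"
Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Export-Ual.ps1 -AppId <id> -CertThumbprint <thumb> -Organization <tenant>` (script name is a placeholder). Granting the application the audit role is done in Entra ID / Exchange, not in this script; if the role check throws, fix the role assignment rather than retrying the connection.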