Connecting to SecurityCompliance (IPPSSession) fails in Connect-Maester
Description
The Exchange SecurityCompliance step in Connect-Maester fails intermittently (more often than not) with the following error:
I can reproduce the error by running the following (extracted from the function).
~/Code > [string]$ExchangeEnvironmentName = 'O365Default'
~/Code > $Environments = @{
> O365China = @{
> ConnectionUri = 'https://ps.compliance.protection.partner.outlook.cn/powershell-liveid'
> AuthZEndpointUri = 'https://login.chinacloudapi.cn/common'
> }
> O365GermanyCloud = @{
> ConnectionUri = 'https://ps.compliance.protection.outlook.com/powershell-liveid/'
> AuthZEndpointUri = 'https://login.microsoftonline.com/common'
> }
> O365Default = @{
> ConnectionUri = 'https://ps.compliance.protection.outlook.com/powershell-liveid/'
> AuthZEndpointUri = 'https://login.microsoftonline.com/common'
> }
> O365USGovGCCHigh = @{
> ConnectionUri = 'https://ps.compliance.protection.office365.us/powershell-liveid/'
> AuthZEndpointUri = 'https://login.microsoftonline.us/common'
> }
> O365USGovDoD = @{
> ConnectionUri = 'https://l5.ps.compliance.protection.office365.us/powershell-liveid/'
> AuthZEndpointUri = 'https://login.microsoftonline.us/common'
> }
> }
~/Code > Write-Host "$($Environments[$ExchangeEnvironmentName].ConnectionUri)`n$($Environments[$ExchangeEnvironmentName].AuthZEndpointUri)"
https://ps.compliance.protection.outlook.com/powershell-liveid/
https://login.microsoftonline.com/common
>> Connect-IPPSSession -BypassMailboxAnchoring -ConnectionUri $Environments[$ExchangeEnvironmentName].ConnectionUri -AzureADAuthorizationEndpointUri $Environments[$ExchangeEnvironmentName].AuthZEndpointUri
Error Acquiring Token:
Unknown Status: Unexpected
Context: Operation did not start in the allotted time.
Tag: 0x1e3d43d2 (error code 0) (Internal error code 507331538)
OperationStopped: Unknown Status: Unexpected Context: Operation did not start in the allotted time. Tag: 0x1e3d43d2
(error code 0) (internal error code 507331538)
~/Code >
The connection works consistently with the simpler Connect-IPPSSession -UserPrincipalName $MyUPN -BypassMailboxAnchoring. (However, this may not be an option in all scenarios.)
Environment
- PowerShell 7.5.0, 7.5.1
- Windows Terminal 1.22.11141.0
- Visual Studio Code 1.99.3
I am also running into this issue when running Connect-Maester -Service Graph,ExchangeOnline,Teams,SecurityCompliance
Connect-Maester -Service Graph,ExchangeOnline,Teams,SecurityCompliance
Error Acquiring Token:
Unknown Status: Unexpected
Context: Operation did not start in the allotted time.
Tag: 0x1e3d43d2 (error code 0) (internal error code 507331538)
OperationStopped: Unknown Status: Unexpected Context: Operation did not start in the allotted time. Tag: 0x1e3d43d2 (error code 0) (internal error code 507331538)
If I skip the SecurityCompliance tests, I do not get these errors.
If I use Connect-IPPSSession -UserPrincipalName '<UPN>' -BypassMailboxAnchoring I can connect to SecurityCompliance without error.
Environment
- PowerShell 7.5.1
- Windows Terminal 1.22.11141.0
- OS: Windows 11 24H2 (26100.3775)
- PSModule versions (AllUsers scope)
- Maester 1.1.0
- ExchangeOnlineManagement 3.7.2
- Microsoft.Graph.Authentication 2.28.0
- MicrosoftTeams 7.0.0
I am also getting the same error while the following runs fine: Connect-ExchangeOnline -UserPrincipalName 'username@<tenant>.onmicrosoft.com' -ShowBanner:$false
- PowerShell 7.5.1
- Windows Terminal 1.22.11141.0
- OS: Windows 11 23H2 (22631.5189)
- PSModule versions current & all users scope
- Maester 1.1.0 AND Maester 1.1.1
- ExchangeOnlineManagement 3.7.2
- Microsoft.Graph.Authentication 2.28.0
- Pester 5.7.1
PS C:\Temp> $error[0] | Select *
PSMessageDetails :
Exception : MSAL.NetCore.4.66.1.0.MsalServiceException:
ErrorCode: unknown_broker_error
Microsoft.Identity.Client.MsalServiceException: Unknown Status: Unexpected
Context: Operation did not start in the allotted time.
Tag: 0x1e3d43d2 (error code 0) (internal error code 507331538)
at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.WamAdapters.HandleResponse(Aut
hResult authResult, AuthenticationRequestParameters authenticationRequestParameters,
ILoggerAdapter logger, String errorMessage)
at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.SignInInteractiv
elyAsync(AuthenticationRequestParameters authenticationRequestParameters)
at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.AcquireTokenInte
ractiveAsync(AuthenticationRequestParameters authenticationRequestParameters,
AcquireTokenInteractiveParameters acquireTokenInteractiveParameters)
at Microsoft.Identity.Client.Internal.Broker.BrokerInteractiveRequestComponent.FetchTokensAs
ync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.FetchTokensFromBrokerAsync
(String brokerInstallUrl, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.GetTokenResponseAsync(Canc
ellationToken cancellationToken)
at
Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken
cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>
b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken
cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTo
kenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters,
CancellationToken cancellationToken)
at Microsoft.Exchange.Management.AdminApiProvider.Authentication.MSALTokenProvider.GetAccess
TokenAsync(String claims, String cmdletId)
StatusCode: 0
ResponseBody:
Headers:
TargetObject :
CategoryInfo : OperationStopped: (:) [], MsalServiceException
FullyQualifiedErrorId : Unknown Status: Unexpected
Context: Operation did not start in the allotted time.
Tag: 0x1e3d43d2 (error code 0) (internal error code 507331538)
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at Connect-ExchangeOnline<Process>, C:\Users\\Documents\PowerShell\Modules\ExchangeO
nlineManagement\3.7.2\netCore\ExchangeOnlineManagement.psm1: line 754
at Connect-IPPSSession<Process>, C:\Users\\Documents\PowerShell\Modules\ExchangeOnli
neManagement\3.7.2\netCore\ExchangeOnlineManagement.psm1: line 903
at Connect-Maester,
C:\Users\\Documents\PowerShell\Modules\maester\1.1.0\public\Connect-Maester.ps1:
line 197
at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}
Unfortunately I think we need to re-open this issue and track it as unrelated to the DLL version conflict. I'm still getting this error unless I use either a UPN or an application identity to connect.
Error Acquiring Token:
Unknown Status: Unexpected
Context: Operation did not start in the allotted time.
Tag: 0x1e3d43d2 (error code 0) (internal error code 507331538)
OperationStopped: Unknown Status: Unexpected Context: Operation did not start in the allotted time. Tag: 0x1e3d43d2 (error code 0) (internal error
code 507331538)
Connect-IPPSSession -UserPrincipalName '<UPN>' -BypassMailboxAnchoring
With this one I was also able to run this part of Maester.
I'm also having this issue when using All for the modules. Using Exchange or Office365 on their own has worked without issue.
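Added example, not part of the thread and not Maester's own code: a wrapper around the repro from the issue description that passes -UserPrincipalName when one is known (the form the thread reports as connecting reliably) and flags the token timeout when it recurs. The function name Connect-ComplianceSession and its parameters are hypothetical; the URIs and the matched message text are copied from the issue.

```powershell
# Added example. Connect-ComplianceSession and its parameters are hypothetical names.
function Connect-ComplianceSession {
    [CmdletBinding()]
    param(
        [ValidateSet('O365China', 'O365GermanyCloud', 'O365Default', 'O365USGovGCCHigh', 'O365USGovDoD')]
        [string]$ExchangeEnvironmentName = 'O365Default',

        # Optional sign-in hint; the thread reports that connecting with a UPN succeeds.
        [string]$UserPrincipalName
    )

    # Endpoint table copied from the issue description.
    $Environments = @{
        O365China        = @{ ConnectionUri = 'https://ps.compliance.protection.partner.outlook.cn/powershell-liveid'; AuthZEndpointUri = 'https://login.chinacloudapi.cn/common' }
        O365GermanyCloud = @{ ConnectionUri = 'https://ps.compliance.protection.outlook.com/powershell-liveid/'; AuthZEndpointUri = 'https://login.microsoftonline.com/common' }
        O365Default      = @{ ConnectionUri = 'https://ps.compliance.protection.outlook.com/powershell-liveid/'; AuthZEndpointUri = 'https://login.microsoftonline.com/common' }
        O365USGovGCCHigh = @{ ConnectionUri = 'https://ps.compliance.protection.office365.us/powershell-liveid/'; AuthZEndpointUri = 'https://login.microsoftonline.us/common' }
        O365USGovDoD     = @{ ConnectionUri = 'https://l5.ps.compliance.protection.office365.us/powershell-liveid/'; AuthZEndpointUri = 'https://login.microsoftonline.us/common' }
    }

    $target = $Environments[$ExchangeEnvironmentName]
    $connectParams = @{
        BypassMailboxAnchoring          = $true
        ConnectionUri                   = $target.ConnectionUri
        AzureADAuthorizationEndpointUri = $target.AuthZEndpointUri
        ErrorAction                     = 'Stop'
    }
    if ($UserPrincipalName) {
        $connectParams['UserPrincipalName'] = $UserPrincipalName
    }

    try {
        Connect-IPPSSession @connectParams
    }
    catch {
        # Message text taken from the error output quoted in this issue.
        if ($_.Exception.Message -match 'Operation did not start in the allotted time') {
            $hint = if ($UserPrincipalName) {
                'The failure occurred even with -UserPrincipalName.'
            } else {
                'Retry with -UserPrincipalName, which the thread reports as working.'
            }
            Write-Warning "Token acquisition timed out for $($target.AuthZEndpointUri). $hint"
        }
        throw  # Keep the original error record for the caller.
    }
}
```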