
Update-M365DSCAzureAdApplication doesn't work when setting admin consent with multi-factor authentication enabled

Open Borgquite opened this issue 1 year ago • 4 comments

Description of the issue

Raised this in #4037 but to be fair, that was a separate issue.

When running the Update-M365DSCAzureAdApplication cmdlet with the -AdminConsent parameter, it fails if the credentials supplied require multi-factor authentication (as they should!)

Microsoft 365 DSC Version

1.24.228.1

Which workloads are affected

other

The DSC configuration

# Compile the application permissions required to update the listed resources
$M365DSCRequiredPermissionsList = Get-M365DSCCompiledPermissionList -ResourceNameList @('AADAdministrativeUnit', 'AADGroup', 'AADUser', 'EXODistributionGroup', 'EXOManagementRoleAssignment') -PermissionType 'Application' -AccessType 'Update'
# Interactive credential prompt for the admin account that creates the app and grants consent
$M365DSCCredential = Get-Credential
# Create or update the app registration, grant admin consent, and upload a new self-signed certificate
Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions $M365DSCRequiredPermissionsList -AdminConsent -Type 'Certificate' -MonthsValid 24 -CreateSelfSignedCertificate -CertificatePath "C:\M365DSC123.cer" -Credential $M365DSCCredential

Verbose logs showing the problem

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSCTest123' -Permissions $M365DSCRequiredPermissionsList -AdminConsent -Type 'Certificate' -MonthsValid 24 -CreateSelfSignedCertificate -CertificatePath "C:\M365DSC123.cer" -Credential $M365DSCCredential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
2024-03-20 09:48:42 - Checking specified parameters
2024-03-20 09:48:42 -   Using a Certificate as credential
2024-03-20 09:48:42 -
2024-03-20 09:48:42 -   Make sure your certificate has the following prerequisites:
2024-03-20 09:48:42 -     KeySpec           : Signature
2024-03-20 09:48:42 -     KeyLength         : 2048
2024-03-20 09:48:42 -     KeyAlgorithm      : RSA
2024-03-20 09:48:42 -     HashAlgorithm     : SHA256 or SHA1
2024-03-20 09:48:42 -     Enhanced Key Uses : Client Authentication and Server Authentication
2024-03-20 09:48:42 -     And the entire certificate chain is available!
2024-03-20 09:48:42 -
2024-03-20 09:48:43 -
2024-03-20 09:48:43 - Checking existance of AD Application
2024-03-20 09:48:43 -   New Azure AD application 'Microsoft365DSCTest123' created!
2024-03-20 09:48:43 -
2024-03-20 09:48:43 - Checking app permissions
2024-03-20 09:48:43 -   Checking permission 'Graph\Organization.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\AdministrativeUnit.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\AdministrativeUnit.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Application.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Device.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Group.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\RoleManagement.Read.Directory'
2024-03-20 09:48:43 -   Checking permission 'Graph\User.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Group.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\RoleManagement.ReadWrite.Directory'
2024-03-20 09:48:43 -   Checking permission 'Graph\ReportSettings.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\User.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Exchange\Exchange.ManageAsApp'
2024-03-20 09:48:44 -     Permission updated for application
2024-03-20 09:48:44 -
2024-03-20 09:48:44 - Waiting 10 seconds for application creation
2024-03-20 09:48:44 -   ...
2024-03-20 09:48:54 -
2024-03-20 09:48:54 - Providing Admin Consent for application permissions
Invoke-RestMethod : {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '<redacted>'. Trace ID: 1dc6364c-0bc7-448f-88db-d554da521000 Correlation ID: b5ae7e11-9135-4e6a-afff-468e353391fb Timestamp: 2024-03-20 09:48:54Z","error_codes":[50076],"timestamp":"2024-03-20 09:48:54Z","trace_id":"1dc6364c-0bc7-448f-88db-d554da521000","correlation_id":"b5ae7e11-9135-4e6a-afff-468e353391fb","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCPermissions.psm1:1605 char:26
+                 $token = Invoke-RestMethod $uri `
+                          ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
2024-03-20 09:48:54 - [ERROR] [ERROR] Error while providing consent to the requested permissions. Please make sure you provide consent via the Azure AD Admin Portal.
2024-03-20 09:48:54 - Error details: The remote server returned an error: (401) Unauthorized.
2024-03-20 09:48:54 -
2024-03-20 09:48:54 - Checking app credentials
2024-03-20 09:48:54 -   Uploading App Certificate
2024-03-20 09:48:54 -     CreateSelfSignedCertificate specified, generating new Self Signed Certificate
2024-03-20 09:48:55 -     Certificate exported to C:\M365DSC123.cer
2024-03-20 09:48:55 -     Certificate details: CN=Microsoft365DSCTest123 (<redacted>)
2024-03-20 09:48:55 -
2024-03-20 09:48:55 - Application Id: <redacted>
2024-03-20 09:48:55 -
2024-03-20 09:48:55 - NOTE: Make sure you add the application to the required Microsoft 365 (e.g. Global Admin) or Exchange (e.g. Organization Management) role groups as well!
2024-03-20 09:48:55 -       See the documentation for any required permissions.

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-GB
OsMuiLanguages       : {en-GB, en-US}

PSVersion                 : 5.1.22621.2506
PSEdition                 : Desktop
PSCompatibleVersions      : {1.0, 2.0, 3.0, 4.0...}
BuildVersion              : 10.0.22621.2506
CLRVersion                : 4.0.30319.42000
WSManStackVersion         : 3.0
PSRemotingProtocolVersion : 2.3
SerializationVersion      : 1.1.0.1

Borgquite avatar Mar 21 '24 16:03 Borgquite

The cmdlet uses a call to a native endpoint in Entra ID.

Graph PowerShell supports permission grants: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent

This option should be implemented in Microsoft365DSC.

andikrueger avatar Mar 21 '24 21:03 andikrueger
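The Graph-based consent route mentioned above, written out as an added example (it is not code from this thread or from the Microsoft365DSC module): an interactive Connect-MgGraph sign-in satisfies Conditional Access MFA in the browser, so the AADSTS50076 interaction_required failure from a username/password token request does not arise. Admin consent for an application permission is an app role assignment on the app's service principal against the resource API's service principal; the script grants each 'Resource\Permission' string in the form the verbose log prints. The two resource appIds are the well-known values for Microsoft Graph and Office 365 Exchange Online; the script name, parameters and the requirement that the caller hold a role allowed to grant tenant-wide consent (Global Administrator or Privileged Role Administrator) are assumptions stated here, not documented by the module.

```powershell
# Grant-AppRoleConsent.ps1 (added example, not Microsoft365DSC code)
# Grants application permissions (admin consent) to an existing app registration
# via Microsoft Graph PowerShell, using an MFA-capable interactive sign-in.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
param(
    [Parameter(Mandatory)] [string]   $ApplicationName,
    # Permissions as 'Resource\Permission' strings, e.g. 'Graph\User.Read.All', 'Exchange\Exchange.ManageAsApp'
    [Parameter(Mandatory)] [string[]] $Permissions
)

# Well-known appIds of the resource APIs that expose these application permissions (app roles)
$resourceAppIds = @{
    Graph    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
    Exchange = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
}

# Interactive sign-in: a Conditional Access MFA challenge is completed in the browser,
# unlike a password grant against the token endpoint, which can only fail with interaction_required.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$app = Get-MgApplication -Filter "displayName eq '$ApplicationName'"
if (-not $app) { throw "Application '$ApplicationName' not found" }
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $clientSp) { throw "No service principal exists for appId $($app.AppId); create it first" }

# Read current assignments once so re-running the script is idempotent
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id

foreach ($entry in $Permissions) {
    $api, $roleName = $entry -split '\\', 2
    if (-not $resourceAppIds.ContainsKey($api)) { throw "Unknown resource prefix '$api' in '$entry'" }
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($resourceAppIds[$api])'"

    # Application permissions are app roles on the resource SP; match the role value exactly
    $role = $resourceSp.AppRoles |
        Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { Write-Warning "Application permission '$roleName' not found on $api; skipping"; continue }

    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resourceSp.Id }
    if ($already) { Write-Host "Already granted: $entry"; continue }

    # Creating the assignment is the tenant-wide admin consent for this application permission
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id `
        -PrincipalId $clientSp.Id -ResourceId $resourceSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted: $entry"
}

# Print the resulting grants so they can be compared against the portal's "API permissions" blade
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

Run it as `.\Grant-AppRoleConsent.ps1 -ApplicationName 'Microsoft365DSC' -Permissions 'Graph\User.Read.All','Exchange\Exchange.ManageAsApp'` after Update-M365DSCAzureAdApplication has created the registration without -AdminConsent. The script only handles application permissions; delegated scopes are consented through oAuth2PermissionGrant objects instead, which this example does not cover. The two scopes requested at Connect-MgGraph are the least needed to read the registration and write assignments; they do not by themselves confer the directory role required for tenant-wide consent.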

Error AADSTS50076 appears to be a widespread problem. In varying forms of response, Microsoft's general advice as a workaround is: "Set up a separate user account (or dedicated service account) that has limited access and strong credentials that are regularly rotated. This account must be excluded from the Conditional Access MFA-enforcing policy."

I'm unable to find reference to an all-encompassing Microsoft document which acknowledges this issue. I would assume many have raised a support ticket related to AADSTS50076; however, there is no evidence to suggest Microsoft are actively working on a solution (that I could find or validate).

If de-scoping the account from MFA isn't workable, I would suggest exploring other security criteria Conditional Access has to offer. A purpose-built policy scoped only to this one account, enforcing that the device used to run the commands be managed (by Intune, SCCM or another MDM) and compliant, might suffice in reducing attack vectors.

You may even want a hardened VDI, with an IP-range-restricted Conditional Access policy scoped to the one dedicated account for Microsoft365DSC tasks. Obviously quite extreme, but not uncommon.

Alternatively, it is suggested to grant admin consent to the required permissions on the service principal manually, through the Entra portal GUI, then omit the -AdminConsent switch from the command set going forward.

RJEMDM avatar Mar 22 '24 11:03 RJEMDM
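The compensating controls proposed in the comment above, expressed as an added example (not code from this thread or from Microsoft365DSC): two Conditional Access policies targeted at a single dedicated account, one blocking sign-in from anywhere outside a trusted IP range and one requiring a compliant (MDM-managed) device. The account UPN, the CIDR (an RFC 5737 documentation range) and the policy names are placeholders; the caller is assumed to hold a role that can write Conditional Access policy, such as Conditional Access Administrator. Both policies are created in report-only state so sign-in logs can be reviewed before enforcement.

```powershell
# New-M365DSCAccountPolicies.ps1 (added example, not Microsoft365DSC code)
# Creates a trusted named location and two Conditional Access policies scoped to one
# dedicated admin account: block outside the range, and require a compliant device.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

$dedicatedUpn = 'svc-m365dsc@contoso.example'   # placeholder: the dedicated Microsoft365DSC account
$adminCidr    = '203.0.113.0/24'                 # placeholder: jump host / VDI egress range

# Interactive sign-in of the operator (MFA-capable); this does not touch the dedicated account's session
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All' -NoWelcome

# Resolve the UPN to an object id; policies reference users by id, not by name
$user = Get-MgUser -UserId $dedicatedUpn -Property Id, UserPrincipalName

# Trusted IP named location holding the single allowed egress range
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'M365DSC admin egress range'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $adminCidr })
}

# Policy 1: block the dedicated account from every location except the named range
$blockOutsideRange = @{
    displayName = 'M365DSC account: block outside admin egress range'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @($user.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require a compliant device for the dedicated account, in place of MFA
$requireCompliantDevice = @{
    displayName = 'M365DSC account: require compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @($user.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

$created = foreach ($policy in @($blockOutsideRange, $requireCompliantDevice)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
$created | Select-Object DisplayName, State, Id
```

These two policies add controls; they do not remove the account from the tenant-wide MFA policy, which still has to be done by editing that policy's exclusions (the step the thread identifies as the weak point). A password-grant token request from outside the range is blocked by policy 1, and one from an unmanaged host is blocked by policy 2, so the reduced MFA posture only applies from the managed, IP-restricted host. Keep both policies in report-only state until the sign-in log for the dedicated account shows the expected allow/block decisions.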

@RJEMDM For an 'initial setup and ongoing maintenance' command like Update-M365DSCAzureAdApplication, it seems unlikely that people are trying to automate this in a script etc.

For all of the Microsoft365DSC workloads, it is possible to use an interactive prompt supporting MFA. It should be possible to get this to work here too (as it used to until recently) without requiring insecure workarounds or manual steps.

@andikrueger's suggestion should do the job by using the existing Graph credential, if I understand it correctly.

Borgquite avatar Mar 22 '24 11:03 Borgquite