monkey365
Add OIDC authentication via service principal for automated tasks
ROPC is the only supported way for automated testing scenarios that covers the applications (SPO, EXO, etc.). However, it is the least secure and not recommended by Microsoft. MS LINK INFO Certificate-based authentication is not possible in all automation scenarios, where it would be impossible to store the pfx.
I tried testing the ROPC flow; it works for EXO, but for SPO I get the error:
*** [Get-MonkeyMSALToken] - Acquire token failed. AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint. Trace ID: dca13de3-7c60-4fd6-ba53-7c6710104100 Correlation ID: 87060ba9-97d0-4da3-9ee3-7c8c2b920b41 Timestamp: 2024-06-19 13:50:13Z - warning -
*** [Get-MSALTokenForGraphV2] - Unable to get token for Microsoft Graph - warning
I get the problem after doing some research: the token needs to be acquired from the /organizations endpoint for the ROPC flow. I couldn't find any switch parameters in the code to force that, although I am mentioning the Tenant ID when invoking Monkey365.
In an automated scenario where we could use a service principal that has all the relevant rights, for example in a GitHub Actions workflow, it would be amazing to be able to use a service principal? Is there a particular reason why SP with client/secret is not supported for M365 scans, as it is possible to assign the required rights and roles?
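The two token requests discussed in this issue, the ROPC flow that fails over /common and the client-credentials flow a service principal would use, as an added example that is not part of monkey365 or of the original issue. It only builds the requests against the standard Microsoft identity platform v2.0 token endpoint; the tenant, client id, secret and user values are placeholders, and `post_token_request` is the one function that goes on the network.

```python
"""Build OAuth 2.0 v2.0 token requests for the flows discussed in the issue.

Added example, not monkey365 code. Endpoint shape and grant_type values are the
documented Microsoft identity platform ones; all ids/secrets below are placeholders.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AUTHORITY_HOST = "https://login.microsoftonline.com"

# Multi-tenant aliases the v2.0 endpoint refuses for the password grant
# (this is exactly the AADSTS9001023 error quoted above).
ROPC_UNSUPPORTED_TENANTS = {"common", "consumers"}


def token_endpoint(tenant: str) -> str:
    """v2.0 token endpoint for a tenant id, verified domain or alias ("organizations")."""
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0/token"


def ropc_tenant_supported(tenant: str) -> bool:
    """True when the authority is one ROPC accepts: /organizations or a specific tenant."""
    return tenant not in ROPC_UNSUPPORTED_TENANTS


def build_ropc_request(tenant, client_id, username, password, scopes):
    """Resource Owner Password Credentials: the user's password goes in the request body.

    Least secure option (as the issue notes); kept here only to show the authority
    requirement that produced the error in the issue.
    """
    if not ropc_tenant_supported(tenant):
        raise ValueError(
            f"ROPC is not supported over /{tenant}; use /organizations or the tenant id"
        )
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }
    return token_endpoint(tenant), body


def build_client_credentials_request(tenant, client_id, client_secret, resource):
    """Client credentials: the service principal authenticates with its own secret.

    `resource` is the app-id URI of the API (e.g. https://graph.microsoft.com);
    the "/.default" scope asks for every application permission granted to the SP.
    A service principal lives in one tenant, so a tenant-specific authority is required.
    """
    if tenant in ROPC_UNSUPPORTED_TENANTS:
        raise ValueError("client credentials need a tenant id or verified domain as authority")
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource.rstrip('/')}/.default",
    }
    return token_endpoint(tenant), body


def post_token_request(url, body, timeout=30):
    """POST the form-encoded body and return the parsed JSON (access_token, expires_in, ...).

    Network call; not exercised by the offline checks.
    """
    req = Request(
        url,
        data=urlencode(body).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values; a real run would read these from the workflow's secret store.
    url, body = build_client_credentials_request(
        "contoso.onmicrosoft.com", "PLACEHOLDER-CLIENT-ID", "PLACEHOLDER-SECRET",
        "https://graph.microsoft.com",
    )
    print(url, {k: v for k, v in body.items() if k != "client_secret"})
```

The check in `build_ropc_request` is the switch the issue could not find in the tool: with the tenant id (or `organizations`) as authority the request is well-formed, while `common` is rejected locally before Entra ID rejects it with AADSTS9001023.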