Forum Discussion
PhoneMe007
Mar 24, 2021, Brass Contributor
Authenticating with an access token Connect-MicrosoftTeams
Has anyone tried authenticating with an access token (using -AadAccessToken or -MsAccessToken)? The old version of New-CsOnlineSession had an -OAuthAccessToken param, which accepted a jwt with the PS permissions in the scope, which one could obtain silently, and so avoid login.
New-CsOnlineSession has been dropped and the SfB Connector is end of life in July and Connect-MicrosoftTeams does appear to support token for the telephony functions.
- Almas4747 (Copper Contributor)
This error is most likely caused by the module trying to find the "UPN" value of the token, which is the user name of the respective account. Since the authorization flow takes place within the context of a user, the token has a UPN, which allows this flow to work. There is no user context or UPN involved with the client credentials, which leads to the credentials not working.
- Almas4747 (Copper Contributor)
The Teams PowerShell module for Microsoft Teams has been released as a preview version (2.1.0) which supports modern authentication and is fully functional. The likelihood is that this version will be pushed through to general availability quite soon as a result of this fast process.
If you would like more information, please take a look at this link.
- Andres-Bohren (Steel Contributor)
MicrosoftTeams PowerShell Module 4.0.0 has been released
https://www.powershellgallery.com/packages/MicrosoftTeams/4.0.0
I've tested it with App Only Authentication (Certificate / ClientSecret). Still does not work.
In my Microsoft Case [Case #:28612860] they said that the ETA will be early Q2 2022. I guess we still have to wait.
Regards Andres
- sjackson340 (Copper Contributor)
I've had the same problem with several different versions of the MicrosoftTeams modules...
Including:
Install-Module -Name MicrosoftTeams -RequiredVersion 2.3.2-preview -AllowPrerelease
Install-Module -Name MicrosoftTeams -RequiredVersion 3.0.0
Install-Module -Name MicrosoftTeams -RequiredVersion 3.1.1
Install-Module -Name MicrosoftTeams -RequiredVersion 4.0.0
Install-Module -Name MicrosoftTeams -RequiredVersion 4.0.1-preview -AllowPrerelease
My tokens are correct:
PS> $($graphToken | Get-JWTDetails).Roles | sort
AppCatalog.Read.All
AppCatalog.ReadWrite.All
Directory.Read.All
Directory.ReadWrite.All
Group.Read.All
Group.ReadWrite.All
People.Read.All
Schedule.Read.All
Schedule.ReadWrite.All
Team.ReadBasic.All
TeamSettings.Read.All
User.Read.All
UserShiftPreferences.Read.All
UserShiftPreferences.ReadWrite.All
PS> $($teamsToken | Get-JWTDetails).Roles | sort
application_access
application_access_custom_sba_appliance
All of them give me this:
PS> Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], NullReferenceException
    + FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Connect-MicrosoftTeams], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
Logged it here too: https://github.com/MicrosoftDocs/office-docs-powershell/issues/9188
- Andres-Bohren (Steel Contributor)
As written here - I have running code (with Delegated Permissions)
Using Delegated Permissions does not make sense - I totally agree 🙂
I had a Ticket open at Microsoft #28612860. It was closed with the ETA of Mid April for the Fix. So we will see.
Tested a code with Application Permissions with Teams PowerShell Module 4.1.0 - still does not work.
Regards
Andres
- SjoerdV (Iron Contributor)
Update: Still no improvement on the App Only (Unattended) front in the latest MicrosoftTeams 3.0.0. module. The only reported working method is by using Delegate permissions as stated in the Docs under 'AccessTokens' parameter directions.
If someone has an ETA on setting CS policies in an unattended (or dare I say DSC manner), please post here
- nikolasx (Copper Contributor)
https://github.com/MicrosoftDocs/office-docs-powershell/issues/8623#issuecomment-993611923
This was just posted in a Github issue. Apparently Microsoft is aware of the issue and the ETA is March 2022.
- Iulian_Simonn (Copper Contributor)
Hi everyone, I just tested the new PS Teams module 3.1.1. I still get the same error (Connect-MicrosoftTeams : Object reference not set to an instance of an object.),
I hope they will fix it in March...
- NMLVS (Brass Contributor)
FYI - I raised a ticket, and it should be fixed by mid November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
- BJMUK (Copper Contributor)
I see 2.6.2-prerelease was added a couple of days ago, however it seems pretty broken. Was this version supposed to resolve this issue (expiry time mismatch)?
- SajAccess4 (Copper Contributor)
- Andres-Bohren (Steel Contributor)
NMLVS good to hear that
- usman83 (Copper Contributor)
Hi,
We were successfully using Microsoft Teams PowerShell using Access Tokens. But today we are faced with a strange issue:
We are getting error during authentication: Connect-MicrosoftTeams
The provided tokens must have less than 180 seconds difference in the time range of expiration. System.Management.Automation.RemoteException: The provided tokens must have less than 180 seconds difference in the time range of expiration.
We have checked the access tokens' expiry, they do differ by more than 180 seconds. We are using Refresh tokens to generate Access tokens. This is done automatically using .NET code, both access tokens are fetched within a few milliseconds, yet the expiry differs. And when we use these tokens we get the above error.
Has anyone experienced this?
Regards,
Muhammad Usman
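Added example, not part of the thread and not code from the MicrosoftTeams module: two failure causes discussed here, a token without user context (no `upn` claim) and a token pair whose expiry times differ by 180 seconds or more, can be checked before calling Connect-MicrosoftTeams by decoding the JWT payloads. The function names are hypothetical, the sample tokens are constructed, and the signature is not verified.

```powershell
# Added example: function names are hypothetical; the sample tokens are constructed.
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims([string]$Token) {
    # Decodes the payload only; the signature is not verified (inspection, not trust).
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three dot-separated parts).' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TeamsTokenPair {
    param([string]$GraphToken, [string]$TeamsToken, [int]$MaxSkewSeconds = 180)
    $rows = foreach ($pair in @(@('Graph', $GraphToken), @('Teams', $TeamsToken))) {
        $c = Get-JwtClaims $pair[1]
        [pscustomobject]@{
            Token    = $pair[0]
            Audience = $c.aud
            HasUpn   = $null -ne $c.PSObject.Properties['upn']    # user context present
            HasScp   = $null -ne $c.PSObject.Properties['scp']    # delegated permissions
            HasRoles = $null -ne $c.PSObject.Properties['roles']  # application permissions
            Expires  = [long]$c.exp
        }
    }
    $skew = [math]::Abs($rows[0].Expires - $rows[1].Expires)
    [pscustomobject]@{
        Tokens            = $rows
        ExpirySkewSeconds = $skew
        SkewWithinLimit   = $skew -lt $MaxSkewSeconds
        AnyTokenLacksUpn  = @($rows | Where-Object { -not $_.HasUpn }).Count -gt 0
    }
}

# Constructed, unsigned sample tokens (app-only shape: roles, no upn; expiries 1400 s apart).
function New-SampleToken([hashtable]$Claims) {
    $enc = {
        param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.constructed' -f (& $enc @{ alg = 'none' }), (& $enc $Claims)
}
$graph = New-SampleToken @{ aud = 'https://graph.microsoft.com'; exp = 1700003599; roles = @('User.Read.All') }
$teams = New-SampleToken @{ aud = '48ac35b8-9aa8-4d74-927d-1f4a14a0b239'; exp = 1700004999; roles = @('application_access') }
$result = Test-TeamsTokenPair -GraphToken $graph -TeamsToken $teams
$result.Tokens | Format-Table
$result | Select-Object ExpirySkewSeconds, SkewWithinLimit, AnyTokenLacksUpn
```

The output contains only claim metadata, so it can be attached to a support case without disclosing the bearer tokens themselves.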
- NMLVS (Brass Contributor)
Has anyone successfully got this working yet?
There was a new version released today for MicrosoftTeams, but I am still unsuccessful.
I have provided the App the relevant permissions as outlined in the documentation.
Connect-MicrosoftTeams -AccessTokens @($tokenResponse, $teams_tokenResponse) -AccountId $UPN
Connect-MicrosoftTeams : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
- NMLVS (Brass Contributor)
I got this working by rolling back to an older preview version.
Install-Module -Name MicrosoftTeams -RequiredVersion "2.3.2-preview" -AllowPrerelease -force
Import-Module MicrosoftTeams -RequiredVersion 2.3.2
$ApplicationId = 'xx'
$ApplicationSecret = 'xx'
$TenantID = 'xx'
$UPN = "admin@xx"
$ReqTokenBody = @{
Grant_Type = "client_credentials"
client_Id = $ApplicationId
Client_Secret = $ApplicationSecret
Scope = "https://graph.microsoft.com/.default"
}
$graph_TokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Method POST -Body $ReqTokenBody
$teams_ReqTokenBody = @{
Grant_Type = "client_credentials"
client_Id = $ApplicationId
Client_Secret = $ApplicationSecret
Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
}
$teams_TokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Method POST -Body $teams_ReqTokenBody
Connect-MicrosoftTeams -AccessTokens @($graph_tokenResponse.access_token,$teams_tokenResponse.access_token) -AccountId $UPN
- SHWDAndrewBaker (Copper Contributor)
I'm trying to setup something similar in Softerra Adaxes, but I'm not getting very far
$clientId = ""
$clientSecret = ""
$tenantName = "tenant.onmicrosoft.com"
$tenantNameshort = ""
$tenantIdCode = ""
$graphResource = "https://graph.microsoft.com/"
$graphtokenBody = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
Client_Id = $clientId
Client_Secret = $clientSecret
}
$graphTokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $graphtokenBody
$teamsResource = "https://api.interfaces.records.teams.microsoft.com"
$teamstokenBody = @{
Grant_Type = "client_credentials"
Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
Client_Id = $clientId
Client_Secret = $clientSecret
}
$TeamsTokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $teamstokenBody
Connect-MicrosoftTeams -TenantId $tenantId -AccessTokens @($graphTokenResponse.access_token,$TeamsTokenResponse.access_token)
I get this error:
Connect-MicrosoftTeams : Not supported tenant type.
At C:\scripts\connect-teams.ps1:27 char:1
+ Connect-MicrosoftTeams -TenantId $tenantId -AccessTokens @($graphToke ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], ArgumentException
    + FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
If I try something along the lines of
Connect-MicrosoftTeams -TenantId $tenantId -ClientId $clientId -Certificatethumbprint $certificateThumbprint
I get the following:
Connecting to remote server api.interfaces.records.teams.microsoft.com failed with the following error message : The WinRM client cannot process the request....
- Andres-Bohren (Steel Contributor)
Any Updates on this Topic?
https://docs.microsoft.com/en-us/powershell/module/teams/connect-microsoftteams?view=teams-ps
$graphtoken = #Get MSGraph Token for following for resource "https://graph.microsoft.com" and scopes "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All";
$teamstoken = #Get Teams resource token for resource id "48ac35b8-9aa8-4d74-927d-1f4a14a0b239" and scope "user_impersonation";
Connect-MicrosoftTeams -AccessTokens @($graphtoken, $teamstoken) -AccountId $adminaccount
Account Environment Tenant TenantId
------- ----------- ------------------------------------ ------------------------------------
user@contoso.com AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Specifies a access tokens for "MSGraph" and "Skype and Teams Tenant Admin API" resources. This new parameter is added in version 2.3.2-preview.
Following steps must be performed by Tenant Admin in the Azure portal when using your own application.
Steps to configure the AAD application.
Go to Azure portal and go to App Registrations.
Create or select the existing application.
Add the following permission to this Application.
Click API permissions.
Click Add a permission.
Click on the Microsoft MS Graph, and then select Delegated Permission.
Add the following permissions: "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All";
Next, we need to add "Skype and Teams Tenant Admin API" resource permission. Click Add a permission.
Navigate to "APIs my organization uses"
Search for "Skype and Teams Tenant Admin API".
Add all the listed permissions.
Grant admin consent to both MS Graph and "Skype and Teams Tenant Admin API" name.
- danielandrewbrowne (Copper Contributor)
They seem to have gone backwards with release 2.5.0. I used to be able to use
Connect-MicrosoftTeams -AccessTokens @($graphtoken, $teamstoken) -Verbose -AccountId "user@domain.com"
to at least access the new cmdlets, but now I get
Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
- Simon Shaw (Copper Contributor)
I am pretty sure that this is the same problem that I am having.
This is what I am doing.
For my test I added a new user to my tenant with the global admin role and configured it to use MFA. This is the only user in the tenant that is configured this way.
In AzureAD I then added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.
I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.
$clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
$clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
$tenantName = "mydomain.onmicrosoft.com"
$resource = "https://graph.microsoft.com/"
$tokenBody = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
Client_Id = $clientId
Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody
Import-Module MicrosoftTeams
Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net
Whatever command I try to run fails with the following error:
Get-CsCloudMeetingPolicy
Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
+ $remoteSession = & (Get-CsOnlineSessionCommand)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
    + FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
+ ... -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the powershell commands (that I tested with).
Is this the same issue, or should I open a separate thread?
- PhoneMe007 (Brass Contributor)
Appears to be the same and potentially fixed with 3.0 release, which we hope will appear this week...
- et01267 (Brass Contributor)
Note that there is a 2.3.2 preview (available on the 2.3.1 download page) with no release notes or other info about content. However, we've already tested and it breaks in a different way under this use case.
We actually have created a workaround for this AccessToken auth issue with 2.3.1, which involved decompiling some DLLs to figure out the bug in that Microsoft code. We may be able to post that approach after some additional review.
- et01267 (Brass Contributor)
That is certainly the issue we are facing. Connect-MicrosoftTeams has never worked with this sort of authentication, though it is supposed to work and the eventual 3.0 version might possibly fix it, finally.
Up until now we have been doing something trickier using New-PsSession and Import-PsSession which was working (and seemed to provide the missing "Session" that your error is complaining about). Sadly, this approach has evidently been deprecated and now only works intermittently or with specific tenants (or maybe specific back-end lync servers). Microsoft has clearly removed a working feature before they have a working replacement.
Interestingly, when it works, we get the following warning message instead of an error:
WARNING: Your tenant has been granted exception to use Skype For Business Online connector till June 15 2021. Your organization must replace the Skype for Business Online PowerShell connector module with the Teams PowerShell Module prior to that date. Please visit https://aka.ms/sfbocon2tpm for supported options.
- Cedeng (Copper Contributor)
We are facing the same issues here. Somehow the S4B OnlineConnector got removed without providing a working alternative solution to change policies scriptbased.
- syedafzalali (Copper Contributor)
Can you please suggest an alternative method if new "Connect-MicrosoftTeams" does not work using -AadAccessToken for executing Get-CsTenant or SFB commands?
We are blocked and not sure when the fix of 3.0.x will come ? Please help.
- PhonesNZ (Copper Contributor)
I am also finding that when connecting with access tokens the Get-CSOnlinePSTNGateway and anything that used to be connected via the new-csonlinesession no longer functions.
If you log in with Connect-MicrosoftTeams interactively then it will work, but this is undesirable for our automation requirements.
Module version 2.3.1
- Sridevi-MSFT (Microsoft)
We have implemented a fix which will be available when the 3.0.0 version is released.
- MattLadewig (Copper Contributor)