PhoneMe007
Mar 24, 2021, Brass Contributor
Authenticating with an access token Connect-MicrosoftTeams
Has anyone tried authenticating with an access token (using -AadAccessToken or -MsAccessToken)? The old version of New-CsOnlineSession had an -OAuthAccessToken param, which accepted a jwt with the PS ...
- Oct 15, 2021: FYI - I raised a ticket, and it should be fixed by mid-November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
Simon Shaw
May 24, 2021, Copper Contributor
I am pretty sure that this is the same problem that I am having.
This is what I am doing.
For my test I added a new user to my tenant with the global admin role and configured it to use MFA. This is the only user in the tenant that is configured this way.
In AzureAD I then added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.
I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.
# App registration values (redacted)
$clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
$clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
$tenantName = "mydomain.onmicrosoft.com"
$resource = "https://graph.microsoft.com/"

# Client credentials grant: request an app-only token for Microsoft Graph
$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody

# Hand the token to the Teams module
Import-Module MicrosoftTeams
Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net
Whatever command I try to run fails with the following error:
Get-CsCloudMeetingPolicy
Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
+ $remoteSession = & (Get-CsOnlineSessionCommand)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
+ FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument
that is not null or empty, and then try the command again.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
+ ... -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the powershell commands (that I tested with).
Is this the same issue, or should I open a separate thread?
- PhoneMe007, May 25, 2021, Brass Contributor
Appears to be the same and potentially fixed with 3.0 release, which we hope will appear this week...
- et01267, May 26, 2021, Brass Contributor
Note that there is a 2.3.2 preview (available on the 2.3.1 download page) with no release notes or other info about content. However, we've already tested and it breaks in a different way under this use case.
We actually have created a workaround for this AccessToken auth issue with 2.3.1, which involved decompiling some DLLs to figure out the bug in that Microsoft code. We may be able to post that approach after some additional review.
- guyfrancis, May 27, 2021, Copper Contributor
I've got the 2.3.2 preview installed and I am now getting this error:
PS C:\Users\Administrator> Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -AccountId XXXX@XXXX
Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], ArgumentException
+ FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
Connect-MicrosoftTeams : Invalid audiences 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 found in the provided tokens
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @($graph_token, $teams_token) -A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-MicrosoftTeams], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
I used "https://graph.microsoft.com/.default" as the scope for the graph access token, what should I use as the scope for the teams access token, any ideas?
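Added example (not part of the original posts and not Microsoft's code): the error above names the audience of one of the supplied tokens, and a JWT carries its audience in the `aud` claim, so decoding the payload locally shows what each token was actually issued for before it is passed to Connect-MicrosoftTeams. The sample token is constructed, the function names are hypothetical, the expected audience is a placeholder assumption, and the signature is not verified.

```powershell
# Added example: inspect a JWT's claims locally (no signature verification).
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # base64url -> base64: restore the standard alphabet and the '=' padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims {    # hypothetical helper name
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    [pscustomobject]@{
        Audience   = $claims.aud
        AppId      = $claims.appid
        Roles      = $claims.roles   # app-only permissions (client_credentials)
        Scopes     = $claims.scp     # delegated permissions (user sign-in)
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed sample token; every value in it is a placeholder.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'
    roles = @('Policy.Read.All')
    exp   = 1700000000
} | ConvertTo-Json -Compress
$sample = (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig' -join '.'

# Assumption: the audience the consuming API expects; replace with the documented value.
$expectedAudience = 'https://example.invalid/expected-resource'
$c = Get-JwtClaims $sample
if ($c.Audience -ne $expectedAudience) {
    Write-Warning "Token audience '$($c.Audience)' does not match '$expectedAudience'"
}
$c | Format-List
```

Running it against each token separately shows which one carries the audience named in the error, and whether the token holds application roles or delegated scopes.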
- et01267, May 24, 2021, Brass Contributor
That is certainly the issue we are facing. Connect-MicrosoftTeams has never worked with this sort of authentication, though it is supposed to work and the eventual 3.0 version might possibly fix it, finally.
Up until now we have been doing something trickier using New-PsSession and Import-PsSession which was working (and seemed to provide the missing "Session" that your error is complaining about). Sadly, this approach has evidently been deprecated and now only works intermittently or with specific tenants (or maybe specific back-end lync servers). Microsoft has clearly removed a working feature before they have a working replacement.
Interestingly, when it works, we get the following warning message instead of an error:
WARNING: Your tenant has been granted exception to use Skype For Business Online connector till June 15 2021. Your organization must replace the Skype for Business Online PowerShell connector module with the Teams PowerShell Module prior to that date. Please visit https://aka.ms/sfbocon2tpm for supported options.
- Cedeng, May 25, 2021, Copper Contributor
We are facing the same issues here. Somehow the S4B OnlineConnector got removed without providing a working alternative solution to change policies script-based.