Forum Discussion
PhoneMe007
Mar 24, 2021, Brass Contributor
Authenticating with an access token Connect-MicrosoftTeams
Has anyone tried authenticating with an access token (using -AadAccessToken or -MsAccessToken)? The old version of New-CsOnlineSession had an -OAuthAccessToken param, which accepted a jwt with the PS ...
- Oct 15, 2021: FYI - I raised a ticket, and it should be fixed by mid November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
sjackson340
Mar 29, 2022, Copper Contributor
I've had the same problem with several different versions of the MicrosoftTeams modules...
Including:
Install-Module -Name MicrosoftTeams -RequiredVersion 2.3.2-preview -AllowPrerelease
Install-Module -Name MicrosoftTeams -RequiredVersion 3.0.0
Install-Module -Name MicrosoftTeams -RequiredVersion 3.1.1
Install-Module -Name MicrosoftTeams -RequiredVersion 4.0.0
Install-Module -Name MicrosoftTeams -RequiredVersion 4.0.1-preview -AllowPrerelease
My tokens are correct:
PS> $($graphToken | Get-JWTDetails).Roles | sort
AppCatalog.Read.All
AppCatalog.ReadWrite.All
Directory.Read.All
Directory.ReadWrite.All
Group.Read.All
Group.ReadWrite.All
People.Read.All
Schedule.Read.All
Schedule.ReadWrite.All
Team.ReadBasic.All
TeamSettings.Read.All
User.Read.All
UserShiftPreferences.Read.All
UserShiftPreferences.ReadWrite.All
PS> $($teamsToken | Get-JWTDetails).Roles | sort
application_access
application_access_custom_sba_appliance
All of them give me this:
PS> Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-MicrosoftTeams], NullReferenceException
+ FullyQualifiedErrorId : Connect-MicrosoftTeams,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
Connect-MicrosoftTeams : Object reference not set to an instance of an object.
At line:1 char:1
+ Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-MicrosoftTeams], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.TeamsCmdlets.Powershell.Connect.ConnectMicrosoftTeams
Logged it here too: https://github.com/MicrosoftDocs/office-docs-powershell/issues/9188
Andres-Bohren
Apr 04, 2022, Steel Contributor
As written here - I have running code (with Delegated Permissions)
Using Delegated Permissions does not make sense - I totally agree 🙂
I had a Ticket open at Microsoft #28612860. It was closed with the ETA of Mid April for the Fix. So we will see.
Tested a code with Application Permissions with Teams PowerShell Module 4.1.0 - still does not work.
Regards
Andres
- Ronar85, Apr 04, 2022, Copper Contributor
Hi Andres,
that's great to hear. Hopefully MS will fix this, and the Connect-MicrosoftTeams will work as expected with ApplicationPermissions (including using a certificate and not an AppSecret)....
Br
- sjackson340, Apr 04, 2022, Copper Contributor
Ronar85 and Andres-Bohren
Thanks for the link and comments. Still cannot get it working...
#Install-Modules
Install-Module JWTDetails #Not needed - just for debug
Install-Module MSAL.PS -MaximumVersion 4.36.1.2 -acceptlicense -SkipPublisherCheck -force
Install-Module MicrosoftTeams -MaximumVersion 3.0.0 -force
#Import Modules
Import-module -name JWTDetails
Import-Module MSAL.PS -MaximumVersion 4.36.1.2
Import-Module MicrosoftTeams -MaximumVersion 3.0.0
Get-Module
#Clear TokenCache
Clear-MsalTokenCache
#Prep
Add-Type -AssemblyName System.Web
$ImpersonationUPN="Email address removed"
$TenantID="TENANTNAME-OR-TENANTID"
$ApplicationID="REDACTED"
$ImpersonationUPN="Email address removed"
$ClientSecret="REDACTED"
#TeamsAccessToken
$Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
$Token = Get-MsalToken -ClientId $ApplicationID -TenantId $TenantId -Scope $Scope -ClientSecret $(ConvertTo-SecureString -String $ClientSecret -AsPlainText -force)
$TeamsAccessToken = $Token.AccessToken
Get-JWTDetails $TeamsAccessToken
#GraphAccessToken
$Scope = "https://graph.microsoft.com/.default"
$Token = Get-MsalToken -ClientId $ApplicationID -TenantId $TenantId -Scope $Scope -ClientSecret $(ConvertTo-SecureString -String $ClientSecret -AsPlainText -force)
$GraphAccessToken = $Token.AccessToken
Get-JWTDetails $GraphAccessToken
#Connect To MS TEAMS
Connect-MicrosoftTeams -AccessTokens @($GraphAccessToken,$TeamsAccessToken) -AccountId $($impersonatedUser.id) -verbose
#Error: Parameter set cannot be resolved using the specified named parameters.
Connect-MicrosoftTeams -LogLevel Verbose -LogFilePath %temp%\Connect-MSTeams.log -AccessTokens @($GraphAccessToken,$TeamsAccessToken)
notepad %temp%\Connect-MSTeams.log
Debug:
2022-04-04T13:55:38.2302931Z,Error ,Connect-MicrosoftTeams.ProcessRecord, System.NullReferenceException - Object reference not set to an instance of an object..
 at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.GetTokenClaimValue(JsonWebToken webToken, String value)
 at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.ProcessProvidedAccessTokens(AzureAccount account, String tenantId)
 at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.AcquireAccessToken(AzureAccount account, AzureEnvironment environment, String tenantId, SecureString password, AuthenticationFlow authFlow)
 at Microsoft.TeamsCmdlets.Powershell.Connect.RMProfileClient.Login(AzureAccount account, AzureEnvironment environment, String tenantId, SecureString password, AuthenticationFlow authFlow)
- Ronar85, Apr 04, 2022, Copper Contributor
Hi sjackson340,
the part using a ClientID, ClientSecret, Username & Password worked for me, after changing the AppRegistrations Role Memberships and API Permissions.
Used Parts of the code Andres-Bohren mentioned here (https://techcommunity.microsoft.com/t5/teams-developer/authenticating-with-an-access-token-connect-microsoftteams/m-p/3020424/highlight/true#M4391):
$tenantName = "<REMOVEDNAME>.onmicrosoft.com"
$clientId = "<APPREGISTRATION ID>"
$clientSecret = "<APPREGISTRATIONSECRET>"
$username = "<MYSERVICEUSER>@<REMOVEDNAME>.onmicrosoft.com"
$password = "<MYPWD>"
$uri = "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token"
$body = @{
    Grant_Type = "password";
    #Grant_Type = "client_credentials";
    Scope = "https://graph.microsoft.com/.default"
    Client_Id = $clientId;
    Client_Secret = $clientSecret;
    Username = $username;
    Password = $password;
}
$graphTokenResponse = Invoke-RestMethod -Method POST -Uri $uri -Body $body
$graphToken = $graphTokenResponse.access_token
$body = @{
    Grant_Type = "password" # client_credentials
    #Grant_Type = "client_credentials"
    Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
    Client_Id = $clientId
    Client_Secret = $clientSecret
    Username = $username
    Password = $password
}
$teamsTokenResponse = Invoke-RestMethod -Method POST -Uri $uri -Body $body
$teamsToken = $teamsTokenResponse.access_token
Connect-MicrosoftTeams -AccessTokens @($graphToken, $teamsToken)
The App Registration itself I've extended with the following Delegated Rights:
and as this step has to be done by Exchange Management (documented by MS here), I've added the AppRegistration to the Teams administrators, thinking this could be the right step, as it's also needed for EXO Management. (I'm using the same AppRegistration for EXO Management)
After the connect...
... I was able to create new Teams...
.. and also query the CSOnlineUser data...
also the new Set-CSOnlineVoiceUser seems to work - but I've got no tenant numbers in my development tenant right now 🙂
But I totally agree with Andres-Bohren's statement, that this has to work with Application Permissions only in combination using a certificate as authenticator as well! Please guys @microsoft-msteams fix this!
BR
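
Added example, not part of any post above and not code from the MicrosoftTeams module: the thread reports that tokens from the delegated (password grant) flow connect while client-credentials tokens fail inside `GetTokenClaimValue`, so this sketch decodes a token payload locally, without any module, and reports whether it is app-only (`roles`) or delegated (`scp`) along with the claims it carries. Which claim the module actually reads is not stated in the thread; `Get-JwtPayload`, `Get-TokenKind`, `New-SampleToken` and the sample tokens are hypothetical and constructed for illustration.

```powershell
# Added example. Decodes the payload only; it does NOT validate the signature.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 JWT segments, got $($parts.Count)" }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenKind {
    param([Parameter(Mandatory)][string]$Token)
    $p = Get-JwtPayload -Token $Token
    $names = @($p.PSObject.Properties.Name)
    # scp = delegated scopes; roles without scp = application permissions
    $kind = if ($names -contains 'scp') { 'delegated' } elseif ($names -contains 'roles') { 'app-only' } else { 'unknown' }
    [pscustomobject]@{
        Kind     = $kind
        Audience = $p.aud
        HasUpn   = ($names -contains 'upn')
        Expires  = [DateTimeOffset]::FromUnixTimeSeconds([long]$p.exp).UtcDateTime
        Claims   = ($names | Sort-Object) -join ', '
    }
}

# Constructed, unsigned sample tokens (hypothetical helper; not real tokens)
function New-SampleToken {
    param([hashtable]$Claims)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.sig' -f (& $enc '{"alg":"none"}'), (& $enc ($Claims | ConvertTo-Json -Compress))
}

$teamsAud  = '48ac35b8-9aa8-4d74-927d-1f4a14a0b239'   # resource id used in the posts above
$appOnly   = New-SampleToken @{ aud = $teamsAud; exp = 1900000000; roles = @('application_access') }
$delegated = New-SampleToken @{ aud = $teamsAud; exp = 1900000000; scp = 'user_impersonation'; upn = 'svc@example.invalid' }

# Compare the claim sets side by side before handing tokens to -AccessTokens
$appOnly, $delegated | ForEach-Object { Get-TokenKind -Token $_ } | Format-List
```

Running the same two functions over a real Graph token and Teams token shows at a glance which user-identity claims a client-credentials token lacks compared with a delegated one; treat the decoded output as sensitive, since the input is a live bearer credential.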