Guest Invite New-AzureADMSInvitation error "Object reference not set to an instance of an object"

Michael Spencer 0 Reputation points
2023-03-02T00:43:22.0333333+00:00

I'm following the https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-invite-powershell article, but getting an "Object reference not set to an instance of an object" error when running the New-AzureADMSInvitation command.

I'm running this from an on-prem VM. The goal is to auto-invite B2B users that are added to an application we have on-prem.

I have a registered app that I'm using to connect and have granted admin consent for the following MSGraph API permissions: User.Invite.All, User.ManageIdentities.All, User.ReadWrite.All

I load all the variables for the registered app, tenant, etc., then this...

Import-Module -Name AzureADPreview -Force

# Get Access Token
$azurePassword = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($AplicationId, $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $TenantId -ServicePrincipal
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id

After running the above it displays: [screenshot]

If I run Get-AzureADUser -All $true it shows all the users in my tenant correctly and it will let me add/delete regular users.

But if I try to run the following I get New-AzureADMSInvitation : Object reference not set to an instance of an object.

New-AzureADMSInvitation -InvitedUserEmailAddress $email.'InvitedUserEmailAddress' -InvitedUserDisplayName $email.Name -InviteRedirectUrl https://myapps.microsoft.com -SendInvitationMessage:$true


5 answers

  1. CarlZhao-MSFT 39,101 Reputation points
    2023-03-02T02:57:55.8066667+00:00

    Hi @Michael Spencer

    Azure AD PowerShell is about to be deprecated; you can use the latest Graph PowerShell to invite B2B collaboration users to your tenant.

    Import-Module Microsoft.Graph.Identity.SignIns

    Connect-MgGraph -Scopes "User.Invite.All"

    $params = @{
        InvitedUserEmailAddress = "admin@fabrikam.com"
        InviteRedirectUrl = "https://myapp.contoso.com"
    }

    New-MgInvitation -BodyParameter $params


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. CarlZhao-MSFT 39,101 Reputation points
    2023-03-10T10:33:20.9266667+00:00

    Hi @Michael Spencer

    This is because you are using an Azure AD Graph access token to connect to Microsoft Graph PowerShell, and the New-MgInvitation cmdlet is a Microsoft Graph PowerShell command, which does not support an Azure AD Graph access token; that's what is causing the issue.

    If you must use an Azure AD Graph access token, then you should use that token to connect to Azure AD and then use Azure AD PowerShell commands to invite external users to collaborate.

    Connect to Azure AD:

    Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id

    Invite users:

    New-AzureADMSInvitation -InvitedUserEmailAddress someexternaluser@externaldomain.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com"

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

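The "Invalid audience" failure in the thread comes from handing a token minted for `https://graph.windows.net` (Azure AD Graph) to a Microsoft Graph cmdlet. The following is an added example, not code from the answer above or from the Microsoft.Graph project: it decodes the bearer token's claims locally so the wrong audience, an expired token, or a missing `User.Invite.All` permission is caught before `Connect-MgGraph` is called. It assumes the Az session and `$aadToken` variable from the question, and that `Get-AzAccessToken` returns `.Token` as a plain string (Az.Accounts 2.x; newer versions return a SecureString). The Microsoft Graph and Azure AD Graph application IDs used below are the well-known resource IDs for those services.

```powershell
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding; restore standard base64 before decoding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-GraphTokenAudience {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    # aud is the resource URI (with or without a trailing slash) or the resource's well-known app ID
    $aud = ([string]$claims.aud).TrimEnd('/')
    $msGraph  = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    $aadGraph = @('https://graph.windows.net',   '00000002-0000-0000-c000-000000000000')
    $expires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    # app-only (client credential) tokens carry application permissions in 'roles';
    # delegated tokens carry scopes in 'scp'
    $perms = @($claims.roles) + @($claims.scp -split ' ') | Where-Object { $_ }
    [pscustomobject]@{
        Audience    = $aud
        IsMsGraph   = $msGraph -contains $aud
        IsAadGraph  = $aadGraph -contains $aud
        ExpiresUtc  = $expires.UtcDateTime
        IsExpired   = $expires -lt [DateTimeOffset]::UtcNow
        Permissions = @($perms)
    }
}

# Usage with the Az session from the question. The token built for https://graph.windows.net
# is an Azure AD Graph token and must only go to Connect-AzureAD:
$check = Test-GraphTokenAudience -Token $aadToken
if ($check.IsAadGraph) {
    Write-Warning "aud=$($check.Audience): Azure AD Graph token, not usable with Connect-MgGraph"
}

# Ask Az for a token minted for Microsoft Graph instead (assumption: Az.Accounts 2.x, where
# .Token is a plain string; newer Az.Accounts versions return a SecureString)
$graphToken = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
$check = Test-GraphTokenAudience -Token $graphToken
if (-not $check.IsMsGraph -or $check.IsExpired) {
    throw "Refusing to connect: aud=$($check.Audience) expired=$($check.IsExpired)"
}
if ($check.Permissions -notcontains 'User.Invite.All') {
    Write-Warning 'Token carries no User.Invite.All permission; New-MgInvitation will be denied'
}
# Microsoft.Graph 1.x accepts the token as a string here; 2.x requires a SecureString
Connect-MgGraph -AccessToken $graphToken
```

The decode is for inspection only; it does not verify the signature, which the service does. The point of the check is that the audience and permission set are visible locally, so a script can refuse to proceed with a token that was never going to be accepted instead of discovering it from a 401 at the first invite.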

  3. Michael Spencer 0 Reputation points
    2023-03-09T21:34:25.94+00:00

    I need to be able to script this; so far I have this, which apparently works as far as authentication.

    $azurePassword = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
    $psCred = New-Object System.Management.Automation.PSCredential($AplicationId, $azurePassword)
    Connect-AzAccount -Credential $psCred -TenantId $TenantId -ServicePrincipal
    $context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
    $aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
    Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id
    Connect-MgGraph -AccessToken $aadToken

    And I get the "Welcome To Microsoft Graph!" response.
    When I then try:

    $params = @{
        InvitedUserEmailAddress = $email.'InvitedUserEmailAddress'
        InviteRedirectUrl = "https://myapp.microsoft.com"
    }

    New-MgInvitation -BodyParameter $params


    It errors with:

    New-MgInvitation : Access token validation failure. Invalid audience.

    But I can list, add, delete regular users w/o issue.


  4. Michael Spencer 0 Reputation points
    2023-03-10T21:58:14.4633333+00:00

    Got there, eventually.

    Thanks


  5. Michael Spencer 0 Reputation points
    2023-03-10T22:09:04.0766667+00:00

    Success!
    Several issues: the cert must be installed in the user's store; it won't be found if it's in the local machine store!
    Missing modules and two versions of Microsoft.Graph.Authentication, so it wouldn't load correctly.

    # load configs: dot-source the .ps1 so its variables land in this scope
    # (Import-Module does not load .ps1 files)
    . "$PWD\UserUpdate_config.ps1"

    # enforce TLS1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    Import-Module Microsoft.Graph.Identity.SignIns -Force
    Import-Module Microsoft.Graph.Authentication -Force
    Import-Module Microsoft.Graph.Users -Force
    Import-Module Microsoft.Graph.Groups -Force

    # cert must be in user's store to be seen
    Connect-MgGraph -ClientId $AplicationId -TenantId $TenantId -CertificateThumbprint $certthumb -ContextScope Process

    # get group object used by app (Get-MgGroup returns the group with its Id directly)
    $relgroupinfo = Get-MgGroup -Filter "DisplayName eq '$($relgroup)'"

    # get users to add. This will eventually be pulled directly from the app via SQL
    $invitations = Import-Csv -Path $invitespath

    foreach ($usit in $invitations) {
        # create user and send invite
        $userinfo = New-MgInvitation -InvitedUserDisplayName $usit.'Name' -InvitedUserEmailAddress $usit.'InvitedUserEmailAddress' -InviteRedirectUrl "https://myapp.microsoft.com" -SendInvitationMessage
        # add the invited guest user to the group; the invitation's own .Id is not a user id,
        # the created guest is in .InvitedUser
        New-MgGroupMember -GroupId $relgroupinfo.Id -DirectoryObjectId $userinfo.InvitedUser.Id
    }

    Disconnect-MgGraph
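The two snags reported in this answer (certificate only found in the user's store; invitation object versus guest user id) are worth handling up front in a scheduled script. The following is an added example, not the poster's script: it looks the certificate up in both `CurrentUser\My` and `LocalMachine\My` and passes the certificate object to `Connect-MgGraph -Certificate` so the store no longer matters, checks the private key and expiry, and invites each CSV row inside its own `try`/`catch` so one bad address does not abort the run. The parameter names (`ApplicationId`, `CertThumbprint`, `GroupName`, `InvitesCsv`) and the CSV columns `InvitedUserEmailAddress` and `Name` are assumptions modelled on the script above; the example also skips addresses that already exist as users, which the original does not do.

```powershell
function Get-AppCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Search both stores; a bare -CertificateThumbprint only resolved CurrentUser\My for the poster
    foreach ($store in 'CurrentUser', 'LocalMachine') {
        $cert = Get-ChildItem -Path "Cert:\$store\My\$Thumbprint" -ErrorAction SilentlyContinue
        if ($cert) {
            if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint in $store\My has no private key readable by this account" }
            if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
            return $cert
        }
    }
    throw "Certificate $Thumbprint not found in CurrentUser\My or LocalMachine\My"
}

function Invoke-GuestInvitations {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$CertThumbprint,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$InvitesCsv,
        [string]$RedirectUrl = 'https://myapps.microsoft.com'
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users, Microsoft.Graph.Groups

    # Certificate-based app-only auth; passing the object works whichever store it lives in
    $cert = Get-AppCertificate -Thumbprint $CertThumbprint
    Connect-MgGraph -ClientId $ApplicationId -TenantId $TenantId -Certificate $cert -ContextScope Process | Out-Null

    # Escape single quotes for the OData filter and insist on exactly one matching group
    $group = Get-MgGroup -Filter "displayName eq '$($GroupName.Replace("'", "''"))'"
    if (@($group).Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $(@($group).Count)" }

    $results = foreach ($row in Import-Csv -Path $InvitesCsv) {
        $email = $row.InvitedUserEmailAddress
        try {
            # Reject malformed addresses before they reach the API
            $null = [mailaddress]$email
            $safe = $email.Replace("'", "''")
            $existing = Get-MgUser -Filter "mail eq '$safe'" -ErrorAction Stop
            if ($existing) {
                # Already a user (member or guest): do not send a second invitation
                $userId = $existing.Id; $status = 'already-present'
            } else {
                $inv = New-MgInvitation -InvitedUserEmailAddress $email -InvitedUserDisplayName $row.Name `
                    -InviteRedirectUrl $RedirectUrl -SendInvitationMessage -ErrorAction Stop
                # The guest account lives in .InvitedUser; .Id on the invitation is the invitation itself
                $userId = $inv.InvitedUser.Id; $status = 'invited'
            }
            New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $userId -ErrorAction Stop
            [pscustomobject]@{ Email = $email; UserId = $userId; Status = $status }
        } catch {
            # Record the failure and carry on with the next row
            [pscustomobject]@{ Email = $email; UserId = $null; Status = "failed: $($_.Exception.Message)" }
        }
    }
    Disconnect-MgGraph | Out-Null
    return $results
}

# Usage (all values are placeholders):
# Invoke-GuestInvitations -ApplicationId '<app-id>' -TenantId '<tenant-id>' -CertThumbprint '<thumbprint>' `
#     -GroupName 'App Users' -InvitesCsv '.\invites.csv' | Format-Table
```

Returning one record per row, rather than writing to the console, gives the calling job something to log and alert on; a run that reports `failed:` rows is the signal that the app's permissions, the certificate, or the input data need attention.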