Powershell Connect to MicrosoftTeams with MFA user

Question

Powershell Connect to MicrosoftTeams with MFA user

Simon Shaw 6

I am trying to use powershell to connect to microsoft teams with an admin user that is configured with MFA.
Although Connect-MicrosoftTeams seems to complete successfully with the following output.

Account               Environment Tenant                               TenantId  
-------               ----------- ------                               --------  
******@mydomain.net AzureCloud  44cbfb1e-xxxx-xxxx-xxxx-xxxxxxxxxxxx 44cbfb1e-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Whatever command I try to run fails with the following error:

    Get-CsCloudMeetingPolicy  
       Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.  
       At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22  
       +     $remoteSession = & (Get-CsOnlineSessionCommand)  
       +                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
       + CategoryInfo          : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException  
       + FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession  
     ``Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument  
       that is not null or empty, and then try the command again.  
      At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38  
     + ...    -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...  
     +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
     + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException  
     + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand

The user is a new user has the role global admin and is configured with MFA. This is the only user that in the tenant that is configured this way.
On my tenant I added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.

I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.

$clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"    
$clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"    
$tenantName = "mydomain.onmicrosoft.com"    
$resource = "https://graph.microsoft.com/"    
$tokenBody = @{    
   Grant_Type    = "client_credentials"    
   Scope         = "https://graph.microsoft.com/.default"    
   Client_Id     = $clientId    
   Client_Secret = $clientSecret    
}     
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody    
Import-Module MicrosoftTeams  
Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId ******@mydomain.net

When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the powershell commands (that I tested with).
What am I missing here?

Thanks in advance.

Roger 1 Reputation point

2021-05-26T20:27:55.28+00:00

Dude. Thanks for posting, @Simon Shaw . Same issue here. Tried new versions of the MicrosoftTeams module, PowerShell, etc. No dice. Heading over to MS Teams forum assuming it's a module issue...

UPDATE: Yup - it's in the Teams forum here: https://techcommunity.microsoft.com/t5/teams-developer/authenticating-with-an-access-token-connect-microsoftteams/m-p/2233794

2 answers

Your answer

Roger 1 Reputation point

2021-05-26T20:27:55.28+00:00

Dude. Thanks for posting, @Simon Shaw . Same issue here. Tried new versions of the MicrosoftTeams module, PowerShell, etc. No dice. Heading over to MS Teams forum assuming it's a module issue...

UPDATE: Yup - it's in the Teams forum here: https://techcommunity.microsoft.com/t5/teams-developer/authenticating-with-an-access-token-connect-microsoftteams/m-p/2233794

Answer 1

Hello @Simon Shaw ,

Thanks for reaching out.

This is more related with MicrosoftTeams module rather than MFA (Multi Factor Authentication), hence I would recommend you to post your queries on MS Teams forum.

Addition to that, here are some suggestion based on my research, Teams PowerShell module requires PowerShell 5.1 but many issues are fixed in latest version of PowerShell version 7, therefore, I would recommend you to try installing PS version 7 and test the outcome.

Its worth to refer following ongoing MS teams forum thread, which is related to above exception UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession .

Hope this helps.

-------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Sharon Zhao-MSFT 25,756 Microsoft External Staff

@Simon Shaw ,

I tested the two scenarios. The results are the same as yours. One is for an admin with MFA and another is for an admin without MFA. It only works for the admin without MFA.

I didn’t find related known issue on Microsoft Teams now. I will try to search for some valuable information. If there is any update, I will share with you. Thanks for your patience and understanding.

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Sharon Zhao-MSFT 25,756 Reputation points Microsoft External Staff

2021-05-25T06:58:01.107+00:00

@Simon Shaw ,
Please try to run Connect-MicrosoftTeams without AccountId. I test this in my lab. It can works properly.
Simon Shaw 6 Reputation points

2021-05-25T09:11:18.15+00:00
I am specifically trying to connect with a user that is configured with MFA.
The Connect-MicrosoftTeams command in the screenshot does not have any parameters (not even the access token), I guess that it is connecting with parameters that you previously entered, perhaps you didn't run the Disconnect-MicrosoftTeams commands before running the connect command.
I tried just using just the AadAccessToken parameter, however the script asked me to provide an AccountId

Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token cmdlet Connect-MicrosoftTeams at command pipeline position 1 Supply values for the following parameters: AccountId:
Sharon Zhao-MSFT 25,756 Reputation points Microsoft External Staff

2021-05-26T05:22:38.403+00:00

@Simon Shaw ,
I run Disconnect-MicrosoftTeams before running the connect command. Then, it will pop up the Window as below:
Simon Shaw 6 Reputation points

2021-05-26T05:58:50.43+00:00

Thanks for your response. I am developing a server side unattended non-interactive script, hence I cannot use a window popup.
Sharon Zhao-MSFT 25,756 Reputation points Microsoft External Staff

2021-05-26T07:30:54.21+00:00

@Simon Shaw ,
If so, we recommend you open a service request about this problem to get a more efficient support. Thanks for your understanding.

Share via

Powershell Connect to MicrosoftTeams with MFA user

2 answers

Your answer