script granting pim admin role in Azure AD with MFA

Question

script granting pim admin role in Azure AD with MFA

Darryl 256

Hi,

I'm trying to script some maintenance tasks in Exchange, and to make the changes I need to grant myself the exchange admin role in PIM and authenticate using MFA.

I've followed this but I still get an error relating to MFA:

Open-AzureADMSPrivilegedRoleAssignmentRequest : Error occurred while executing
OpenAzureADMSPrivilegedRoleAssignmentRequest
Code: RoleAssignmentRequestPolicyValidationFailed
Message: The following policy rules failed: ["MfaRule"]

I'm not sure if the clientid I've used is right, where do I get this from? does that relate to an specific application?

Thanks

Saurabh Sharma 23,846 Microsoft Employee Moderator

Hi @Darryl ,

Thanks for using Microsoft Q&A !!
I have tried using the cmdlet and it works fine. I have used the command like below -

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule  
$schedule.Type = "Once"  
$schedule.StartDateTime = "2021-04-26T20:49:11.770Z"  
$schedule.endDateTime = "2022-07-25T20:49:11.770Z"  
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -Schedule $schedule -ResourceId "<TenantId>" -RoleDefinitionId "29232cdf-9323-42fd-ade2-1d097af3e4de" -SubjectId "fd30f582-5613-450e-a75a-73f279aa82da" -AssignmentState "Eligible" -Type "AdminAdd"

Here, I am passing Tenant Guid as -ResourceId and user object id from Azure Portal as SubjectId.

Result -

Thanks
Saurabh

Darryl 256 Reputation points

2021-05-28T11:06:08.547+00:00

Hi,
I'm using MFA and usually the authenticator app on my phone. I'm using this article to get the token. I think it's not working as Azure is expecting my to authenticate using MFA which the powershell isn't doing (the link doesn't seem to have worked in my original post, apologies). The get-MSALToken cmd seems to work but i don't know what the ClientId should be, does this relate to an app in Azure?
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-02T20:03:01.347+00:00

Hi @Darryl ,
Thanks for sharing this one. I am checking on this and get back to you.

Thanks
Saurabh
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-10T23:06:26.72+00:00

Hi @Darryl ,

Sorry for the delay. Client id - 1b730954-1685-4b74-9bfd-dac224a7b894 which is for the Azure AD PowerShell client app and you can use the same in your script.
How are you currently running the script. Are you passing any other client id ?

Also, you may be getting this error because the role setting would have MFA required set. The solution is to login with MFA as shown in the blog. So, can you please check and change it before running the script.

Thanks
Saurabh
Darryl 256 Reputation points

2021-06-15T10:23:34.03+00:00

If I follow the blog I shouldn't have to authenticate using MFA, as it gets the token for me? I'm trying to automate something in Exchange, but because we have PIM and I need to request the Exchange role in Azure AD which requires me to authenticate using MFA.

Maybe i've misunderstood the blog.
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-15T14:50:24.083+00:00

@Darryl As per my understanding the blog is to "Get token for MS Graph by prompting for MFA" and you will be prompted for MFA authentication even if you do not have MFA enforced on the account.
I believe you already have MFA enforced on the account and you are prompted with MFA authentication even if you are not using the method mentioned in the blog.

Please let me know if you have any other questions.

Thanks
Saurabh
Darryl 256 Reputation points

2021-06-16T09:19:07.88+00:00

ok, maybe i've misunderstood what it was doing.
Is there a recommended way of automating maintenance scripts in Office365? maybe a service account without MFA?
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-18T20:48:15.89+00:00

@Darryl sorry, none which I am aware to automate with bypassing MFA.
Service Accounts excluded with MFA accounts may put you in risk if these credentials are leaked and thus I will not suggest you to use it.
Can you please look into this post if Runbooks could help you on the same.

Thanks
Saurabh

Your answer

Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-05-27T18:19:01.417+00:00

Hi @Darryl ,

Thanks for using Microsoft Q&A !!
I have tried using the cmdlet and it works fine. I have used the command like below -

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule $schedule.Type = "Once" $schedule.StartDateTime = "2021-04-26T20:49:11.770Z" $schedule.endDateTime = "2022-07-25T20:49:11.770Z" Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -Schedule $schedule -ResourceId "<TenantId>" -RoleDefinitionId "29232cdf-9323-42fd-ade2-1d097af3e4de" -SubjectId "fd30f582-5613-450e-a75a-73f279aa82da" -AssignmentState "Eligible" -Type "AdminAdd"

Here, I am passing Tenant Guid as -ResourceId and user object id from Azure Portal as SubjectId.

Result -

Thanks
Saurabh
Darryl 256 Reputation points

2021-05-28T11:06:08.547+00:00

Hi,
I'm using MFA and usually the authenticator app on my phone. I'm using this article to get the token. I think it's not working as Azure is expecting my to authenticate using MFA which the powershell isn't doing (the link doesn't seem to have worked in my original post, apologies). The get-MSALToken cmd seems to work but i don't know what the ClientId should be, does this relate to an app in Azure?
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-02T20:03:01.347+00:00

Hi @Darryl ,
Thanks for sharing this one. I am checking on this and get back to you.

Thanks
Saurabh
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-10T23:06:26.72+00:00

Hi @Darryl ,

Sorry for the delay. Client id - 1b730954-1685-4b74-9bfd-dac224a7b894 which is for the Azure AD PowerShell client app and you can use the same in your script.
How are you currently running the script. Are you passing any other client id ?

Also, you may be getting this error because the role setting would have MFA required set. The solution is to login with MFA as shown in the blog. So, can you please check and change it before running the script.

Thanks
Saurabh
Darryl 256 Reputation points

2021-06-15T10:23:34.03+00:00

If I follow the blog I shouldn't have to authenticate using MFA, as it gets the token for me? I'm trying to automate something in Exchange, but because we have PIM and I need to request the Exchange role in Azure AD which requires me to authenticate using MFA.

Maybe i've misunderstood the blog.
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-15T14:50:24.083+00:00

@Darryl As per my understanding the blog is to "Get token for MS Graph by prompting for MFA" and you will be prompted for MFA authentication even if you do not have MFA enforced on the account.
I believe you already have MFA enforced on the account and you are prompted with MFA authentication even if you are not using the method mentioned in the blog.

Please let me know if you have any other questions.

Thanks
Saurabh
Darryl 256 Reputation points

2021-06-16T09:19:07.88+00:00

ok, maybe i've misunderstood what it was doing.
Is there a recommended way of automating maintenance scripts in Office365? maybe a service account without MFA?
Saurabh Sharma 23,846 Reputation points Microsoft Employee Moderator

2021-06-18T20:48:15.89+00:00

@Darryl sorry, none which I am aware to automate with bypassing MFA.
Service Accounts excluded with MFA accounts may put you in risk if these credentials are leaked and thus I will not suggest you to use it.
Can you please look into this post if Runbooks could help you on the same.

Thanks
Saurabh

Share via

script granting pim admin role in Azure AD with MFA

Your answer