Can someone please help me with my above query or redirect it to an appropriate team by tagging it, as I got stuck here.
Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
Hi,
I am working on Microsoft Graph POC using powershell script.
I am using the authorization grant flow to get an access token to retrieve the emails from a shared mailbox using my user account. Whenever I provide my login credentials, it gives me the below error related to MFA.
{
  "error": "invalid_grant",
  "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: 108e9b0b-55f8-4482-8341-3b29dd684100\r\nCorrelation ID: fc47f1d4-6011-4177-a0af-37d092dc8c18\r\nTimestamp: 2021-05-17 15:34:18Z",
  "error_codes": [50076],
  "timestamp": "2021-05-17 15:34:18Z",
  "trace_id": "108e9b0b-55f8-4482-8341-3b29dd684100",
  "correlation_id": "fc47f1d4-6011-4177-a0af-37d092dc8c18",
  "error_uri": "https://login.microsoftonline.com/error?code=50076",
  "suberror": "basic_action",
  "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"26e1b5cf-a948-4054-8b2e-7a6aec1f6ba3\"]}}}"
}
How do I use MFA authentication in a PowerShell script, so that it prompts me with a window for MFA authentication?
Any pointers or help is much appreciated.
Thank you.
4 answers
Glen Scales 4,431 Reputation points
2021-05-19T23:38:33.197+00:00 You should post the authentication code you're using. If you're using authorization code flow then it should have gone through the MFA process before the auth code was issued. But it's hard to tell without seeing the code you're using.
Ravindra Shukla 116 Reputation points
2021-05-20T06:14:06.173+00:00 Hi @Glen Scales
Thank you for your reply.
Yes, I am using the authorization code grant flow. Below is the code snippet I am using, for reference.
Function Show-OAuthWindow {
    param(
        [System.Uri]$Url
    )
    Add-Type -AssemblyName System.Windows.Forms
    $form = New-Object -TypeName System.Windows.Forms.Form -Property @{Width=440;Height=640}
    $web  = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{Width=420;Height=600;Url=($url)}
    # Close the form as soon as the browser lands on a URL that carries a code or an error
    $DocComp = {
        $Global:uri = $web.Url.AbsoluteUri
        if ($Global:Uri -match "error=[^&]*|code=[^&]*") { $form.Close() }
    }
    $web.ScriptErrorsSuppressed = $true
    $web.Add_DocumentCompleted($DocComp)
    $form.Controls.Add($web)
    $form.Add_Shown({ $form.Activate() })
    $form.ShowDialog() | Out-Null
    $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)
    $output = @{}
    foreach ($key in $queryOutput.Keys) { $output["$key"] = $queryOutput[$key] }
    $output
}

$tenant       = Read-Host "Enter your tenant id/name"
$clientid     = Read-Host "Enter your client id"
$clientsecret = Read-Host "Enter your client secret"
ConvertTo-SecureString -AsPlainText $clientsecret -Force   # result is not used further down
$upn          = Read-Host "Enter your upn name"
Add-Type -AssemblyName System.Web
$client_id     = "$clientid"
$client_secret = "$clientsecret"
$redirectUrl   = "https://localhost:6000"
$userUPN       = "$upn"
$loginUrl = "https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=" + [System.Web.HttpUtility]::UrlEncode($redirectUrl) + "&client_id=$client_id" + "&prompt=login"
$queryOutput = Show-OAuthWindow -Url $loginUrl
$AuthorizationPostRequest = "grant_type=authorization_code" + "&" + "redirect_uri=" + [System.Web.HttpUtility]::UrlEncode($redirectUrl) + "&" + "client_id=$client_id" + "&" + "client_secret=" + [System.Web.HttpUtility]::UrlEncode("$client_secret") + "&" + "code=" + $queryOutput["code"]
# Requesting a token using the authorization code
$Authorization = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -Body $AuthorizationPostRequest
$mail = Invoke-RestMethod -Headers @{Authorization = ("Bearer " + $Authorization.access_token)} -Uri "https://graph.microsoft.com/v1.0/users/$userUPN/messages" -Method Get
$mail.value | Select-Object -First 4 | Select-Object -ExpandProperty Subject
Glen Scales 4,431 Reputation points
2021-05-27T23:54:19.45+00:00 Your code doesn't look correct to me, e.g. the authorization code should get returned in the body of the response, and with this line you're trying to parse it out of the query string of the response
$queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)
Maybe try something like
function Show-OAuthWindow {
    [CmdletBinding()]
    param (
        [System.Uri] $Url
    )
    ## Start Code Attribution
    ## Show-AuthWindow function is the work of the following Authors and should remain with the function if copied into other scripts
    ## https://foxdeploy.com/2015/11/02/using-powershell-and-oauth/
    ## https://blogs.technet.microsoft.com/ronba/2016/05/09/using-powershell-and-the-office-365-rest-api-with-oauth/
    ## End Code Attribution
    Add-Type -AssemblyName System.Web
    Add-Type -AssemblyName System.Windows.Forms
    $form = New-Object -TypeName System.Windows.Forms.Form -Property @{ Width = 440; Height = 640 }
    $web  = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{ Width = 420; Height = 600; Url = ($url) }
    $Navigated = {
        if ($web.DocumentText -match "document.location.replace") {
            $Script:oAuthCode = [regex]::match($web.DocumentText, "code=(.*?)\\u0026").Groups[1].Value
            $form.Close();
        }
    }
    $web.ScriptErrorsSuppressed = $true
    $web.Add_Navigated($Navigated)
    $form.Controls.Add($web)
    $form.Add_Shown( { $form.Activate() })
    $form.ShowDialog() | Out-Null
    return $Script:oAuthCode
}
which is what I use and I know this works
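As an added, worked example that is not from either poster in this thread: the script below runs the authorization-code flow against the Microsoft identity platform v2.0 endpoints with PKCE, opens the system browser for the sign-in (which is where the MFA prompt happens), catches the redirect on a loopback listener, and, if the token endpoint still answers with a claims challenge like the AADSTS50076 body quoted in the question, replays that `claims` value to the authorize endpoint so the user is prompted interactively. The tenant, client id, redirect URI (`http://localhost:6000`, assumed to be registered under the app's "Mobile and desktop applications" platform) and the shared mailbox address are placeholders; `Mail.Read.Shared` is assumed to be the delegated scope you want for a mailbox the signed-in user has been granted access to. It is written for Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not the poster's or Glen's code): auth-code flow with PKCE on the
# v2.0 endpoints, redeeming the code and replaying an AADSTS50076 claims challenge
# interactively so MFA is actually prompted. Values below are placeholders.
Add-Type -AssemblyName System.Web

$tenant      = 'contoso.onmicrosoft.com'                 # placeholder tenant
$clientId    = '00000000-0000-0000-0000-000000000000'    # placeholder app (client) id
$redirectUri = 'http://localhost:6000'                   # assumed registered as a desktop/loopback URI
# Mail.Read.Shared: delegated scope for mailboxes the user has been granted access to (assumption).
$scope       = 'https://graph.microsoft.com/Mail.Read.Shared offline_access'

function New-PkcePair {
    # RFC 7636: code_challenge = base64url(SHA-256(code_verifier)), no '=' padding.
    $bytes = New-Object byte[] 32
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $toB64Url  = { param($b) [Convert]::ToBase64String($b).TrimEnd('=').Replace('+','-').Replace('/','_') }
    $verifier  = & $toB64Url $bytes
    $challenge = & $toB64Url ([Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::ASCII.GetBytes($verifier)))
    [pscustomobject]@{ Verifier = $verifier; Challenge = $challenge }
}

function New-AuthorizeUrl {
    param([string]$CodeChallenge, [string]$State, [string]$Claims)
    $q = [Web.HttpUtility]::ParseQueryString('')   # HttpValueCollection: ToString() URL-encodes for us
    $q['client_id']             = $clientId
    $q['response_type']         = 'code'
    $q['redirect_uri']          = $redirectUri
    $q['response_mode']         = 'query'   # the code arrives in the redirect's query string
    $q['scope']                 = $scope    # naming the Graph scope here lets the Graph CA policy (MFA) run at sign-in
    $q['state']                 = $State
    $q['code_challenge']        = $CodeChallenge
    $q['code_challenge_method'] = 'S256'
    if ($Claims) { $q['claims'] = $Claims } # replay of a claims challenge returned by the token endpoint
    "https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize?$($q.ToString())"
}

function Get-CodeFromRedirect {
    param([Uri]$Uri, [string]$ExpectedState)
    $q = [Web.HttpUtility]::ParseQueryString($Uri.Query)
    if ($q['error']) { throw "authorize failed: $($q['error']): $($q['error_description'])" }
    if ($q['state'] -ne $ExpectedState) { throw 'state mismatch: dropping response (possible CSRF)' }
    $q['code']
}

function Redeem-Code {
    # Returns the token endpoint's JSON as an object, whether it is a token or an error body.
    param([string]$Code, [string]$Verifier)
    $body = @{ grant_type = 'authorization_code'; client_id = $clientId; code = $Code
               redirect_uri = $redirectUri; scope = $scope; code_verifier = $Verifier }   # no client_secret: public client + PKCE
    try {
        Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" `
            -ContentType 'application/x-www-form-urlencoded' -Body $body
    } catch {
        $_.ErrorDetails.Message | ConvertFrom-Json   # AAD error JSON: error, suberror, claims, ...
    }
}

function Invoke-InteractiveSignIn {
    param([string]$Claims)
    $pkce  = New-PkcePair
    $state = [guid]::NewGuid().ToString('N')
    $listener = New-Object Net.HttpListener
    $listener.Prefixes.Add("$redirectUri/")
    $listener.Start()
    try {
        Start-Process (New-AuthorizeUrl -CodeChallenge $pkce.Challenge -State $state -Claims $Claims)  # default browser: sign-in and MFA happen here
        $ctx  = $listener.GetContext()                                                               # blocks until AAD redirects back
        $code = Get-CodeFromRedirect -Uri $ctx.Request.Url -ExpectedState $state
        $msg  = [Text.Encoding]::UTF8.GetBytes('Signed in. You can close this tab.')
        $ctx.Response.OutputStream.Write($msg, 0, $msg.Length); $ctx.Response.Close()
    } finally { $listener.Stop() }
    Redeem-Code -Code $code -Verifier $pkce.Verifier
}

function Get-GraphAccessToken {
    $result = Invoke-InteractiveSignIn
    if ($result.claims) {
        # Claims challenge (e.g. AADSTS50076 / suberror basic_action) cannot be satisfied
        # non-interactively: repeat the browser step passing the claims JSON back verbatim.
        $result = Invoke-InteractiveSignIn -Claims $result.claims
    }
    if (-not $result.access_token) { throw ($result | ConvertTo-Json -Compress) }
    $result.access_token
}

$token = Get-GraphAccessToken
$mail  = Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } `
    -Uri 'https://graph.microsoft.com/v1.0/users/shared@contoso.com/messages?$top=4&$select=subject'   # placeholder shared mailbox
$mail.value.subject
```

Two points worth noting against the thread above. With a URL redirect URI and `response_mode=query`, the authorization code does come back in the query string of the redirect, so parsing `$Uri.Query` is correct for that setup; Glen's `document.location.replace` regex is for the case where the redirect target is a page that embeds the code in its HTML instead. And because the example asks for the Graph scope in the authorize request, the conditional access policy protecting Graph is evaluated while the user is still in the browser, where MFA can be completed; if the token endpoint nevertheless returns a `claims` member, the only correct response is to go back to the browser with that value, which is what `Get-GraphAccessToken` does once.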