Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access

Ravindra Shukla 116 Reputation points
2021-05-18T09:46:37.45+00:00

Hi,

I am working on a Microsoft Graph POC using a PowerShell script.

I am using the authorization code grant flow to get the access token to retrieve the emails from a shared mailbox using my user account. Whenever I provide my login credentials, it gives me the below error related to MFA.

    {
      "error": "invalid_grant",
      "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: 108e9b0b-55f8-4482-8341-3b29dd684100\r\nCorrelation ID: fc47f1d4-6011-4177-a0af-37d092dc8c18\r\nTimestamp: 2021-05-17 15:34:18Z",
      "error_codes": [50076],
      "timestamp": "2021-05-17 15:34:18Z",
      "trace_id": "108e9b0b-55f8-4482-8341-3b29dd684100",
      "correlation_id": "fc47f1d4-6011-4177-a0af-37d092dc8c18",
      "error_uri": "https://login.microsoftonline.com/error?code=50076",
      "suberror": "basic_action",
      "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"26e1b5cf-a948-4054-8b2e-7a6aec1f6ba3\"]}}}"
    }

How do I use MFA authentication in a PowerShell script, so that it prompts me with a window for MFA authentication?

Any pointers or help is much appreciated.

Thank you.

Microsoft Graph
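The AADSTS50076 response above is a claims challenge: the token endpoint refuses the grant and hands back a `claims` value that the client is expected to send, verbatim, as the `claims` query parameter on the next interactive authorize request, which is what makes the sign-in page enforce MFA. Below is an added PowerShell example (not code from the original post or from Microsoft's samples) that parses such an error body, builds a v2.0 authorize URL carrying an explicit Graph scope plus the `claims` parameter, and wraps the token request so a challenge comes back as data rather than as an exception. The tenant, client id and redirect URI are placeholders, and the sample error body is a constructed copy of the one in the question with the trace identifiers removed.

```powershell
# Added example (not code from the original thread). Handles the AADSTS50076 claims
# challenge: parse the token-endpoint error, take its "claims" value, and rebuild the
# interactive authorize URL with claims= so the sign-in enforces MFA.
# Tenant, client id and redirect URI used below are placeholders (assumptions).

function Get-TokenErrorClaims {
    # Returns the claims JSON string from a token-endpoint error body, or $null
    # when the error is not a claims challenge.
    param([Parameter(Mandatory)][string]$ErrorBody)
    $err = $ErrorBody | ConvertFrom-Json
    if ($err.error -eq 'invalid_grant' -and $err.claims) { return [string]$err.claims }
    return $null
}

function New-AuthorizeUrl {
    # Builds a v2.0 authorize URL. Naming the Graph scope here lets Conditional Access
    # evaluate the MFA requirement during the interactive sign-in instead of failing
    # later at the token endpoint; $Claims carries a challenge back for the retry.
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$RedirectUri,
        [string]$Scope = 'https://graph.microsoft.com/Mail.Read',
        [string]$State = [guid]::NewGuid().ToString(),
        [string]$Claims
    )
    $q = [ordered]@{
        client_id     = $ClientId
        response_type = 'code'
        response_mode = 'query'
        redirect_uri  = $RedirectUri
        scope         = $Scope
        state         = $State          # echoed back on the redirect; compare it before using the code
    }
    if ($Claims) { $q['claims'] = $Claims }   # the challenge from the error, verbatim
    $pairs = foreach ($k in $q.Keys) { '{0}={1}' -f $k, [Uri]::EscapeDataString($q[$k]) }
    return "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?" + ($pairs -join '&')
}

function Invoke-TokenRequest {
    # Posts the form to the v2.0 token endpoint. On an HTTP error the JSON error body is
    # returned as an object instead of being lost in the exception, so the caller can
    # look for a claims challenge.
    param([Parameter(Mandatory)][string]$Tenant, [Parameter(Mandatory)][hashtable]$Body)
    $uri = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
    try {
        return Invoke-RestMethod -Method Post -Uri $uri -Body $Body -ContentType 'application/x-www-form-urlencoded'
    } catch {
        if ($_.ErrorDetails.Message) { return ($_.ErrorDetails.Message | ConvertFrom-Json) }   # PowerShell 7
        if (-not $_.Exception.Response) { throw }                                               # not an HTTP error
        $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())  # Windows PowerShell 5.1
        return ($reader.ReadToEnd() | ConvertFrom-Json)
    }
}

# --- Offline demo on a constructed copy of the question's error body (trace ids removed) ---
$sampleError = @'
{"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.","error_codes":[50076],"suberror":"basic_action","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"26e1b5cf-a948-4054-8b2e-7a6aec1f6ba3\"]}}}"}
'@

$claims = Get-TokenErrorClaims -ErrorBody $sampleError
if ($claims) {
    $retryUrl = New-AuthorizeUrl -Tenant 'contoso.onmicrosoft.com' -ClientId '<your-client-id>' `
                                 -RedirectUri 'https://localhost:6000' -Claims $claims
    Write-Output "Re-run the interactive sign-in at:`n$retryUrl"
}
```

In a live run, open `$retryUrl` in the browser window, let the user complete MFA, then redeem the returned code with `Invoke-TokenRequest -Tenant $tenant -Body @{ grant_type = 'authorization_code'; client_id = ...; client_secret = ...; code = ...; redirect_uri = ...; scope = ... }` and check the result's `error` property before touching `access_token`; if it is another claims challenge, feed the new `claims` value through `New-AuthorizeUrl` again rather than retrying the token request blindly.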

4 answers

  1. Ravindra Shukla 116 Reputation points
    2021-05-19T15:04:58.953+00:00

    Can someone please help me with my above query, or redirect it to an appropriate team by tagging it, as I am stuck here.


  2. Glen Scales 4,431 Reputation points
    2021-05-19T23:38:33.197+00:00

    You should post the authentication code you're using. If you're using the authorization code flow then it should have gone through the MFA process before the auth code was issued, but it's hard to tell without seeing the code you're using.


  3. Ravindra Shukla 116 Reputation points
    2021-05-20T06:14:06.173+00:00

    Hi @Glen Scales

    Thank you for your reply.

    Yes, I am using authorization code grant flow. Below is the code snippet I am using for reference.

    function Show-OAuthWindow
    {
        param(
            [System.Uri]$Url
        )

        Add-Type -AssemblyName System.Windows.Forms

        $form = New-Object -TypeName System.Windows.Forms.Form -Property @{Width=440;Height=640}
        $web  = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{Width=420;Height=600;Url=($Url)}
        $DocComp = {
            # Close the window as soon as the redirect back to $redirectUrl carries ?code= or ?error=
            $Global:uri = $web.Url.AbsoluteUri
            if ($Global:uri -match "error=[^&]*|code=[^&]*") { $form.Close() }
        }
        $web.ScriptErrorsSuppressed = $true
        $web.Add_DocumentCompleted($DocComp)
        $form.Controls.Add($web)
        $form.Add_Shown({ $form.Activate() })
        $form.ShowDialog() | Out-Null

        # Turn the query string of the final redirect URL into a hashtable (code, state, error, ...)
        $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)
        $output = @{}
        foreach ($key in $queryOutput.Keys) {
            $output["$key"] = $queryOutput[$key]
        }

        $output
    }

    $tenant   = Read-Host "Enter your tenant id/name"
    $clientid = Read-Host "Enter your client id"
    # Read the secret masked; it is turned back into plain text only to build the token request body
    $secureSecret = Read-Host "Enter your client secret" -AsSecureString
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureSecret)
    $clientsecret = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $upn = Read-Host "Enter your upn name"

    Add-Type -AssemblyName System.Web
    $client_id     = "$clientid"
    $client_secret = "$clientsecret"
    $redirectUrl   = "https://localhost:6000"
    $userUPN       = "$upn"
    # The Graph permission to ask for; the same scope is used at the authorize and token endpoints
    $scope = "https://graph.microsoft.com/Mail.Read"

    # Authorize and token requests both go to the v2.0 endpoint of the same tenant
    $loginUrl = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize?response_type=code&redirect_uri=" +
                [System.Web.HttpUtility]::UrlEncode($redirectUrl) +
                "&client_id=$client_id" +
                "&scope=" + [System.Web.HttpUtility]::UrlEncode($scope) +
                "&prompt=login"

    $queryOutput = Show-OAuthWindow -Url $loginUrl

    $AuthorizationPostRequest =
        "grant_type=authorization_code" + "&" +
        "redirect_uri=" + [System.Web.HttpUtility]::UrlEncode($redirectUrl) + "&" +
        "client_id=$client_id" + "&" +
        "client_secret=" + [System.Web.HttpUtility]::UrlEncode("$client_secret") + "&" +
        "scope=" + [System.Web.HttpUtility]::UrlEncode($scope) + "&" +
        "code=" + $queryOutput["code"]

    #Requesting a token using the authorization code
    $Authorization = Invoke-RestMethod -Method Post -ContentType application/x-www-form-urlencoded -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -Body $AuthorizationPostRequest

    $mail = Invoke-RestMethod -Headers @{Authorization = ("Bearer " + $Authorization.access_token)} -Uri "https://graph.microsoft.com/v1.0/users/$userUPN/messages" -Method Get

    $mail.value | Select-Object -First 4 | Select-Object -ExpandProperty Subject
    

  4. Glen Scales 4,431 Reputation points
    2021-05-27T23:54:19.45+00:00

    Your code doesn't look correct to me, e.g. the authorization code should get returned in the body of the response, and with this line you're trying to parse it out of the query string of the response:

    $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)
    

    Maybe try something like

    function Show-OAuthWindow {
        [CmdletBinding()]
        param (
            [System.Uri]
            $Url
        )
        ## Start Code Attribution
        ## Show-AuthWindow function is the work of the following Authors and should remain with the function if copied into other scripts
        ## https://foxdeploy.com/2015/11/02/using-powershell-and-oauth/
        ## https://blogs.technet.microsoft.com/ronba/2016/05/09/using-powershell-and-the-office-365-rest-api-with-oauth/
        ## End Code Attribution
        Add-Type -AssemblyName System.Web
        Add-Type -AssemblyName System.Windows.Forms

        $Script:oAuthCode = $null   # reset so a cancelled sign-in cannot return a stale code from an earlier call
        $form = New-Object -TypeName System.Windows.Forms.Form -Property @{ Width = 440; Height = 640 }
        $web = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{ Width = 420; Height = 600; Url = ($Url) }
        $Navigated = {
            # With the urn:ietf:wg:oauth:2.0:oob redirect URI the response page carries the code inside a
            # document.location.replace(...) script in its body, so it is pulled from DocumentText, not from the URL.
            # "\\u0026" matches the literal \u0026 (an escaped "&") that separates code= from the next parameter.
            if ($web.DocumentText -match "document.location.replace") {
                $Script:oAuthCode = [regex]::match($web.DocumentText, "code=(.*?)\\u0026").Groups[1].Value
                $form.Close()
            }
        }
        $web.ScriptErrorsSuppressed = $true
        $web.Add_Navigated($Navigated)
        $form.Controls.Add($web)
        $form.Add_Shown( { $form.Activate() })
        $form.ShowDialog() | Out-Null
        return $Script:oAuthCode
    }
    

    which is what I use and I know this works.

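Both scripts in this thread drive an embedded WebBrowser control and then scrape the authorization code out of either the redirect URL or the page body. As an added example (not Glen's code and not the original poster's), the script below takes the other common route for a desktop script: open the system browser, listen on the loopback redirect URI with System.Net.HttpListener, read `code` from the query string, and check the `state` value before trusting it. It also sends a PKCE verifier/challenge so the script needs no client secret. The tenant, client id, shared mailbox address and port are placeholders, and the redirect URI must match one registered on the app under the Mobile and desktop (public client) platform.

```powershell
# Added example (not code from the thread). Loopback-redirect variant of the
# authorization code flow: the system browser handles sign-in and MFA, a local
# HttpListener receives the redirect, and the code is read from the query string
# only after the state value matches. PKCE replaces the client secret.
# Tenant, client id, mailbox address and port are placeholders (assumptions).
Add-Type -AssemblyName System.Web

function New-PkcePair {
    # RFC 7636: random verifier, S256 challenge, both base64url without padding.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $verifier  = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    $hash      = [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::ASCII.GetBytes($verifier))
    $challenge = [Convert]::ToBase64String($hash).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    return @{ Verifier = $verifier; Challenge = $challenge }
}

function Wait-AuthorizationCode {
    # Starts listening first, then opens the browser (so the redirect cannot race the
    # listener), answers the redirect with a small HTML page, and returns the code.
    # Error responses and state mismatches (a stale or forged redirect) are rejected.
    param(
        [Parameter(Mandatory)][string]$RedirectUri,    # must end with "/" for HttpListener
        [Parameter(Mandatory)][string]$ExpectedState,
        [Parameter(Mandatory)][string]$OpenUrl,
        [int]$TimeoutSeconds = 180
    )
    $listener = New-Object System.Net.HttpListener
    $listener.Prefixes.Add($RedirectUri)
    $listener.Start()
    try {
        $task = $listener.GetContextAsync()
        Start-Process $OpenUrl   # default browser; Conditional Access / MFA prompts happen here
        if (-not $task.Wait($TimeoutSeconds * 1000)) { throw "Timed out waiting for the redirect" }
        $ctx = $task.Result
        $qs  = [System.Web.HttpUtility]::ParseQueryString($ctx.Request.Url.Query)
        $body = [Text.Encoding]::UTF8.GetBytes('<html><body>Sign-in complete. You can close this window.</body></html>')
        $ctx.Response.ContentType = 'text/html'
        $ctx.Response.OutputStream.Write($body, 0, $body.Length)
        $ctx.Response.Close()
        if ($qs['error'])                    { throw "Authorize error $($qs['error']): $($qs['error_description'])" }
        if ($qs['state'] -ne $ExpectedState) { throw "state mismatch: redirect is not from this sign-in attempt" }
        if (-not $qs['code'])                { throw "Redirect carried no authorization code" }
        return $qs['code']
    }
    finally { $listener.Stop() }
}

# --- Flow (needs network and an app registration with this loopback redirect URI) ---
$tenant   = 'contoso.onmicrosoft.com'            # placeholder
$clientId = '<your-client-id>'                   # placeholder
$mailbox  = 'shared@contoso.onmicrosoft.com'     # placeholder shared mailbox UPN
$redirect = 'http://localhost:6000/'              # placeholder; register it under Mobile and desktop applications
$scope    = 'https://graph.microsoft.com/Mail.Read offline_access'   # offline_access adds a refresh token
$state    = [guid]::NewGuid().ToString()
$pkce     = New-PkcePair

$authorizeUrl = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize" +
    "?client_id=$clientId&response_type=code&response_mode=query" +
    "&redirect_uri=$([Uri]::EscapeDataString($redirect))" +
    "&scope=$([Uri]::EscapeDataString($scope))" +
    "&state=$state&code_challenge=$($pkce.Challenge)&code_challenge_method=S256"

$code = Wait-AuthorizationCode -RedirectUri $redirect -ExpectedState $state -OpenUrl $authorizeUrl

$token = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
    -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -Body @{
        grant_type    = 'authorization_code'
        client_id     = $clientId
        code          = $code
        redirect_uri  = $redirect
        code_verifier = $pkce.Verifier   # proves this client started the flow; no client_secret needed
        scope         = $scope
    }

$mail = Invoke-RestMethod -Method Get -Headers @{ Authorization = "Bearer $($token.access_token)" } `
    -Uri "https://graph.microsoft.com/v1.0/users/$mailbox/messages?`$top=4"
$mail.value | Select-Object -ExpandProperty subject
```

Because the authorize request names the Graph scope up front, a Conditional Access policy that requires MFA for Graph is enforced during the browser sign-in, so the token endpoint is not left to reject the code afterwards; if it still does, the response is the same claims-challenge shape as in the question and the `claims` value has to go back onto the authorize URL.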