PowerShell Connect to MicrosoftTeams with MFA user

Simon Shaw 6 Reputation points
2021-05-24T10:53:23.52+00:00

I am trying to use PowerShell to connect to Microsoft Teams with an admin user that is configured with MFA.
Connect-MicrosoftTeams seems to complete successfully with the following output:

    Account               Environment Tenant                               TenantId
    -------               ----------- ------                               --------
    mfaadmin@mydomain.net AzureCloud  44cbfb1e-xxxx-xxxx-xxxx-xxxxxxxxxxxx 44cbfb1e-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Whatever command I try to run fails with the following error:

    Get-CsCloudMeetingPolicy
    Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
    At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
    +     $remoteSession = & (Get-CsOnlineSessionCommand)
    +                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
    + FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
    Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument
    that is not null or empty, and then try the command again.
    At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
    + ...    -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand

The user is a new user that has the Global Admin role and is configured with MFA. This is the only user in the tenant that is configured this way.
On my tenant I added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.

I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.

    # App registration credentials
    $clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
    $clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
    $tenantName = "mydomain.onmicrosoft.com"
    $resource = "https://graph.microsoft.com/"   # defined but not used below
    # Client-credentials token request for the Microsoft Graph default scope
    $tokenBody = @{
        Grant_Type    = "client_credentials"
        Scope         = "https://graph.microsoft.com/.default"
        Client_Id     = $clientId
        Client_Secret = $clientSecret
    }
    $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody
    # Hand the token to the Teams module together with the MFA admin's account ID
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net

When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the PowerShell commands (that I tested with).
What am I missing here?

Thanks in advance.
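
A diagnostic for the script in the question, as an added example that is not part of the original post or of the MicrosoftTeams module: it decodes the payload of a token such as `$tokenResponse.access_token` to show its audience, whether it carries app roles or delegated scopes, and whether it contains a user identity and authentication-method (`amr`) claims. The helper names `ConvertFrom-Base64Url`, `ConvertTo-Base64Url` and `Get-JwtClaimSummary` are hypothetical, and the sample token is constructed and unsigned so the block runs offline.

```powershell
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # base64url -> base64: swap the URL-safe alphabet back and restore padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaimSummary {
    param([Parameter(Mandatory)][string]$Token)
    # Inspection only: the signature is not validated here.
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature).' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    [pscustomobject]@{
        Audience    = $claims.aud
        AppId       = if ($claims.appid) { $claims.appid } else { $claims.azp }
        User        = $claims.upn
        AppRoles    = $claims.roles -join ' '   # application permissions
        Scopes      = $claims.scp               # delegated permissions
        AuthMethods = $claims.amr -join ' '     # e.g. 'pwd mfa' on user tokens
        # No delegated scopes and no user means an app-only token
        AppOnly     = (-not $claims.scp) -and (-not $claims.upn)
        ExpiresUtc  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed sample: claims shaped like a client-credentials token (placeholder IDs).
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'
    roles = @('Policy.Read.All')
    exp   = 1900000000
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig'

Get-JwtClaimSummary -Token $sample | Format-List
```

To inspect the real token, replace `$sample` with `$tokenResponse.access_token` after the token request has run.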


2 answers

  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-05-24T15:58:46.693+00:00

    Hello @Simon Shaw ,

    Thanks for reaching out.

    This is more related to the MicrosoftTeams module than to MFA (Multi-Factor Authentication), hence I would recommend that you post your queries on the MS Teams forum.

    In addition to that, here are some suggestions based on my research: the Teams PowerShell module requires PowerShell 5.1, but many issues are fixed in the latest version of PowerShell, version 7. Therefore, I would recommend that you try installing PS version 7 and test the outcome.

    It's worth referring to the following ongoing MS Teams forum thread, which is related to the above exception `UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession`.

    Hope this helps.


  2. Sharon Zhao-MSFT 25,056 Reputation points Microsoft Vendor
    2021-05-25T02:40:30.917+00:00

    @Simon Shaw ,

    I tested the two scenarios. The results are the same as yours. One is for an admin with MFA and another is for an admin without MFA. It only works for the admin without MFA.

    I didn't find a related known issue on Microsoft Teams for now. I will try to search for some valuable information. If there is any update, I will share it with you. Thanks for your patience and understanding.
