question

0 Votes
RavindraShukla-2370 asked GlenScales-6756 answered

Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access

Hi,

I am working on Microsoft Graph POC using powershell script.

I am using the authorization code grant flow to get the access token to retrieve the emails from a shared mailbox using my user account. Whenever I provide my login credentials, it gives me the below error related to MFA.

 {"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: 108e9b0b-55f8-4482-8341-3b29dd684100\r\nCorrelation ID: fc47f1d4-6011-4177-a0af-37d092dc8c18\r\nTimestamp: 2021-05-17 15:34:18Z","error_codes":[50076],"timestamp":"2021-05-17 15:34:18Z","trace_id":"108e9b0b-55f8-4482-8341-3b29dd684100","correlation_id":"fc47f1d4-6011-4177-a0af-37d092dc8c18","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"26e1b5cf-a948-4054-8b2e-7a6aec1f6ba3\"]}}}"}


How can I use MFA authentication in a PowerShell script, so that it prompts me with a window for MFA authentication?

Any pointers or help is much appreciated.

Thank you.

microsoft-graph-sdk, microsoft-graph-mail, microsoft-graph-users
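The token response quoted above is a claims challenge: besides the AADSTS50076 code it carries a `claims` JSON that the client is expected to send back on the authorize request, so the user completes the step-up (MFA) the policy requires instead of the script retrying with the same credentials. The following PowerShell is an added example, not code from the question or from either poster; it parses such an error body and builds a v2.0 authorize URL (the same endpoint version as the token request) carrying the challenge, with the tenant, client id, redirect URI and Graph scope as assumed placeholder values.

```powershell
Add-Type -AssemblyName System.Web

function New-AuthorizeUrl {
    # Builds the v2.0 authorization-code request URL; $Claims, when present,
    # is the JSON claims challenge copied from the token endpoint's error body.
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$RedirectUri,
        [string]$Scope = 'https://graph.microsoft.com/Mail.Read offline_access',  # assumed scope
        [string]$Claims
    )
    # ParseQueryString('') yields a collection whose ToString() URL-encodes every value.
    $q = [System.Web.HttpUtility]::ParseQueryString('')
    $q['client_id']     = $ClientId
    $q['response_type'] = 'code'
    $q['redirect_uri']  = $RedirectUri
    $q['scope']         = $Scope
    if ($Claims) { $q['claims'] = $Claims }
    return "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?$($q.ToString())"
}

function Get-ClaimsChallenge {
    # Returns the claims JSON from a token-endpoint error body (in Windows PowerShell the
    # body of a failed Invoke-RestMethod call is in $_.ErrorDetails.Message of the caught
    # exception), or $null when the error carries no challenge.
    param([Parameter(Mandatory)][string]$ErrorBody)
    $err = $ErrorBody | ConvertFrom-Json
    if ($err.error -eq 'invalid_grant' -and $err.claims) { return $err.claims }
    return $null
}

# Constructed sample with the shape of the AADSTS50076 body in the question (placeholder policy id).
$sampleError = '{"error":"invalid_grant","error_codes":[50076],"suberror":"basic_action",' +
               '"claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"00000000-0000-0000-0000-000000000000\"]}}}"}'

$challenge = Get-ClaimsChallenge -ErrorBody $sampleError
# Placeholder tenant, client id and redirect URI; replace with the app registration's values.
$retryUrl  = New-AuthorizeUrl -Tenant 'contoso.onmicrosoft.com' -ClientId '<client-id>' `
                              -RedirectUri 'https://localhost:6000' -Claims $challenge
$retryUrl   # hand this URL to the sign-in window (e.g. Show-OAuthWindow) instead of the original one
```

Exchanging the code returned from this second sign-in at the tenant's v2.0 token endpoint yields a token that satisfies the policy; a retry without the `claims` parameter produces the same AADSTS50076 response.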

0 Votes
RavindraShukla-2370 answered RavindraShukla-2370 edited

Can someone please help me with my above query or redirect it to the appropriate team by tagging it, as I am stuck here.


0 Votes
GlenScales-6756 answered

You should post the authentication code you're using. If you're using the authorization code flow, then it should have gone through the MFA process before the auth code was issued. But it's hard to tell without seeing the code you're using.


0 Votes
RavindraShukla-2370 answered RavindraShukla-2370 edited

Hi @GlenScales-6756

Thank you for your reply.

Yes, I am using authorization code grant flow. Below is the code snippet I am using for reference.

 Function Show-OAuthWindow
 {
     param(
         [System.Uri]$Url
     )

     Add-Type -AssemblyName System.Windows.Forms

     # Host the sign-in page in an embedded browser and close the form as soon as the
     # redirect URL carries either an authorization code or an error.
     $form = New-Object -TypeName System.Windows.Forms.Form -Property @{Width=440;Height=640}
     $web  = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{Width=420;Height=600;Url=($Url) }
     $DocComp  = {
         $Global:uri = $web.Url.AbsoluteUri
         if ($Global:Uri -match "error=[^&]*|code=[^&]*") {$form.Close() }
     }
     $web.ScriptErrorsSuppressed = $true
     $web.Add_DocumentCompleted($DocComp)
     $form.Controls.Add($web)
     $form.Add_Shown({$form.Activate()})
     $form.ShowDialog() | Out-Null

     # Return the redirect URL's query parameters (code, state, error, ...) as a hashtable.
     $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)
     $output = @{}
     foreach($key in $queryOutput.Keys){
         $output["$key"] = $queryOutput[$key]
     }

     $output
 }

 $tenant = Read-Host "Enter your tenant id/name"
 $clientid = Read-Host "Enter your client id"
 # Read as plain text: the secret is URL-encoded into the token request body below.
 $clientsecret = Read-Host "Enter your client secret"
 $upn = Read-Host "Enter your upn name"

 Add-Type -AssemblyName System.Web
 $client_id = "$clientid"
 $client_secret = "$clientsecret"
 $redirectUrl = "https://localhost:6000"
 $userUPN = "$upn"

 # Note: the authorize request goes to the v1.0 endpoint of the "common" tenant with no
 # resource parameter, while the token request below uses the tenant's v2.0 endpoint.
 $loginUrl = "https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=" +
             [System.Web.HttpUtility]::UrlEncode($redirectUrl) +
             "&client_id=$client_id" +
             "&prompt=login"

 $queryOutput = Show-OAuthWindow -Url $loginUrl

 $AuthorizationPostRequest =
     "grant_type=authorization_code" + "&" +
     "redirect_uri=" + [System.Web.HttpUtility]::UrlEncode($redirectUrl) + "&" +
     "client_id=$client_id" + "&" +
     "client_secret=" + [System.Web.HttpUtility]::UrlEncode("$client_secret") + "&" +
     "code=" + $queryOutput["code"]

 #Requesting a token using the authorization code
 $Authorization = Invoke-RestMethod -Method Post -ContentType "application/x-www-form-urlencoded" -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -Body $AuthorizationPostRequest

 # Call Graph with the bearer token and list the mailbox's messages
 $mail = Invoke-RestMethod -Headers @{Authorization =("Bearer "+ $Authorization.access_token)} -Uri "https://graph.microsoft.com/v1.0/users/$userUPN/messages" -Method Get

 $mail.value | Select-Object -first 4 | Select-Object -ExpandProperty Subject


0 Votes
GlenScales-6756 answered

Your code doesn't look correct to me, e.g. the authorization code should get returned in the body of the response, and with this line you're trying to parse it out of the query string of the response:

 $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)

Maybe try something like

 function Show-OAuthWindow {
     [CmdletBinding()]
     param (
         [System.Uri]
         $Url
        
     )
     ## Start Code Attribution
     ## Show-AuthWindow function is the work of the following Authors and should remain with the function if copied into other scripts
     ## https://foxdeploy.com/2015/11/02/using-powershell-and-oauth/
     ## https://blogs.technet.microsoft.com/ronba/2016/05/09/using-powershell-and-the-office-365-rest-api-with-oauth/
     ## End Code Attribution
     Add-Type -AssemblyName System.Web
     Add-Type -AssemblyName System.Windows.Forms
    
     $form = New-Object -TypeName System.Windows.Forms.Form -Property @{ Width = 440; Height = 640 }
     $web = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{ Width = 420; Height = 600; Url = ($url) }
     $Navigated = {
       if($web.DocumentText -match "document.location.replace"){
         $Script:oAuthCode = [regex]::match($web.DocumentText, "code=(.*?)\\u0026").Groups[1].Value
         $form.Close();
       }
     }    
     $web.ScriptErrorsSuppressed = $true
     $web.Add_Navigated($Navigated)
     $form.Controls.Add($web)
     $form.Add_Shown( { $form.Activate() })
     $form.ShowDialog() | Out-Null
     return $Script:oAuthCode
 }

which is what I use, and I know this works


