SimonShaw-5232 asked Roger-2715 edited

PowerShell Connect to MicrosoftTeams with MFA user

I am trying to use PowerShell to connect to Microsoft Teams with an admin user that is configured with MFA.
Connect-MicrosoftTeams seems to complete successfully, with the following output:

 Account               Environment Tenant                               TenantId
 -------               ----------- ------                               --------
 mfaadmin@mydomain.net AzureCloud  44cbfb1e-xxxx-xxxx-xxxx-xxxxxxxxxxxx 44cbfb1e-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Whatever command I try to run fails with the following error:

    Get-CsCloudMeetingPolicy
    Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
    At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
    +     $remoteSession = & (Get-CsOnlineSessionCommand)
    +                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
    + FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
    Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument
    that is not null or empty, and then try the command again.
    At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:2975 char:38
    + ...    -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsCloudM ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand

The user is a new user, has the role global admin and is configured with MFA. This is the only user in the tenant that is configured this way.
On my tenant I added a new App Registration which was allocated the Application (client) ID of "71045f16-xxxx-xxxx-xxxx-xxxx".
To this App Registration I added a new secret that was assigned the Secret ID "314e6c61-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" and the value "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx".
I also added Policy.Read.All API Permission.

I then ran the following script which acquires the access_token that is used in the Connect-MicrosoftTeams command.

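 # App registration credentials (redacted in the post)
 $clientId = "71045f16-xxxx-xxxx-xxxx-xxxx"
 $clientSecret = "YDjZy--xx~xxxxxxxxxxxxxxx.xx.xxxxx"
 $tenantName = "mydomain.onmicrosoft.com"
 $resource = "https://graph.microsoft.com/"   # defined but not used below
 # Body of an OAuth 2.0 client credentials request for the Microsoft Graph default scope
 $tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
 }
 # Request the token from the tenant's v2.0 token endpoint
 $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody
 Import-Module MicrosoftTeams
 # Pass the returned access token together with the MFA admin's account name
 Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token -AccountId mfaadmin@mydomain.net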

When I run the Connect-MicrosoftTeams command with the standard credentials parameters, I am able to call all the PowerShell commands (that I tested with).
What am I missing here?

Thanks in advance.
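
A diagnostic for the script in the question, as an added example that is not part of the original post: a token issued by the client credentials grant identifies the application rather than a user, and decoding its claims (without verifying the signature) shows the audience and identity it actually carries. The function names, the sample token and the `scp`/`roles` classification heuristic are assumptions made for illustration.

```powershell
# Added example: decode the claims of a JWT access token for troubleshooting.
# The signature is NOT verified, so never use this to make trust decisions.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {               # restore the padding base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-AccessTokenSummary {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # Heuristic (assumption): delegated tokens carry 'scp';
    # app-only tokens carry 'roles' and no 'scp'.
    $kind = if ($claims.scp) { 'delegated (user)' } else { 'app-only' }
    [pscustomobject]@{
        Audience   = $claims.aud
        TokenKind  = $kind
        ClientId   = if ($claims.appid) { $claims.appid } else { $claims.azp }
        User       = $claims.upn
        Scopes     = $claims.scp
        Roles      = $claims.roles -join ' '
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed sample token (not a real credential) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'   # placeholder client ID
    roles = @('Policy.Read.All')
    exp   = 1893456000                               # 2030-01-01T00:00:00Z
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'),
                           (ConvertTo-Base64Url $payload), 'constructed-signature'

Get-AccessTokenSummary -AccessToken $sample   # TokenKind: app-only, User: empty
```

To inspect the token from the script above, pass `$tokenResponse.access_token` as `-AccessToken` and avoid writing the raw token to logs.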


Dude. Thanks for posting, @SimonShaw-5232. Same issue here. Tried new versions of the MicrosoftTeams module, PowerShell, etc. No dice. Heading over to MS Teams forum assuming it's a module issue...

UPDATE: Yup - it's in the Teams forum here: https://techcommunity.microsoft.com/t5/teams-developer/authenticating-with-an-access-token-connect-microsoftteams/m-p/2233794

0 Votes 0 ·
sikumars-msft answered

Hello @SimonShaw-5232,

Thanks for reaching out.

This is more related to the MicrosoftTeams module than to MFA (Multi-Factor Authentication), hence I would recommend that you post your queries on the MS Teams forum.

In addition to that, here are some suggestions based on my research: the Teams PowerShell module requires PowerShell 5.1, but many issues are fixed in the latest version of PowerShell, version 7. Therefore, I would recommend that you try installing PS version 7 and test the outcome.

It's worth referring to the following ongoing MS Teams forum thread, which is related to the above exception UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

SharonZhao-MSFT answered SharonZhao-MSFT commented

@SimonShaw-5232,

I tested the two scenarios. The results are the same as yours. One is for an admin with MFA and another is for an admin without MFA. It only works for the admin without MFA.

I didn't find a related known issue on Microsoft Teams now. I will try to search for some valuable information. If there is any update, I will share it with you. Thanks for your patience and understanding.


If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



@SimonShaw-5232,
Please try to run Connect-MicrosoftTeams without AccountId. I tested this in my lab. It works properly.
99344-image.png


0 Votes 0 ·

I am specifically trying to connect with a user that is configured with MFA.
The Connect-MicrosoftTeams command in the screenshot does not have any parameters (not even the access token). I guess that it is connecting with parameters that you previously entered; perhaps you didn't run the Disconnect-MicrosoftTeams command before running the connect command.
I tried using just the AadAccessToken parameter; however, the script asked me to provide an AccountId:

 Connect-MicrosoftTeams -AadAccessToken $tokenResponse.access_token
 cmdlet Connect-MicrosoftTeams at command pipeline position 1
 Supply values for the following parameters:
 AccountId:


0 Votes 0 ·

@SimonShaw-5232,
I run Disconnect-MicrosoftTeams before running the connect command. Then, it will pop up the window as below:
99649-image.png


1 Vote 1 ·

Thanks for your response. I am developing a server side unattended non-interactive script, hence I cannot use a window popup.

0 Votes 0 ·

@SimonShaw-5232,
If so, we recommend that you open a service request about this problem to get more efficient support. Thanks for your understanding.

0 Votes 0 ·