GonWild-8986 asked GonWild-8986 answered

Azure Automation - Connect-AzureAD blocked by Conditional Access

Hello,
My PowerShell script in our Azure Automation account breaks at the very first line:

Connect-AzureAd : One or more errors occurred.: AADSTS53003: Access has been blocked by Conditional Access policies.
The access policy does not allow token issuance.

I'm successfully running scripts here that connect to SharePoint, but connecting to Exchange and AAD fails with the error above.
I investigated the sign-in logs and found nothing of this. Code used to connect is:

$Credentials = Get-AutomationPSCredential -Name 'AzureAutomationUser'
Connect-AzureAd -Credential $Credentials

What to tweak in conditional access to make this work?





Please provide the correlation or request id and timestamp provided by the error.

GonWild-8986 answered

I took a guess and added the user used in the script as excluded from our CA policy that blocks access from external IP addresses.
That made the automation script able to connect.

JonAlfredSmith-5004 answered alfredorevilla-msft commented

Never seen that error. Perhaps the error is due to older PowerShell modules that don't support MFA. For instance, do you use Exchange Online PowerShell V2?
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps

If that works, the same might apply to your module AzureAD
https://www.varonis.com/blog/connect-to-office-365-powershell/


Thanks for commenting.

Running these connections on-prem is fine. It's when I run them within our Azure Automation Account these things happen. The Exchange module is indeed v2, and has been working before. I'm thinking some of our Conditional Access policy is causing this, but not sure what that might be.


Please provide the correlation or request id and timestamp provided by the error to find what CA policy is being applied.

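The comments in this thread ask for the correlation or request ID and the timestamp from the error. As an added example (not code from the thread), the runbook wrapper below pulls those fields out of a failed Connect-AzureAd call so they can be matched against the sign-in logs and the Conditional Access policy that was applied. The helper function names, the "Trace ID / Correlation ID / Timestamp" field layout and the sample values are assumptions.

```powershell
# Added example, not from the thread: extract the identifiers requested in the comments.
function Get-ExceptionText {
    param([Parameter(Mandatory)][System.Exception]$Exception)
    # "One or more errors occurred" is the default AggregateException message,
    # so the AADSTS detail sits in a nested exception; gather every level.
    $text = @($Exception.Message)
    if ($Exception -is [System.AggregateException]) {
        foreach ($inner in $Exception.InnerExceptions) { $text += Get-ExceptionText -Exception $inner }
    } elseif ($Exception.InnerException) {
        $text += Get-ExceptionText -Exception $Exception.InnerException
    }
    $text -join "`n"
}

function Get-AadStsErrorDetail {
    param([Parameter(Mandatory)][string]$Message)
    $guid = '[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}'
    # Assumed field labels in the error text: "Trace ID:", "Correlation ID:", "Timestamp:".
    $patterns = [ordered]@{
        ErrorCode     = '(AADSTS\d+)'
        TraceId       = "Trace ID:\s*($guid)"
        CorrelationId = "Correlation ID:\s*($guid)"
        Timestamp     = 'Timestamp:\s*(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}Z?)'
    }
    $detail = [ordered]@{}
    foreach ($name in $patterns.Keys) {
        # -match is case-insensitive; a field that is absent stays $null instead of failing.
        $detail[$name] = if ($Message -match $patterns[$name]) { $Matches[1] } else { $null }
    }
    [pscustomobject]$detail
}

if (Get-Command Get-AutomationPSCredential -ErrorAction SilentlyContinue) {
    # Inside the runbook: the connect code from the question, wrapped in try/catch.
    try {
        $Credentials = Get-AutomationPSCredential -Name 'AzureAutomationUser'
        Connect-AzureAd -Credential $Credentials -ErrorAction Stop
    } catch {
        Get-AadStsErrorDetail -Message (Get-ExceptionText -Exception $_.Exception) | Format-List
        throw   # keep the job in a failed state after logging the identifiers
    }
} else {
    # Offline: constructed sample error text with placeholder GUIDs and timestamp.
    $sample = @(
        'One or more errors occurred.: AADSTS53003: Access has been blocked by Conditional Access policies.'
        'Trace ID: 00000000-0000-0000-0000-000000000001'
        'Correlation ID: 00000000-0000-0000-0000-000000000002'
        'Timestamp: 2020-01-01 00:00:00Z'
    ) -join "`n"
    Get-AadStsErrorDetail -Message $sample | Format-List
}
```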