
Unexpected exception returned from msal #17

Closed
jbclarkman opened this issue Dec 8, 2022 · 2 comments
Labels
bug This issue or pull request addresses broken functionality public-reported This issue is reported by the public users of the tool.

Comments

@jbclarkman

🐛 Summary

When attempting to scan AAD, multiple AAD prompts occur even though the account being used is a Global Reader or even Global Admin and the enterprise application has the appropriate consent granted for the organization. This occurs during the "Running the AAD Provider; 1 of 1 Product settings extracted" process. If you respond to the constant authentication prompts about 20 times, one of two things will occur.

  1. PowerShell will eventually return an error saying "Unexpected exception returned from msal".
  2. MS logon will deny logging in with an error that says: "We couldn't sign you in, please try again later". Selecting the option for "use another account" and supplying the same credentials will result in the error above from Item #1.

To reproduce

Steps to reproduce the behavior:

  1. RunSCUBA.ps1 with logon=True and products including AAD.

Expected behavior

Should complete the AAD check

Any helpful log output or screenshots

ERROR when getting the MS "we couldn't sign you in..."

Export-AADProvider : Check the second error message below and if it appears to be related to permissions, your user
account must have a minimum of Global Reader role to run this script. You must also get an administrator to consent to
the required MS Graph Powershell application permissions. View the README file for detailed instructions and then try again.
At C:\temp2\ScubaGear-main\PowerShell\ScubaGear\Modules\Orchestrator.psm1:154 char:31
+ $RetVal = Export-AADProvider | Select-Object -Las ...
+                               ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-AADProvider

Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance : Code: generalException
Message: Unexpected exception returned from MSAL.
At C:\temp2\ScubaGear-main\PowerShell\ScubaGear\Modules\Providers\ExportAADProvider.psm1:221 char:34

+ ... gnments = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstan ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgRoleManag...leInstance_List], AuthenticationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgRoleManagementDirectoryRoleAssignmentScheduleInstance_List

ERROR when just clicking on the authentication account about 20 times.
PS C:\temp2\ScubaGear-main> .\RunSCuBA.ps1
Export-AADProvider : Check the second error message below and if it appears to be related to permissions, your user
account must have a minimum of Global Reader role to run this script. You must also get an administrator to consent to
the required MS Graph Powershell application permissions. View the README file for detailed instructions and then try again.
At C:\temp2\ScubaGear-main\PowerShell\ScubaGear\Modules\Orchestrator.psm1:154 char:31
+ $RetVal = Export-AADProvider | Select-Object -Las ...
+                               ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-AADProvider

Get-MgUser : Code: generalException
Message: Unexpected exception returned from MSAL.
At C:\temp2\ScubaGear-main\PowerShell\ScubaGear\Modules\Providers\ExportAADProvider.psm1:120 char:17

+ ... $AADUser = Get-MgUser -ErrorAction Stop -UserId $User.Id
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgUser_Get], AuthenticationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get

@ethanb-cisa
Contributor

@jbclarkman thanks for opening an issue. Can you run Disconnect-MgGraph and try again? The infinite AAD sign-in loop is something we've encountered before and plan to add it to the README in our next release.

Usually Disconnect-MgGraph fixes the loop condition.

@ethanb-cisa ethanb-cisa added the bug This issue or pull request addresses broken functionality label Dec 8, 2022
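The loop described above is what a stale or mismatched Microsoft Graph session looks like from the outside: a cached context for another account or tenant keeps being reused, every Graph cmdlet fails authentication, and the interactive prompt comes back. The following pre-flight script is an added example, not ScubaGear code: it inspects the current session with Get-MgContext, disconnects it when the tenant or the consented scopes do not match what the scan needs, reconnects requesting only those scopes, and verifies the session with a single Graph call before the real scan is started. The scope list and the tenant id are placeholders for illustration; the scopes ScubaGear actually requires are the ones in its README, not this list.

```powershell
# Added example (not part of ScubaGear): clear a stale Graph session before a scan
# so a cached token for the wrong account/tenant cannot cause repeated sign-in
# prompts and an MSAL "generalException". Requires Microsoft.Graph.Authentication.

# Illustrative scopes only; use the set documented in the ScubaGear README.
$RequiredScopes   = @('User.Read.All', 'RoleManagement.Read.Directory')
$ExpectedTenantId = '<your-tenant-id>'   # placeholder, replace with your tenant id

$Context = Get-MgContext
if ($null -ne $Context) {
    # A session exists. Decide whether it is the right one before trusting it.
    $Missing = @($RequiredScopes | Where-Object { $Context.Scopes -notcontains $_ })
    if ($Context.TenantId -ne $ExpectedTenantId -or $Missing.Count -gt 0) {
        Write-Host ("Existing Graph session for {0} in tenant {1} is unusable " +
                    "(missing scopes: {2}); disconnecting." -f
                    $Context.Account, $Context.TenantId, ($Missing -join ', '))
        # This is the step that breaks the sign-in loop reported in the issue.
        Disconnect-MgGraph | Out-Null
    }
    else {
        Write-Host "Reusing Graph session for $($Context.Account)."
    }
}

if ($null -eq (Get-MgContext)) {
    # Interactive sign-in requesting only the scopes the scan needs (least privilege).
    Connect-MgGraph -Scopes $RequiredScopes -ErrorAction Stop
}

# Verify consent actually landed before invoking the cmdlets that failed in the report.
$Context      = Get-MgContext
$StillMissing = @($RequiredScopes | Where-Object { $Context.Scopes -notcontains $_ })
if ($StillMissing.Count -gt 0) {
    throw "Graph session lacks consented scopes: $($StillMissing -join ', '). An administrator must grant consent."
}

# One cheap call proves the token is accepted by Graph; Get-MgUser is the cmdlet
# that threw AuthenticationException in the issue above.
Get-MgUser -Top 1 -ErrorAction Stop | Out-Null
Write-Host "Graph session verified for $($Context.Account); safe to run .\RunSCuBA.ps1"
```

Running this before RunSCuBA.ps1 turns the silent token-cache mismatch into an explicit message naming the account, tenant and missing scopes, which is also what an operator needs when deciding whether the failure is a consent problem (the README path) or a stale session (the Disconnect-MgGraph path).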
@jbclarkman
Author

> @jbclarkman thanks for opening an issue. Can you run Disconnect-MgGraph and try again? The infinite AAD sign-in loop is something we've encountered before and plan to add it to the README in our next release.
>
> Usually Disconnect-MgGraph fixes the loop condition.

Yes that appears to have resolved it. Thank you!

@ethanb-cisa ethanb-cisa added the public-reported This issue is reported by the public users of the tool. label Dec 20, 2022