
Update-M365DSCAzureAdApplication doesn't work when setting admin consent with multi-factor authentication enabled #4476

Open
Borgquite opened this issue Mar 21, 2024 · 3 comments
Labels
Core Engine Enhancement New feature or request

Comments

@Borgquite
Contributor

Description of the issue

Raised this in #4037 but to be fair, that was a separate issue.

When running the Update-M365DscAzureADApplication cmdlet with the -AdminConsent parameter, it fails if the credentials supplied require multi-factor authentication (as they should!).

Microsoft 365 DSC Version

1.24.228.1

Which workloads are affected

other

The DSC configuration

$M365DSCRequiredPermissionsList = Get-M365DSCCompiledPermissionList -ResourceNameList @('AADAdministrativeUnit', 'AADGroup', 'AADUser', 'EXODistributionGroup', 'EXOManagementRoleAssignment') -PermissionType 'Application' -AccessType 'Update'
$M365DSCCredential = Get-Credential
Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions $M365DSCRequiredPermissionsList -AdminConsent -Type 'Certificate' -MonthsValid 24 -CreateSelfSignedCertificate -CertificatePath "C:\M365DSC123.cer" -Credential $M365DSCCredential

Verbose logs showing the problem

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSCTest123' -Permissions $M365DSCRequiredPermissionsList -AdminConsent -Type 'Certificate' -MonthsValid 24 -CreateSelfSignedCertificate -CertificatePath "C:\M365DSC123.cer" -Credential $M365DSCCredential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
2024-03-20 09:48:42 - Checking specified parameters
2024-03-20 09:48:42 -   Using a Certificate as credential
2024-03-20 09:48:42 -
2024-03-20 09:48:42 -   Make sure your certificate has the following prerequisites:
2024-03-20 09:48:42 -     KeySpec           : Signature
2024-03-20 09:48:42 -     KeyLength         : 2048
2024-03-20 09:48:42 -     KeyAlgorithm      : RSA
2024-03-20 09:48:42 -     HashAlgorithm     : SHA256 or SHA1
2024-03-20 09:48:42 -     Enhanced Key Uses : Client Authentication and Server Authentication
2024-03-20 09:48:42 -     And the entire certificate chain is available!
2024-03-20 09:48:42 -
2024-03-20 09:48:43 -
2024-03-20 09:48:43 - Checking existance of AD Application
2024-03-20 09:48:43 -   New Azure AD application 'Microsoft365DSCTest123' created!
2024-03-20 09:48:43 -
2024-03-20 09:48:43 - Checking app permissions
2024-03-20 09:48:43 -   Checking permission 'Graph\Organization.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\AdministrativeUnit.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\AdministrativeUnit.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Application.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Device.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Group.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\RoleManagement.Read.Directory'
2024-03-20 09:48:43 -   Checking permission 'Graph\User.Read.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\Group.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\RoleManagement.ReadWrite.Directory'
2024-03-20 09:48:43 -   Checking permission 'Graph\ReportSettings.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Graph\User.ReadWrite.All'
2024-03-20 09:48:43 -   Checking permission 'Exchange\Exchange.ManageAsApp'
2024-03-20 09:48:44 -     Permission updated for application
2024-03-20 09:48:44 -
2024-03-20 09:48:44 - Waiting 10 seconds for application creation
2024-03-20 09:48:44 -   ...
2024-03-20 09:48:54 -
2024-03-20 09:48:54 - Providing Admin Consent for application permissions
Invoke-RestMethod : {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '<redacted>'. Trace ID: 1dc6364c-0bc7-448f-88db-d554da521000 Correlation ID: b5ae7e11-9135-4e6a-afff-468e353391fb Timestamp: 2024-03-20 09:48:54Z","error_codes":[50076],"timestamp":"2024-03-20 09:48:54Z","trace_id":"1dc6364c-0bc7-448f-88db-d554da521000","correlation_id":"b5ae7e11-9135-4e6a-afff-468e353391fb","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCPermissions.psm1:1605 char:26
+                 $token = Invoke-RestMethod $uri `
+                          ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
2024-03-20 09:48:54 - [ERROR] [ERROR] Error while providing consent to the requested permissions. Please make sure you provide consent via the Azure AD Admin Portal.
2024-03-20 09:48:54 - Error details: The remote server returned an error: (401) Unauthorized.
2024-03-20 09:48:54 -
2024-03-20 09:48:54 - Checking app credentials
2024-03-20 09:48:54 -   Uploading App Certificate
2024-03-20 09:48:54 -     CreateSelfSignedCertificate specified, generating new Self Signed Certificate
2024-03-20 09:48:55 -     Certificate exported to C:\M365DSC123.cer
2024-03-20 09:48:55 -     Certificate details: CN=Microsoft365DSCTest123 (<redacted>)
2024-03-20 09:48:55 -
2024-03-20 09:48:55 - Application Id: <redacted>
2024-03-20 09:48:55 -
2024-03-20 09:48:55 - NOTE: Make sure you add the application to the required Microsoft 365 (e.g. Global Admin) or Exchange (e.g. Organization Management) role groups as well!
2024-03-20 09:48:55 -       See the documentation for any required permissions.

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-GB
OsMuiLanguages       : {en-GB, en-US}

Key   : PSVersion
Value : 5.1.22621.2506
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.22621.2506
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion
@andikrueger
Collaborator

The cmdlet uses a call to a native endpoint in Entra ID.

Graph PowerShell supports permission grants: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent

This option should be implemented in M365dsc.

@andikrueger andikrueger added Enhancement New feature or request Core Engine labels Mar 21, 2024
@RJEMDM

RJEMDM commented Mar 22, 2024

Error AADSTS50076 appears to be a widespread problem. In varying forms of response, Microsoft's general advice as a workaround to this problem is: "Setup a separate user account (or dedicated service account) that has limited access and strong credentials that are regularly rotated. This account must be excluded from Conditional Access MFA enforcing policy."

I'm unable to find reference to any all-encompassing Microsoft documentation which acknowledges this issue. I would assume many have raised a support ticket related to AADSTS50076; however, there is no evidence to suggest Microsoft are actively working on a solution (that I could find or validate).

If de-scoping the account from MFA isn't workable, I may suggest exploring other security criteria Conditional Access has to offer: a purpose-built policy scoped only to this one account. Enforcing that the device being used to run the commands be managed (by Intune, SCCM or another MDM) and compliant might suffice in reducing attack vectors.

You may even want a hardened VDI, with an IP range restricted Conditional Access policy scope to the one dedicated account for Microsoft365DSC tasks. Obviously, quite extreme, but not uncommon.

Alternatively, it is suggested to grant Admin Consent to the permissions required on the Service Principal, manually, through the Entra portal GUI, then omit the -AdminConsent switch from the command set going forward.

@Borgquite
Contributor Author

Borgquite commented Mar 22, 2024

@RJEMDM For an 'initial setup and ongoing maintenance' command like Update-M365DSCAzureAdApplication, it seems unlikely that people are trying to automate this in a script etc.

For all of the Microsoft365DSC workloads, it is possible to use an interactive prompt supporting MFA. It should be possible to get this to work here too (as it used to until recently) without requiring insecure workarounds or manual steps.

@andikrueger's suggestion should do the job by using the existing Graph credential, if I understand it correctly.
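The approach andikrueger points to, and that Borgquite expects to work with the existing Graph sign-in, sketched as an added example (this is not Microsoft365DSC code and not the project's implementation): consent is granted as app role assignments on the DSC app's service principal through Microsoft Graph PowerShell, after an interactive Connect-MgGraph that satisfies MFA, instead of the password-grant token call that fails with AADSTS50076. It assumes the Microsoft.Graph.Applications module is installed, that the signed-in user is allowed to grant tenant-wide consent, and uses the well-known appIds of Microsoft Graph and Exchange Online; the permission list is a constructed sample in the same 'Workload\Permission' form as the verbose log.

```powershell
# Added example: grant application-permission admin consent via Microsoft Graph PowerShell.
# Interactive sign-in honours Conditional Access / MFA; these two scopes cover reading
# service principals and writing app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$appName  = 'Microsoft365DSC'   # display name given to Update-M365DSCAzureAdApplication
$clientSp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $clientSp) { throw "Service principal '$appName' not found" }

# Well-known appIds of the resource APIs the M365DSC permission list targets.
$resources = @{
    Graph    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
    Exchange = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
}

# Constructed sample; in practice feed the output of Get-M365DSCCompiledPermissionList.
$wanted = @('Graph\Organization.Read.All', 'Graph\Group.ReadWrite.All', 'Exchange\Exchange.ManageAsApp')

foreach ($entry in $wanted) {
    $workload, $permission = $entry -split '\\', 2
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($resources[$workload])'"

    # Application permissions are app roles published by the resource service principal.
    $role = $resourceSp.AppRoles |
        Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { Write-Warning "No application role '$permission' on $workload"; continue }

    # Skip grants that already exist so the script is safe to re-run.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resourceSp.Id }
    if ($existing) { Write-Host "Already consented: $entry"; continue }

    # The grant itself: principal = the DSC app's SP, resource = the API's SP.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id `
        -PrincipalId $clientSp.Id -ResourceId $resourceSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Consent granted: $entry"
}
```

Once consent exists, Update-M365DSCAzureAdApplication can be run without -AdminConsent, which is the manual-consent route RJEMDM describes above, but performed under an MFA-satisfied sign-in rather than through the portal.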
