Connect-MgGraph fails when requesting Policy.ReadWriteApplicationConfiguration scope and some other scopes #497

Closed
adamedx opened this issue Jan 8, 2021 · 1 comment · Fixed by #728

adamedx commented Jan 8, 2021

It turns out that there are scenarios with newer applications that fail when you sign in via https://login.microsoftonline.com/common. When all of the following are true at sign-in, some permissions scopes may be treated as invalid and result in an error returned by Connect-MgGraph during authentication:

  1. Sign-in is device code flow (this is what Connect-MgGraph uses for delegated auth)
  2. The app was created relatively recently (i.e. in the last ~2 years or so)
  3. The scope is one of a specific set of scopes -- Policy.ReadWrite.ApplicationConfiguration is one example
  4. You are using https://login.microsoftonline.com/common

This apparently is not a problem when you use /organizations. Unfortunately, this means you can't sign in with MSA, unless we allow an option to specify that MSA sign-in is desired via a parameter to Connect-MgGraph.
AB#7384

@ghost ghost added the ToTriage label Jan 8, 2021
@adamedx adamedx changed the title Connect-MgGraph should use organizations endpoint for delegated sign-in by default Connect-MgGraph fails when requesting Policy.ReadWriteApplicationConfiguration scope and some other scopes Jan 8, 2021
@ddyett ddyett added the promote label Jan 11, 2021
@ddyett ddyett added the Bug - P1 label Feb 3, 2021
@peombwa peombwa removed the ToTriage label Feb 4, 2021
@peombwa peombwa added this to the 1.7.0 milestone Jun 8, 2021
@peombwa peombwa self-assigned this Jun 24, 2021
@peombwa peombwa added Bug - P2 and removed Bug - P1 labels Jun 24, 2021
peombwa commented Jun 24, 2021

@adamedx This is no longer a major issue (v1.6.0+) since we have changed our default authentication mode to interactive sign-in with a browser pop-up. The Policy.ReadWrite.ApplicationConfiguration scope works as expected in this mode.

For cases where a customer explicitly uses Connect-MgGraph -UseDeviceAuthentication and this exception is thrown, we can update the error message by adding "Please retry with either Connect-MgGraph -TenantId "your tenant id" or Connect-MgGraph -Audience "organizations"". In this case, -Audience will be an alias to -TenantId since they are mutually exclusive.
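An added example, not code from the issue or from the Graph PowerShell SDK, that applies the workaround described above: device code sign-in against the organizations audience with the scope from the report, followed by a check that the scope was actually granted rather than silently dropped. The wrapper function name is an assumption; Connect-MgGraph, Get-MgContext and the parameters used are existing SDK names (the proposed -Audience alias is not used).

```powershell
# Added example (not from the issue or the SDK). Assumes the
# Microsoft.Graph.Authentication module is installed. The function name
# Connect-MgGraphDeviceCode is hypothetical; the cmdlets and parameters are real.
function Connect-MgGraphDeviceCode {
    param(
        [Parameter(Mandatory)] [string[]] $Scopes,
        # "organizations" (work/school accounts only) avoids the /common failure
        # described in the issue; pass a tenant GUID or domain to pin one tenant.
        [string] $TenantId = 'organizations'
    )

    if ($TenantId -eq 'common') {
        Write-Warning 'Device code sign-in via /common may reject some scopes (e.g. Policy.ReadWrite.ApplicationConfiguration); use "organizations" or a tenant id.'
    }

    # Device code flow, explicitly scoped to the requested audience.
    Connect-MgGraph -Scopes $Scopes -TenantId $TenantId -UseDeviceAuthentication -ErrorAction Stop

    # Verify what was consented, not merely that sign-in succeeded.
    $ctx = Get-MgContext
    $missing = $Scopes | Where-Object { $ctx.Scopes -notcontains $_ }
    if ($missing) {
        throw "Signed in as $($ctx.Account) but these scopes were not granted: $($missing -join ', ')"
    }
    return $ctx
}

# Usage: request the scope named in the issue against the organizations audience.
Connect-MgGraphDeviceCode -Scopes 'Policy.ReadWrite.ApplicationConfiguration' |
    Select-Object Account, TenantId, Scopes
```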
