Skip to content

Integrate upstream PRs: Add TenantID parameter and improve MFA detection #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
socketz merged 4 commits into from
Nov 7, 2025
Merged

Integrate upstream PRs: Add TenantID parameter and improve MFA detection #2

socketz merged 4 commits into from
Nov 7, 2025

Conversation

Copy link

Copilot AI commented Nov 7, 2025
edited
Loading

Description of the change

Integrated three high-value upstream pull requests while avoiding duplication of features already present from the previously merged Entra ID improvements PR.

New capabilities:

  • TenantID parameter - Target specific Azure AD tenants (default: "common"). Critical for B2B guest user authentication scenarios where forcing tenant context is required.
  • MFA state differentiation - Separates AADSTS50076 (MFA enforced) from AADSTS50079 (MFA available but not enforced). Provides clearer signal on account security posture.
  • Output formatting - Adds trailing newline at script completion for clean terminal output.

Already present (from prior merge, not re-implemented):

  • Delay, VerboseErrors parameters
  • 9 additional AADSTS error codes (50055, 50056, 50072, 50074, 50173, 53003, 700016, 90019, 81018)
  • Microsoft Entra ID terminology updates
# Example: Target specific tenant for B2B user spray
Invoke-MSOLSpray -UserList guests.txt -Password Fall2024! -TenantId "contoso-tenant-id"

# Example: Output now distinguishes MFA states
# Before: Both showed "MFA is in use"
# After: 
#   AADSTS50076 → "MFA (Microsoft) is in use"
#   AADSTS50079 → "MFA can be onboarded (password is valid)"

Motivation

Addresses issues and unapproved PRs from upstream dafthack/MSOLSpray repository (dafthack#17, dafthack#13, dafthack#9). The TenantID parameter specifically solves authentication challenges with B2B guest accounts that exist in multiple tenants.

Type of change

Feature request

Checklist

  • I have performed a self-review of my code.
  • I have added detailed comments to my code where applicable.
  • I have verified that my change does not break existing code.
  • My PR is based on the latest changes of the main branch (if unsure, please run git pull --rebase upstream main).
  • I am familiar with the Google Style Guide for the language I have coded in.
  • I have read through the Contributing Guide and signed the Contributor License Agreement.
Original prompt

Fix all the issues from original repository and also add all the pull requests that hasn't been approved yet, but before check if there are bugs in source code.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 3 commits November 7, 2025 17:40
@socketz
Add TenantID support, improve MFA messages, add output newline, log i…
131afa2 
…nvalid passwords

Co-authored-by: socketz <638274+socketz@users.noreply.github.com>
@socketz
Finalize changes - keep invalid password attempts silent
b3330d3 
Co-authored-by: socketz <638274+socketz@users.noreply.github.com>
@socketz
Address code review feedback - clean up comments
033adf2 
Co-authored-by: socketz <638274+socketz@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix issues and add unapproved pull requests Integrate upstream PRs: Add TenantID parameter and improve MFA detection Nov 7, 2025
Copilot AI requested a review from socketz November 7, 2025 17:50
@socketz socketz marked this pull request as ready for review November 7, 2025 17:50
Copilot AI review requested due to automatic review settings November 7, 2025 17:50
Copilot AI reviewed Nov 7, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for targeting specific Azure AD/Entra ID tenants during password spraying operations and improves MFA status detection by distinguishing between active MFA enforcement and MFA registration eligibility.

  • Added a new TenantId parameter (defaults to "common") to enable authentication against specific tenants, useful for B2B scenarios
  • Split MFA error code handling to differentiate between active MFA (AADSTS50076) and MFA onboarding availability (AADSTS50079)
  • Updated parameter positions to accommodate the new TenantId parameter

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
README.md Added documentation for the new TenantId parameter in the options list
MSOLSpray.ps1 Added TenantId parameter, integrated it into the OAuth2 URL construction, separated MFA error codes for clearer status reporting, and renumbered subsequent parameters

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@socketz socketz merged commit a0f6a4e into master Nov 7, 2025
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@socketz socketz socketz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@socketz socketz

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@socketz