0

I have a C# program that uses the Microsoft Teams PowerShell Module to read policies etc. It did work well with Module Version 2.6.1. After updating to 3.1.0, login via MFA doesn't work anymore (non-MFA still works).

PowerShell Error: Exception = {"Broker response returned error: WAM Error Wam plugin Microsoft.Identity.Client.Platforms.Features.WamBroker.AadPlugin Error code: 3399548929 Error Message: Need user interaction to continue."}

In Windows Event Viewer: Error: 0xCAA2000C The request requires user interaction. Code: interaction_required Description: AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'c5fde071-9440-4083-9e3c-b6712ad6e4d5'. Trace ID: 195be915-61f3-4dcc-a53a-70f455ce7200 Correlation ID: 49f54e0f-c928-46c2-b000-8bf1511383a7 Timestamp: 2022-01-27 17:06:55Z TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token Logged at OAuthTokenRequestBase.cpp, line: 449, method: OAuthTokenRequestBase::ProcessOAuthResponse.

Request: authority: https://login.microsoftonline.com/common, client: ecd6b820-32c2-49b6-98a6-444530e5a77a, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/ecd6b820-32c2-49b6-98a6-444530e5a77a, resource: c5fde071-9440-4083-9e3c-b6712ad6e4d5, correlation ID (request): 49f54e0f-c928-46c2-b000-8bf1511383a7

Any ideas?

Thanks in advance, Joerg

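C# code:

```csharp
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;

// 'powershell' is the hosted System.Management.Automation.PowerShell instance.
// The account name is concatenated into the script text passed to AddScript.
powershell.AddScript("Connect-MicrosoftTeams -AccountId " + App.userName);
Collection<PSObject> result = new Collection<PSObject>();
try
{
    result = powershell.Invoke();
}
catch (Exception ex)
{
    // ...
}
```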

The Exception is not thrown, only

  • Please post some sample code of how you are making the initial connection. – Hilton Giesenow Jan 28 '22 at 07:04
  • Added to original post... – user3298529 Jan 28 '22 at 09:37
  • That's better, thanks. Why are you trying to invoke PowerShell from C#, for interest? Why not just call the Graph API using the DotNet SDK? It's much more simple from a design perspective, and will deal with issues like this better. – Hilton Giesenow Jan 28 '22 at 12:32
  • Yes. BUT: to use the Graph API, you have to register an App in AAD (which I try to avoid for various reasons) and not all required settings are available via Graph. – user3298529 Jan 29 '22 at 11:05
  • Yes you do need an app, but it's better to just have a single platform rather than mixing the two like this, it will give you less problems. As an alternative, why not make the app entirely PowerShell (remove the C#)? – Hilton Giesenow Jan 29 '22 at 17:54
  • Nice idea. As soon as you tell me how to make a GUI in PowerShell ;-) One of the reasons for the App is to hide PowerShell from the users. – user3298529 Jan 30 '22 at 17:54
  • Totally possible, just painful: https://theitbros.com/powershell-gui-for-scripts/ PowerShell is dotnet based, after all. Basically, you're kind of asking for trouble mixing worlds like this, when there's a perfectly good solution in the Graph SDK. If you're only running this on one machine though, you could encrypt the user credentials and use the -credentials parameter, or launch the credential popup from your C#, like this: https://stackoverflow.com/questions/1624417/powershell-how-do-i-get-credentials-from-c-sharp-code . I don't know what that will do if your tenant uses MFA though – Hilton Giesenow Jan 30 '22 at 19:53
  • Could you please confirm if your issue has been resolved with the above suggestion or if you are still looking for any help? – Sayali-MSFT Feb 04 '22 at 05:10

2 Answers

0

Microsoft provides a PowerShell class for C# via system.management.automation.powershell. It works well, except for the new MicrosoftTeams PowerShell module (version 3.1). There have been good reasons not to use Graph. Using plain PowerShell is also not an option. So no, the issue has not been resolved.

0

Problem solved! Just omit the -AccountId parameter from "Connect-MicrosoftTeams" and it works. That's a different behavior than the AzureAD module, where you can prepopulate the interactive logon window with a username.
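
The fix from this answer applied to the question's C# host, as an added example that is not part of the original posts. The class and method names are hypothetical, and it assumes the MicrosoftTeams module is installed where the hosted runspace can load it. It also reads the error stream, because `Invoke()` does not throw for non-terminating errors.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Linq;
using System.Management.Automation;

static class TeamsLogin   // hypothetical helper, not from the original post
{
    // Runs Connect-MicrosoftTeams in the given hosted PowerShell instance.
    // With accountId == null the call follows the answer above: no -AccountId,
    // so the module shows its own interactive sign-in and MFA can be completed.
    public static Collection<PSObject> Connect(PowerShell ps, string accountId = null)
    {
        ps.Commands.Clear();
        ps.Streams.Error.Clear();

        // AddCommand/AddParameter binds the value as data. Concatenating it
        // into AddScript would let the string be parsed as script text.
        ps.AddCommand("Connect-MicrosoftTeams");
        if (!string.IsNullOrEmpty(accountId))
            ps.AddParameter("AccountId", accountId);

        Collection<PSObject> result = ps.Invoke();

        // Invoke() throws only for terminating errors; non-terminating ones
        // are collected in Streams.Error and must be checked explicitly.
        if (ps.HadErrors)
        {
            string details = string.Join(Environment.NewLine,
                ps.Streams.Error.Select(e => e.Exception?.Message ?? e.ToString()));
            throw new InvalidOperationException(
                "Connect-MicrosoftTeams failed: " + details);
        }
        return result;
    }
}
```

Call it as `TeamsLogin.Connect(powershell)` for the MFA case described in the question.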