I'm using the new preview version of the Azure AD PS module. I'm trying to connect via the new AccessToken parameter:
Connect-MsolService -AccessToken ey...
But I'm getting an "Unexpected Error" back.
Connect-MsolService : An unexpected error occurred.
At line:1 char:1
+ Connect-MsolService -AccessToken eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidHeaderException,Microsoft.Online.Administration.Automation.ConnectMsolService
Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was
thrown.
At line:1 char:1
+ Connect-MsolService -AccessToken eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.MicrosoftOnlineException,Microsoft.Online.Administration.Automation.ConnectMsolService
I know the access token I'm using is good because I can use it to call the Graph API from Postman. Has anyone gotten this to work?
Edit: Not sure of the reason for the downvote, but just to show I did my homework, here's the request/response that the PS module is making behind the scenes, captured with a Fiddler trace. It contains the helpful message "The user identity header is invalid."
Request
POST https://provisioningapi.microsoftonline.com/provisioningwebservice.svc HTTP/1.1
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnect</a:Action>
<a:MessageID>urn:uuid:df0e35bd-ef05-48cd-a623-a1134b0b2ed6</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<UserIdentityHeader xmlns="http://provisioning.microsoftonline.com/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<BearerToken xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">Bearer ey...</BearerToken>
<LiveToken i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService"/>
</UserIdentityHeader>
<ClientVersionHeader xmlns="http://provisioning.microsoftonline.com/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<ClientId xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">50afce61-c917-435b-8c6d-60aa5a8b8aa7</ClientId>
<Version xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">1.1.8806.11</Version>
</ClientVersionHeader>
<ContractVersionHeader xmlns="http://becwebservice.microsoftonline.com/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<BecVersion xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">Version32</BecVersion>
</ContractVersionHeader>
<TrackingHeader xmlns="http://becwebservice.microsoftonline.com/">bf71f0c6-add7-4046-9209-bfd584ca3c28</TrackingHeader>
<a:To s:mustUnderstand="1">https://provisioningapi.microsoftonline.com/provisioningwebservice.svc</a:To>
</s:Header>
<s:Body>
<MsolConnect xmlns="http://provisioning.microsoftonline.com/">
<request xmlns:b="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:BecVersion>Version4</b:BecVersion>
<b:TenantId i:nil="true"/>
<b:VerifiedDomain i:nil="true"/>
</request>
</MsolConnect>
</s:Body>
</s:Envelope>
Response
HTTP/1.1 500 Internal Server Error
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnectInvalidHeaderExceptionFault</a:Action>
<a:RelatesTo>urn:uuid:df0e35bd-ef05-48cd-a623-a1134b0b2ed6</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-US">The creator of this fault did not specify a Reason.</s:Text>
</s:Reason>
<s:Detail>
<InvalidHeaderException xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<HelpLink i:nil="true"/>
<Message>The user identity header is invalid.</Message>
<OperationId i:nil="true"/>
<Source>Microsoft.Online.Administration.PublicBecWebService</Source>
<StackTrace> at Microsoft.Online.Administration.WebService.BecWebServiceAuthenticationManager.ValidateJwtTokenV2(String bearerToken) in x:\bt\533229\repo\src\dev\om\administration\publicbecwebservice\BecWebServiceAuthenticationManager.cs:line 371
at Microsoft.Online.Administration.WebService.BecWebServiceAuthenticationManager.CheckAccessCore(OperationContext operationContext) in x:\bt\533229\repo\src\dev\om\administration\publicbecwebservice\BecWebServiceAuthenticationManager.cs:line 723</StackTrace>
</InvalidHeaderException>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>
Here's how I'm obtaining the access token. I'm using the client credentials flow since ultimately my goal is to run this from Azure Automation.
# Requires the ADAL assembly (Microsoft.IdentityModel.Clients.ActiveDirectory.dll) to be loaded first
$clientId = "20bc779d-0edb-4a00-becf-xxx"
$redirectUri = new-object System.Uri("urn:ietf:wg:oauth:2.0:oob")   # not used by the client credentials flow
$resourceId = "https://graph.windows.net"
$authority = "https://login.windows.net/mydirectory.onmicrosoft.com"
# $keyFromAzurePortal holds the application key (client secret) copied from the Azure portal
$key = ConvertTo-SecureString $keyFromAzurePortal -AsPlainText -Force
$cred = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential ($clientId, $key)
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext($authority)
# Client credentials flow: the token is issued to the application itself, not to a signed-in user
$authResult = $authContext.AcquireToken($resourceId, $cred)
$accessToken = $authResult.AccessToken
I was not able to replicate your issue. Let me tell you what I did to get it working:
I first got an access token for a native client app targeting the Graph API:
Then I used that token in PowerShell:
What kind of access token are you getting? Would you mind sharing it? Or at least a JWT decompiled version of it without a signature?
If you want to take this elsewhere, feel free to reach out to us at AADPowerShellPreview@microsoft.com
Please include the log files found here:
C:\Users\[youralias]\AppData\Local\Microsoft\Office365\Powershell
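The answer asks for the token decoded without its signature. As an added example (not part of the original question or answer, and not the MSOnline module's own code), this PowerShell snippet decodes a JWT's header and payload, drops the signature, and reports whether the token carries a signed-in user claim, which is what separates a client-credentials token from one issued to a native client app sign-in; the sample token is constructed here with placeholder GUIDs and a dummy signature.

```powershell
# Added example (not from the original post or the MSOnline module): decode a
# JWT's header and payload to inspect its claims. Decoding is NOT validation;
# only the resource that verifies the signature can trust these claims.

function ConvertFrom-Base64Url([string]$Value) {
    # base64url uses '-' and '_' and drops '=' padding; restore both for .NET
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw "Invalid base64url segment length" }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Jwt([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 dot-separated segments, got $($parts.Count)" }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # The signature segment ($parts[2]) is intentionally neither decoded nor
    # returned, so the result is safe to paste into a support request.
    [pscustomobject]@{
        Header          = $header
        Payload         = $payload
        ExpiresUtc      = ([datetime]'1970-01-01T00:00:00Z').ToUniversalTime().AddSeconds($payload.exp)
        # Client-credentials (app-only) tokens have no signed-in user, so they
        # lack upn/unique_name; tokens from a user sign-in carry them.
        HasUserIdentity = [bool]($payload.upn -or $payload.unique_name)
    }
}

# Constructed sample in the shape of an app-only token for the Graph API.
# GUIDs are placeholders and the signature segment is a dummy string.
$sampleHeader  = '{"typ":"JWT","alg":"RS256","x5t":"placeholder-thumbprint"}'
$samplePayload = '{"aud":"https://graph.windows.net","iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000000/",' +
                 '"appid":"00000000-0000-0000-0000-000000000000","tid":"00000000-0000-0000-0000-000000000000","exp":1500000000}'
$sampleToken   = (ConvertTo-Base64Url $sampleHeader) + '.' + (ConvertTo-Base64Url $samplePayload) + '.dummy-signature'

$decoded = ConvertFrom-Jwt $sampleToken
$decoded.Payload | Format-List
"Audience: $($decoded.Payload.aud)  expires (UTC): $($decoded.ExpiresUtc)  user identity present: $($decoded.HasUserIdentity)"
```

Run `ConvertFrom-Jwt $accessToken` on the token acquired above to see whether the claims match what the answer obtained from a native client app sign-in.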