JustinGrote / JAz.PIM

MIT License

Unable to Activate AD Role Due to MfaRule #11

Closed bmkaiser closed 8 months ago

bmkaiser commented 2 years ago

I believe this is an issue that you're aware of and are working to resolve per this comment on a previous issue: https://github.com/JustinGrote/JAz.PIM/issues/6#issuecomment-1130008715

I tried piping Get-JazADRole to Enable-JazADRole as well as using tab completion with Enable-JazADRole, but neither worked. Additionally, when the Enable-JazADRole fails, Wait-JazADRole also fails because $totalProgress cannot be calculated.

PS > Enable-JAzADRole 'Global Reader (LJnv8vs6uUa3z6Em7nTEUZY-Uygeo0pJj_wBT3Lkhj8-1-e)' -j 'test' | Wait-JAzADRole
Enable-JAzADRole: RoleAssignmentRequestPolicyValidationFailed: The following policy rules failed: ["MfaRule"]
Write-Progress: C:\Program Files\PowerShell\Modules\jaz.pim\0.0.8\Public\Wait-ADRole.ps1:125
Line |
 125 |  … ount of $($waitJobs.ChildJobs.count)" -PercentComplete $totalProgress
     |                                                           ~~~~~~~~~~~~~~
     | Cannot bind parameter 'PercentComplete'. Cannot convert value "NaN" to type "System.Int32". Error:
     | "Value was either too large or too small for an Int32."

Is there a way to force a prompt to satisfy the MFA rule requirement within my tenant's conditional access policies?

JustinGrote commented 2 years ago

Try connect-mggraph -forcerefresh

bmkaiser commented 2 years ago

That seemed like it would work, but unfortunately I wasn't prompted for MFA and the result remains the same:

PS > Connect-MgGraph -ForceRefresh
Welcome To Microsoft Graph!
PS > Import-Module -Name Jaz.PIM
PS > Enable-JAzADRole 'Global Reader (LJnv8vs6uUa3z6Em7nTEUZY-Uygeo0pJj_wBT3Lkhj8-1-e)' -j 'test' | Wait-JAzADRole
Enable-JAzADRole: RoleAssignmentRequestPolicyValidationFailed: The following policy rules failed: ["MfaRule"]
Write-Progress: C:\Program Files\PowerShell\Modules\Jaz.PIM\0.0.8\Public\Wait-ADRole.ps1:125
Line |
 125 |  … ount of $($waitJobs.ChildJobs.count)" -PercentComplete $totalProgress
     |                                                           ~~~~~~~~~~~~~~
     | Cannot bind parameter 'PercentComplete'. Cannot convert value "NaN" to type "System.Int32". Error:
     | "Value was either too large or too small for an Int32."

JustinGrote commented 2 years ago

I mean, it's Azure saying that you haven't met the MFA; it's literally the response from the server, so it's something in your token or conditional access that isn't meeting the criteria. If you find what it is I can make that a more friendly error message of something to check for, otherwise there's nothing I can do, I don't think.

bmkaiser commented 2 years ago

Yeah, that makes sense. I found the article below which describes a method for manually getting an access token for this exact scenario, which is supposed to provide an MFA prompt:

https://web.archive.org/web/20210928082057/http://www.anujchaudhary.com/2020/02/connect-to-azure-ad-powershell-with-mfa.html

I tried the described method using the Client ID for the Microsoft Graph PowerShell Enterprise Application (instead of Azure AD):

$params = @{
    Scopes  = @("https://graph.microsoft.com/.default")
    ClientId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'
    RedirectUri = 'urn:ietf:wg:oauth:2.0:oob'
    Authority  = 'https://login.microsoftonline.com/common'
    Interactive = $true
    ExtraQueryParameters  = @{
        claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'
    }
}

$MsResponse = Get-MSALToken @params

This gave me a one-time code to use at https://microsoft.com/devicelogin/, but it still didn't work and I was never prompted for MFA. I tried connecting to Microsoft Graph both with -UseDeviceAuthentication and separately providing the access token with -AccessToken.

When reviewing my sign-in logs in Azure AD, I see the following details for the failed logins:

| Property | Value |
| --- | --- |
| Authentication requirement | Multifactor authentication |
| Status | Failure |
| Continuous access evaluation | No |
| Sign-in error code | 50199 |
| Failure reason | For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction. |
| Additional Details | MFA requirement skipped due to IP address |

I think my next step will be to open a case with Microsoft Support and see what they say, but perhaps there is a different way the Graph request can be performed to force a user confirmation.
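As an added example (not part of this thread and not JAz.PIM project code), the following PowerShell triages sign-in log entries for the pattern shown in the table above: the tenant required MFA, the requirement was satisfied by a trusted IP rather than an interactive factor, and the resource then answered with error 50199. The object shape is assumed to match what `Get-MgAuditLogSignIn` returns (`AuthenticationRequirement`, `Status.ErrorCode`, `Status.FailureReason`, `Status.AdditionalDetails`); the two sample entries are constructed, not real log data, and the function name `Find-TrustedIpMfaSkip` is hypothetical.

```powershell
# Added example, not from the JAz.PIM project. Flags sign-ins where the MFA
# requirement was skipped because of a trusted IP address, and marks whether
# the resource subsequently demanded user interaction (error code 50199).
# Property names assume the Microsoft Graph signIn resource as surfaced by
# Get-MgAuditLogSignIn; adjust if your SDK version names them differently.

function Find-TrustedIpMfaSkip {
    [CmdletBinding()]
    param(
        # Sign-in objects, e.g. Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@contoso.example'"
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$SignIn
    )
    process {
        foreach ($entry in $SignIn) {
            $requiresMfa = $entry.AuthenticationRequirement -eq 'multiFactorAuthentication'
            $skippedByIp = $entry.Status.AdditionalDetails -like 'MFA requirement skipped due to IP address*'
            if (-not ($requiresMfa -and $skippedByIp)) { continue }

            [pscustomobject]@{
                CreatedDateTime     = $entry.CreatedDateTime
                UserPrincipalName   = $entry.UserPrincipalName
                AppDisplayName      = $entry.AppDisplayName
                IpAddress           = $entry.IpAddress
                ErrorCode           = $entry.Status.ErrorCode
                # True when the resource (here PIM) did not accept the trusted-IP
                # satisfied MFA and asked for an interactive confirmation instead.
                InteractionRequired = ($entry.Status.ErrorCode -eq 50199)
                FailureReason       = $entry.Status.FailureReason
            }
        }
    }
}

# Constructed sample entries (hypothetical user, app and IP; not real tenant data).
$sampleSignIns = @(
    [pscustomobject]@{
        CreatedDateTime           = [datetime]'2022-06-01T14:02:11Z'
        UserPrincipalName         = 'user@contoso.example'
        AppDisplayName            = 'Microsoft Graph PowerShell'
        IpAddress                 = '203.0.113.10'
        AuthenticationRequirement = 'multiFactorAuthentication'
        Status                    = [pscustomobject]@{
            ErrorCode         = 50199
            FailureReason     = 'For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.'
            AdditionalDetails = 'MFA requirement skipped due to IP address'
        }
    }
    [pscustomobject]@{
        CreatedDateTime           = [datetime]'2022-06-01T14:05:40Z'
        UserPrincipalName         = 'user@contoso.example'
        AppDisplayName            = 'Microsoft Graph PowerShell'
        IpAddress                 = '198.51.100.7'
        AuthenticationRequirement = 'multiFactorAuthentication'
        Status                    = [pscustomobject]@{
            ErrorCode         = 0
            FailureReason     = 'Other.'
            AdditionalDetails = 'MFA completed in Azure AD'
        }
    }
)

# Only the first constructed entry is reported: MFA was satisfied by IP, then PIM asked for interaction.
$sampleSignIns | Find-TrustedIpMfaSkip | Format-Table -AutoSize
```

Running this over a real export narrows the question in the thread to a checkable fact: whether the token behind the failed activation was issued without an interactive factor because the source IP was a trusted location, which is exactly the case PIM's MfaRule does not accept.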

JustinGrote commented 2 years ago

Looks like you're using a whitelisted IP as a form of MFA "where you are", but maybe PIM doesn't consider that acceptable. I haven't done much testing for that scenario.

bmkaiser commented 2 years ago

I have found a solution (I think). It appears the source of the issue comes down to a behavior difference for MSAL.PS between PowerShell and Windows PowerShell. The only way I was able to get an actual MFA prompt was to import MSAL.PS using WinPSCompatSession.

Import-Module -Name MSAL.PS -UseWindowsPowerShell
Import-Module -Name Jaz.PIM

$params = @{
    Scopes = @("https://graph.microsoft.com/.default")
    ClientId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'
    Authority = 'https://login.microsoftonline.com/common'
    Interactive = $true
    ExtraQueryParameters = @{
        claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'
    }
}

$MsResponse = Get-MSALToken @params
Connect-MgGraph -AccessToken $MsResponse.AccessToken

For some reason, though, I don't always need to do this. I had been happily using the Jaz.PIM module last week without needing to explicitly provide an access token. Perhaps it makes sense to only attempt getting an access token if Graph throws the ["MfaRule"] error?
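As an added example (not part of this thread and not JAz.PIM project code), here is one way to implement the suggestion above: attempt the activation with the current session, and only if the service rejects it with the MfaRule policy failure, acquire a token that carries an explicit MFA claims challenge (the same `claims` parameter and Microsoft Graph PowerShell client ID used in the snippets above), reconnect, and retry once. It assumes MSAL.PS (`Get-MsalToken`), the Microsoft Graph SDK (`Connect-MgGraph`) and JAz.PIM (`Enable-JAzADRole`) are loaded; `-Justification` is assumed to be the full name of the `-j` parameter used in the thread, and the function names `Get-MfaClaimedGraphToken` and `Invoke-JAzActivationWithMfaRetry` are hypothetical.

```powershell
# Added example, not from the JAz.PIM project. Retry a PIM activation with an
# MFA-claimed token only when the first attempt fails the MfaRule policy check.
# Assumes: Import-Module MSAL.PS (optionally -UseWindowsPowerShell, as noted in
# the thread), Import-Module Microsoft.Graph.Authentication, Import-Module Jaz.PIM.

function Get-MfaClaimedGraphToken {
    param(
        # Client ID of the Microsoft Graph PowerShell enterprise application (from the thread).
        [string]$ClientId  = '14d82eec-204b-4c2f-b7e8-296a70dab67e',
        [string]$Authority = 'https://login.microsoftonline.com/common'
    )
    # Claims challenge asking Azure AD to put "mfa" in the token's amr claim.
    # Serialises to {"access_token":{"amr":{"values":["mfa"]}}}, the same JSON
    # the thread passes as a literal string.
    $claims = @{ access_token = @{ amr = @{ values = @('mfa') } } } |
        ConvertTo-Json -Compress -Depth 5

    $params = @{
        Scopes               = @('https://graph.microsoft.com/.default')
        ClientId             = $ClientId
        Authority            = $Authority
        Interactive          = $true
        ExtraQueryParameters = @{ claims = $claims }
    }
    (Get-MsalToken @params).AccessToken
}

function Connect-MgGraphWithToken {
    param([Parameter(Mandatory)][string]$AccessToken)
    # Graph SDK v2 expects -AccessToken as a SecureString; v1 accepted a plain string.
    # Inspect the parameter type so the example works with either.
    $paramType = (Get-Command Connect-MgGraph).Parameters['AccessToken'].ParameterType
    if ($paramType -eq [securestring]) {
        $AccessToken = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force
    }
    Connect-MgGraph -AccessToken $AccessToken | Out-Null
}

function Invoke-JAzActivationWithMfaRetry {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$Justification
    )
    try {
        # First attempt with whatever token the current Graph session holds.
        return Enable-JAzADRole $RoleName -Justification $Justification -ErrorAction Stop
    }
    catch {
        # Only the MfaRule policy failure is retried; every other error is rethrown as-is.
        if ($_.Exception.Message -notmatch 'MfaRule') { throw }

        Write-Warning 'PIM rejected the request because the current token carries no MFA claim; re-authenticating with an MFA claims challenge.'
        Connect-MgGraphWithToken -AccessToken (Get-MfaClaimedGraphToken)

        # Second and final attempt; if MfaRule still fails, the error surfaces to the caller.
        return Enable-JAzADRole $RoleName -Justification $Justification -ErrorAction Stop
    }
}

# Usage (role name as it appears in your tenant; 'test' is the justification from the thread):
# Invoke-JAzActivationWithMfaRetry -RoleName 'Global Reader' -Justification 'test' | Wait-JAzADRole
```

Retrying exactly once keeps the behaviour predictable: if the claims challenge still does not produce an MFA-claimed token (for instance because a trusted-location policy satisfies the tenant's MFA requirement without an interactive factor, as the sign-in log earlier in the thread shows), the second failure is surfaced rather than looping on prompts.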

bmkaiser commented 8 months ago

This issue hasn't occurred in a long time. I suspect that Microsoft changed something on their end, so I will close this issue now.