cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer's Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

goosey auth fails #9

Closed Pavel-Sushko closed 1 year ago

Pavel-Sushko commented 1 year ago

šŸ› Summary

When running goosey auth for the first time it fails with the following output:

```
(.venv) PS F:\DIR\untitledgoosetool> goosey auth
2023-03-27 13:32:13,277 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:118)
2023-03-27 13:33:27,923 - auth - WARNING - Exception happened during auth: Message:
Stacktrace:
RemoteError@chrome://remote/content/shared/RemoteError.sys.mjs:8:8
WebDriverError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:180:5
NoSuchElementError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:392:5
element.find/</<@chrome://remote/content/marionette/element.sys.mjs:134:16
 (auth.py:421)
```

To reproduce

Steps to reproduce the behavior:

  1. Clone and install the project:

     ```
     (.venv) PS F:\DIR\untitledgoosetool> git clone https://github.com/cisagov/untitledgoosetool.git
     >> cd untitledgoosetool
     >> pip install .
     ```
  2. Start a virtual environment:

     ```
     (.venv) PS F:\DIR\untitledgoosetool> python -m venv .venv
     >> .venv\Scripts\activate
     ```
  3. Generate configuration files:

     ```
     python .\scripts\generate_conf.py
     ```
  4. Fill `.conf` as such:

     ```ini
     [auth]
     username=username
     password=password
     tenant=tenant_id
     us_government=False
     exo_us_government=False
     appid=
     clientsecret=
     subscriptionid=All
     m365=True
     msgtrace=True

     [filters]
     date_start=date_start
     date_end=date_end

     [azure]
     activity_log=False
     alerts=False
     all_azure_subscriptions=False
     all_resources=False
     assessments=False
     bastion_logs=False
     compliance=False
     container_config=False
     diagnostic_settings=False
     file_shares=False
     key_vault_log=False
     network=False
     nsg_flow_logs=False
     portal_alerts=False
     portal_defendersettings=False
     portal_pcap=False
     portal_sensors=False
     security_center=False
     storage_accounts=False
     vm_config=False

     [azuread]
     applications=False
     azuread_audit=False
     azuread_provisioning=False
     conditional_access=False
     devices=False
     directory_roles=False
     groups=False
     identity_provider=False
     organization=False
     policies=False
     risk_detections=False
     risky_objects=False
     security=False
     service_principals=False
     signins_adfs=False
     signins_msi=False
     signins_rt=False
     signins_sp=False
     summaries=False
     users=False

     [m365]
     exo_addins=False
     exo_groups=False
     exo_inboxrules=False
     exo_mailbox=False
     powershell_calls=False
     ual=False

     [mde]
     advanced_hunting_query=False
     alerts=False
     indicators=False
     investigations=False
     library_files=False
     machine_vulns=False
     machines=False
     recommendations=False
     software=False

     [msgtrc]
     setemailaddress=
     direction=
     messageid=
     notifyaddress=
     originalclientip=
     recipientaddress=
     reporttitle=
     reporttype=
     senderaddress=
     ```
  5. Run: `goosey auth`

## Expected behavior ##

I expected to be authenticated, instead I got some unexpected errors.

## Any helpful log output or screenshots ##


I also didn't receive any Authenticator prompts despite 2FA being enabled.

victoriawallace-cisa commented 1 year ago

Hello, thank you for the detailed issue. Did you happen to run any of the following webdrivermanager commands:

```
#For Windows:
webdrivermanager firefox:v0.32.0 --linkpath AUTO
#For *nix (you might need sudo):
webdrivermanager firefox:v0.32.0 --linkpath /usr/local/bin
```

Pavel-Sushko commented 1 year ago

Here is what I get after running that webdrivermanager command:

```
(.venv) PS F:\DIR\untitledgoosetool> webdrivermanager firefox:v0.32.0 --linkpath AUTO
Downloading WebDriver for browser: "firefox"
Driver binary downloaded to: ".\.venv\WebDriverManager\gecko\v0.32.0\geckodriver-v0.32.0-win64\geckodriver.exe"
Driver copied to: .\.venv\Scripts\geckodriver.exe

(.venv) PS F:\DIR\untitledgoosetool> goosey auth
2023-03-27 14:19:36,162 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:118)
2023-03-27 14:20:49,504 - auth - WARNING - Exception happened during auth: Message:
Stacktrace:
RemoteError@chrome://remote/content/shared/RemoteError.sys.mjs:8:8
WebDriverError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:180:5
NoSuchElementError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:392:5
element.find/</<@chrome://remote/content/marionette/element.sys.mjs:134:16
 (auth.py:421)
```

victoriawallace-cisa commented 1 year ago

Do you have Firefox on your computer?

Pavel-Sushko commented 1 year ago

Yes

victoriawallace-cisa commented 1 year ago

What version of Firefox do you have? If it's not the latest version, can you update to the latest version and try again?

Pavel-Sushko commented 1 year ago

Version 111.0.1, no updates available.

victoriawallace-cisa commented 1 year ago

Can you try running webdrivermanager firefox:v0.32.0 --linkpath AUTO outside of your venv (try both as user and as an admin)? Try running goosey auth again and let us know the results.

Pavel-Sushko commented 1 year ago

I have tried both as an admin, and regular user, and the output is the same:

```
PS C:\windows\system32> webdrivermanager firefox:v0.32.0 --linkpath AUTO
webdrivermanager : The term 'webdrivermanager' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:1
+ webdrivermanager firefox:v0.32.0 --linkpath AUTO
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (webdrivermanager:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

victoriawallace-cisa commented 1 year ago

One more thing, can you try to install goose outside of the venv?

EDIT: And try to run the webdriver command as well (after the pip install).

Pavel-Sushko commented 1 year ago
```
{...}
Installing collected packages: goosey
  Attempting uninstall: goosey
    Found existing installation: goosey 1.0.0
    Uninstalling goosey-1.0.0:
      Successfully uninstalled goosey-1.0.0
  DEPRECATION: goosey is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at https://github.com/pypa/pip/issues/8559
  Running setup.py install for goosey ... done
Successfully installed goosey-1.0.0

PS F:\DIR\untitledgoosetool> webdrivermanager firefox:v0.32.0 --linkpath AUTO
webdrivermanager : The term 'webdrivermanager' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ webdrivermanager firefox:v0.32.0 --linkpath AUTO
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (webdrivermanager:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

victoriawallace-cisa commented 1 year ago

Can you make sure you have webdrivermanager in your pip packages (https://pypi.org/project/webdrivermanager/) and that it's able to be called from your terminal? It looks like webdrivermanager isn't being recognized by your terminal. You can also install the geckodriver manually.

Pavel-Sushko commented 1 year ago
```
PS C:\Users\{username}\Downloads\untitledgoosetool> pip install webdrivermanager
Requirement already satisfied: webdrivermanager in {file path} (0.10.0)
Requirement already satisfied: BeautifulSoup4 in {file path} (from webdrivermanager) (4.12.0)
Requirement already satisfied: tqdm in {file path} (from webdrivermanager) (4.65.0)
Requirement already satisfied: appdirs in {file path} (from webdrivermanager) (1.4.4)
Requirement already satisfied: requests in {file path} (from webdrivermanager) (2.28.2)
Requirement already satisfied: lxml in {file path} (from webdrivermanager) (4.9.2)
Requirement already satisfied: soupsieve>1.2 in {file path} (from BeautifulSoup4->webdrivermanager) (2.4)
Requirement already satisfied: certifi>=2017.4.17 in {file path} (from requests->webdrivermanager) (2022.12.7)
Requirement already satisfied: charset-normalizer<4,>=2 in {file path} (from requests->webdrivermanager) (2.1.1)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in {file path} (from requests->webdrivermanager) (1.26.15)
Requirement already satisfied: idna<4,>=2.5 in {file path} (from requests->webdrivermanager) (3.4)
Requirement already satisfied: colorama in {file path} (from tqdm->webdrivermanager) (0.4.6)
```

victoriawallace-cisa commented 1 year ago

You can manually download geckodriver here: https://github.com/mozilla/geckodriver/releases

Select the appropriate geckodriver from the releases page.

Afterwards, you'll need to set the path (https://firefox-source-docs.mozilla.org/testing/geckodriver/Usage.html), make sure to set the PATH variable to where the geckodriver file location is.

Pavel-Sushko commented 1 year ago

I ended up having to reboot my PC, and instead went through the route of registering an application. That seems to have fixed it, I can authenticate just fine.

victoriawallace-cisa commented 1 year ago

After rebooting, are you able to run the webdrivermanager command? Or are you able to run goosey auth without any errors? You said "went through the route of registering an application", are you talking about an Azure AD application? If so, you aren't doing the full authentication for goosey because you need both a user authentication and an application authentication.

EDIT: Looking at the original post, you'll definitely need an appid and clientsecret in there.

Pavel-Sushko commented 1 year ago

Yes, I have added the App_ID and Client_Secret. I now get the following output.

```
PS C:\Users\{username}\Downloads\untitledgoosetool> python -m webdrivermanager firefox:v0.32.0 --linkpath AUTO
Downloading WebDriver for browser: "firefox"
Driver binary downloaded to: "C:\Users\{username}\AppData\Local\rasjani\WebDriverManager\gecko\v0.32.0\geckodriver-v0.32.0-win64\geckodriver.exe"
Driver copied to: C:\Program Files (x86)\VMware\VMware Player\bin\geckodriver.exe
WARNING: Path "C:\Program Files (x86)\VMware\VMware Player\bin" is not in the PATH environment variable.

PS C:\Users\{username}\Downloads\untitledgoosetool> goosey auth
{timestamp} - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:118)
{timestamp} - auth - WARNING - Exception happened during auth: Message:
Stacktrace:
RemoteError@chrome://remote/content/shared/RemoteError.sys.mjs:8:8
WebDriverError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:180:5
NoSuchElementError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:392:5
element.find/</<@chrome://remote/content/marionette/element.sys.mjs:134:16
 (auth.py:421)
```

victoriawallace-cisa commented 1 year ago

Thanks for the feedback, I'm going to try to replicate this issue in our environment.

Pavel-Sushko commented 1 year ago

FYI: I have also tried installing the geckodriver manually, and still have the same output for auth.

Just for a bit of added context.

victoriawallace-cisa commented 1 year ago

I was able to replicate the same error. I was able to replicate the issue when I changed WebDriverWait(browser, 10) to WebDriverWait(browser, 1), which means the elements in selenium are loading too slowly.

In the auth.py file, can you change all occurrences of WebDriverWait(browser, 10) to WebDriverWait(browser, 60)? If that doesn't work, increase WebDriverWait(browser, 60) to WebDriverWait(browser, 120). There should be 27 occurrences within that file. After saving the changes to the file, please do a pip install and report if that fixes the issue.
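The maintainer's diagnosis above is that a fixed `WebDriverWait(browser, 10)` expires before the login page elements have rendered, and that a longer cap (60 or 120 seconds) masks the problem. The following is an added, stand-alone example (not code from the Untitled Goose Tool) of the "more flexible wait logic" mentioned: a polling wait with a configurable total timeout and poll interval, plus a fail-fast check so that an error banner (such as the "Incorrect password" message reported later in this thread) is surfaced immediately rather than after the full timeout. `FakeBrowser`, `FakeClock`, the selector names and the `wait_for`/`simulate` helpers are all constructed for this example; a real implementation would call a Selenium driver's `find_elements` in place of `FakeBrowser.find`.

```python
"""Added example: a WebDriverWait-style polling wait with fail-fast.

Not part of the goose tool. The browser, clock and selectors are
stand-ins so the example runs offline and deterministically.
"""
import time


class WaitTimeout(Exception):
    """Raised when the element never appears within the time cap."""


class LoginError(Exception):
    """Raised as soon as an error banner is visible on the page."""


class FakeClock:
    """Simulated clock (seconds) so polls complete instantly."""

    def __init__(self):
        self.now = 0.0

    def monotonic(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeBrowser:
    """Stand-in for a Selenium driver. The wanted element 'appears' after
    `appears_after` seconds; optionally an error banner appears instead."""

    def __init__(self, clock, appears_after, error_after=None):
        self.clock = clock
        self.appears_after = appears_after
        self.error_after = error_after

    def find(self, selector):
        """Return a stand-in element or None, like find_elements()[0] would."""
        t = self.clock.monotonic()
        if selector == "next-button" and t >= self.appears_after:
            return "<button>"
        if selector == "password-error" and self.error_after is not None and t >= self.error_after:
            return "Incorrect password"
        return None


def wait_for(browser, selector, timeout, poll=0.5, error_selector=None, clock=time):
    """Poll until `selector` is present, failing fast if `error_selector`
    shows up. `clock` needs monotonic() and sleep(); the `time` module fits."""
    deadline = clock.monotonic() + timeout
    polls = 0
    while True:
        polls += 1
        element = browser.find(selector)
        if element is not None:
            return element, polls
        if error_selector is not None:
            banner = browser.find(error_selector)
            if banner is not None:
                raise LoginError(banner)
        if clock.monotonic() >= deadline:
            raise WaitTimeout(f"{selector!r} not present after {timeout}s ({polls} polls)")
        clock.sleep(poll)


def simulate(timeout, appears_after, error_after=None):
    """Run one wait against a simulated page; return (outcome, elapsed seconds)."""
    clock = FakeClock()
    browser = FakeBrowser(clock, appears_after, error_after)
    try:
        wait_for(browser, "next-button", timeout, error_selector="password-error", clock=clock)
        outcome = "found"
    except WaitTimeout:
        outcome = "timeout"
    except LoginError:
        outcome = "login-error"
    return outcome, clock.now


if __name__ == "__main__":
    print(simulate(1, 2.0))                  # element too slow for a 1 s cap
    print(simulate(60, 2.0))                 # same page, 60 s cap: found at 2.0 s
    print(simulate(60, 999, error_after=3.0))  # error banner: fail at 3 s, not 60
```

The third case is the one worth copying: with only a timeout, a wrong password would cost the full 60 or 120 seconds per element before the tool reported anything, whereas checking for the error banner on each poll turns that into an immediate, specific failure.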

Pavel-Sushko commented 1 year ago
```
PS C:\Users\{username}\Downloads\untitledgoosetool> goosey auth --debug
2023-03-27 19:19:42,159 - auth - DEBUG - Device code selenium authority uri: https://login.microsoftonline.com/{tenant_id} (auth.py:112)
2023-03-27 19:19:42,160 - auth - DEBUG - Device code selenium resource uri: https://graph.microsoft.com/.default (auth.py:114)
2023-03-27 19:19:42,794 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:118)
Msgtrc = true
2023-03-27 19:26:21,749 - auth - INFO - Obtained audit log cookies. (auth.py:377)
2023-03-27 19:26:40,903 - auth - WARNING - Exception happened during auth: 'NoneType' object has no attribute 'get' (auth.py:421)
2023-03-27 19:27:16,307 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/{tenant_id} (auth.py:209)
2023-03-27 19:27:16,309 - auth - DEBUG - App authentication resource uri: https://graph.microsoft.com/.default (auth.py:210)
2023-03-27 19:27:17,058 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/{tenant_id} (auth.py:209)
2023-03-27 19:27:17,060 - auth - DEBUG - App authentication resource uri: https://api.securitycenter.microsoft.com/.default (auth.py:210)
2023-03-27 19:27:17,823 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/{tenant_id} (auth.py:209)
2023-03-27 19:27:17,825 - auth - DEBUG - App authentication resource uri: https://management.azure.com/.default (auth.py:210)
```

victoriawallace-cisa commented 1 year ago

Looks like you aren't running into that problem anymore. For now, you can probably gradually decrease the WebDriverWait(browser, 60) to see what wait times work for you.

For a successful auth, you'll want to see these two messages at the end:

```
Obtained audit log cookies.
Exchange cookies acquired.
```

We'll look into potentially implementing a more flexible wait logic in one of our future pull requests.

Pavel-Sushko commented 1 year ago

In the output I posted I get: Obtained audit log cookies., but I still don't get: Exchange cookies acquired.

victoriawallace-cisa commented 1 year ago

You will have to re-auth until you do get Exchange cookies acquired. Sometimes this takes multiple attempts.

EDIT: If you are still failing auth, you might want to run goosey auth --interactive --debug to see if there's an issue with the Exchange portals.

ogowen45 commented 1 year ago

On the MFA prompt I have to enter the number that is supposed to be showing on the requesting device but I am never able to see it even on goosey-gui. How can we authenticate without the MFA code to go with the prompt?

victoriawallace-cisa commented 1 year ago

> On the MFA prompt I have to enter the number that is supposed to be showing on the requesting device but I am never able to see it even on goosey-gui. How can we authenticate without the MFA code to go with the prompt?

Currently, goose does not support MFA OTP code, it currently only supports the MFA notification from Microsoft's 2FA app.

ogowen45 commented 1 year ago

It is from the Microsoft 2FA app; it just requires that the 2-digit code be entered along with the prompt in Microsoft Authenticator, which Microsoft will be making a requirement in the near future.

ogowen45 commented 1 year ago

> Note
>
> Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023. We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

victoriawallace-cisa commented 1 year ago

> > Note
> >
> > Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023. We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.
>
> https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

Thanks, as it is, the tool doesn't support that type of prompt. If you can create a feature request, we can add it to our to-do list.

Pavel-Sushko commented 1 year ago

I never get a 2FA prompt in the first place

victoriawallace-cisa commented 1 year ago

> I never get a 2FA prompt in the first place

Do you have MFA enforced via CA or just enabled? It looks like you have a partial authentication success from your earlier log. Have you tried authing until you get the exchange cookies?

Pavel-Sushko commented 1 year ago

It's enforced in our organization.

victoriawallace-cisa commented 1 year ago

What kind of MFA? Is it the notification prompt or other?

Pavel-Sushko commented 1 year ago

Notification prompt.

victoriawallace-cisa commented 1 year ago

Are you sure it's enforced via conditional access policy? If you aren't getting prompted for MFA but obtained audit log cookies, it sounds like it doesn't need the MFA since it's not required. Have you tried running goosey auth --interactive --debug to see if there's an issue with getting the Exchange cookies or to see if it's failing on the MFA prompt?

Pavel-Sushko commented 1 year ago

When running goosey auth --interactive --debug, I get the following Firefox Window:

[screenshot]

After which, another Firefox window opens, asks me for a password, but closes before I have the chance to enter one.

Then, the auth.py script finishes with the following output:

```
PS C:\Users\{username}\Downloads\untitledgoosetool> goosey auth --interactive --debug
2023-03-28 12:34:29,241 - auth - DEBUG - Device code selenium authority uri: https://login.microsoftonline.com/{tenant_id} (auth.py:112)
2023-03-28 12:34:29,241 - auth - DEBUG - Device code selenium resource uri: https://graph.microsoft.com/.default (auth.py:114)
2023-03-28 12:34:29,927 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:118)
Incorrect password. Please correct it and try again.
```

I am certain my password is correct. I just tested it.

victoriawallace-cisa commented 1 year ago

Thanks, that's very helpful! I'm going to see if I can recreate that error.

victoriawallace-cisa commented 1 year ago

Also, if your password contains % (https://github.com/cisagov/untitledgoosetool#known-issues), you will need to escape it with %%.
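The `%%` rule above comes from Python's `configparser`, which treats `%` as its interpolation escape when it reads values such as the `.conf` password. The following is an added example (not the goose tool's own code) that shows what actually happens to a credential containing `%`: a bare `%` raises an interpolation error when the value is read, a `%(...)s` sequence is silently replaced with another key's value, and doubling the `%` (or disabling interpolation) returns the intended string. The `[auth]` section and key names mirror the `.conf` shown in this issue; the password values and the `escape_for_conf`/`check` helpers are constructed for this example.

```python
"""Added example: why a '%' in a configparser-backed .conf value must be '%%'.

Not part of the goose tool. Section/key names follow the .conf in the
issue; the sample passwords are constructed.
"""
import configparser

RAW_PASSWORD = "p%ssw0rd"  # constructed sample credential containing '%'


def escape_for_conf(value: str) -> str:
    """Escape a literal value for a ConfigParser file that uses interpolation."""
    return value.replace("%", "%%")


def build_conf(password: str) -> str:
    """Build a minimal [auth] section with the password stored as given."""
    return f"[auth]\nusername=username\npassword={password}\n"


def read_password(conf_text: str, interpolate: bool = True) -> str:
    """Parse the section and return the password as the tool would receive it.

    With the default BasicInterpolation, '%' is special; with
    interpolation=None the value is returned verbatim."""
    if interpolate:
        parser = configparser.ConfigParser()            # default: BasicInterpolation
    else:
        parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get("auth", "password")               # interpolation happens here


def check(password_in_file: str, interpolate: bool = True):
    """Return ('ok', value) or ('error', message) for a stored password."""
    try:
        return ("ok", read_password(build_conf(password_in_file), interpolate))
    except configparser.InterpolationError as exc:      # covers syntax + missing-option errors
        return ("error", str(exc))


if __name__ == "__main__":
    print(check(RAW_PASSWORD))                      # ('error', "'%' must be followed by ...")
    print(check(escape_for_conf(RAW_PASSWORD)))     # ('ok', 'p%ssw0rd')
    print(check(RAW_PASSWORD, interpolate=False))   # ('ok', 'p%ssw0rd')
    print(check("x%(username)s"))                   # ('ok', 'xusername'): silent substitution
```

The last case is the subtle one: a password containing `%(username)s` does not error, it is quietly rewritten using the `username` key from the same section, so the tool sends a different credential than the one the operator typed. Escaping every `%` as `%%` before writing the file avoids both failure modes.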

Pavel-Sushko commented 1 year ago

I saw that. My password is entered according to those guidelines.

victoriawallace-cisa commented 1 year ago

@Pavel-Sushko Can you grab the latest version of the tool and test it out again? The MFA portion might be where it's hanging up, but if that's the case, you might have to wait for an update that addresses the different MFA types.

Pavel-Sushko commented 1 year ago

Just tried with Python 3.10.10. Here is what my output looks like:

```
PS C:\Users\USER\Downloads\untitledgoosetool> goosey auth --secure --debug
Please type your username: [REDACTED]
Please type your password:
Please type your application client id: [REDACTED]
Please type your client secret:
Please type the password for file encryption:
2023-04-05 21:14:12,658 - auth - DEBUG - Encrypted the .auth file! (auth.py:753)
2023-04-05 21:14:12,804 - auth - DEBUG - Encrypted the .ugt_auth file! (auth.py:607)
2023-04-05 21:14:12,806 - auth - DEBUG - No auth file and no encrypted auth file detected. (auth.py:621)
2023-04-05 21:14:12,806 - auth - DEBUG - Device code selenium authority uri: [REDACTED] (auth.py:110)
2023-04-05 21:14:12,806 - auth - DEBUG - Device code selenium resource uri: [REDACTED] (auth.py:112)
2023-04-05 21:14:13,440 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:117)
2023-04-05 21:15:38,733 - auth - INFO - Attempting to automatically auth as an user. You may have to accept MFA prompts. (auth.py:239)
2023-04-05 21:15:44,699 - auth - DEBUG - M365 authentication set to True. Pulling authentication information. (auth.py:244)
2023-04-05 21:16:58,524 - auth - DEBUG - Opening second tab: Exchange Control Panel (auth.py:298)
2023-04-05 21:17:44,223 - auth - DEBUG - Completed loading second window! (auth.py:311)
2023-04-05 21:17:45,378 - auth - DEBUG - Opening third tab: Admin Exchange Portal (auth.py:317)
2023-04-05 21:18:30,157 - auth - DEBUG - Completed loading third window! (auth.py:334)
2023-04-05 21:18:31,183 - auth - DEBUG - Switching back to first tab: Audit Log Search. (auth.py:339)
2023-04-05 21:18:46,297 - auth - INFO - First tab: Obtained audit log cookies. (auth.py:356)
2023-04-05 21:18:46,338 - auth - INFO - Third tab: Obtained Exchange cookies. (auth.py:366)
2023-04-05 21:18:46,359 - auth - WARNING - Exception happened during auth: 'NoneType' object has no attribute 'get' (auth.py:389)
2023-04-05 21:18:53,008 - auth - INFO - User authentication complete. (auth.py:398)
2023-04-05 21:18:57,089 - auth - DEBUG - App Authentication authority uri: [REDACTED] (auth.py:212)
2023-04-05 21:18:57,089 - auth - DEBUG - App authentication resource uri: [REDACTED] (auth.py:213)
2023-04-05 21:18:57,350 - auth - ERROR - There was an issue with your application auth: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app [REDACTED].
Trace ID: [REDACTED]
Correlation ID: [REDACTED]
Timestamp: 2023-04-06 01:18:57Z (auth.py:218)
```

I am certain my client secret is correct. I, however, have yet to receive an MFA request.

victoriawallace-cisa commented 1 year ago

@Pavel-Sushko The client secret that you have provided must have been incorrect as that error message is directly from Microsoft. If it helps, you can also mix and match credentials in the .auth file. We've updated to make it as flexible as possible with regards to users inputting credentials in the prompt and/or the .auth file. After running goosey auth --secure, the .auth file will become encrypted.

However, looking at the debugging logs, it looks like the device code authentication and the interactive login failed.

If you are able to, I'd suggest running goosey auth --interactive --debug --secure to see where the hang up is. Please note, if you want to be prompted for credentials, the prompt for credentials will happen before the browser pops up. Another note, when you run goosey auth with --interactive you will want to make sure the browser screen is in focus and not interfere with the automation. Can you report back what you're seeing on the screen?

Pavel-Sushko commented 1 year ago

Here is my new Output:

```
PS C:\Users\USERNAME\Downloads\untitledgoosetool> goosey auth --secure --debug --interactive
Please type the password for file encryption:
2023-04-06 15:46:33,416 - auth - DEBUG - Decrypted the .auth file! (auth.py:739)
Please type your username: email@example.com
Please type your password:
2023-04-06 15:46:54,851 - auth - DEBUG - Encrypted the .auth file! (auth.py:753)
2023-04-06 15:46:54,990 - auth - DEBUG - Decrypted the .ugt_auth file! (auth.py:599)
2023-04-06 15:46:55,134 - auth - DEBUG - Encrypted the .ugt_auth file! (auth.py:607)
2023-04-06 15:46:55,136 - auth - DEBUG - No auth file and no encrypted auth file detected. (auth.py:621)
2023-04-06 15:46:55,136 - auth - DEBUG - Device code selenium authority uri: https://login.microsoftonline.com/TENANT-ID (auth.py:110)
2023-04-06 15:46:55,137 - auth - DEBUG - Device code selenium resource uri: https://graph.microsoft.com/.default (auth.py:112)
2023-04-06 15:46:55,418 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:117)
2023-04-06 15:47:54,863 - auth - INFO - Attempting to automatically auth as an user. You may have to accept MFA prompts. (auth.py:239)
2023-04-06 15:48:04,362 - auth - DEBUG - M365 authentication set to True. Pulling authentication information. (auth.py:244)
2023-04-06 15:49:24,616 - auth - WARNING - Exception happened during auth: Message: Tried to run command without establishing a connection
 (auth.py:389)
2023-04-06 15:49:26,657 - auth - INFO - User authentication complete. (auth.py:398)
2023-04-06 15:49:30,696 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/TENANT-ID (auth.py:212)
2023-04-06 15:49:30,697 - auth - DEBUG - App authentication resource uri: https://graph.microsoft.com/.default (auth.py:213)
2023-04-06 15:49:30,998 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/TENANT-ID (auth.py:212)
2023-04-06 15:49:30,999 - auth - DEBUG - App authentication resource uri: https://api.securitycenter.microsoft.com/.default (auth.py:213)
2023-04-06 15:49:31,302 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/TENANT-ID (auth.py:212)
2023-04-06 15:49:31,303 - auth - DEBUG - App authentication resource uri: https://management.azure.com/.default (auth.py:213)
2023-04-06 15:49:31,983 - auth - DEBUG - Encrypted the .ugt_auth file! (auth.py
```

bwjohnson207 commented 1 year ago

> > Note
> >
> > Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023. We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.
> >
> > https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
>
> Thanks, as it is, the tool doesn't support that type of prompt. If you can create a feature request, we can add it to our to-do list.

Damn so if I have that enabled, the tool doesn't currently support that? I seem to be hitting the same road block.

victoriawallace-cisa commented 1 year ago

> > > Note
> > >
> > > Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023. We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.
> > >
> > > https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
> >
> > Thanks, as it is, the tool doesn't support that type of prompt. If you can create a feature request, we can add it to our to-do list.
>
> Damn so if I have that enabled, the tool doesn't currently support that? I seem to be hitting the same road block.

Currently, the tool only supports push notification MFA. Additional MFA methods may be available in a later update.

victoriawallace-cisa commented 1 year ago

@Pavel-Sushko We added a MFA notification check (in an earlier post, you indicated that you do use push notifications for MFA). This might help determine where the failure is that you're running into. Please download and install the latest version of Untitled Goose Tool, and see if you receive a message The MFA request was not approved in time.

victoriawallace-cisa commented 1 year ago

@Pavel-Sushko We also added more support for different MFA methods (number matching, app OTP code, and SMS OTP code). Please try it out and let us know how it goes.

victoriawallace-cisa commented 1 year ago

No response received, closing this issue.

Pavel-Sushko commented 1 year ago

Sorry for not responding yet. I haven't had the time. I'll be looking into this issue by the end of the week.