"Access is denied" M365 with MFA

[andreasmalta]

I cannot seem to get the settings to work, but I do have the Azure Active Directory Security defaults turned on. (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) I'm getting the following error:

TerminatingError(New-PSSession): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic." At line:77 char:3

• Write-Log -Level "FATAL" -Message "Failed to fetch Global Add ...

• 
  + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
  + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-Log

[grahamr975]

andreasmalta,

After looking over their documentation, I've found Azure Active Directory Security defaults only supports Modern authentication. I've been working on adding modern authentication because legacy authentication is being depreciated soon. See the issue #6 for more information. Unfortunately, you'll need wait until the next update is released.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

To give your users easy access to your cloud apps, Azure AD supports a variety of authentication protocols, including legacy authentication. Legacy authentication is a term that refers to an authentication request made by:

Clients that don't use modern authentication (for example, an Office 2010 client).

[grahamr975]

I just published a new branch that I'm still testing that uses modern authentication. Please let me know how this works for you.

https://github.com/grahamr975/EWS-Office365-Contact-Sync/tree/oauth_migration

[andreasmalta]

I'm testing it, but so far with similar results. Only difference in the setup is the -ModernAuth right?

[grahamr975]

The script fails for you at Get-GalContacts.ps1, which fetches the contacts from the O365 server using Exchange Online Powershell. I've not yet enabled Modern Authentication for this portion of the script, as basic authentication for Exchange Online Powershell is not being depreciated until later in 2021. This is on my to-do list for after EWS is fully migrated to Modern Auth.

[rypto]

Hi grahamr975,

Iv'e managed to run the script as per your description and I get the following.. not sure what's going on

`2020-08-21 16:04:26 INFO Beginning contact sync for myname@mail.com's mailbox VERBOSE: Loading module from path 'C:\Temp\EWS-Office365-Contact-Sync-master\EWSContacts\Module\bin\Microsoft.Exchange.WebServices.dll'. VERBOSE: Using EWS dll from Local Directory VERBOSE: Using Modern Auth VERBOSE: Loading module from path 'C:\Temp\EWS-Office365-Contact-Sync-master\EWSContacts\Module\bin\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'. PS>TerminatingError(New-Object): "A constructor was not found. Cannot find an appropriate constructor for type Microsoft.Exchange.WebServices.Data.OAuthCredentials."

TerminatingError(New-Object): "A constructor was not found. Cannot find an appropriate constructor for type Microsoft.Exchange.WebServices.Data.OAuthCredentials." TerminatingError(New-Object): "A constructor was not found. Cannot find an appropriate constructor for type Microsoft.Exchange.WebServices.Data.OAuthCredentials." 2020-08-21 16:04:26 ERROR Failed to Sync-ContactList for myname@mail.com A constructor was not found. Cannot find an appropriate constructor for type Microsoft.Exchange.WebServices.Data.OAuthCredentials.

---

Windows PowerShell transcript end End time: 20200821160426`

[Noiden]

@grahamr975 any update on this? Thanks.

[grahamr975]

This should now be fixed with the new ModernAuthenication version of the script. Please download and install the latest version.