microsoft / CSS-Exchange

Exchange Server support tools and scripts
MIT License

Error running script with -CreateAzureApplication when account has MFA enabled #2098

Closed wmckay85 closed 2 weeks ago

wmckay85 commented 4 weeks ago

According to the directions, I can run the command below to create the application in Azure:

CVE-2023-23397.ps1 -CreateAzureApplication

Expected behavior

I expect this to open a browser window to authenticate, and I use my account to do so.

Script Output

I am sent to a "Localhost:8004" page which has an error, then the script returns the message below.

"Unable to acquire an authorization code from the Microsoft Azure Active Directory endpoint."

Additional context

When this has happened to me running other commands, I would use a device code to authenticate; however, I do not know a workaround, as this is not my script and I am quite inexperienced and do not know the best way to rewrite this script.

E.g., the cmdlet with the -Device parameter seems to work for me in other cases:

Connect-MsolService -Device

lusassl-msft commented 3 weeks ago

@wmckay85 I was not able to reproduce the issue which you describe here. Running the latest version of the script works fine:

CVE-2023-23397.ps1 -CreateAzureApplication

Do you use any software that sends all connections through a local proxy, as some anti-virus solutions do? The Start-LocalListener function starts a local listener using HTTP and port 8004. The error in your screenshot, ERR_SSL_PROTOCOL_ERROR, seems to indicate that, for whatever reason, the connection was established to an HTTPS endpoint.

wmckay85 commented 3 weeks ago

We do run SentinelOne on our work computers. I might be able to ask nicely to have that paused or otherwise allow this action to happen; maybe it will have something in the logs to say what it did (if anything).

lusassl-msft commented 3 weeks ago

That could be the reason. You can try starting the local listener and then opening the URL in the browser to see what happens and which certificate is presented.

Just copy the following code into a new PowerShell window: https://raw.githubusercontent.com/microsoft/CSS-Exchange/291801ff25bc10c030a2780d5d3af8a0d94df387/Shared/Helpers/Start-LocalListener.ps1

Run it like this:

Start-LocalListener -Verbose

Open a browser and call the following URL:

http://localhost:8004/code=abc
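The two comments above describe the thing being diagnosed: a plain-HTTP loopback listener on port 8004 that receives the authorization-code redirect, and a browser that instead appears to be speaking HTTPS to it. The following PowerShell is an added example written for this page; it is not the repository's Start-LocalListener and not code posted by either participant. It binds raw TCP on 127.0.0.1:8004 and inspects the first bytes the browser sends: a TLS handshake record (content type 0x16, version 0x03) means the browser upgraded http:// to https://, and replying to it with plain HTTP is exactly what produces ERR_SSL_PROTOCOL_ERROR in the browser; an ASCII request line means plain HTTP worked, and the code= value is extracted (both the OAuth shape /?code=... and the thread's /code=abc test URL are accepted). The function name, parameter names and the result object are assumptions for illustration; only the port, the URL shape, the error name and the "Authentication complete" text come from the thread.

```powershell
# Added example for this page, not the CSS-Exchange project's own listener.
# Assumptions: function/parameter names and the result object are illustrative;
# port 8004, the code= parameter and the completion text follow the thread.

function Receive-AuthCodeOrDiagnose {
    [CmdletBinding()]
    param(
        [int]$Port = 8004,           # port the real script's listener uses
        [int]$TimeoutSeconds = 120   # how long to wait for the browser redirect
    )

    $listener = New-Object System.Net.Sockets.TcpListener -ArgumentList @([System.Net.IPAddress]::Loopback, $Port)
    $listener.Start()
    Write-Verbose "Listening on 127.0.0.1:$Port (plain TCP, no TLS). Open http://localhost:$Port/code=abc in the browser under test."

    try {
        # Poll so a stuck browser does not block the console forever.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while (-not $listener.Pending()) {
            if ((Get-Date) -gt $deadline) { throw "No browser connected to port $Port within $TimeoutSeconds seconds." }
            Start-Sleep -Milliseconds 200
        }

        $client = $listener.AcceptTcpClient()
        $client.ReceiveTimeout = 5000
        try {
            $stream = $client.GetStream()
            $buffer = New-Object byte[] 4096
            $read   = $stream.Read($buffer, 0, $buffer.Length)
            if ($read -le 0) { throw "Browser connected but sent no data." }

            # A TLS record begins with ContentType 0x16 (handshake) and major version 0x03.
            # A plain HTTP request begins with an ASCII method such as "GET ".
            $isTls = ($read -ge 2 -and $buffer[0] -eq 0x16 -and $buffer[1] -eq 0x03)

            if ($isTls) {
                $result = 'TlsClientHello'
                $code   = $null
                $detail = 'Browser sent a TLS ClientHello to the plain-HTTP port: it is using https://localhost:' + $Port +
                          '. Check HTTPS-only mode, an HTTPS-upgrading extension, or a local proxy.'
                $status = '400 Bad Request'
                $bodyText = 'Plain HTTP listener received a TLS handshake.'
                # Answering a ClientHello with plain HTTP is what the browser reports as ERR_SSL_PROTOCOL_ERROR.
            }
            else {
                $request     = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
                $requestLine = ($request -split "`r?`n")[0]
                $detail      = $requestLine
                # Accept "/?code=..." (OAuth redirect) as well as "/code=abc" (the thread's manual test).
                if ($requestLine -match 'code=([^&\s]+)') {
                    $result   = 'AuthCode'
                    $code     = $Matches[1]
                    $status   = '200 OK'
                    $bodyText = 'Authentication complete. You can return to the application. Feel free to close this browser tab.'
                }
                else {
                    $result   = 'NoCode'
                    $code     = $null
                    $status   = '400 Bad Request'
                    $bodyText = 'No authorization code found in the request.'
                }
            }

            # Minimal HTTP/1.1 response; Connection: close so the browser does not keep the socket open.
            $bodyBytes   = [System.Text.Encoding]::UTF8.GetBytes($bodyText)
            $header      = "HTTP/1.1 $status`r`nContent-Type: text/plain; charset=utf-8`r`nContent-Length: $($bodyBytes.Length)`r`nConnection: close`r`n`r`n"
            $headerBytes = [System.Text.Encoding]::ASCII.GetBytes($header)
            $stream.Write($headerBytes, 0, $headerBytes.Length)
            $stream.Write($bodyBytes, 0, $bodyBytes.Length)
            $stream.Flush()

            [pscustomobject]@{ Result = $result; Code = $code; Detail = $detail }
        }
        finally { $client.Close() }
    }
    finally { $listener.Stop() }
}
```

Run Receive-AuthCodeOrDiagnose -Verbose in one PowerShell window, then open http://localhost:8004/code=abc in the browser whose behaviour you want to test. Result TlsClientHello means the browser silently upgraded the redirect to HTTPS (the case in this thread); AuthCode with Code abc means plain HTTP reached the listener, which is what the Firefox test in the thread showed.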

wmckay85 commented 3 weeks ago

It might also have something to do with having Windows Admin Center still installed on my laptop; it doesn't say which cert I'm using at https://localhost:8004/code=abc. I'm going to remove that, since I don't really need it running locally, and see if anything changes.

Brain fart, I forgot to try a different browser. I was doing all this in Edge, as it is normally what I use for work, but I have Firefox installed as well. In Firefox I get "Authentication complete. You can return to the application. Feel free to close this browser tab." as a result from http://localhost:8004/code=abc

lusassl-msft commented 2 weeks ago

@wmckay85 we automatically launch the default browser (that's why it launches Edge on your machine). I'm not sure why the connection is redirected to https. There was a feature available in Edge which did automatic forwarding from http to https when enabled. However, I no longer find the feature in Edge (see: https://learn.microsoft.com/en-us/answers/questions/988950/edge-redirecting-http-to-https). Maybe there is an extension installed which does the same?

wmckay85 commented 2 weeks ago

The "fix" was setting firefox as the default for this. I'm sure someone could figure out a better way but it worked for me.

lusassl-msft commented 2 weeks ago

Okay, thanks for confirming that it works when using Firefox. Will close this issue.