Open dt-flo opened 1 year ago
Have you tried separating the securestring conversion? This solved the issue for me when working with certificate based authentication.
e.g. $Secure_String_AppSecret = ConvertTo-SecureString $cred[1]
> Have you tried separating the securestring conversion? This solved the issue for me when working with certificate based authentication.
> e.g. $Secure_String_AppSecret = ConvertTo-SecureString $cred[1]
I did, I had to modify another Microsoft library on my computer. My colleagues also want to use M365DSC and it would be nice if it worked out of the box without having to modify other libraries on the system.
What other libraries did you modify? Usually, M365DSC works out of the box. We have seen similar issues with other modules that did not export functions properly.
Receiving the same error with unmodified libraries in PowerShell 7.3.6
Exception: Cannot bind parameter 'AccessToken'. Cannot convert the "eyJ0************** " value of type "System.String" to type "System.Security.SecureString".
> What other libraries did you modify? Usually, M365DSC works out of the box. We have seen similar issues with other modules that did not export functions properly.
I cannot recall what the name was exactly, but it was something like "microsoft client authentication helper".
Note that without modifying anything, M365DSC does not work and produces the error above, as also said by @DVDNetworksGithub. It does not work out of the box, unfortunately.
Was it MSCloudLoginAssistant? This is the module used to create the authentication context for M365DSC.
> Was it MSCloudLoginAssistant? This is the module used to create the authentication context for M365DSC.
Yes, that was the module.
I receive exactly the same error with both PowerShell 5.1 and PowerShell 7.3.6. In both cases it's the module MSCloudLoginAssistant, version 1.0.117. Customizing the module to convert the access token to a secure string will solve the issue. Microsoft365DSC cannot be used for any automation pipelines at the moment due to this issue.
Also experiencing this issue:
MSCloudLoginAssistant: 1.0.117
Microsoft365DSC: 1.23.719.1
Error:
Authentication methods specified:
- Service Principal with Application Secret
Partial Export file was saved at: C:\Users\user\AppData\Local\Temp\c34e0113-93e8-4a17-bdfb-60e5d5657491.partial.ps1
Exception: Cannot bind parameter 'AccessToken'. Cannot convert the "longkeyhere" value of type "System.String" to type "System.Security.SecureString".
MSCloudLoginAssistant 1.0.119 will fix this. This is due to a new way of handling the AccessToken parameter as a SecureString in Graph SDK 2.0.
Linking to #3527
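Added example, not written by any participant in this thread and not MSCloudLoginAssistant's own code: one way a caller can avoid the String/SecureString binding error described above is to ask the installed Graph SDK which type `Connect-MgGraph -AccessToken` expects and convert the token to that type. The function names and the sample token are hypothetical.

```powershell
# Added illustration; function names are hypothetical, not MSCloudLoginAssistant code.

function Get-AccessTokenParameterType {
    # Ask the installed Graph SDK which type -AccessToken binds to
    # ([string] before Graph SDK 2.0, [securestring] from 2.0 on).
    param([string] $CommandName = 'Connect-MgGraph')
    $command = Get-Command -Name $CommandName -ErrorAction Stop
    return $command.Parameters['AccessToken'].ParameterType
}

function ConvertTo-BindableToken {
    # Return the token in the type the target parameter accepts.
    param(
        [Parameter(Mandatory)] [object] $Token,
        [Parameter(Mandatory)] [type]   $TargetType
    )
    if ($Token -is $TargetType) { return $Token }
    if ($TargetType -eq [securestring] -and $Token -is [string]) {
        # The token already exists as plain text in memory, so -AsPlainText
        # changes only the type, not the exposure.
        return ConvertTo-SecureString -String $Token -AsPlainText -Force
    }
    if ($TargetType -eq [string] -and $Token -is [securestring]) {
        # Older SDK: unwrap the SecureString back to plain text.
        return [System.Net.NetworkCredential]::new('', $Token).Password
    }
    throw "Cannot convert $($Token.GetType().FullName) to $($TargetType.FullName)"
}

# Constructed sample value, not a real token.
$sampleToken = 'eyJ0.constructed-sample.token'

# Round trip without needing the Graph module installed.
$asSecure = ConvertTo-BindableToken -Token $sampleToken -TargetType ([securestring])
$asPlain  = ConvertTo-BindableToken -Token $asSecure    -TargetType ([string])
$asSecure.GetType().FullName
$asPlain -eq $sampleToken

# With Microsoft.Graph.Authentication installed:
# $token = ConvertTo-BindableToken -Token $sampleToken -TargetType (Get-AccessTokenParameterType)
# Connect-MgGraph -AccessToken $token
```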
I have the same issue when using Application Secrets Authentication:
Export-M365DSCConfiguration -ApplicationId 26cXXXX -TenantId XXXX.onmicrosoft.com -ApplicationSecret 0oR8QXXXXX -Workloads @("intune") -Path c:\Export_Secret.
will generate the cannot bind parameter 'AccessToken' At C:\Program Files\WindowsPowerShell\Modules\MSCloudLoginAssistant\1.0.118\Workloads\MicrosoftGraph.psm1:126 char:46
However, as a workaround, if you create a certificate and run the same command (using the same app reg & permissions), it will work: Export-M365DSCConfiguration -ApplicationId 26cXXX -TenantId XXX.onmicrosoft.com -CertificateThumbprint 19XXXX -Workloads @("intune") -Path c:\Export_Cert
Updating to MSCloudLoginAssistant 1.0.119 did the trick for me. Annoying that Update-M365DSCModule doesn't resolve this dependency.
Even with MSCloudLoginAssistant 1.0.119 I'm still having this issue, both with an Application ID and with user credentials.
New-Object : Cannot find type [MSCloudLoginConnectionProfile]: verify that the assembly containing this type is loaded. At line:32 char:18
+ CategoryInfo : InvalidType: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
1.23.809.1 Microsoft365DSC
1.0.119 MSCloudLoginAssistant
The latest version (1.23.809.1) has now resolved this and I can successfully export using an application secret.
Details of the scenario you tried and the problem that is occurring
ISSUE DESCRIPTION: My problem is that I try to connect to M365 with the following command
Export-M365DSCConfiguration -ApplicationID $cred[0] -TenantId ****.onmicrosoft.com -ApplicationSecret $cred[1] -Components @("AADConditionalAccessPolicy")
and I receive the following error message (that means the program successfully retrieved an access token):
Verbose logs showing the problem
Suggested solution to the issue
The DSC configuration that is used to reproduce the issue (as detailed as possible)
The operating system the target node is running
OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : de-DE
OsMuiLanguages : {de-DE, en-US}
Version of the DSC module that was used ('dev' if using current dev branch)
1.20.723.1
I tried PowerShell 5.1.22621.1778 and 7.3.5