Open christianarg opened 4 years ago
@christianarg by chance do the customers in question have Security Defaults enabled?
No. But most of them have MFA conditional access rules with the AD Premium licences we sell them. Please don't tell me that a customer can't have MFA conditional access rules or Security Defaults in order for the Secure App Model to work properly.
@christianarg you should not be impacted by conditional access rules that enforce multi-factor authentication. There is a possibility that the refresh token you are using could be missing the expected claim, which would explain why it is failing. However, I do not think that is your issue because you said things are working for other customers. When you try to access the EAC using your partner credentials, are you prompted for MFA, or does it only happen when you authenticate?
We are prompted for MFA when generating the refresh token
$token = New-PartnerAccessToken -Module ExchangeOnline
But obviously we're not prompted for MFA when using it to connect to Exchange Online with New-PSSession (our scripts are executed as part of a process, in Azure Automation; there is no human interaction).
As I said before, it works perfectly and we use the refresh token to get a new refresh token automatically on a daily basis. But approx. every 2 weeks it gives the error mentioned in my OP.
We have the same issue. Secure App Model works fine for all customers, even those having conditional access enabled, but fails for all customers having the "Allow users to remember multi-factor authentication on devices they trust. Days before a device must re-authenticate (1-60):" option enabled. To my understanding, with the Secure App Model, we as Partners should have all permissions, regardless of any security rules specific customers have.
Wondering if this is expected behavior or it's a bug on the MS side.
Any thoughts or info?
Regards,
Pavle Kukric
@pavlekukric we identified the same issue. Strange thing is that this only applies for the exchange online token https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0#exchange-online-powershell
The "other token" (user_impersonation) is not affected by having the "Allow users to remember multi-factor authentication on devices they trust. Days before a device must re-authenticate (1-60):" option checked.
We have the same issue with MFA "expiring" for Exchange Online refresh tokens, where it does not for the main PartnerCenter user impersonation tokens.
Steps to reproduce
It seems to be related to https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Refresh-token-lifetime-error-AADSTS50076/td-p/8204, but for those customers it is not a solution to uncheck "Allow users to remember multi-factor authentication...". Our customers want this.
We use the Exchange refresh token daily to generate new refresh tokens. Yet for a few tenants we get this error. In fact there are many tenants with this option checked that don't return this error.
The only way to solve this is to manually regenerate the Exchange Online refresh token with New-PartnerAccessToken -Module ExchangeOnline + user + app + approve MFA.
Expected behavior
To connect with Secure App Model PowerShell without errors using the daily regenerated refresh token.
(Edit: fixed link to techcommunity)
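The daily rotation described in this thread, written out as an added example (not code from the issue or from the Partner Center module): an Azure Automation runbook exchanges the stored Exchange Online refresh token for a new access/refresh token pair, persists the rotated refresh token, connects with New-PSSession, and treats AADSTS50076 as the "MFA claim expired, needs interactive regeneration" case rather than a transient failure. Assumed: the PartnerCenter module is imported, the Automation account holds encrypted variables `ExoRefreshToken` and `PartnerUpn` (hypothetical names), and the application id is the Exchange Online PowerShell app id used in the Microsoft docs linked above.

```powershell
param(
    [Parameter(Mandatory)] [string] $CustomerTenantId   # tenant id of the delegated customer
)

# Exchange Online PowerShell application id as used in the linked Partner Center docs (assumed unchanged).
$exoAppId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
# Hypothetical Automation variables: the partner UPN that approved MFA when the token was
# first created with "New-PartnerAccessToken -Module ExchangeOnline", and the current refresh token.
$upn     = Get-AutomationVariable -Name 'PartnerUpn'
$refresh = Get-AutomationVariable -Name 'ExoRefreshToken'

try {
    # Exchange the stored refresh token for a fresh access token (and a new refresh token).
    $token = New-PartnerAccessToken -ApplicationId $exoAppId `
        -RefreshToken $refresh `
        -Scopes 'https://outlook.office365.com/.default' `
        -Tenant $CustomerTenantId
}
catch {
    # AADSTS50076 is the failure reported in the thread: once the customer's "remember MFA on
    # trusted devices" window has elapsed, the refresh token can no longer satisfy the MFA
    # claim non-interactively. Retrying will not help; a human must regenerate the token.
    if ($_.Exception.Message -match 'AADSTS50076') {
        Write-Error ("Tenant {0}: MFA claim expired (AADSTS50076). Run " +
            "'New-PartnerAccessToken -Module ExchangeOnline' interactively and update ExoRefreshToken.") -f $CustomerTenantId
        return
    }
    throw   # anything else is unexpected; let the runbook fail visibly
}

# Persist the rotated refresh token before using the session, so the next daily run has the newest one.
if ($token.RefreshToken -and $token.RefreshToken -ne $refresh) {
    Set-AutomationVariable -Name 'ExoRefreshToken' -Value $token.RefreshToken
}

# Connect to the customer's Exchange Online as the delegated admin, passing the access token as a bearer credential.
$secureBearer = ConvertTo-SecureString "Bearer $($token.AccessToken)" -AsPlainText -Force
$exoCred = New-Object System.Management.Automation.PSCredential($upn, $secureBearer)
$uri = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=$CustomerTenantId&BasicAuthToOAuthConversion=true"
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
    -Credential $exoCred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# Minimal read-only check that the delegated session works, then clean up.
Get-OrganizationConfig | Select-Object Name, DisplayName
Remove-PSSession $session
```

Logging the AADSTS50076 branch per tenant makes it easy to see which customers hit the roughly two-week expiry the thread describes, instead of discovering it when the nightly job silently stops.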