microsoft / nav-arm-templates

ARM (Azure Resource Manager) templates for Microsoft Dynamics NAV
MIT License

Office 365 integration with MFA (AADSTS50076) #153

Closed Arthurvdv closed 3 years ago

Arthurvdv commented 3 years ago

I'm having some trouble setting up a development environment from aka.ms/getbc, where the admin-account has MFA enabled.


When providing the credentials Office365User Name and Office365Password with the admin account of our Azure AD, the setup fails;

11:09:13 AM One or more errors occurred.: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.

Is it possible to support this scenario or is the combination with MFA not possible?


<font color="Gray">10:39:58 AM Running Windows Server 2019 Datacenter</font>
<font color="Gray">10:39:58 AM Initialize, user: testazuread$</font>
<font color="Gray">10:39:58 AM TemplateLink: https://raw.githubusercontent.com/Microsoft/nav-arm-templates/master/getbc.json</font>
<font color="Gray">10:40:30 AM Installing PowerShellGet 2.2.1</font>
<font color="Gray">10:40:47 AM Installing Internet Information Server (this might take a few minutes)</font>
<font color="Gray">10:43:11 AM Downloading C:\inetpub\wwwroot\default.aspx</font>
<font color="Gray">10:43:11 AM Downloading C:\inetpub\wwwroot\status.aspx</font>
<font color="Gray">10:43:11 AM Downloading C:\inetpub\wwwroot\line.png</font>
<font color="Gray">10:43:11 AM Downloading C:\inetpub\wwwroot\Microsoft.png</font>
<font color="Gray">10:43:12 AM Downloading C:\inetpub\wwwroot\web.config</font>
<font color="Gray">10:43:12 AM Creating Connect.rdp</font>
<font color="Gray">10:43:12 AM Turning off IE Enhanced Security Configuration</font>
<font color="Gray">10:43:12 AM Downloading c:\myfolder\SetupWebClient.ps1</font>
<font color="Gray">10:43:12 AM Downloading c:\demo\SetupDesktop.ps1</font>
<font color="Gray">10:43:12 AM Downloading c:\demo\SetupNavContainer.ps1</font>
<font color="Gray">10:43:12 AM Downloading c:\demo\SetupVm.ps1</font>
<font color="Gray">10:43:13 AM Downloading c:\demo\SetupStart.ps1</font>
<font color="Gray">10:43:13 AM Downloading c:\demo\restartContainers.ps1</font>
<font color="Gray">10:43:14 AM Downloading C:\DEMO\Install-VS2017Community.ps1</font>
<font color="Gray">10:43:16 AM Restarting computer and start Installation tasks</font>
<font color="Gray">10:45:38 AM SetupStart, User: testazuread$</font>
<font color="Gray">10:45:42 AM Installing Latest Business Central Container Helper from PowerShell Gallery</font>
<font color="Gray">10:46:03 AM Using BcContainerHelper version 1.0.6</font>
<font color="Gray">10:46:03 AM Installing ACME-PS PowerShell Module</font>
<font color="Gray">10:46:39 AM Using Lets Encrypt certificate</font>
<font color="Gray">10:48:33 AM Installing Az module</font>
<font color="Gray">10:51:37 AM Installing AzureAD module</font>
<font color="Gray">10:51:53 AM Installing SqlServer module</font>
<font color="Gray">10:52:49 AM Register RestartContainers Task to start container delayed</font>
<font color="Gray">10:52:55 AM Launch SetupVm</font>
<font color="Gray">10:53:00 AM SetupVm, User: vmadmin</font>
<font color="Gray">10:53:02 AM Starting docker</font>
<font color="Gray">10:53:02 AM Enabling Docker API</font>
<font color="Gray">10:53:04 AM Enabling File Download in IE</font>
<font color="Gray">10:53:04 AM Enabling Font Download in IE</font>
<font color="Gray">10:53:04 AM Show hidden files and file types</font>
<font color="Gray">10:53:04 AM Disabling Server Manager Open At Logon</font>
<font color="Gray">10:53:04 AM Add Import bccontainerhelper to PowerShell profile</font>
<font color="Gray">10:53:04 AM Adding Landing Page to Startup Group</font>
<font color="Gray">10:53:06 AM Pulling mcr.microsoft.com/dynamicsnav:10.0.17763.1457-generic (this might take some time)</font>
<font color="Gray">10:53:12 AM 10.0.17763.1457-generic: Pulling from dynamicsnav</font>
<font color="Gray">11:05:53 AM d171df54237d: Pull complete</font>
<font color="Gray">11:05:53 AM Digest: sha256:808eaf5b603c7de832af95efdeaa1453489ff687758dfe64e7e457e381d5156c</font>
<font color="Gray">11:05:53 AM Status: Downloaded newer image for mcr.microsoft.com/dynamicsnav:10.0.17763.1457-generic</font>
<font color="Gray">11:05:53 AM Installing Visual C++ Redist</font>
<font color="Gray">11:06:07 AM Installing SQL Native Client</font>
<font color="Gray">11:06:09 AM Installing OpenXML 2.5</font>
<font color="Gray">11:08:55 AM Creating Aad Apps for Office 365 integration</font>
<font color="Red">11:09:13 AM One or more errors occurred.: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
Trace ID: 639c8d41-3151-4cfa-b44d-5d32c0861000
Correlation ID: 0794e6a4-3e28-4ace-8cd0-c36212bf81c5
Timestamp: 2020-09-29 09:09:13Z</font>
<font color="Red">11:09:13 AM Reverting to NavUserPassword authentication</font>
<font color="Gray">11:09:13 AM Using artifactUrl https://bcartifacts.azureedge.net/onprem/16.5.15897.15953/w1</font>
<font color="Gray">11:09:13 AM Country w1</font>
<font color="Gray">11:09:13 AM Version 16.5.15897.15953</font>
<font color="Gray">11:09:13 AM Locale en-US</font>
<font color="Gray">11:09:13 AM Running container (this might take some time)</font>
<font color="Red">11:21:52 AM The remote server returned an error: (401) Unauthorized.</font>
<font color="Red">11:21:52 AM at Invoke-BcContainerApi, C:\Program Files\WindowsPowerShell\Modules\bccontainerhelper\1.0.6\Api\Invoke-NavContainerApi.ps1: line 153</font>
<font color="Red">11:21:52 AM at Get-BcContainerApiCompanyId, C:\Program Files\WindowsPowerShell\Modules\bccontainerhelper\1.0.6\Api\Get-NavContainerApiCompanyId.ps1: line 62</font>
<font color="Red">11:21:52 AM at <ScriptBlock>, C:\demo\SetupNavContainer.ps1: line 389</font>
<font color="Red">11:21:52 AM at <ScriptBlock>, C:\demo\setupVm.ps1: line 296</font>

freddydk commented 3 years ago

Yeah, that is an issue. I do not have a fix for this yet, but will be looking into this.

For now, the only option is really to create the VM with Username/Password auth - and then change afterwards, creating the apps manually.
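
The log in the opening post shows the security-relevant failure mode of this scenario: AAD app creation is rejected with AADSTS50076 because the admin account is MFA-protected, and the setup then continues with the weaker NavUserPassword authentication (followed by a 401 from the container API), which is exactly the fallback freddydk describes. The check below is an added example, not code from the nav-arm-templates project; it parses the VM status page output in the `<font color="...">` form pasted above (Red entries are errors, Gray entries are progress) and reports whether a run was blocked by MFA and silently downgraded. The sample input is constructed here and abridged from the issue's log; the entry format and the "Reverting to ... authentication" wording are taken from that log.

```python
import re
from html import unescape

# Constructed sample in the format the VM status page emits (abridged from
# the log pasted in the issue above). The AADSTS entry spans several lines.
SAMPLE_STATUS_HTML = """\
<font color="Gray">11:08:55 AM Creating Aad Apps for Office 365 integration</font>
<font color="Red">11:09:13 AM One or more errors occurred.: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
Trace ID: 639c8d41-3151-4cfa-b44d-5d32c0861000
Correlation ID: 0794e6a4-3e28-4ace-8cd0-c36212bf81c5
Timestamp: 2020-09-29 09:09:13Z</font>
<font color="Red">11:09:13 AM Reverting to NavUserPassword authentication</font>
<font color="Gray">11:09:13 AM Running container (this might take some time)</font>
<font color="Red">11:21:52 AM The remote server returned an error: (401) Unauthorized.</font>
"""

# One <font> element per status entry; DOTALL lets an entry span lines.
ENTRY_RE = re.compile(r'<font color="(\w+)">(.*?)</font>', re.DOTALL)
# Entries start with a 12-hour timestamp followed by the message.
TS_RE = re.compile(r'^(\d{1,2}:\d{2}:\d{2} [AP]M) (.*)$', re.DOTALL)
# Azure AD STS error codes are five digits after the AADSTS prefix.
AADSTS_RE = re.compile(r'\b(AADSTS\d{5})\b')
# HTTP status codes appear as "(401) Unauthorized." in the container API errors.
HTTP_STATUS_RE = re.compile(r'\((\d{3})\) ')
DOWNGRADE_PREFIX = "Reverting to "


def parse_status_log(html_text):
    """Return one {'time', 'color', 'message'} dict per <font> entry."""
    entries = []
    for color, body in ENTRY_RE.findall(html_text):
        body = unescape(body).strip()
        m = TS_RE.match(body)
        if m:
            entries.append({"time": m.group(1), "color": color, "message": m.group(2)})
        else:
            entries.append({"time": None, "color": color, "message": body})
    return entries


def analyze_status_log(html_text):
    """Flag MFA-blocked AAD app creation and any silent auth downgrade."""
    findings = {"aadsts_codes": [], "auth_downgrade": None, "http_errors": []}
    for e in parse_status_log(html_text):
        for code in AADSTS_RE.findall(e["message"]):
            findings["aadsts_codes"].append((e["time"], code))
        if e["message"].startswith(DOWNGRADE_PREFIX):
            # "Reverting to NavUserPassword authentication" -> "NavUserPassword"
            rest = e["message"][len(DOWNGRADE_PREFIX):]
            findings["auth_downgrade"] = rest.split(" authentication")[0]
        for status in HTTP_STATUS_RE.findall(e["message"]):
            findings["http_errors"].append((e["time"], int(status)))
    # AADSTS50076 is the "multi-factor authentication required" code from the issue.
    findings["mfa_blocked"] = any(c == "AADSTS50076" for _, c in findings["aadsts_codes"])
    # The dangerous case: blocked by MFA, yet setup carried on with weaker auth.
    findings["silent_fallback"] = findings["mfa_blocked"] and findings["auth_downgrade"] is not None
    return findings


if __name__ == "__main__":
    result = analyze_status_log(SAMPLE_STATUS_HTML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a saved copy of the status page, the check distinguishes a VM that was deliberately created with Username/Password authentication from one that asked for Office 365 integration and quietly ended up without it; the latter is the case worth catching before anyone treats the environment as configured.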

marknitek commented 3 years ago

@freddydk will there be a fix for this? MFA is basically required in corporate networks I would say...

I tried using an app password to prevent MFA but it did not work either. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords#overview-and-considerations

So no luck for prod tenants?