silverhack / monkey365

Monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Microsoft Entra ID security configuration reviews.
https://silverhack.github.io/monkey365/
Apache License 2.0
742 stars 84 forks

Add OIDC authentication via service principal for automated tasks #104

Open Sar4D opened 2 weeks ago

Sar4D commented 2 weeks ago

ROPC is the only supported way for automated testing scenarios that covers the applications (SPO, EXO, etc.). However, it is the least secure and not recommended by Microsoft (MS LINK INFO). Certificate-based authentication is not possible in all automation scenarios where it would be impossible to store the pfx.

I tried testing the ROPC flow; it works for EXO, but for SPO I get the error:

*** [Get-MonkeyMSALToken] - Acquire token failed. AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint. Trace ID: dca13de3-7c60-4fd6-ba53-7c6710104100 Correlation ID: 87060ba9-97d0-4da3-9ee3-7c8c2b920b41 Timestamp: 2024-06-19 13:50:13Z - warning -
*** [Get-MSALTokenForGraphV2] - Unable to get token for Microsoft Graph - warning

I get the problem: after doing some research, the token needs to be acquired from the /organizations endpoint for the ROPC flow. I couldn't find any switch parameters in the code to force that, although I am mentioning the Tenant ID when invoking Monkey365.

In an automated scenario where we could use a service principal that has all the relevant rights, for example in a GitHub Actions workflow, it would be amazing to be able to use a service principal. Is there a particular reason why an SP with client ID/secret is not supported for M365 scans, as it is possible to assign the required rights and roles?

silverhack commented 2 weeks ago

Hi @Sar4D,

ROPC only supports Microsoft Entra tenants, and it is mandatory to use a TenantId or the organizations authority.

For automated scenarios, such as GitHub Actions, you can store the certificate contents in a base64 encoded secret.

Regarding the Service Principal limitation for Exchange Online and SharePoint Online, Microsoft has restricted the use of Service Principals for some core applications within Microsoft 365. You can see more information here.

Having said that, I've updated the dev branch with some small additions for SharePoint Online, since TenantId was not populated in ROPC scenarios. You can see some examples of using Monkey365 with ROPC here.
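The two points raised above (keeping the PFX as a base64 secret for GitHub Actions, and ROPC failing on the /common endpoint) as an added PowerShell example; this is not Monkey365's own code. The secret names MONKEY365_CERT_B64, MONKEY365_CERT_PASSWORD and AZURE_TENANT_ID are assumed, and how the resulting certificate is handed to Monkey365 is left to the project's documentation.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# One-time step on a workstation: turn the PFX into the text value stored as a GitHub secret.
function ConvertTo-Base64Pfx {
    param([Parameter(Mandatory)][string]$Path)
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

# In the workflow: rebuild the certificate in memory from the secret, never writing the PFX to disk.
# MONKEY365_CERT_B64 / MONKEY365_CERT_PASSWORD are assumed secret names, not names the project defines.
function Import-PfxFromSecret {
    param(
        [string]$Base64   = $env:MONKEY365_CERT_B64,
        [string]$Password = $env:MONKEY365_CERT_PASSWORD
    )
    if ([string]::IsNullOrWhiteSpace($Base64)) { throw 'Certificate secret is empty' }
    $bytes  = [Convert]::FromBase64String($Base64)
    # A PFX without a password is legal; only wrap the password when one was supplied.
    $secure = if ($Password) { ConvertTo-SecureString -String $Password -AsPlainText -Force } else { $null }
    # EphemeralKeySet keeps the private key out of the runner's certificate store.
    $cert = [X509Certificate2]::new($bytes, $secure, [X509KeyStorageFlags]::EphemeralKeySet)
    if (-not $cert.HasPrivateKey)       { throw 'PFX contains no private key' }
    if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate expired on $($cert.NotAfter)" }
    return $cert
}

# ROPC is rejected on /common and /consumers (AADSTS9001023 in the error above), so build a
# tenant-specific authority and refuse the shared endpoints before any token request is made.
function Get-RopcAuthority {
    param([Parameter(Mandatory)][string]$TenantId)
    if ($TenantId -in @('common', 'consumers')) {
        throw "ROPC is not supported on the /$TenantId endpoint; use a tenant ID or 'organizations'"
    }
    "https://login.microsoftonline.com/$TenantId"
}

# Constructed usage: fail fast in the workflow before Monkey365 is invoked.
$cert      = Import-PfxFromSecret
$authority = Get-RopcAuthority -TenantId $env:AZURE_TENANT_ID
"Loaded certificate $($cert.Thumbprint), valid until $($cert.NotAfter); authority $authority"
```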

Sar4D commented 1 week ago

Hi @silverhack, thank you for the explanation and additions! I will eventually try the certificate with the encoding, but for now we just want to try out the flow using ROPC. I am still unable to connect but am getting a different error. I am using the authentication flow as mentioned in your documentation:

$paramMS365Sp = @{
    Instance = 'Microsoft365';
    Analysis = 'SharePointOnline';
    UserCredentials = $cred;
    TenantId = $tenantId;
    ExportTo = 'HTML';
}

This is the new error I am getting (inside GitHub Actions):

[screenshot of the error]

silverhack commented 1 week ago

Hi @Sar4D

Have you tried with the latest dev version? It seems that Monkey365 is unable to find the default domain name for SharePoint Online.

Sar4D commented 1 week ago

Hey @silverhack, yes, I tried with the dev version in GHA and locally, with PSCore and 5.1. Neither works, and I am always getting the same error. Have you tried on your end, and does it work?

silverhack commented 1 week ago

Hi @Sar4D,

Not tested in GitHub Action but tested locally and yes, it works. Please, note that Monkey365 relies on MSGraph access for various identity and tenant operations, and unwanted exceptions may occur if access to MSGraph is blocked for any reason.

You can also pass the SharePoint domain by using the -ScanSites parameter.

$p = @{
    Instance = 'Microsoft365';
    Analysis = 'SharePointOnline';
    UserCredentials = $cred;                             # PSCredential used for the ROPC flow
    ScanSites = "https://rootdomain.sharepoint.com";     # SharePoint root domain, skips the default domain lookup
    TenantId = '00000000-0000-0000-0000-000000000000';   # tenant-specific authority, required by ROPC
    ExportTo = 'PRINT';
}

Invoke-Monkey365 @p

Hope that helps,