soteria-security / 365Inspect

A PowerShell script that automates the security assessment of Microsoft 365 environments.
https://soteria.io/solutions/soteria-inspect/
MIT License

New runs of the tool are triggering errors #97

Open gitgoodgreghub opened 1 week ago

gitgoodgreghub commented 1 week ago

Describe the bug

When running 365Inspect against a tenant (a tenant I was able to connect to last week) the following error is displayed after connecting to SharePoint Service:

Sign in

Sorry, but we’re having trouble signing you in.

AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e' was not found in the directory 'XXXXX (replace XXXXX with customer name)'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

Troubleshooting details

If you contact your administrator, send this info to them.

Request Id: a5e6b68a-ec0f-43a6-ae69-f6cd93249a00
Correlation Id: 13e15d66-76be-40f2-87d5-d07e3109f681
Timestamp: 2024-09-10T17:20:21Z

Message: AADSTS700016: Application with identifier '31359c7f-bd7e-475c-86db-fdb8c937548e' was not found in the directory 'XXXXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.


To Reproduce

Steps to reproduce the behavior:

  1. Run 365Inspect.ps1 from an administrative PowerShell
  2. Login to tenant with credentials
  3. Pass MFA check
  4. Trigger event listed above

Expected behavior

Full report build-out from 365Inspect as I have run previously


Desktop: Win11


gitgoodgreghub commented 1 week ago

Admin consent was granted previously, now this is not even prompting for admin consent nor alerting the admin at all. Presumably this is still approved and just not working. New subsequent runs against other tenants are also experiencing this, failing to prompt the admin consent.

ThoughtContagion commented 1 week ago

Hi there,

The PnP PowerShell module has changed the methods in which they allow authentication. Previously, the PnP.PowerShell module was a multi-tenant application. The change that they have made is to remove the multi-tenant application and require individual tenants to register/create their own application for use with the PnP service.

Register an Entra ID Application to use with PnP PowerShell

There is a command that can be run to automate this step.

```powershell
Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "PnP Rocks" -Tenant [yourtenant].onmicrosoft.com -Interactive
```

Unfortunately, this change means that previous environment configurations will fail with the error seen above. We will update the README accordingly.
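As an added example that is not part of 365Inspect or of this thread, the following PowerShell script carries the registration step above through to a working sign-in: it checks whether a registration with the chosen name already exists (so repeated runs do not create duplicate apps), creates one with Register-PnPEntraIDAppForInteractiveLogin if not, lists the permissions the registration requests so an admin can review them, and then proves the new client ID works with Connect-PnPOnline before 365Inspect is run again. It assumes the Microsoft Graph PowerShell SDK is installed alongside PnP.PowerShell and that the signed-in user may create app registrations and grant admin consent; the app display name "365Inspect-PnP" and the tenant-name parameter are the example's own choices, and how 365Inspect itself is told which client ID to use is not shown on this page.

```powershell
# Added example (not 365Inspect code): create or reuse a per-tenant Entra ID
# app for PnP PowerShell and verify interactive sign-in through it.
# Assumptions (not from the page): Microsoft.Graph and PnP.PowerShell modules
# are installed; the caller can create app registrations and grant consent.
param(
    [Parameter(Mandatory)] [string] $TenantName,   # e.g. contoso  (contoso.onmicrosoft.com)
    [string] $AppName = "365Inspect-PnP"           # display name chosen for this example
)

$tenantDomain = "$TenantName.onmicrosoft.com"
$adminUrl     = "https://$TenantName-admin.sharepoint.com"

# 1. Look for an existing registration by display name so re-runs are idempotent.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
$existing = Get-MgApplication -Filter "displayName eq '$AppName'" -ErrorAction Stop

if ($existing) {
    $clientId = $existing[0].AppId
    Write-Host "Reusing app registration '$AppName' ($clientId)"
}
else {
    # 2. Register the app. This opens a browser for sign-in and admin consent
    #    and prints the new registration's details.
    Register-PnPEntraIDAppForInteractiveLogin -ApplicationName $AppName `
        -Tenant $tenantDomain -Interactive | Out-Host

    # Directory replication can lag by a few seconds; poll Graph for the new app.
    $clientId = $null
    for ($i = 0; $i -lt 12 -and -not $clientId; $i++) {
        Start-Sleep -Seconds 5
        $app = Get-MgApplication -Filter "displayName eq '$AppName'"
        if ($app) { $clientId = $app[0].AppId }
    }
    if (-not $clientId) { throw "App '$AppName' not visible in Graph after registration" }
    Write-Host "Created app registration '$AppName' ($clientId)"
}

# 3. Review what the registration asks for. An assessment tool should not carry
#    write scopes it never uses; resource IDs are GUIDs, so map them against the
#    Enterprise Applications blade before granting consent in production.
$app = (Get-MgApplication -Filter "appId eq '$clientId'")[0]
Write-Host "Requested permissions by resource app:"
$app.RequiredResourceAccess | ForEach-Object {
    "  {0}: {1} permission(s)" -f $_.ResourceAppId, $_.ResourceAccess.Count
}

# 4. Smoke test: sign in to the SharePoint admin site with the new client ID.
#    AADSTS700016 at this point means the client ID or tenant does not match.
Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Interactive
Get-PnPTenant | Select-Object SharingCapability, LegacyAuthProtocolsEnabled | Out-Host
Disconnect-PnPOnline

Write-Host "PnP sign-in OK in $tenantDomain with ClientId $clientId"
```

Run it once per tenant from an administrative PowerShell session, e.g. `.\Register-PnPApp.ps1 -TenantName contoso`; the client ID it reports is the value the tenant's assessment runs must use from now on, since the multi-tenant PnP app ID from the error above will keep failing with AADSTS700016.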

ThoughtContagion commented 1 week ago

References to the change: https://www.linkedin.com/posts/veronique-lengelle-48a71b31_pnppowershell-entraid-cliformicrosoft365-activity-7231967025298837504-Bwp0/ https://www.youtube.com/watch?v=VNgc4k_gCT0