timmcmic / DLConversionV2

MIT License

DL Conversion Failed - You must use multi-factor authentication #144

Closed write2tsm closed 11 months ago

write2tsm commented 11 months ago

Hi Tim

I'm using the below command:

Start-MultipleMachineDistributionListMigration -groupSMTPAddresses $groups -globalCatalogServer -activeDirectoryCredential $credentials -aadconnectServer -aadConnectCredential $credentials -aadConnectAuthenticationMethod Kerberos -exchangeServer -exchangeCredential $credentials -exchangeAuthenticationMethod Kerberos -exchangeOnlineCredential $credentials -logFolderPath C:\DLConversion -remoteDriveLetter S -serverNames $machines -dnNoSyncOU "

and experiencing this error:

[20/07/2023 2:30:27 PM] - ExchangeOnlineCredentialsUserName =
[20/07/2023 2:30:27 PM] - Is certificate auth = False
[20/07/2023 2:30:27 PM] - ExchangeOnlineCommandPrefix = O365
[20/07/2023 2:30:27 PM] - Creating the exchange online powershell session.
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'. Trace ID: 6d3b15b1-0efa-426e-bbec-70b956f15000 Correlation ID: c3751b3f-d7f2-4678-9020-5a362c803e23 Timestamp: 2023-07-20 04:30:32Z
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.1.0\netFramework\ExchangeOnlineManagement.psm1:729 char:21
+             throw $_.Exception.InnerException;
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], MsalUiRequiredException
    + FullyQualifiedErrorId : AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'. Trace ID: 6d3b15b1-0efa-426e-bbec-70b956f15000 Correlation ID: c3751b3f-d7f2-4678-9020-5a362c803e23

This is a bulk migration test, so I'm using certificate-based auth for both MS Graph (Azure AD) and Exchange Online. I have followed the guidance in the following articles:

  1. For MS Graph--> https://practical365.com/use-certificate-authentication-microsoft-graph-sdk/
  2. For Exchange Online--> https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-azure-ad

and the connections establish successfully:

Connect-MgGraph -TenantId "<AzureADTenantID>" -AppId "<AzureAD App Registration App ID>" -CertificateThumbprint "xzsadsdfd"

Connect-ExchangeOnline -CertificateThumbPrint "xzsadsdfd" -AppID "<AzureAD App Registration App ID>" -Organization "myorg.onmicrosoft.com"

The error seems to suggest some MFA issue, but I'm not sure why it is using the credentials from the array to connect to Exchange Online when I've already used cert-based authentication. Moreover, if I remove "-exchangeOnlineCredential $credentials" from the Start-MultipleMachineDistributionListMigration command, it fails saying this:

[20/07/2023 1:56:43 PM] - BEGIN start-parameterValidation
[20/07/2023 1:56:43 PM] - ****
[20/07/2023 1:56:43 PM] - The parameter set name for validation: ExchangeOnlineMulti
[20/07/2023 1:56:43 PM] - ERROR: One permissions method to connect to Exchange Online must be specified.
[20/07/2023 1:56:43 PM] - ****

Do you see anything wrong with the Start-MultipleMachineDistributionListMigration switches / parameters?

Thanks

timmcmic commented 11 months ago

If I'm reading the command correctly, you're specifying the exchange online credentials array. You need to not use exchange online credentials but rather use the exchange cert auth settings. I did not see those in your command. They will be the app ID, tenant ID, and thumbprint.

============================== Timothy J. McMichael Senior Support Escalation Engineer @.**@.> (980)-776-7465

Hours: Sunday – Wednesday 08:00 – 16:00 eastern time zone.

Manager: Tom Roughley @.**@.>)

Premier Support - (800)-936-3100 Broad Commercial Support - (800)-936-4900

==============================


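The point of Tim's answer is that the module accepts exactly one Exchange Online auth method, and that a username/password credential cannot satisfy an MFA requirement in an unattended bulk run (hence the AADSTS50076 in the log). The following pre-flight script is an added example, not code from DLConversionV2: it reproduces that "one method only" validation, confirms the certificate behind the thumbprint is actually usable for app-only auth, and then splats the certificate parameters into the migration command. The parameter names (exchangeOnlineCertificateThumbPrint, exchangeOnlineAppID, exchangeOnlineOrganizationName, msGraph*) are the ones used later in this thread; the two functions, the hashtable layout and the placeholder values are this example's own assumptions.

```powershell
# Added example (not part of DLConversionV2): pre-flight checks before an
# app-only (certificate) run of Start-MultipleMachineDistributionListMigration.

function Test-ExchangeOnlineAuthSelection {
    # Mirrors the module's "One permissions method to connect to Exchange Online
    # must be specified" rule: exactly one of credential OR certificate parameters.
    param(
        [pscredential]$ExchangeOnlineCredential,
        [string]$ExchangeOnlineCertificateThumbPrint,
        [string]$ExchangeOnlineAppID,
        [string]$ExchangeOnlineOrganizationName
    )
    $useCredential = $null -ne $ExchangeOnlineCredential
    $useCert       = -not [string]::IsNullOrWhiteSpace($ExchangeOnlineCertificateThumbPrint)

    if ($useCredential -and $useCert) {
        throw "Specify either -exchangeOnlineCredential or the certificate parameters, not both."
    }
    if (-not $useCredential -and -not $useCert) {
        throw "One permissions method to connect to Exchange Online must be specified."
    }
    if ($useCert) {
        # Certificate auth needs all three values; a blank one surfaces later as a vague connect error.
        $required = @{ exchangeOnlineAppID = $ExchangeOnlineAppID; exchangeOnlineOrganizationName = $ExchangeOnlineOrganizationName }
        foreach ($p in $required.GetEnumerator()) {
            if ([string]::IsNullOrWhiteSpace($p.Value)) { throw "-$($p.Key) is required with -exchangeOnlineCertificateThumbPrint." }
        }
        return 'Certificate'
    }
    # A password credential cannot answer an MFA challenge non-interactively;
    # Entra ID rejects it with AADSTS50076 exactly as in the log in this issue.
    Write-Warning "Credential auth selected; an MFA-enforced account will fail with AADSTS50076 in an unattended run."
    return 'Credential'
}

function Test-AppOnlyCertificate {
    # Confirms the thumbprint resolves to an installed certificate that has a
    # private key and has not expired, the usual reasons a cert connection fails
    # after the app registration itself was done correctly.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $wanted = $Thumbprint.ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1
    if (-not $cert)              { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My." }
    if (-not $cert.HasPrivateKey){ throw "Certificate $Thumbprint has no private key; app-only auth cannot sign the token request." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }
    return $cert
}

# --- usage ---
# Placeholder values (assumed); replace with your tenant's app registration.
$exoParams = @{
    exchangeOnlineCertificateThumbPrint = 'THUMBPRINT-PLACEHOLDER'
    exchangeOnlineAppID                 = 'APP-ID-PLACEHOLDER'
    exchangeOnlineOrganizationName      = 'mydomain.mail.onmicrosoft.com'
}
$method = Test-ExchangeOnlineAuthSelection @exoParams
if ($method -eq 'Certificate') {
    $null = Test-AppOnlyCertificate -Thumbprint $exoParams.exchangeOnlineCertificateThumbPrint
}

# Splat the certificate parameters instead of passing -exchangeOnlineCredential.
# The same registration can serve the msGraph* parameters, as the command later
# in this thread does. Remaining parameters (servers, on-prem credentials,
# -serverNames, -logFolderPath ...) are unchanged from your existing command.
# Start-MultipleMachineDistributionListMigration @exoParams `
#     -msGraphTenantID 'TENANT-ID-PLACEHOLDER' `
#     -msGraphApplicationID $exoParams.exchangeOnlineAppID `
#     -msGraphCertificateThumbprint $exoParams.exchangeOnlineCertificateThumbPrint `
#     <your other parameters here>
```

Run this in the same account and session that will launch the migration: the Cert: provider check is only meaningful if that account can reach the private key, and a certificate installed under a different user profile is the most common way a thumbprint that "works in my console" fails in a scheduled or remote run.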

write2tsm commented 11 months ago

Ok, that makes sense.

Can you also clarify what command / switches to run if we only want to pre-collect the DL configuration (without actually triggering the DL migration process)?

Thanks

timmcmic commented 11 months ago

For auditing permissions

Start-collect*

For testing pre-migration viability

test-*

Tim


write2tsm commented 11 months ago

Ok thanks.

I just ran the following command:

Start-MultipleMachineDistributionListMigration -groupSMTPAddresses $groups -globalCatalogServer -activeDirectoryCredential $credentials -aadconnectServer -aadConnectCredential $credentials -aadConnectAuthenticationMethod Kerberos -exchangeServer -exchangeCredential $credentials -exchangeAuthenticationMethod Kerberos -msGraphTenantID "<AzureADTenantID>" -msGraphCertificateThumbprint "aefgh1f6973be30eae" -msGraphApplicationID "AppID" -exchangeOnlineCertificateThumbPrint "aefgh1f6973be30eae" -exchangeOnlineOrganizationName "mydomain.mail.onmicrosoft.com" -exchangeOnlineAppID "AppID" -logFolderPath C:\DLConversion -remoteDriveLetter S -serverNames $machines -dnNoSyncOU "AD DS OU"

It reported that the migration failed:

[20/07/2023 8:51:31 PM] - END Get-OULocation
[20/07/2023 8:51:31 PM] - ****
[20/07/2023 8:51:31 PM] - Function OU =
[20/07/2023 8:51:31 PM] - Testing address for remote routing address = SMTP:20230720T2045499943204707797@mydomain.onmicrosoft.com
[20/07/2023 8:51:31 PM] - Error - the group to have hybrid mail flow enabled does not have an address @domain.mail.onmicrosoft.com or an address at the custom routing domain specified.
[20/07/2023 8:51:31 PM] - Add an email address @domain.mail.onmicrosoft.com appropriate for your tenant in order to hybrid mail enable the list.
[20/07/2023 8:51:31 PM] - Error enabling hybrid mail flow.
[20/07/2023 8:51:31 PM] - ****

However, the DLs have been moved to the cloud and the on-prem DLs are renamed with a '!' suffix and remain in their original AD DS OU. This seems like the migration failed and left the DLs in an interim state. The target DLs created are not editable in the cloud.

Any suggestions please?

Thanks
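The hybrid mail flow error above is a precondition check: the group needs a proxy address at the tenant's mail routing domain (the @domain.mail.onmicrosoft.com form in the log, or a custom routing domain) before the list can be hybrid mail-enabled. The following is an added example, not part of DLConversionV2, that runs that same check over a list of groups before migration so the condition is caught while the on-prem objects are still untouched. The function name, the sample group data and the routing-domain value are this example's own constructions.

```powershell
# Added example (not part of DLConversionV2): verify each group carries a proxy
# address at the hybrid routing domain before running the migration.

function Test-HybridRoutingAddress {
    param(
        [Parameter(Mandatory)][string]$GroupSmtpAddress,
        # proxyAddresses entries, e.g. 'SMTP:x@y' (primary) or 'smtp:x@z' (secondary)
        [Parameter(Mandatory)][string[]]$EmailAddresses,
        # e.g. 'mydomain.mail.onmicrosoft.com' or your custom routing domain
        [Parameter(Mandatory)][string]$RoutingDomain
    )
    $suffix = '@' + $RoutingDomain.TrimStart('@').ToLowerInvariant()
    $match = $EmailAddresses |
        Where-Object { $_ -match '^smtp:' } |                       # -match is case-insensitive: SMTP: and smtp:
        ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() } |
        Where-Object { $_.EndsWith($suffix) } |
        Select-Object -First 1
    [pscustomobject]@{
        Group          = $GroupSmtpAddress
        RoutingAddress = $match
        Ready          = [bool]$match
    }
}

# Constructed sample input standing in for Get-DistributionGroup output.
$sampleGroups = @(
    @{ PrimarySmtpAddress = 'sales@mydomain.com'; EmailAddresses = @('SMTP:sales@mydomain.com', 'smtp:sales@mydomain.mail.onmicrosoft.com') }
    @{ PrimarySmtpAddress = 'hr@mydomain.com';    EmailAddresses = @('SMTP:hr@mydomain.com',    'smtp:hr@mydomain.onmicrosoft.com') }
)
$routingDomain = 'mydomain.mail.onmicrosoft.com'

$report = foreach ($g in $sampleGroups) {
    Test-HybridRoutingAddress -GroupSmtpAddress $g.PrimarySmtpAddress `
        -EmailAddresses $g.EmailAddresses -RoutingDomain $routingDomain
}
$report | Format-Table -AutoSize
# sales@ is Ready (it has the .mail.onmicrosoft.com address); hr@ is not, because
# hr@mydomain.onmicrosoft.com is the tenant domain, not the routing domain.
# Add the routing address to every group reporting Ready = False before migrating.

# Against live data, from a session that can run Get-DistributionGroup
# (on-premises Exchange Management Shell for the source objects):
# Get-DistributionGroup -Identity 'sales@mydomain.com' | ForEach-Object {
#     Test-HybridRoutingAddress -GroupSmtpAddress $_.PrimarySmtpAddress `
#         -EmailAddresses ($_.EmailAddresses | ForEach-Object ToString) `
#         -RoutingDomain $routingDomain
# }
```

Feed it the same $groups array used for -groupSMTPAddresses and gate the migration on every row reporting Ready = True; a group that fails here will otherwise fail part-way through, after the cloud object has already been created.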

timmcmic commented 11 months ago

Send the full log to dlconversionv2 at service dot Microsoft dot com

Tim


write2tsm commented 11 months ago

Sent the complete log file and some screenshots that might be helpful visualizing what happened as a result of test run.

timmcmic commented 11 months ago

Currently tracking an issue in the AU datacenters where commandlets are being referred to multiple domain controllers resulting in multiple dual write state changes. This causes operations to occur out of order. Pending review.

timmcmic commented 11 months ago

Actually closing this issue and will open a new one for dual write.