Question asked on Experts Exchange: how to authenticate an MFA account in a scheduled task script
Hello IT people
I want to deploy a scheduler task to enable MFA for new users in Azure. But how could I make the task authenticate my credential?
I use this script to enable MFA:
# Build a StrongAuthenticationRequirement that enables MFA for all relying parties
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
# Apply it to every member of the onboarding group (the group ObjectId is redacted in the post)
Get-AzureADGroupMember -ObjectId "xxx" -All $true | ForEach-Object {Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $sta -Verbose}
So, I need to connect to the AzureAD and MSOLService modules. Normally I'll be prompted to enter my credential, but not in a scheduler task. And I use MFA on my account.
I tried the following script, using the App Passwords method, but I got an error:
# Username and app password kept as literals in the script (a plaintext secret on disk)
$username = 'userid@domain.net'
$Password = ConvertTo-SecureString 'MyPswWrd' -AsPlainText -Force
# Wrap both in a PSCredential so the Connect-* cmdlets can sign in without a prompt
$creds = new-object System.Management.Automation.PSCredential($username, $Password)
Connect-AzureAD -Credential $creds
Connect-MsolService -Credential $creds
The error I got:
new-object : Cannot find an overload for "PSCredential" and the argument count: "2".
At line:3 char:14
+ ... $creds = new-object System.Management.Automation.PSCredential($use ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
Connect-AzureAD : One or more errors occurred.: Federated service at
https://autologon.microsoftazuread-sso.com/domain.net/winauth/trust/2005/usernamemixed?client-request-id=35468cb5-d0e0-4536-98df-30049217af07 returned error:
Authentication Failure
At line:4 char:5
+ Connect-AzureAD -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AadAuthenticationFailedException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Connect-AzureAD : One or more errors occurred.
At line:4 char:5
+ Connect-AzureAD -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AggregateException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Connect-AzureAD : Federated service at
https://autologon.microsoftazuread-sso.com/domain.net/winauth/trust/2005/usernamemixed?client-request-id=35468cb5-d0e0-4536-98df-30049217af07 returned error:
Authentication Failure
At line:4 char:5
+ Connect-AzureAD -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AdalServiceException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Connect-AzureAD : Response status code does not indicate success: 400 (BadRequest).
At line:4 char:5
+ Connect-AzureAD -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], HttpRequestException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Connect-AzureAD : <?xml version="1.0" encoding="utf-8"?><S:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Header><psf:pp xmlns:psf="http://schemas.microsoft.com/Pass
port/SoapServices/SOAPFault"><psf:serverVersion>1</psf:serverVersion><psf:authstate>0x80048800</psf:authstate><psf:reqstatus>0x80048821</psf:reqstatus><psf:serverInfo
ServerTime="2021-01-20T10:09:21.3126689Z">ESTS-PUB-WEULR2-AZ2-FD011-001.ProdSlices rid:dae4400e-096d-4b48-a3a9-7dd11365a100</psf:serverInfo></psf:pp></S:Header><S:Body
xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Fault><S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode></S:Code
><S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason><S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFau
lt"><psf:value>0x80048821</psf:value><psf:internalerror><psf:code>0x80048821</psf:code><psf:text>AADSTS50126: Error validating credentials due to invalid username or
password.</psf:text></psf:internalerror></psf:error></S:Detail></S:Fault></S:Body></S:Envelope>: Unknown error
At line:4 char:5
+ Connect-AzureAD -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AdalException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Connect-AzureAD : One or more errors occurred.: Federated service at
https://autologon.microsoftazuread-sso.com/domain.net/winauth/trust/2005/usernamemixed?client-request-id=35468cb5-d0e0-4536-98df-30049217af07 returned error:
Authentication Failure
At line:4 char:5
+ Connect-AzureAD -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-AzureAD], AadAuthenticationFailedException
+ FullyQualifiedErrorId : Microsoft.Open.Azure.AD.CommonLibrary.AadAuthenticationFailedException,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Connect-MsolService : Authentication Error: Unexpected authentication failure.
At line:5 char:5
+ Connect-MsolService -Credential $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.Online.Administration.Automation.ConnectMsolService
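As an added example (not code from the original post or its answers), here is one way to run the same job without a password literal in the script: the app password is captured once with Get-Credential under the task's own Windows account and saved with Export-Clixml, which DPAPI-protects the SecureString for that user on that host, and the task imports it at run time. The file paths, the group ObjectId and the "skip users already enabled" check are assumptions not in the thread.

```powershell
<#
  One-time setup. Run this interactively on the task host, logged on as the SAME
  Windows account the scheduled task will run under. The password entered here is
  the account's app password (the account itself keeps MFA). Export-Clixml wraps
  the SecureString with DPAPI, so the file decrypts only for that user on that host.
  All paths and IDs below are placeholders, not values from the original post.
#>
$credPath = 'C:\Tasks\MfaEnable\svc-mfa.cred.xml'
Get-Credential -Message 'Account used by the MFA-enable task' |
    Export-Clixml -Path $credPath

# ---- Scheduled task script: no password literal anywhere in the script body ----
$ErrorActionPreference = 'Stop'
$credPath = 'C:\Tasks\MfaEnable\svc-mfa.cred.xml'
$groupId  = '00000000-0000-0000-0000-000000000000'   # placeholder: onboarding group ObjectId

# Import-Clixml rebuilds the PSCredential; it fails for any other user or host,
# which is exactly the scoping you want for a stored secret.
$creds = Import-Clixml -Path $credPath

try {
    Connect-AzureAD     -Credential $creds | Out-Null
    Connect-MsolService -Credential $creds
}
catch {
    # A scheduled task cannot answer an interactive MFA prompt, so a failure here
    # is a credential or federation problem (compare the AADSTS50126 trace above),
    # not something to retry in a loop. Surface it in the task history and stop.
    throw "Non-interactive sign-in failed: $($_.Exception.Message)"
}

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = '*'
$st.State        = 'Enabled'
$sta = @($st)

# Only enable MFA for members that have no requirement yet, and record every change
# so the task leaves an audit trail of which accounts it modified.
Get-AzureADGroupMember -ObjectId $groupId -All $true | ForEach-Object {
    $user = Get-MsolUser -UserPrincipalName $_.UserPrincipalName
    if ($user.StrongAuthenticationRequirements.Count -eq 0) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
                     -StrongAuthenticationRequirements $sta
        Write-Output "$(Get-Date -Format o) enabled MFA for $($user.UserPrincipalName)"
    }
    else {
        Write-Output "$(Get-Date -Format o) skipped $($user.UserPrincipalName) (already $($user.StrongAuthenticationRequirements[0].State))"
    }
}
```

Connect-AzureAD also supports app-only sign-in with -TenantId, -ApplicationId and -CertificateThumbprint, which avoids a user account entirely; Connect-MsolService has no equivalent, which is why the Set-MsolUser step still needs a stored user credential here.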
ASKER
That's what I've done, I've used the app passwords, but it gives me errors.
Unless I'm missing something 🤔
ASKER CERTIFIED SOLUTION (content available only to Experts Exchange members)
ASKER
Interesting!
We do have new ADFS server that we are configuring, maybe it is the problem.
What you can do is use an app password in order to solve that and use it as the "password".
For this, you need to have MFA enabled (Office Portal/Admin/Users/Active users/MFA Configuration).
Make sure that the user is Enabled and then go here:
https://account.activedirectory.windowsazure.com/Proofup.aspx
Select "App Password", create one, and it's solved.