
We have an Azure AD account with Multi-Factor Authentication enabled and are wondering if there is a way we can connect to it without a prompt, that is, without MFA, through PowerShell.

We've tried Connect-AzureAD -Credentials; however, it doesn't proceed when MFA is set up:

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access...

If there is any way to have MFA set up and still connect through PowerShell, that would be much appreciated.

  • You also can use a service principal to connect to Azure AD. For more details, please refer to learn.microsoft.com/en-us/powershell/module/azuread/… Commented Oct 25, 2019 at 6:10
  • There is a workaround which may help. Please check my answer. Thanks. Commented Oct 25, 2019 at 8:29

3 Answers

No. If MFA is required, you cannot sign in programmatically as a user.

Interactive authentication is required in that case.

If you change your policies to allow authentication from that machine without MFA, then it will work.

You can also use a service principal for authentication instead of a user.


There is a slightly complex workaround.

You can connect directly to Azure AD with an access token:

Connect-AzureAD
       [-AzureEnvironmentName <EnvironmentName>]
       [-TenantId <String>]
       -AadAccessToken <String>
       [-MsAccessToken <String>]
       -AccountId <String>
       [-LogLevel <LogLevel>]
       [-LogFilePath <String>]
       [-InformationAction <ActionPreference>]
       [-InformationVariable <String>]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

And you can get an access token from a refresh token without a prompt.

To simply get a refresh token, an easy way is to use Fiddler. Open Fiddler and run Connect-AzureAD. You will be able to find the refresh token in the captured traffic (screenshot omitted).

Then you can get a new access token and use it to connect to AAD as follows:

# The refresh token
$refresh_token="AQABAAAAAACQN9QBRU3jT6bcBQLZNUj7NLUSh_LtiE0dRWb-Vqb9RjUoNjK67G0DlSF65M_w6o1fAvQ******16Z4J0X-MEZSAA"

# Tenant id and account id
$tenant_id = "hanxia.onmicrosoft.com"
$account = "[email protected]"

# 1b730954-1685-4b74-9bfd-dac224a7b894 is a public client from Microsoft 
$clientId = "1b730954-1685-4b74-9bfd-dac224a7b894"
$uri = "https://login.microsoftonline.com/${tenant_id}/oauth2/token"
$body = @{grant_type='refresh_token';resource='https://graph.windows.net';client_id=$clientId;refresh_token=$refresh_token}
$result = Invoke-RestMethod -Method Post -Uri $uri -Body $body
$accessToken = $result.access_token

# Connect to AAD
Connect-AzureAD -TenantId $tenant_id -AadAccessToken $accessToken -AccountId $account

Result (screenshot of the successful connection omitted)

Note

The refresh token contains private information. You need to keep it safe.

2 Comments

This works great, and actually the same thing could be done using a Client Secret to get the access token. Does it pose any security concerns though?
For the Azure AD REST API, it would not pose any security concerns. When you add permissions for your app in Azure AD, there are two kinds of permissions. One is delegated permission, the other is application permission. With a user credential or refresh token, you will get a token for the user; in this way, you will be able to invoke the API which requires delegated permission. And, with a client credential, you will get a token for the app; in this way, you will be able to call the API which requires application permission.
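An added check, not part of the answer above: decode the access token returned by the refresh-token call (assumed to be in $accessToken, as in the answer's script) and read its claims. The amr claim records how the underlying sign-in was authenticated, so it shows whether the token still carries the MFA verification from the original interactive login rather than skipping it.

```powershell
# Added example, not from the original answer. Assumes $accessToken holds the JWT
# returned by the refresh_token grant in the script above.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWS compact-serialized token" }
    # Base64url -> Base64: restore '+' and '/', then pad to a multiple of 4
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
}

$claims = ConvertFrom-JwtPayload -Token $accessToken

# 'amr' lists the authentication methods behind the token (e.g. pwd, mfa).
# A token minted from a refresh token that was issued after an MFA-verified
# sign-in keeps 'mfa'; if it is absent, the session never satisfied MFA.
$mfaSatisfied = ($claims.amr -contains 'mfa')

[pscustomobject]@{
    User         = $claims.upn
    Audience     = $claims.aud          # expect https://graph.windows.net here
    AuthMethods  = ($claims.amr -join ',')
    MfaSatisfied = $mfaSatisfied
    ExpiresUtc   = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}
```

The same decoder can be run against the tokens produced in the Get-AzContext-based answer below; only the payload is decoded here, the signature is not verified.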
I have faced the same issue. The code below worked for me like a charm. Try the below:

#Install-Module -Name "AzureAD" -Force -Scope CurrentUser

# Requires an existing Az session (Connect-AzAccount); this fails if no context is set
$contextX = Get-AzContext

# Pull the default context from the Az profile provider
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext

# Acquire tokens silently (ShowDialog::Never) from the cached Az session for both resources:
# Microsoft Graph for -MsAccessToken and Azure AD Graph for -AadAccessToken
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Write-Output "Connected to account $($context.Account.Id)"

# Connect AzureAD with the tokens instead of prompting for credentials
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id -MsAccessToken $graphToken -Verbose

P.S. Make sure the AzureAD and MicrosoftGraph modules are installed and that AzContext is already set to some subscription. Let me know if you need any further help. Happy to assist.
