
Secure Application Model

Learn and ask questions on how to implement secure application model

Level 5 Contributor

Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi,

This is probably something @idwilliams or @JanoschUlmer may be familiar with. I have read through the very similar thread about AADSTS50076 here:

https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Refresh-token-lifetime-error-AADSTS50076/td-p/8204

 

The error I'm getting is:

 

StatusCodeError: 400 - 
{"error":"interaction_required",
"error_description":"AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'SampleBECApp'.
Trace ID: 27735909-04ee-423f-906c-1d83eaa0bc00
Correlation ID: 250543c2-4ba2-4acc-bd25-13b7b1a97e53
Timestamp: 2020-02-02 20:48:47Z",
"error_codes":[50078],
"timestamp":"2020-02-02 20:48:47Z",
"trace_id":"27735909-04ee-423f-906c-1d83eaa0bc00",
"correlation_id":"250543c2-4ba2-4acc-bd25-13b7b1a97e53",
"suberror":"basic_action"}

Or:

 

 

AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'.
Trace ID: 942769b9-1a92-4323-8762-4662b8253700
Correlation ID: 970ee2a0-48be-4541-a033-2d4cbd77769c
Timestamp: 2020-02-06 18:55:56Z

 

 

What I'm trying to do: I have scheduled weekly task to renew my RefreshTokens for accessing Azure AD / Graph and ExchangeOnline PowerShell (originally created using Kelvin's script as per: https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Exchange-Online-and-the-Secure-App-Model/m-p/15421/highlight/true#M125  ) because the RefreshTokens expire every day.

This worked well for about 30 days. Then about 2 weeks ago I started getting the first error (referencing 'SampleBECApp').

 

However the Azure AD App is still renewing just fine: I use a scheduled node.js JavaScript with the current RefreshToken to make a request to: https://login.microsoftonline.com/MY-TENANT-ID/oauth2/token, save the new refresh_token and all is good, even today. (the headers reference the Azure AD App ID and Secret created by Kelvin's script)

 

I do the same thing for the Exch Online Refresh Token, except the headers reference Client ID = a0c73c16-a7e3-4564-9a95-2bdf47383716 (which is the well-known Client ID for ExO PowerShell). And I started getting the first error.

 

Thinking it was my process, I tried using PartnerCenter PowerShell's New-PartnerAccessToken cmdlet (again, using my Tenant ID and the last valid Refresh Token, and the ApplicationID = the well-known Client ID). And I got the second error.

 

I did some digging and reading (such as the AADSTS50076 thread). We DO have Conditional Access enabled, as we are trying Duo, and that's the only Policy - for the Duo test users. The Security Defaults / Baseline Policies are not enabled. All users have MFA turned on for their accounts. The Azure AD MFA "multi-factor authentication service settings" page has "remember multi-factor authentication" enabled for 60 days, if that matters. But I find that I am prompted to re-MFA every 30 days anyway, which is about the time my script stopped working.

- So it seems like since I Consented originally, using my MFA account, and now 30 days later I'm being told my MFA has expired.

- Jasonch's comments in the other thread imply each RefreshToken exchanged for a new RefreshToken should have a new 90 day lifetime and you won't have to do MFA again.

EDIT to add: I've checked the AccessToken and they're "pwd" and "mfa" in the "amr" section. Also, while I can't renew the ExO PS RefreshToken, I can still USE it to connect to clients' ExO PS just fine, well for 60 more days...

 

Why can I renew the Azure AD / Graph Refresh Token but not the Exchange Online PowerShell Refresh Token?

 

I found this curious: if I use one of our customer/client TENANT-IDs in place of mine in the URL to login.microsoftonline.com it works! And I can use the resulting RefreshToken to access other clients' Exch Online tenancies. It's like "my tenancy requires MFA, and it's been 30+ days since I did MFA so now I need to do MFA again because of our policies, but if I use a client's tenant to get a new RefreshToken, their policies apply - which don't have MFA enforced".

 

In fact: I have the Integration Sandbox set up as well, and it doesn't have any Policies, and it's working fine, even after 30 days.

 

What am I missing or what do I need to do? I want to have an unattended script that runs and renews my RefreshTokens, I don't want to have to re-do interactive MFA every 30 days, and I'd rather not use a client tenant ID if I don't have to. It works for AAD/Graph, just not Exchange Online PowerShell.

 

Thanks for your help!

   --Saul

1 ACCEPTED SOLUTION
Microsoft

@sansbacher : I have just been talking to a colleague on this - and he mentioned something interesting - that really the setting you have set, "remember MFA for 60 days", might cause this - since it will revoke the MFA token (the Access token you are using to get a new refresh token).

So we would suggest that this setting is disabled. Or you can do the opposite test - set it to 1 day, maybe on Friday evening, and check if the script fails until Sunday - at least the impact to other users will be minimal then.

And again I would like to add: shoot me an email if this still doesn't work, the colleague I have talked to might be able to help further.

Level 4 Contributor

AADSTS7000215

Invalid client secret is provided. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.

AADSTS7000222

InvalidClientSecretExpiredKeysProvided - The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://aka.ms/certCreds

AADSTS700005

InvalidGrantRedeemAgainstWrongTenant - Provided Authorization Code is intended to use against other tenant, thus rejected. OAuth2 Authorization Code must be redeemed against same tenant it was acquired for (/common or /{tenant-ID} as appropriate)

Level 5 Contributor

I haven't had any replies so I thought I would post an update:

 

The error happened again this past Sunday (I do renewals of the RefreshTokens every week).

 

Using a client's TenantID still works (I assume because the tenant doesn't have MFA enforced for its users).

 

Since there is no error renewing the Integration Sandbox's Exchange Online RefreshToken (the Sandbox's Azure AD Tenant has Security Defaults enabled) I wondered if Conditional Access was the culprit. So I made a CA Policy that targeted just me, and just enforced MFA. Same error.

 

Then I added the IP address of the server used to run the weekly renewal task to the "MFA Trusted IPs" list - no error! (but also no MFA prompt when I logged into, say, Azure Portal from a browser on that machine)

 

So that's where it sits now: Either I need to use a Client's Tenant ID to do the renewal (not desirable, clients come and go), or I exclude MFA for just my account from just that server's IP (also not desirable, but at least IPs change less frequently than clients).

 

Unless anyone else ( @JanoschUlmer ?) has another suggestion I'm inclined to leave it as the second choice since we control this server. Otherwise: how do I go about renewing the Exchange Online PowerShell RefreshToken before the 90-day expiration without having to interactively "refresh my multi-factor authentication" every 30 days? (which defeats the point of doing all that one-time interactive Consent stuff and then allowing it to work unattended thereafter)

 

[Or who should I contact to ask?]

 

Thanks,

    --Saul

Microsoft

Hoping @idwilliams has a solution for this.

Also as a Partner you can get guidance by opening an advisory request via partner.microsoft.com/support or by contacting askpts@microsoft.com directly via email. If you have ASfP/Premier support, raise a ticket (Cloud Consult) via your SAM/TAM.

Level 5 Contributor

Thanks @JanoschUlmer 

 

Not having heard anything I went ahead and sent an email to askpts (I tried to find a web form or something under the /support link but I couldn't, or maybe wasn't sure what I was looking for). In the email I included all the info about our partner number/organization name, etc. And I referenced this thread for additional details but did include all the relevant info.

 

Thanks again for your help, hopefully they're able to provide a solution or point me in the right direction. Creating a proper, non-excluding CA Policy would work, or maybe explain what the issue is on their end if it's nothing I can do.

 

If I hear back I will post back!

   --Saul

 

Level 5 Contributor

@JanoschUlmer  / @idwilliams ,

 

I sent Microsoft an email to that askpts@ address on the 28th, I've heard nothing back (not an NDR, or a ticket number, nothing. And I did check my O365 spam quarantine).

 

I checked my PasswordState vault and no issues with the RefreshToken renewals since I implemented the Conditional Access Policy exception.

 

I couldn't find any other support link from partner.microsoft.com/support so I think I'm just going to have to leave it as-is. It's not ideal but it's working without errors, and the Partner Security Requirements has 100% for "Through API or SDK" and "Through Partner Center portal" - which is what matters, and I can't continue to chase this.

 

If anyone else encounters this I'll leave this thread here in case it helps them or in case they happen to come across a solution.

 

Thanks,

   --Saul

Visitor 1

Yes, Partner Advisory Services requests can sometimes take weeks for an initial response. My experience is that the next step there is that a "specialist" contacts you and will send you some links after performing his own "bing-ing". You'll probably get a link to this post back from him 🙂

Did you hear anything back yet? I'm facing exactly the same issue. We do have ASfP/Premier Support so i will raise a ticket as well.

 

Ad

Level 5 Contributor

Hi @advdb ,

 

No, no response yet. But if it takes a while (and maybe longer due to the current pandemic and all...) then I guess that's to be expected. I didn't know that, thanks for the info. I Bing'd too (and the usual search) but nothing really.

 

We are or have ASfP/Premier too (I just discovered based on some other emails - not even sure what ASfP is...) and I mentioned it in an email chain to our rep - but nothing back from them either. To be honest: I've sort of left this on the back burner/considered it closed for now. But I'm game to re-engage if someone is willing to assist.

 

If you hear from your support and get some progress please let me know! 

  --Saul

 

 

Level 2 Contributor

Hi Saul,

 

Still working with support, but I did not get beyond the "by design" answer yet. Will be continued.

In the meantime I also posted this question on the "Partner Center SDK and API" Yammer group (if you have access to this group you can follow it there as well). These guys are also looking into it. Will let you know when there's progress again.

Cheers!

Ad

 

Level 5 Contributor

Hi @advdb1 - I am in some Yammer groups but I couldn't find that group, can you post a link to the Group and/or Discussion so I can join?

 

I didn't get a chance to contact MS Support (at least not the correct address - AskPTS wasn't the correct place, but Janosch pointed me in the right direction!) so I will re-submit now. If you Personal Message me your case number I can reference it, or I can send you mine when I get it. Might as well not have them duplicate their efforts.

 

Thanks again!

   --Saul

Level 5 Contributor

Thanks @advdb1 ,

 

I clicked the link last Friday and it said "Your request has been submitted to an admin for approval". It's still pending as I don't have access yet 😞

 

But I did get through to Microsoft and I guess the SAM for ASfP is only to escalate existing issues, I needed to open an actual case first - but the person here who manages all that opened a Cloud Consult which did the trick!

 

For your benefit, and @JanoschUlmer 's (who has also been super helpful) here's what I was told:

 

Microsoft made a change to something internal for Exchange Online PowerShell on January 31st, 2020 -- right around when I discovered the problem. The Tech believes that was the issue - since it wasn't 90 days and everything else worked.

 

So he suggested I request an all new Exch Online RefreshToken following: https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0  (the 

$token = New-PartnerAccessToken -Module ExchangeOnline

part)

 

Because I'm mainly concerned about access to our customers' Exch Online and had followed Kelvin's script I asked about re-running just the Exch Online line from that script. He said that should be the same. And there was NO need to create a new Azure AD NativeApp. So I didn't.

 

Here's what I did:

  1. Disabled my Conditional Access Policy and confirmed that I get the AADSTS50078 error when trying to renew my existing Exch Online PS RefreshToken
  2. Updated my PartnerCenter PowerShell module (3.0.8) - just in case [needed to remove/reinstall as the signing cert has changed]
  3. Backed up my existing ExO Refresh Token, just in case
  4. Re-requested a NEW Exch Online Refresh Token using Kelvin's script:

The line I used was:

$Exchangetoken = New-PartnerAccessToken -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716' -Scopes 'https://outlook.office365.com/.default' -Tenant 'myTenantDomain.com' -UseDeviceAuthentication

Note: this AppID (a0c73-blah-blah) is the Well Known ExO PS App ID, and should be the same as using the new -Module ExchangeOnline option. You can use your tenantdomain.com or your Guid form for the Tenant.

 

This will give you a URL to go to and a code to enter, you'll need to use the UPN you want to use when connecting, same as before - an account with MFA enabled, and Partner Center delegated access, etc.

 

I confirmed the $Exchangetoken.AccessToken has both MFA and PWD in the AMR section of the JWT (using https://adfshelp.microsoft.com/JwtDecoder/GetToken )

I also confirmed in Azure that the Azure AD Native App still had green checks for the API Permission Consents.

 

  5. Stored this new $Exchangetoken.RefreshToken in my "Password Vault"
  6. Tested my headless/unattended Exch Online PowerShell scripts (which pull the RefreshToken), they worked.
  7. Tested my RefreshToken renewal scripts, they worked.
  8. I didn't create a new Azure AD App or re-enable the Conditional Access Policy, or do anything else.
  9. Did all the same for my Integration Sandbox - just so I can keep things consistent for testing purposes.

Now I need to wait and see if it continues to work! (the renewals I mean) I've set a reminder for ~30 days from now and for ~90 days from now, though I'd get an error report if it fails to renew any Sunday. I said I would re-open the MS Service Request if it did. But fingers crossed!

 

Maybe this will help with your request, or you can pass this along to the Yammer group [or nudge the admins to approve me]. Or if you get some other answer please let me know.

 

Thanks for all your help, everyone! And if it ends up failing again I'll report back.

   --Saul

 

Level 2 Contributor

It seems that my token has lasted for more than 30 days now. I'm not sure, but it's closer to 2 months now.

@sansbacher how are things at your side developing? 

Think I'll have to wait until the magical 90 days event now.

In the meantime, the PartnerCenter guys have added the Exchange Online PM to this issue, I'll let you know if anything new comes up.

 

Stay safe all!

 

Level 5 Contributor

Hi @advdb1 ,

 

Is your Exchange Online Refresh Token still working? Did you end up getting any else from your PartnerCenter guys?

 

Because guess what?.... My weekly "Refresh Token renewal script" FAILED with the SAME error yesterday. It worked on Sunday May 31st, but on June 7th it failed with:

 

StatusCodeError: 400 - {"error":"interaction_required","error_description":"AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'SampleBECApp'.\r\nTrace ID: 2ec39824-ea1d-4bdd-aec5-84e85aad1e00\r\nCorrelation ID: b199483c-155f-4996-8ca0-bcdd531de912\r\nTimestamp: 2020-06-07 19:48:46Z","error_codes":[50078],"timestamp":"2020-06-07 19:48:46Z","trace_id":"2ec39824-ea1d-4bdd-aec5-84e85aad1e00","correlation_id":"b199483c-155f-4996-8ca0-bcdd531de912","suberror":"basic_action"}

 

I did the previous manual re-request and consent to the Exchange Online app on April 9th (as noted above). Which means this failed somewhere between 52 and 60 days ago. So it didn't even make the 90 days lifetime of the RefreshToken!

[Using the REST API to do this, I didn't try the PartnerCenter PowerShell module, but last time the error was the same]

 

Unless you have found a solution I'm seriously leaning towards just adding back that temporary Conditional Access policy to exclude MFA for the account on just that machine/IP and calling it a day!

[I also confirmed that no existing Conditional Access policies are applying. So just the default settings, plus "Remember multi-factor authentication" for 60 days - could that be it? Do I need to press internal IT to disable that?]

 

I can't keep "fixing" something that is supposed to work, I can't keep manually updating something that should be automated. I have other things to work on, and I've already told my boss "this MFA/CSP Partner Center thing is all fixed" 2 or 3 times now! I don't even know if it's worth re-opening another ticket with Microsoft for something that may take 30-60 days to reoccur, make a change and wait 3-6 months to see if it's really fixed...

 

@idwilliams Do you know if there's been another change to the back-end with internal Exchange Online that requires us to do another manual change?

@JanoschUlmer Have you heard anyone else having this problem? Do we have confirmation that any one else has requested an Exchange Online Refresh Token 90+ days ago and have been renewing it ever since with no problems?

 

It's frustrating since we (the community) had to piece together how to make 

 

@KelvinTegelaar I re-read your original post on MFA/Secure App Model, and your new post - have you run into this before? Have you had any issues renewing the Exchange Online refresh token?

 

Thanks to all who read and may have any advice!

  --Saul

 

Microsoft

@sansbacher : I have just talking to a colleague on this - and he mentioned something interesting - that really the setting you have set "remember MFA for 60 days" might cause this - since it will revoke the MFA token (Access token you are using to get a new refresh token).

 

So we would suggest that this setting is disabled. Or you can do the opposite test - set it to 1 day, maybe on friday evening, and check if the script fails until sunday - at least the impact to other users be minimal then.

 

And again I would like to add that shoot me an mail if this still doesn't work, the colleague I have talked to might be able to help further.

View solution in original post

Level 5 Contributor

Hi @JanoschUlmer ,

 

Sorry for the long delay - it's been super busy at work! But I wanted to reply back: you fixed it! At least your suggestion to disable the "remember MFA for X days" setting

 

I got permission from the other Internal IT staff at work to disable that setting this past Friday (I shared your information that it was going away anyway, and that "user sign-in frequency" is the replacement, which I've not needed to use). I waited 2 hours and re-ran my Refresh Token renewal script: it worked!

 

I checked my MS Office apps, web/OWA, Teams, OneDrive, phone, etc over the weekend: no MFA issues. So unchecking that "remember multi-factor authentication" setting didn't cause any problems, and the regularly scheduled weekly token renewal worked as well! So I think it's all good!

 

We have an EOTM (Employee of the Month) nomination thing at my work, how do I nominate YOU for Microsoft Employee of the Month? You deserve it, you've been super helpful and great about following up and replying in these forums. I know I, and the rest of us I'm sure, really appreciate it. Thanks so much!

 

For the benefit of anyone else who comes across this long thread, I'll answer / add some bits:

  • I did not re-create / re-consent the Exchange Online RefreshToken as I had on April 9th, there was no need (so I'm still using that originally initiated Token)
  • All I did was uncheck the "MFA service setting" regarding "remember MFA", waited a few hours and then my renewal script worked as it should.
  • I'll still be holding my breath a little until 90 days after that (which should be mid-July) to know if it's all working as it should thereafter.

 

  • Excluding the account/UPN used for the ExO process from requiring MFA (via a Conditional Access Policy) did work (but isn't recommended) because it was just used to renew the token, using the token seemed ok; when I did that I had no issues with end-customer tenants for Exch Online. [I don't have such a CA Policy now]
  • I was (and am) renewing my Refresh Tokens every 7 days, even though they last for 90 days. I had, when I posted 2 weeks ago on June 8th, successfully renewed on May 31st, but failed on Jun 7th. [I have now successfully renewed since disabling that "remember" setting]
  • I am renewing all my tokens using JavaScript and REST API requests, but I had duplicated the issue using PowerShell - the basic process is listed in the first post in this thread from Feb 6th (basically redeem a RefreshToken for an AccessToken, and just save the new RefreshToken instead). On April 9th I worked with MS support and did the interactive consent for a new Exchange Online RefreshToken. [I'm still using that token]
  • If disabling the "Remember MFA" setting hadn't worked I was going to try as you suggested and set to 1 day, and then re-consent a new Token and see if it failed to renew after 1 day. [But didn't have to, disabling "Remember MFA" worked!]

And thanks for the update @advdb1  - glad to hear yours is working still, and beyond 90 days. Makes me think mine will too - and then I'll know this is all done and working!


I hope this helps anyone else running into this issue!

   --Saul

Level 2 Contributor

Hi Saul,

 

Glad to hear that your problem is solved!

I was checking this setting "remember MFA for X days" on my side but cannot find it, at least nowhere in AAD - Security - MFA. Can you point me to it?

FYI: my refreshtoken is still working and I'm sure I have passed the 90 days in the meantime...

 

Thanks,

Ad

Microsoft

It is in the old MFA admin portal.

Azure Portal --> Azure Active Directory --> Users --> "Multi-Factor Authentication". And then in this portal under "service settings".

 

OR you can access it using the way described here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#mfa-service-settings 

Level 2 Contributor

Thanks Janosch, this setting is for remembering MFA on trusted devices. The user will get a popup asking them not to remind for MFA for xx days. 

I don't think that this setting is used in the scenario we are talking about, because in our AAD it is set to 14 days so we would have been running into issues a lot earlier. We're currently over the 90 days limit (replacing the token with the newly received refreshtoken every time we use it) with this setting on 14.

 

thanks,

Ad

Level 5 Contributor

I agree... but.... my RefreshToken renewal script failed consistently, I disabled that "Remember MFA" setting and it worked a few hours later!

 

I could go back and re-enable it and do tests, but that "remember" setting was set for 60 days when I re-did the consent in April (though someone had changed it to 30 days by the time I went to disable it) and the error I was getting (the AADSTS50078 one) happened at basically 59 or 60 days.

 

I was skeptical too, but short of changing it back and possibly waiting again, I don't know what else to say. When I'd contacted MS support in early April their answer was "we made changes to the Exch Online app, that's why you need to re-consent, it'll be fine after". I can't confirm if that's also true - but having disabled the "remember MFA" setting has my renewal script working. So I'm happy 🙂

 

@advdb1 - what was it that finally fixed your issue? Maybe that "remember" setting is one of several related options and you have something else set (or unset) that I don't (or do)?

 

   --Saul

Level 2 Contributor

Not sure, but there are 2 things that are remarkable:

- MS Support stating that there was an extra consent needed in March/April, which is the period I consented for the last time

- We have been using different scripting to obtain the first RefreshToken, I used

$token = New-PartnerAccessToken -Module ExchangeOnline

yours was:

$Exchangetoken = New-PartnerAccessToken -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716' -Scopes 'https://outlook.office365.com/.default' -Tenant 'myTenantDomain.com' -UseDeviceAuthentication

It might be that the "-UseDeviceAuthentication" flag that you used has a relation with the "remember MFA for X days" setting, because this setting is used for remembering MFA on trusted devices.

 

You said that you used this script because you needed to run it for access to your customers' Exchange Online, but this is also possible with the "-Module ExchangeOnline" flag. The token you get is for the tenant of the user you have used in the next step to get the token. Apart from some special security-related functions you can do almost everything as delegated admin so you would not need to get a token for each customer.

Next, acquire your AccessToken and skip Basic Authentication by creating a credential object from the username and acquired accesstoken and then connect to Exchange Online with:

 

# Assumed inputs (not in the original post): $upn is the UPN used for consent, $token is the New-PartnerAccessToken result; the "Bearer " prefix is what BasicAuthToOAuthConversion expects as the password
$credential = New-Object System.Management.Automation.PSCredential($upn, (ConvertTo-SecureString "Bearer $($token.AccessToken)" -AsPlainText -Force))
# The URI must be quoted: an unquoted '&' is a PowerShell parse error
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/powershell-liveid/?DelegatedOrg=contoso.onmicrosoft.com&BasicAuthToOAuthConversion=true' -Credential $credential -Authentication Basic -AllowRedirection

 

This is the way I connect and it still works fine after the first issues in the beginning of the year...