Secure Application Model

Learn and ask questions on how to implement secure application model

Level 5 Contributor

Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi,

This is probably something @idwilliams or @JanoschUlmer may be familiar with. I have read through the very similar thread about AADSTS50076 here:

https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Refresh-token-lifetime-error-AADSTS50076/td-p/8204

The error I'm getting is:

StatusCodeError: 400 - 
{"error":"interaction_required",
"error_description":"AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'SampleBECApp'.
Trace ID: 27735909-04ee-423f-906c-1d83eaa0bc00
Correlation ID: 250543c2-4ba2-4acc-bd25-13b7b1a97e53
Timestamp: 2020-02-02 20:48:47Z",
"error_codes":[50078],
"timestamp":"2020-02-02 20:48:47Z",
"trace_id":"27735909-04ee-423f-906c-1d83eaa0bc00",
"correlation_id":"250543c2-4ba2-4acc-bd25-13b7b1a97e53",
"suberror":"basic_action"}

Or:

AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'.
Trace ID: 942769b9-1a92-4323-8762-4662b8253700
Correlation ID: 970ee2a0-48be-4541-a033-2d4cbd77769c
Timestamp: 2020-02-06 18:55:56Z

What I'm trying to do: I have a scheduled weekly task to renew my RefreshTokens for accessing Azure AD / Graph and ExchangeOnline PowerShell (originally created using Kelvin's script as per: https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Exchange-Online-and-the-Secure-App-Model/m-p/15421/highlight/true#M125 ) because the RefreshTokens expire every day.

This worked well for about 30 days. Then about 2 weeks ago I started getting the first error (referencing 'SampleBECApp').

However the Azure AD App is still renewing just fine: I use a scheduled Node.js script with the current RefreshToken to make a request to https://login.microsoftonline.com/MY-TENANT-ID/oauth2/token, save the new refresh_token and all is good, even today. (The headers reference the Azure AD App ID and Secret created by Kelvin's script.)

I do the same thing for the Exch Online Refresh Token, except the headers reference Client ID = a0c73c16-a7e3-4564-9a95-2bdf47383716 (which is the well-known Client ID for ExO PowerShell). And I started getting the first error.

Thinking it was my process, I tried using PartnerCenter PowerShell's New-PartnerAccessToken cmdlet (again, using my Tenant ID and the last valid Refresh Token, and the ApplicationID = the well-known Client ID). And I got the second error.

I did some digging and reading (such as the AADSTS50076 thread). We DO have Conditional Access enabled, as we are trying Duo, and that's the only Policy - for the Duo test users. The Security Defaults / Baseline Policies are not enabled. All users have MFA turned on for their accounts. The Azure AD MFA "multi-factor authentication service settings" page has "remember multi-factor authentication" enabled for 60 days, if that matters. But I find that I am prompted to re-MFA every 30 days anyway, which is about the time my script stopped working.

- So it seems like since I Consented originally, using my MFA account, and now 30 days later I'm being told my MFA has expired.

- Jasonch's comments in the other thread imply each RefreshToken exchanged for a new RefreshToken should have a new 90 day lifetime and you won't have to do MFA again.

EDIT to add: I've checked the AccessToken and they're "pwd" and "mfa" in the "amr" section. Also, while I can't renew the ExO PS RefreshToken, I can still USE it to connect to clients' ExO PS just fine, well for 60 more days...

Why can I renew the Azure AD / Graph Refresh Token but not the Exchange Online PowerShell Refresh Token?

I found this curious: if I use one of our customer/client TENANT-IDs in place of mine in the URL to login.microsoftonline.com it works! And I can use the resulting RefreshToken to access other clients' Exch Online tenancies. It's like "my tenancy requires MFA, and it's been 30+ days since I did MFA so now I need to do MFA again because of our policies, but if I use a client's tenant to get a new RefreshToken, their policies apply - which don't have MFA enforced".

In fact: I have the Integration Sandbox set up as well, and it doesn't have any Policies, and it's working fine, even after 30 days.

What am I missing or what do I need to do? I want to have an unattended script that runs and renews my RefreshTokens, I don't want to have to re-do interactive MFA every 30 days, and I'd rather not use a client tenant ID if I don't have to. It works for AAD/Graph, just not Exchange Online PowerShell.

Thanks for your help!

   --Saul
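The two checks this post relies on (reading the "amr" claim of the access token, and telling an AADSTS50078 "interaction_required" response apart from other token-endpoint errors), as an added Node.js example that is not part of the thread or of Kelvin's script. It assumes Node.js 16 or later and no third-party modules; the sample JWT is constructed here and is not a real Azure AD token, the error body is the one quoted above, and the UPN and tenant values are placeholders.

```javascript
// Added example (not from this thread, not Kelvin's or Saul's script):
// inspect what an unattended renewal job sees from Azure AD.
//  1) read the "amr" claim of an access token to confirm the consent was
//     done with MFA (the "pwd" + "mfa" check mentioned in the post), and
//  2) parse the HTTP 400 body from login.microsoftonline.com so the job can
//     tell "a person must redo MFA" from other failures.
// Requires Node.js 16+ (Buffer 'base64url' support), no dependencies.

// Decode the payload of a compact JWT without verifying the signature.
// That is acceptable only for reading claims from a token that was just
// issued to us over TLS; anything making authorization decisions on the
// claims must verify the signature first.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when the access token's authentication-method references contain
// both "pwd" and "mfa", i.e. the interactive consent satisfied MFA.
function hasMfaAmr(jwt) {
  const amr = decodeJwtPayload(jwt).amr;
  return Array.isArray(amr) && amr.includes('pwd') && amr.includes('mfa');
}

// Summarize an error body from the token endpoint. Azure AD puts the numeric
// code in "error_codes" and repeats it as "AADSTSnnnnn:" at the start of
// "error_description"; we accept either. "interaction_required" (with
// AADSTS50078 / AADSTS50076) means the refresh token cannot be renewed
// silently: retrying will not help, someone must complete MFA again.
function classifyTokenError(body) {
  const err = typeof body === 'string' ? JSON.parse(body) : body;
  const fromList = Array.isArray(err.error_codes) ? err.error_codes[0] : undefined;
  const m = /AADSTS(\d+)/.exec(err.error_description || '');
  return {
    error: err.error ?? null,
    code: fromList ?? (m ? Number(m[1]) : null),
    suberror: err.suberror ?? null,
    needsInteractiveAuth: err.error === 'interaction_required',
    // keep these for the support ticket; they identify the failed request
    traceId: err.trace_id ?? null,
    correlationId: err.correlation_id ?? null,
  };
}

// --- constructed sample data (not real tokens) ----------------------------
function makeUnsignedJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.`;
}
const SAMPLE_MFA_TOKEN = makeUnsignedJwt({
  aud: 'https://outlook.office365.com',
  appid: 'a0c73c16-a7e3-4564-9a95-2bdf47383716', // well-known ExO PowerShell client id
  amr: ['pwd', 'mfa'],
  upn: 'admin@partner.example', // placeholder
});
const SAMPLE_PWD_ONLY_TOKEN = makeUnsignedJwt({ aud: 'https://outlook.office365.com', amr: ['pwd'] });

// The error body quoted in the post (trace/correlation ids as posted there).
const SAMPLE_ERROR_BODY = JSON.stringify({
  error: 'interaction_required',
  error_description: "AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'SampleBECApp'.\r\nTrace ID: 27735909-04ee-423f-906c-1d83eaa0bc00\r\nCorrelation ID: 250543c2-4ba2-4acc-bd25-13b7b1a97e53\r\nTimestamp: 2020-02-02 20:48:47Z",
  error_codes: [50078],
  timestamp: '2020-02-02 20:48:47Z',
  trace_id: '27735909-04ee-423f-906c-1d83eaa0bc00',
  correlation_id: '250543c2-4ba2-4acc-bd25-13b7b1a97e53',
  suberror: 'basic_action',
});

console.log('sample token has pwd+mfa:', hasMfaAmr(SAMPLE_MFA_TOKEN));
console.log(classifyTokenError(SAMPLE_ERROR_BODY));
```

A job built this way can log the trace and correlation IDs on failure and stop retrying when needsInteractiveAuth is true, which is the situation in this thread: no amount of re-running the script fixes it, only a new interactive MFA sign-in does.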

ACCEPTED SOLUTION

Microsoft

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

@sansbacher : I have just been talking to a colleague on this - and he mentioned something interesting - that really the setting you have set "remember MFA for 60 days" might cause this - since it will revoke the MFA token (Access token you are using to get a new refresh token).

So we would suggest that this setting is disabled. Or you can do the opposite test - set it to 1 day, maybe on Friday evening, and check if the script fails until Sunday - at least the impact to other users will be minimal then.

And again I would like to add that shoot me a mail if this still doesn't work, the colleague I have talked to might be able to help further.

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

I haven't had any replies so I thought I would post an update:

The error happened again this past Sunday (I do renewals of the RefreshTokens every week).

Using a client's TenantID still works (I assume because the tenant doesn't have MFA enforced for its users).

Since there is no error renewing the Integration Sandbox's Exchange Online RefreshToken (the Sandbox's Azure AD Tenant has Security Defaults enabled) I wondered if Conditional Access was the culprit. So I made a CA Policy that targeted just me, and just enforced MFA. Same error.

Then I added the IP address of the server used to run the weekly renewal task to the "MFA Trusted IPs" list - no error! (but also no MFA prompt when I logged into, say, Azure Portal from a browser on that machine)

So that's where it sits now: Either I need to use a Client's Tenant ID to do the renewal (not desirable, clients come and go), or I exclude MFA for just my account from just that server's IP (also not desirable, but at least IPs change less frequently than clients).

Unless anyone else ( @JanoschUlmer ?) has another suggestion I'm inclined to leave it as the second choice since we control this server. Otherwise: how do I go about renewing the Exchange Online PowerShell RefreshToken before the 90-day expiration without having to interactively "refresh my multi-factor authentication" every 30 days? (which defeats the point of doing all that one-time interactive Consent stuff and then allowing it to work unattended thereafter)

[Or who should I contact to ask?]

Thanks,

    --Saul

Microsoft

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hoping @idwilliams has a solution for this.

Also as a Partner you can get guidance by opening an advisory request via partner.microsoft.com/support or by contacting askpts@microsoft.com directly via email. If you have ASfP/Premier support, raise a ticket (Cloud Consult) via your SAM/TAM.

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Thanks @JanoschUlmer

Not having heard anything I went ahead and sent an email to askpts (I tried to find a web-form or something under the /support link but I couldn't, or maybe wasn't sure what I was looking for). In the email I included all the info about our partner number/organization name, etc. And I referenced this thread for additional details but did include all the relevant info.

Thanks again for your help, hopefully they're able to provide a solution or point me in the right direction. Creating a proper, non-excluding CA Policy would work, or maybe explain what the issue is on their end if it's nothing I can do.

If I hear back I will post back!

   --Saul


Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

@JanoschUlmer / @idwilliams ,

I sent Microsoft an email to that askpts@ address on the 28th, I've heard nothing back (not an NDR, or a ticket number, nothing. And I did check my O365 spam quarantine).

I checked my PasswordState vault and no issues with the RefreshToken renewals since I implemented the Conditional Access Policy exception.

I couldn't find any other support link from partner.microsoft.com/support so I think I'm just going to have to leave it as-is. It's not ideal but it's working without errors, and the Partner Security Requirements has 100% for "Through API or SDK" and "Through Partner Center portal" - which is what matters, and I can't continue to chase this.

If anyone else encounters this I'll leave this thread here in case it helps them or in case they happen to come across a solution.

Thanks,

   --Saul

Visitor 1

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Yes, Partner Advisory Services requests can sometimes take weeks for an initial response. My experience is that the next step there is that a "specialist" contacts you and will send you some links after performing his own "bing-ing". You'll probably get a link to this post back from him 🙂

Did you hear anything back yet? I'm facing exactly the same issue. We do have ASfP/Premier Support so I will raise a ticket as well.

Ad

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi @advdb ,

No, no response yet. But if it takes a while (and maybe longer due to the current pandemic and all...) then I guess that's to be expected. I didn't know that, thanks for the info. I Bing'd too (and the usual search) but nothing really.

We are or have ASfP/Premier too (I just discovered based on some other emails - not even sure what ASfP is...) and I mentioned it in an email chain to our rep - but nothing back from them either. To be honest: I've sort of left this on the back burner/considered it closed for now. But I'm game to re-engage if someone is willing to assist.

If you hear from your support and get some progress please let me know!

  --Saul


Microsoft

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

@sansbacher : With ASfP you have a dedicated service account manager (SAM) you can reach out to and open a cloud consult that will be handled with higher priority.

Btw, a response time of several weeks is definitely not OK. I'm working in this team, and at least for the areas I support (Germany, Austria, Switzerland mainly - but not limited to) the SLA for an initial response of 1 day is met most of the time. It might take a bit longer to get a solution, but at least the initial response should have happened.

More info on ASfP: https://partner.microsoft.com/en-us/support/advanced-cloud-support

Level 2 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi Saul,

Still working with support, but I did not get beyond the "by design" answer yet. Will be continued.

In the meantime I also posted this question on the "Partner Center SDK and API" Yammer group (if you have access to this group you can follow it there as well). These guys are also looking into it. Will let you know when there's progress again.

Cheers!

Ad


Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi @advdb1 - I am in some Yammer groups but I couldn't find that group, can you post a link to the Group and/or Discussion so I can join?

I didn't get a chance to contact MS Support (at least not the correct address - AskPTS wasn't the correct place, but Janosch pointed me in the right direction!) so I will re-submit now. If you Personal Message me your case number I can reference it, or I can send you mine when I get it. Might as well not have them duplicate their efforts.

Thanks again!

   --Saul

Level 2 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Thanks @advdb1 ,

I clicked the link last Friday and it said "Your request has been submitted to an admin for approval". It's still pending as I don't have access yet 😞

But I did get through to Microsoft and I guess the SAM for ASfP is only to escalate existing issues, I needed to open an actual case first - but the person here who manages all that opened a Cloud Consult which did the trick!

For your benefit, and @JanoschUlmer 's (who has also been super helpful) here's what I was told:

Microsoft made a change to something internal for Exchange Online PowerShell on January 31st, 2020 -- right around when I discovered the problem. The Tech believes that was the issue - since it wasn't 90 days and everything else worked.

So he suggested I request an all new Exch Online RefreshToken following: https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0 (the

$token = New-PartnerAccessToken -Module ExchangeOnline

part)

Because I'm mainly concerned about access to our customers' Exch Online and had followed Kelvin's script I asked about re-running just the Exch Online line from that script. He said that should be the same. And there was NO need to create a new Azure AD NativeApp. So I didn't.

Here's what I did:

  1. Disabled my Conditional Access Policy and confirmed that I get the AADSTS50078 error when trying to renew my existing Exch Online PS RefreshToken
  2. Updated my PartnerCenter PowerShell module (3.0.8) - just in case [needed to remove/reinstall as the signing cert has changed]
  3. Backed up my existing ExO Refresh Token, just in case
  4. Re-requested a NEW Exch Online Refresh Token using Kelvin's script:

The line I used was:

$Exchangetoken = New-PartnerAccessToken -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716' -Scopes 'https://outlook.office365.com/.default' -Tenant 'myTenantDomain.com' -UseDeviceAuthentication

Note: this AppID (a0c73-blah-blah) is the Well Known ExO PS App ID, and should be the same as using the new -Module ExchangeOnline option. You can use your tenantdomain.com or your Guid form for the Tenant.

This will give you a URL to go to and a code to enter, you'll need to use the UPN you want to use when connecting, same as before - an account with MFA enabled, and Partner Center delegated access, etc.

I confirmed the $Exchangetoken.AccessToken has both MFA and PWD in the AMR section of the JWT (using https://adfshelp.microsoft.com/JwtDecoder/GetToken )

I also confirmed in Azure that the Azure AD Native App still had green checks for the API Permission Consents.

  5. Stored this new $Exchangetoken.RefreshToken in my "Password Vault"
  6. Tested my headless/unattended Exch Online PowerShell scripts (which pull the RefreshToken), they worked.
  7. Tested my RefreshToken renewal scripts, they worked.
  8. I didn't create a new Azure AD App or re-enable the Conditional Access Policy, or do anything else.
  9. Did all the same for my Integration Sandbox - just so I can keep things consistent for testing purposes.

Now I need to wait and see if it continues to work! (the renewals I mean) I've set a reminder for ~30 days from now and for ~90 days from now, though I'd get an error report if it fails to renew any Sunday. I said I would re-open the MS Service Request if it did. But fingers crossed!

Maybe this will help with your request, or you can pass this along to the Yammer group [or nudge the admins to approve me]. Or if you get some other answer please let me know.

Thanks for all your help, everyone! And if it ends up failing again I'll report back.

   --Saul
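The weekly renewal step this post describes (redeem the stored refresh token, save the returned one, keep the old one as the backup from step 3, and stop when the answer is the AADSTS50078 "interaction_required" case that no retry can fix), as an added Node.js example; it is not Saul's script, Kelvin's script, or anything from the PartnerCenter module. It assumes Node.js 18 or later for the global fetch; the in-memory vault, the fake token endpoint, the tenant id and all token strings are constructed placeholders.

```javascript
// Added example (not Saul's or Kelvin's script): an unattended refresh-token
// rotation step with the safeguards discussed in this thread. Requires
// Node.js 18+ (global fetch) when talking to the real endpoint; the demo
// below runs fully offline against a constructed stand-in.

const tokenEndpoint = (tenant) => `https://login.microsoftonline.com/${tenant}/oauth2/token`;

// One refresh_token grant against the v1 endpoint. `post` is injectable so
// the flow can be exercised offline; by default it uses fetch.
async function exchangeRefreshToken({ tenant, clientId, clientSecret, refreshToken, resource }, post = postWithFetch) {
  const form = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
    resource, // e.g. https://outlook.office365.com for ExO PowerShell
  });
  if (clientSecret) form.set('client_secret', clientSecret); // public clients such as the ExO PS app send none
  return post(tokenEndpoint(tenant), form.toString());
}

async function postWithFetch(url, body) {
  const res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body });
  return { status: res.status, json: await res.json() };
}

// Renew the token stored under `key` in `vault` (any object with get/set).
// On success the old token moves to `${key}.previous` and the new one
// replaces it; on failure the vault is left untouched so next week's run
// (or a person) can still use the last good token.
async function rotateRefreshToken(vault, key, params, post) {
  const current = vault.get(key);
  if (!current) throw new Error(`no refresh token stored under ${key}`);
  const { status, json } = await exchangeRefreshToken({ ...params, refreshToken: current }, post);
  if (status === 200 && json.refresh_token) {
    vault.set(`${key}.previous`, current);
    vault.set(key, json.refresh_token);
    return { ok: true, expiresIn: Number(json.expires_in), needsInteractiveAuth: false };
  }
  const code = Array.isArray(json.error_codes) ? json.error_codes[0] : null;
  return {
    ok: false,
    error: json.error ?? `http_${status}`,
    code,
    // true for AADSTS50078/50076: retrying will not help, someone must redo MFA
    needsInteractiveAuth: json.error === 'interaction_required',
    traceId: json.trace_id ?? null, // quote this in the support ticket
  };
}

// --- constructed offline stand-ins ----------------------------------------
class MemoryVault {
  constructor() { this.m = new Map(); }
  get(k) { return this.m.get(k); }
  set(k, v) { this.m.set(k, v); }
}

// Fake endpoint: accepts exactly one refresh token value and otherwise
// answers with an AADSTS50078 body shaped like the one in this thread.
function fakeTokenEndpoint(acceptedToken) {
  return async (_url, body) => {
    const sent = new URLSearchParams(body).get('refresh_token');
    if (sent === acceptedToken) {
      return { status: 200, json: { token_type: 'Bearer', expires_in: '3599', access_token: 'at-constructed', refresh_token: 'rt-rotated-1' } };
    }
    return {
      status: 400,
      json: {
        error: 'interaction_required',
        error_codes: [50078],
        suberror: 'basic_action',
        error_description: "AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'SampleBECApp'.",
        trace_id: 'trace-id-constructed',
      },
    };
  };
}

// Walk through a good week and a bad week; returns what the job observed.
async function runDemo() {
  const vault = new MemoryVault();
  vault.set('exo-refresh-token', 'rt-initial'); // constructed value
  const params = { tenant: 'TENANT-ID-PLACEHOLDER', clientId: 'a0c73c16-a7e3-4564-9a95-2bdf47383716', resource: 'https://outlook.office365.com' };
  const good = await rotateRefreshToken(vault, 'exo-refresh-token', params, fakeTokenEndpoint('rt-initial'));
  // next week the endpoint no longer accepts a silent renewal
  const bad = await rotateRefreshToken(vault, 'exo-refresh-token', params, fakeTokenEndpoint('rt-something-else'));
  return { good, bad, stored: vault.get('exo-refresh-token'), previous: vault.get('exo-refresh-token.previous') };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point of the vault-untouched-on-failure rule is the one Saul made in step 3: a refresh token that fails to renew with AADSTS50078 is still usable for its remaining lifetime, so the job must not overwrite or discard it, and the only correct next action is the interactive device-code consent above.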

 

Level 2 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

It seems that my token has lasted for more than 30 days now. I'm not sure, but it's closer to 2 months now.

@sansbacher how are things at your side developing?

Think I'll have to wait until the magical 90 days event now.

In the meantime, the PartnerCenter guys have added the Exchange Online PM to this issue, I'll let you know if anything new comes up.

Stay safe all!


Level 4 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

AADSTS7000215

Invalid client secret is provided. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.

AADSTS7000222

InvalidClientSecretExpiredKeysProvided - The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://aka.ms/certCreds

AADSTS700005

InvalidGrantRedeemAgainstWrongTenant - Provided Authorization Code is intended to use against other tenant, thus rejected. OAuth2 Authorization Code must be redeemed against same tenant it was acquired for (/common or /{tenant-ID} as appropriate)

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi @advdb1 ,

It was just 30 days this past weekend (the 9th) and all my Refresh Tokens renewed on the 10th without issue, which is great! I too will wait another 60 days and see if they continue to renew after a total of 90 days, and then put this matter to bed.

What did you end up doing? Recreating a new ExO Refresh Token from scratch, like I did?

(I've still not received approval for the CloudPartnerCommunity Yammer group, so I can't see your post)

If you hear of anything new, or if yours stops working let me know!

For @Lewis-H - yes, you can see many of the AAD errors here: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes#aadsts-error-codes

But the error Advdb1 and I were getting (AADSTS50078) isn't listed.

Hope you had a good weekend, stay well!

   --Saul


Level 3 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

It's like we're living the same life...

This has never really been a problem overly for me because I actively Refresh the Exchange "Refresh" token every 28 days anyway and essentially re-consent.

Get this though: although that Refresh token works fine for 95% of the clients we are delegated for, for a few of them I still get this error:

"New-PartnerAccessToken : AADSTS50078: Presented multi-factor authentication has expired due to pop... "

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Haha, the same cursed life! 😉

So you generate and manually (interactively) Consent to a new ExO Refresh Token every 28 days? Why?

It's valid for 90 days, and if you redeem it for an Access Token you get a new Refresh Token - another 90 days. So I renew mine every Sunday. My goal is to not have to manually/interactively Consent again - the whole point of Automation is to avoid manual intervention! 😀

[In December I'll have to generate a new Azure AD Native App client secret for the PartnerCenter access, which I can generate for 2 years, I'm okay with that]

I've also never had a problem with our clients, if I have Delegated Access working it works. The only time it doesn't it turns out they're a former client who has finally revoked our access.

I'm hoping all this gets pulled into some useful documentation at some point. Or maybe I should put it up somewhere. But I'm hoping MS irons out the bugs and updates all the modules and it all "just works"...

  --Saul


Visitor 1

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

@Gavsto I'm coming across the same thing. The vast majority of our clients are connecting just fine, but just a handful of them I'm getting that error...

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi @advdb1 ,

Is your Exchange Online Refresh Token still working? Did you end up getting anything else from your PartnerCenter guys?

Because guess what?.... My weekly "Refresh Token renewal script" FAILED with the SAME error yesterday. It worked on Sunday May 31st, but on June 7th it failed with:

StatusCodeError: 400 - {"error":"interaction_required","error_description":"AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'SampleBECApp'.\r\nTrace ID: 2ec39824-ea1d-4bdd-aec5-84e85aad1e00\r\nCorrelation ID: b199483c-155f-4996-8ca0-bcdd531de912\r\nTimestamp: 2020-06-07 19:48:46Z","error_codes":[50078],"timestamp":"2020-06-07 19:48:46Z","trace_id":"2ec39824-ea1d-4bdd-aec5-84e85aad1e00","correlation_id":"b199483c-155f-4996-8ca0-bcdd531de912","suberror":"basic_action"}

I did the previous manual re-request and consent to the Exchange Online app on April 9th (as noted above). Which means this failed somewhere between 52 and 60 days ago. So it didn't even make the 90 days lifetime of the RefreshToken!

[Using the REST API to do this, I didn't try the PartnerCenter PowerShell module, but last time the error was the same]

Unless you have found a solution I'm seriously leaning towards just adding back that temporary Conditional Access policy to exclude MFA for the account on just that machine/IP and calling it a day!

[I also confirmed that no existing Conditional Access policies are applying. So just the default settings, plus "Remember multi-factor authentication" for 60 days - could that be it? Do I need to press internal IT to disable that?]

I can't keep "fixing" something that is supposed to work, I can't keep manually updating something that should be automated. I have other things to work on, and I've already told my boss "this MFA/CSP Partner Center thing is all fixed" 2 or 3 times now! I don't even know if it's worth re-opening another ticket with Microsoft for something that may take 30-60 days to reoccur, make a change and wait 3-6 months to see if it's really fixed...

@idwilliams Do you know if there's been another change to the back-end with internal Exchange Online that requires us to do another manual change?

@JanoschUlmer Have you heard anyone else having this problem? Do we have confirmation that anyone else has requested an Exchange Online Refresh Token 90+ days ago and has been renewing it ever since with no problems?

It's frustrating since we (the community) had to piece together how to make 

@KelvinTegelaar I re-read your original post on MFA/Secure App Model, and your new post - have you run into this before? Have you had any issues renewing the Exchange Online refresh token?

Thanks to all who read and may have any advice!

  --Saul


Microsoft

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Excluding this account from MFA would not achieve anything, since accessing the end customer tenant with delegated admin credentials requires MFA regardless of what you are configuring (also the "remember MFA option" won't have an effect when accessing the end customer's tenant).

I'm trying to seek more help internally - could you summarize the whole solution here (or via mail) - so the full script you are using, how the token is refreshed, the version of ExO PowerShell modules etc.? The thread is unfortunately going on for a long time, and it is difficult to keep track of how your solution looks exactly 🙂 I know, this is even more work, but it would help assessing where the problem might be.

Also I wonder since you regularly replace the old refresh token with the new one, how old was the new token you have been using? Usually we recommend replacing it more often - so not wait to the full extent of 90 days. So did you last time refresh the token successfully 52-60 days ago, or did the just refreshed token fail after a few days? But maybe I did understand your comment wrong...

Also, even though it seems to be tedious, please open a support ticket. You can also open a 2nd ticket to get an exception for the MFA requirement to access end customers, this may be a temporary relief: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#how-to-submit-a-request-for-technical-exception

Level 2 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi Saul and others!

I'm still waiting for my refreshtoken to expire. The token is refreshed at least 5 days a week so it should live until the secret is expired. Unfortunately I did not write down the day I created it, so I still have to guess how long the lifetime has been by now. However on May 5th my assumption was close to 2 months, so we should be at or over 3 months now.

Anyway, I created the first one with

$token = New-PartnerAccessToken -Module ExchangeOnline

and I am connecting from a .Net application using a WSManConnectionInfo object with a ShellUri "http://schemas.microsoft.com/powershell/Microsoft.Exchange" for the connection to "https://outlook.office365.com/powershell-liveid/". With this connection I create a RunSpace. So I guess this is Exchange Online PowerShell V1. Don't know if this can be done with the V2 set, but it still works fine.


Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi @JanoschUlmer ,

Sorry for the long delay - it's been super busy at work! But I wanted to reply back: you fixed it! At least your suggestion to disable the "remember MFA for X days" setting did.

I got permission from the other Internal IT staff at work to disable that setting this past Friday (I shared your information that it was going away anyway, and that "user sign-in frequency" is the replacement, which I've not needed to use). I waited 2 hours and re-ran my Refresh Token renewal script: it worked!

I checked my MS Office apps, web/OWA, Teams, OneDrive, phone, etc over the weekend: no MFA issues. So unchecking that "remember multi-factor authentication" setting didn't cause any problems, and the regularly scheduled weekly token renewal worked as well! So I think it's all good!

We have an EOTM (Employee of the Month) nomination thing at my work, how do I nominate YOU for Microsoft Employee of the Month? You deserve it, you've been super helpful and great about following up and replying in these forums. I know I, and the rest of us I'm sure, really appreciate it. Thanks so much!

For the benefit of anyone else who comes across this long thread, I'll answer / add some bits:

  • I did not re-create / re-consent the Exchange Online RefreshToken as I had on April 9th, there was no need (so I'm still using that originally initiated Token)
  • All I did was uncheck the "MFA service setting" regarding "remember MFA", waited a few hours and then my renewal script worked as it should.
  • I'll still be holding my breath a little until 90 days after that (which should be mid-July) to know if it's all working as it should thereafter.
  • Excluding the account/UPN used for the ExO process from requiring MFA (via a Conditional Access Policy) did work (but isn't recommended) because it was just used to renew the token, using the token seemed ok; when I did that I had no issues with end-customer tenants for Exch Online. [I don't have such a CA Policy now]
  • I was (and am) renewing my Refresh Tokens every 7 days, even though they last for 90 days. I had, when I posted 2 weeks ago on June 8th, successfully renewed on May 31st, but failed on Jun 7th. [I have now successfully renewed since disabling that "remember" setting]
  • I am renewing all my tokens using JavaScript and REST API requests, but I had duplicated the issue using PowerShell - the basic process is listed in the first post in this thread from Feb 6th (basically redeem a RefreshToken for an AccessToken, and just save the new RefreshToken instead). On April 9th I worked with MS support and did the interactive consent for a new Exchange Online RefreshToken. [I'm still using that token]
  • If disabling the "Remember MFA" setting hadn't worked I was going to try as you suggested and set to 1 day, and then re-consent a new Token and see if it failed to renew after 1 day. [But didn't have to, disabling "Remember MFA" worked!]

And thanks for the update @advdb1 - glad to hear yours is working still, and beyond 90 days. Makes me think mine will too - and then I'll know this is all done and working!

I hope this helps anyone else running into this issue!

   --Saul

Level 2 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi Saul,

Glad to hear that your problem is solved!

I was checking this setting "remember MFA for X days" on my side but cannot find it, at least nowhere in AAD - Security - MFA. Can you point me to it?

FYI: my refreshtoken is still working and I'm sure I have passed the 90 days in the meantime...

Thanks,

Ad

Microsoft

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

It is in the old MFA admin portal.

Azure Portal --> Azure Active Directory --> Users --> "Multi-Factor Authentication". And then in this portal under "service settings".

OR you can access it using the way described here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#mfa-service-settings