Secure Application Model

Learn and ask questions on how to implement secure application model

Level 2 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Thanks Janosch, this setting is for remembering MFA on trusted devices. The user will get a popup asking them not to be reminded for MFA for xx days.

I don't think that this setting is used in the scenario we are talking about, because in our AAD it is set to 14 days, so we would have run into issues a lot earlier. We're currently over the 90-day limit (replacing the token with the newly received refresh token every time we use it) with this setting on 14.


thanks,

Ad

Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

I agree... but.... my RefreshToken renewal script failed consistently, I disabled that "Remember MFA" setting and it worked a few hours later!


I could go back and re-enable it and do tests, but that "remember" setting was set for 60 days when I re-did the consent in April (though someone had changed it to 30 days by the time I went to disable it) and the error I was getting (the AADSTS50078 one) happened at basically 59 or 60 days.


I was skeptical too, but short of changing it back and possibly waiting again, I don't know what else to say. When I'd contacted MS support in early April their answer was "we made changes to the Exch Online app, that's why you need to re-consent, it'll be fine after". I can't confirm if that's also true - but having disabled the "remember MFA" setting has my renewal script working. So I'm happy 🙂


@advdb1 - what was it that finally fixed your issue? Maybe that "remember" setting is one of several related options and you have something else set (or unset) that I don't (or do)?


   --Saul

Level 2 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Not sure, but there are 2 things that are remarkable:

- MS Support stating that there was an extra consent needed in March/April, which is the period I consented for the last time

- We have been using different scripting to obtain the first RefreshToken, I used

$token = New-PartnerAccessToken -Module ExchangeOnline

yours was:

$Exchangetoken = New-PartnerAccessToken -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716' -Scopes 'https://outlook.office365.com/.default' -Tenant 'myTenantDomain.com' -UseDeviceAuthentication

It might be that the "-UseDeviceAuthentication" flag that you used has a relation with the "remember MFA for X days" setting, because this setting is used for remembering MFA on trusted devices.


You said that you used this script because you needed to run it for access to your customers' Exchange Online, but this is also possible with the "-Module ExchangeOnline" flag. The token you get is for the tenant of the user you have used in the next step to get the token. Apart from some special security-related functions you can do almost everything as delegated admin, so you would not need to get a token for each customer.

Next, acquire your AccessToken and skip Basic Authentication by creating a credential object from the username and the acquired access token, and then connect to Exchange Online with:


# $credential is a PSCredential whose password is "Bearer <access token>"; the URI must be quoted, otherwise PowerShell treats the '&' as a statement separator
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/powershell-liveid/?DelegatedOrg=contoso.onmicrosoft.com&BasicAuthToOAuthConversion=true' -Credential $credential -Authentication Basic -AllowRedirection


This is the way I connect and it still works fine after the first issues in the beginning of the year...
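The full flow described in this thread (first consent, renewing with the stored refresh token, building the "Bearer" credential and opening the delegated session), written out as an added PowerShell example that is not code from any post above. It assumes the PartnerCenter module is installed; $adminUpn, $partnerTenant, $customerTenant and the token file location are placeholder values, and the helper names Get-ExoToken and Connect-ExoAsDelegatedAdmin are my own.

```powershell
# Added example, not from the thread. Placeholders: replace before use.
Import-Module PartnerCenter

$adminUpn       = 'admin@partner.onmicrosoft.com'   # placeholder: the partner admin UPN
$partnerTenant  = 'partner.onmicrosoft.com'         # placeholder: tenant of that admin
$customerTenant = 'contoso.onmicrosoft.com'         # placeholder: customer to manage
$tokenStore     = Join-Path $env:USERPROFILE 'exo-refreshtoken.xml'   # assumed location

function Get-ExoToken {
    # First run: interactive consent returns an access token plus a refresh token.
    # Later runs: renew with the stored refresh token, so no MFA prompt is needed.
    if (Test-Path $tokenStore) {
        # Export-Clixml stores a SecureString protected by DPAPI for this user on Windows
        $secure = Import-Clixml -Path $tokenStore
        $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
        $token  = New-PartnerAccessToken -Module ExchangeOnline -RefreshToken $plain -Tenant $partnerTenant
    }
    else {
        $token  = New-PartnerAccessToken -Module ExchangeOnline -Tenant $partnerTenant
    }

    # Persist the refresh token that came back, not the one we sent: the service may
    # roll it, and reusing a stale one is a common reason renewals stop working.
    ConvertTo-SecureString -String $token.RefreshToken -AsPlainText -Force |
        Export-Clixml -Path $tokenStore

    return $token
}

function Connect-ExoAsDelegatedAdmin {
    param(
        [Parameter(Mandatory)] [string] $CustomerTenant,
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    # BasicAuthToOAuthConversion: the "password" field carries the bearer token, so no
    # user password is transmitted and the MFA-backed AAD authentication is what is used.
    $bearer     = ConvertTo-SecureString -String "Bearer $AccessToken" -AsPlainText -Force
    $credential = [System.Management.Automation.PSCredential]::new($Upn, $bearer)

    # Build the URI as a single quoted string; an unquoted '&' would break the command line.
    $uri = 'https://outlook.office365.com/powershell-liveid/?DelegatedOrg={0}&BasicAuthToOAuthConversion=true' -f
        [uri]::EscapeDataString($CustomerTenant)

    return New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
        -Credential $credential -Authentication Basic -AllowRedirection
}

$token   = Get-ExoToken
$session = Connect-ExoAsDelegatedAdmin -CustomerTenant $customerTenant -Upn $adminUpn -AccessToken $token.AccessToken
try {
    Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null
    # Read-only sanity check that the session landed in the intended customer tenant
    Get-OrganizationConfig | Select-Object Name, DisplayName
}
finally {
    Remove-PSSession $session
}
```

The refresh token is a long-lived credential equivalent to the admin's MFA-satisfied sign-in, so it is kept as a DPAPI-protected SecureString on disk rather than in the script; delete the stored file to force a fresh interactive consent when renewal stops working. The access token itself is short-lived, so Get-ExoToken is called once per run rather than cached.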


Level 5 Contributor

Re: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'

Hi @advdb1,


I don't think either of those constitutes the problem:


-Module ExchangeOnline and -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716' are equivalent; the MS support tech confirmed that the 'a0c73...' GUID is the well-known GUID for Exchange Online PowerShell. In fact, if you look at the PartnerCenter PowerShell module source, in Models\Authentications\PowerShellModule.cs it has:

private const string ExchangeOnlineApplicationId = "a0c73c16-a7e3-4564-9a95-2bdf47383716";

(and it also adds "https://outlook.office365.com/.default" to the scopes). The MS Tech told me that the -Module parameter was added later, as a convenience.


The MS Tech also didn't see a problem with using -UseDeviceAuthentication, which from looking at the source appears to also be the original experience to authenticate/consent, the new one being directly launching a browser window for you. But the end result is the same:


In Authenticators\DeviceCodeAuthenticator.cs and Authenticators\InteractiveUserAuthenticator.cs they both return: "An instance of 'AuthenticationToken' that represents the access token generated as result of a successful authentication."


And I use the RefreshToken exactly as you describe: I use just that one Token to access all our clients/customers using Delegated Admin Permissions, creating the "Bearer AccessToken" for the $credential, and then a New-PSSession using the DelegatedOrg=customer.domain.com.


I don't know why my original Token (created before Jan 1st) stopped working in February (MS claims because they made a change on the back-end), but the new one worked from April until this month, and having disabled the "remember MFA" it is now working again - with no other changes. If it makes it to mid July then it will be over 90 days.


The only change I made was to disable "remember MFA" and it started working again. I don't know any more than that - but if I come across any other errors I will definitely report back!

   --Saul