"Remember MFA" enabled at a CLIENT prevents Exchange Online PowerShell from working with DAP (error AADSTS50078)
This is a sort-of followup from my post regarding: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'
(That post was about error AADSTS50078 when I [the CSP] tried to renew my Exch Online PowerShell RefreshToken because we [the CSP] had the "remember MFA" setting enabled in our tenancy. Disabling it solved that problem, thanks again to @JanoschUlmer )
I'm now seeing more and more problems with my automated/unattended/headless PowerShell scripts accessing our CLIENTS - the common thread is that they have the "remember MFA" setting enabled (the one called "remember multi-factor authentication")
These are clients we have Delegated Admin Permissions to, where we are their CSP. I can access their Exchange Online management portal via the web portal from CSP Partner Portal no problem, and I can even access their Azure AD/Msol using Delegated Admin Permissions no problem, but I cannot access their Exch Online using PowerShell, I get the same error:
New-PartnerAccessToken : AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'.
If I disable/uncheck their "remember MFA" setting it works. (to be clear, our 'remember MFA' setting is disabled and renewing Tokens works fine, accessing other clients' Exch Online works fine)
Has anyone else experienced this? Most of our clients have it disabled, but it seems 80% of new clients have it enabled. I've explained that Conditional Access is the way to go, that 'remember MFA' and the legacy portal will be going away, etc. (which Janosch has mentioned in the past). But some existing clients want it enabled. This means none of my Exch Online PowerShell based automations work for them.
- Has anyone else seen/experienced this?
- Is there a solution for these clients other than disabling their 'remember MFA' setting?
- Is there a way using AzureAD/Msol PowerShell (or Graph API, etc) to disable the 'remember MFA' setting via a script? (so my scripts can just disable it and log it as a warning, if we had a blanket 'no remember MFA' policy) I've not been able to find a way.
It's weird that this only affects Exchange Online. Other than this, everything is working really well. Thanks again for everyone's help and input!
Usually I recommend not to store the refresh token generated for a specific customer, but only the (first) one you generate as Partner - and then use this to create new token(s) for accessing the end customer every time when needed. If you store & reuse/renew the customer-specific token you may run exactly into the error you describe, so for now I'm just assuming you have done it this way.
So when generating the Exchange token the first time, e.g. via Device Code flow:
# Interactive, once, in the Partner (CSP) tenant; device code flow as described above
$ExchangeTokenPartner = New-PartnerAccessToken -Module ExchangeOnline -UseDeviceAuthentication
Only store this Refresh Token, respectively renew this token and store the refresh token for later usage:
# Unattended renewal of the Partner-level token; persist only $EXnewtoken.RefreshToken
$EXnewtoken = New-PartnerAccessToken -RefreshToken $ExchangeTokenPartner.RefreshToken -Scopes 'https://outlook.office365.com/.default' -Module ExchangeOnline -ApplicationId $ExoAppId
Then, when connecting to a customer, always use the token from above to generate a fresh set of tokens for the customer context, never store the customer-specific token created in this step:
# Customer-scoped token minted from the Partner refresh token; use it and discard it
$ExchangeTokenCustomer = New-PartnerAccessToken -RefreshToken $EXnewtoken.RefreshToken -Scopes 'https://outlook.office365.com/.default' -TenantId $customertenant -ApplicationId $EXOAppId
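The three-step pattern above, put together as a complete unattended run. This is an added example, not code from the thread or from the PartnerCenter project: it keeps only the Partner-level refresh token (in a Microsoft.PowerShell.SecretManagement vault, assumed to be registered as 'CspVault' under a hypothetical secret name), mints a throwaway customer token per tenant, and treats AADSTS50078 on a given customer as the "remember MFA" symptom described in the thread, logging a warning and moving on instead of aborting the whole batch. Parameter names of New-PartnerAccessToken follow the thread; the bearer-token-as-password remoting session is the DAP Exchange connection method of that era and is an assumption here, as are the sample customer list and UPN.

```powershell
#Requires -Modules PartnerCenter, Microsoft.PowerShell.SecretManagement

$ExoAppId   = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'   # ExO PowerShell app id quoted in the thread
$ExoScopes  = 'https://outlook.office365.com/.default'
$VaultName  = 'CspVault'                                # assumed registered SecretManagement vault
$SecretName = 'ExoPartnerRefreshToken'                  # hypothetical secret name

function Initialize-PartnerExoToken {
    # One-time, interactive, in the CSP tenant (device code flow).
    # Store ONLY this Partner-level refresh token; never a customer one.
    $partner = New-PartnerAccessToken -Module ExchangeOnline -UseDeviceAuthentication
    Set-Secret -Name $SecretName -Secret $partner.RefreshToken -Vault $VaultName
}

function Update-PartnerExoToken {
    # Unattended: renew the Partner token and roll the stored refresh token forward.
    $stored = Get-Secret -Name $SecretName -Vault $VaultName -AsPlainText
    $new = New-PartnerAccessToken -RefreshToken $stored -Scopes $ExoScopes `
        -Module ExchangeOnline -ApplicationId $ExoAppId
    Set-Secret -Name $SecretName -Secret $new.RefreshToken -Vault $VaultName
    return $new
}

function Connect-CustomerExo {
    param(
        [Parameter(Mandatory)] [string] $CustomerTenantId,
        [Parameter(Mandatory)] [string] $CustomerDomain,
        [Parameter(Mandatory)] [string] $PartnerUpn,
        [Parameter(Mandatory)] $PartnerToken
    )
    try {
        # Customer-scoped token derived from the Partner token; held in memory only.
        $cust = New-PartnerAccessToken -RefreshToken $PartnerToken.RefreshToken -Scopes $ExoScopes `
            -TenantId $CustomerTenantId -ApplicationId $ExoAppId
    }
    catch {
        if ($_.Exception.Message -match 'AADSTS50078') {
            # Thread finding: this is what a customer tenant with 'remember multi-factor
            # authentication' enabled produces for ExO PowerShell under DAP. Log and skip.
            Write-Warning "[$CustomerDomain] AADSTS50078 (MFA claim rejected). Likely 'remember MFA' enabled in customer tenant; skipping."
            return $null
        }
        throw
    }
    # Assumption: bearer token passed as the password of a basic-auth remoting session,
    # the documented DAP connection method for Exchange Online at the time.
    $secure = ConvertTo-SecureString "Bearer $($cust.AccessToken)" -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($PartnerUpn, $secure)
    $uri    = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=$CustomerDomain&BasicAuthToOAuthConversion=true"
    return New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
        -Credential $cred -Authentication Basic -AllowRedirection
}

# Nightly run over a constructed sample customer list.
$customers = @(
    @{ TenantId = '11111111-1111-1111-1111-111111111111'; Domain = 'contoso.onmicrosoft.com' }
)
$partnerToken = Update-PartnerExoToken
foreach ($c in $customers) {
    $session = Connect-CustomerExo -CustomerTenantId $c.TenantId -CustomerDomain $c.Domain `
        -PartnerUpn 'automation@csp.example' -PartnerToken $partnerToken
    if ($null -eq $session) { continue }
    try {
        Invoke-Command -Session $session -ScriptBlock {
            Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
        }
    }
    finally {
        Remove-PSSession $session
    }
}
```

The point of catching AADSTS50078 per customer rather than globally is that the failure is tenant-scoped: the Partner refresh token is still good, so the run should continue with the next tenant and surface the affected one in the log for follow-up.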
Thanks @JanoschUlmer - but that's what I am doing 🙂 That's what's so weird.
And it works perfectly for almost all clients. I only have two RefreshTokens stored: one for my Partner Center Azure App and one for Exchange Online PowerShell - both generated by me, as a Partner in our tenancy (we're a CSP). I can renew them without any issue (so long as I keep my [CSP tenant] "remember MFA" off). They are stored in our secure PasswordVault.
And I can 'redeem' them for a new AccessToken to connect to any client/customer Tenant that we have been granted Delegated Access Permission to... so long as they (the client) keep their "remember MFA" off.
If they enable "remember MFA" then I can connect to their Azure AD but not to their Exchange Online PowerShell, I get that AADSTS50078 error.
I never store any of the customer-specific Refresh or Access Tokens - I always get new ones from my Partner Tokens.
If I go in and disable "remember MFA" for them then I can connect to their Exch Online via PS. (again, using my initial Exch Online RefreshToken to get an AccessToken for their TenantID).
Everything works fine if the CLIENT has "remember MFA" disabled, but not if they have it enabled. Any ideas? It seems like it is a problem with the Exchange Online PowerShell "App" (the one that uses App ID a0c73c16-a7e3-4564-9a95-2bdf47383716, aka -Module ExchangeOnline).
Or is anyone else experiencing this?
Or... is there a way I can disable a client's "remember MFA" using AzureAD/Msol PS - [which works]? (then I could just disable it before connecting to their ExO)
That is really strange, though I have tested this one but maybe I have to repeat.
To your question - afaik there is no option to disable this setting via Powershell, CLI or API 😞
Since this can actually increase the number of MFA prompts for Modern Authentication clients, I would recommend customers that they disable this for their own benefit: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime#remember-multi-factor-authentication
Yup, that's what I've said.
And if you could test - or anyone else could - that would be great. Just find a working client you have DAP access to Exch Online PS to (as a CSP to a client/customer tenant), then enable "remember MFA" in their tenancy for X days and wait X days and see if you still have access [sometimes even less than X days]. If it does fail, unchecking 'remember MFA' in their tenant will fix it right away, no delay.
I've told people that setting is going away, that it should be > 90 days anyway, to use Conditional Access, etc. But it's mainly new clients, so I need to go in and fix it. However now one existing client is insisting on it; so I told the account manager "You can have my O365 ExO automation scripts/tools OR the 'remember MFA' - pick one".
Too bad there is no way to programmatically disable it 😞
Thanks for checking!
It will go away sooner or later, I expect it will be gone by the time when Exchange Online will stop supporting basic auth. And by then, you'll need to use a new ExO PowerShell version anyway - before you ask - no, I don't know when Exo v2 PowerShell will start to support delegated Partner scenarios +MFA +unattended 😉
Currently it still supports only interactive login for Partners with delegation and MFA enabled - or App-Only authentication in unattended automation scenarios, but only for a single customer (tenant).