"Remember MFA" enabled at a CLIENT prevents Exchange Online PowerShell from working with DAP (error AADSTS50078)
This is a sort-of followup from my post regarding: Unable to renew Exchange Online PowerShell RefreshToken: Error AADSTS50078 trying to access 'SampleBECApp'
(That post was about error AADSTS50078 when I [the CSP] tried to renew my Exch Online PowerShell RefreshToken because we [the CSP] had the "remember MFA" setting enabled in our tenancy. Disabling it solved that problem, thanks again to @JanoschUlmer )
I'm now seeing more and more problems with may automated/unattended/headless PowerShell scripts accessing our CLIENTS - the common thread is that they have the "remember MFA" setting enabled (the one called "remember multi-factor authentication")
These are clients we have Delegated Admin Permissions to, where we are their CSP. I can access their Exchange Online management portal via the web portal from CSP Partner Portal no problem, and I can even access their Azure AD/Msol using Delegated Admin Permissions no problem, but I cannot access their Exch Online using PowerShell, I get the same error:
New-PartnerAccessToken : AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000'.
If I disable/uncheck their "remember MFA" setting it works. (to be clear, our 'remember MFA' setting is disabled and renewing Tokens works fine, accessing other clients' Exch Online works fine)
Has anyone else experienced this? Most of our clients have it disabled, but it seems 80% of new clients have it enabled. I've explained that Conditional Access is the way to go, that 'remember MFA' and the legacy portal will be going away, etc. (which Janosch has mentioned in the past). But some existing clients want it enabled. This means none of my Exch Online PowerShell based automations work for them.
- Has anyone else seen/experienced this?
- Is there a solution for these clients other then disabling their 'remember MFA' setting?
- Is there a way using AzureAD/Msol PowerShell (or Graph API, etc) to disable the 'remember MFA' setting via a script? (so my scripts can just disable it and log it as a warning, if we had a blanket 'no remember MFA' policy) I've not been able to find a way.
It's weird that this only affects Exchange Online. Other than this, everything is working really well. Thanks again for everyone's help and input!