Update-M365DSCAzureAdApplication doesn't work when setting admin consent with multi-factor authentication enabled about microsoft365dsc HOT 3 OPEN

The cmdLet uses an call to a native endpoint in EntraID.

Graph PowerShell supports permission grants: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent

This option should be implemented in M365dsc.

from microsoft365dsc.

Error AADSTS50076 appears to be a wide spread problem. In varying forms of response, in general, Microsoft advise as a workaround to this problem is "Setup a separate user account (or dedicated service account) that has limited access and strong credentials that are regularly rotated. This account must be excluded from Conditional Access MFA enforcing policy."

I'm unable to find reference to an all encompassing Microsoft documentation which acknowledges this issue. I would assume many have raised a support ticket related to AADSTS50076, however, there is no evidence to suggest Microsoft are actively working on a solution (that I could find nor validate).

If de-scoping the account from MFA isn't workable, I may suggest exploring other securing criterion Conditional Access has to offer. A purpose built policy scoped only for this one account. Enforcing that the Device being used to run the commands be Managed (by Intune, SCCM or another MDM) and Compliant might suffice in reducing attack vectors.

You may even want a hardened VDI, with an IP range restricted Conditional Access policy scope to the one dedicated account for Microsoft365DSC tasks. Obviously, quite extreme, but not uncommon.

Alternatively, it is suggested to grant Admin Consent to the permissions required on the Service Principal, manually, through the Entra portal GUI, then omit the -AdminConsent switch from the command set going forward.

from microsoft365dsc.

@RJEMDM For an 'initial setup and ongoing maintenance' command like Update-M365DSCAzureAdApplication, it seems unlikely that people are trying to automate this in a script etc.

For all of the Microsoft365DSC workloads, it is possible to use an interactive prompt supporting MFA. It should be possible to get this to work here too (as it used to until recently) without requiring insecure workarounds or manual steps.

@andikrueger 's suggestion should do the job by using the existing Graph credential, if I understand it correctly.

from microsoft365dsc.