Comments (3)
The cmdLet uses an call to a native endpoint in EntraID.
Graph PowerShell supports permission grants: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent
This option should be implemented in M365dsc.
from microsoft365dsc.
Error AADSTS50076 appears to be a wide spread problem. In varying forms of response, in general, Microsoft advise as a workaround to this problem is "Setup a separate user account (or dedicated service account) that has limited access and strong credentials that are regularly rotated. This account must be excluded from Conditional Access MFA enforcing policy."
I'm unable to find reference to an all encompassing Microsoft documentation which acknowledges this issue. I would assume many have raised a support ticket related to AADSTS50076, however, there is no evidence to suggest Microsoft are actively working on a solution (that I could find nor validate).
If de-scoping the account from MFA isn't workable, I may suggest exploring other securing criterion Conditional Access has to offer. A purpose built policy scoped only for this one account. Enforcing that the Device being used to run the commands be Managed (by Intune, SCCM or another MDM) and Compliant might suffice in reducing attack vectors.
You may even want a hardened VDI, with an IP range restricted Conditional Access policy scope to the one dedicated account for Microsoft365DSC tasks. Obviously, quite extreme, but not uncommon.
Alternatively, it is suggested to grant Admin Consent to the permissions required on the Service Principal, manually, through the Entra portal GUI, then omit the -AdminConsent
switch from the command set going forward.
from microsoft365dsc.
@RJEMDM For an 'initial setup and ongoing maintenance' command like Update-M365DSCAzureAdApplication, it seems unlikely that people are trying to automate this in a script etc.
For all of the Microsoft365DSC workloads, it is possible to use an interactive prompt supporting MFA. It should be possible to get this to work here too (as it used to until recently) without requiring insecure workarounds or manual steps.
@andikrueger 's suggestion should do the job by using the existing Graph credential, if I understand it correctly.
from microsoft365dsc.
Related Issues (20)
- Add the "EnabledExceptAnonymous" option for MeetingChatEnabledType within the TeamsMeetingPolicy.
- Problem generating MOF HOT 2
- DSCParser error when generating reports. HOT 11
- New-M365DSCDeltaReport: "No discrepancies have been found!" when adding an exclusion to Conditional Access Policies HOT 2
- Compare-M365DSCConfigurations and functions that call it have a serious problem HOT 5
- Unable to access DSC components using -AccessTokens (@("AADAuthorizationPolicy"))
- start_http.bat
- SPOApp: Do not retrieve app installed directly via the SharePoint Store.
- Security & Compliance: MSFT_SCDLPCompliancePolicy Error HOT 1
- AADConditionalAccessPolicy: DeviceFilterMode and ApplicationsFilterMode must allow empty string value
- Exporting Exchange configuration fails authentication, not able to get exception HOT 2
- Assert-M365DSCBlueprint: Empty HTML Report HOT 3
- IntuneDeviceEnrollmentPlatformRestriction: Not exporting the default policy HOT 1
- New-M365DSCDeltaReport: Error $typeStaticMethods = [] | gm - ... Missing type name after '[' HOT 5
- QUESTION: How to deploy the same settings on multiple policies in a future-proof manner
- EXO Connectivity broken with release 1.24.522.1 HOT 4
- AADConditionalAccessPolicy: Signin-frequency configurations not updating
- IntuneSettingCatalogASRRulesPolicyWindows10: Latest two Attack Surface Reduction rules not supported
- SPO export: Getting multiple The collection has not been initialized errors
- Get-M365DSCCompiledPermissionList with -AccessType Read returns Write permissions
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from microsoft365dsc.