Microsoft365DSC

AAD: InvalidAuthenticationToken

Open dominicbuehrer opened this issue 1 year ago • 2 comments

Description of the issue

I am trying to export the configuration for AAD using M365dsc, but since the module update, I get an authentication error 'InvalidAuthenticationToken' for every component in AAD. This worked fine before, and the export still works for SPO.

Microsoft 365 DSC Version

1.25.305.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

# $LogPath, $Workload, $Mode, $ApplicationId, $TenantId and $CertificateThumbprint
# are assumed to be set earlier in the script. The resource names are quoted here
# so the list parses as a string array (the posted snippet passed it as $CustomComponents).
$Components = @(
    'AADAccessReviewDefinition','AADAccessReviewPolicy','AADActivityBasedTimeoutPolicy','AADAdminConsentRequestPolicy','AADAdministrativeUnit','AADAttributeSet','AADAuthenticationContextClassReference','AADAuthenticationFlowPolicy','AADAuthenticationMethodPolicy','AADAuthenticationMethodPolicyAuthenticator',
    'AADAuthenticationMethodPolicyEmail','AADAuthenticationMethodPolicyExternal','AADAuthenticationMethodPolicyFido2','AADAuthenticationMethodPolicyHardware','AADAuthenticationMethodPolicyQRCodeImage','AADAuthenticationMethodPolicySms','AADAuthenticationMethodPolicySoftware','AADAuthenticationMethodPolicyTemporary','AADAuthenticationMethodPolicyVoice','AADAuthenticationMethodPolicyX509',
    'AADAuthenticationStrengthPolicy','AADAuthorizationPolicy','AADClaimsMappingPolicy','AADConditionalAccessPolicy','AADConnectorGroupApplicationProxy','AADCrossTenantAccessPolicy','AADCrossTenantAccessPolicyConfigurationDefault','AADCustomAuthenticationExtension','AADCustomSecurityAttributeDefinition','AADDeviceRegistrationPolicy','AADDomain',
    'AADEntitlementManagementAccessPackage','AADEntitlementManagementAccessPackageCatalog','AADEntitlementManagementAccessPackageCatalogResource','AADEntitlementManagementConnectedOrganization','AADEntitlementManagementRoleAssignment','AADEntitlementManagementSettings','AADExternalIdentityPolicy','AADFeatureRolloutPolicy','AADFederationConfiguration','AADGroupEligibilitySchedule',
    'AADGroupLifecyclePolicy','AADGroupsNamingPolicy','AADGroupsSettings','AADIdentityB2XUserFlow','AADIdentityGovernanceProgram','AADIdentityProtectionPolicySettings','AADNamedLocationPolicy','AADOnPremisesPublishingProfilesSettings','AADPasswordRuleSettings','AADRoleDefinition','AADRoleSetting','AADSecurityDefaults','AADSocialIdentityProvider','AADTenantDetails','AADTokenLifetimePolicy'
)

Export-M365DSCConfiguration `
    -Components $Components `
    -Path "$LogPath\$Workload" `
    -FileName "$($Workload)_$($Mode)_ConfigurationData.ps1" `
    -ConfigurationName "$($Workload)_$($Mode)_ConfigurationData.psd1" `
    -ApplicationId $ApplicationId `
    -TenantId $TenantId `
    -CertificateThumbprint $CertificateThumbprint

Verbose logs showing the problem

[2025.03.07 03:50:34]
{InvalidOperation}
System.Exception: [InvalidAuthenticationToken] : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
"Error during Export:"
at Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference<Process>, C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Beta.Identity.SignIns\2.26.1\exports\ProxyCmdletDefinitions.ps1: line 18438
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.305.1\DSCResources\MSFT_AADAuthenticationContextClassReference\MSFT_AADAuthenticationContextClassReference.psm1: line 359
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.305.1\Modules\M365DSCReverse.psm1: line 683
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.305.1\Modules\M365DSCUtil.psm1: line 1512
TenantId: .onmicrosoft.com



[2025.03.07 03:50:36]
{OperationStopped}
System.Management.Automation.RuntimeException: Could not retrieve Authentication Flow Policy
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.305.1\DSCResources\MSFT_AADAuthenticationFlowPolicy\MSFT_AADAuthenticationFlowPolicy.psm1: line 82
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.305.1\DSCResources\MSFT_AADAuthenticationFlowPolicy\MSFT_AADAuthenticationFlowPolicy.psm1: line 351
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.305.1\Modules\M365DSCReverse.psm1: line 683
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.305.1\Modules\M365DSCUtil.psm1: line 1512
TenantId: .onmicrosoft.com

Environment Information + PowerShell Version

Name                           Value
----                           -----
PSVersion                      5.1.14393.7783
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.7783
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

dominicbuehrer, Mar 07 '25 16:03

@dominicbuehrer This looks to me as if Continuous Access Evaluation is blocking the export. Does it fail immediately? Can you potentially disable CAE for testing purposes?

FabienTschanz, Jun 19 '25 06:06

@FabienTschanz Yes, it fails automatically. Unfortunately, I cannot deactivate CAE because it fails in the production environment. I authenticate using an app registration and certificate. Is it possible to exclude this from CAE?

dominicbuehrer, Jun 19 '25 12:06

@dominicbuehrer What you probably can do is create a specific Conditional Access Policy that only targets the Service Principal used for M365DSC and exclude it from the other ones that enforce CAE. That way, you can most likely avoid issues with it. But I did not try it and I'm not that experienced with CA policies.

FabienTschanz, Nov 10 '25 11:11
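Before touching production Conditional Access, it helps to know which policies actually reach the M365DSC service principal. The challenge code in the log, LocationConditionEvaluationSatisfied, points at a location condition being re-evaluated by CAE for the workload identity, so the policies worth finding are enforced ones that (a) target service principals, (b) do not already exclude this one, and (c) carry a location condition. The following script is an added example written for this thread; it is not part of Microsoft365DSC and was not posted by either participant. It assumes the Microsoft.Graph PowerShell SDK, an admin session with Policy.Read.All and Application.Read.All, and that $ApplicationId is the app (client) ID of the app registration used in the Export-M365DSCConfiguration call above. The hypothetical dedicated policy at the end is created with -WhatIf so nothing is written until you remove that switch.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
# Added example for this thread (not Microsoft365DSC project code).
# Inventory Conditional Access policies that apply to the M365DSC service principal
# and flag the ones with a location condition, then show the shape of a dedicated
# policy for that SP only (report-only, -WhatIf) as suggested in the thread.
param(
    [Parameter(Mandatory)] [string] $ApplicationId   # assumed: appId of the M365DSC app registration
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All' -NoWelcome

# CA policies reference the service principal's object id, not the appId.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
if (-not $sp) { throw "No service principal found for appId $ApplicationId" }

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $apps = $p.Conditions.ClientApplications
    if (-not $apps) { continue }   # user-scoped policy; workload identities are not in scope

    # 'ServicePrincipalsInMyTenant' is the "all service principals" selector.
    $targeted = ($apps.IncludeServicePrincipals -contains 'ServicePrincipalsInMyTenant') -or
                ($apps.IncludeServicePrincipals -contains $sp.Id)
    $excluded = $apps.ExcludeServicePrincipals -contains $sp.Id
    $loc      = $p.Conditions.Locations

    [pscustomobject]@{
        Id               = $p.Id
        DisplayName      = $p.DisplayName
        State            = $p.State     # enabled / disabled / enabledForReportingButNotEnforced
        TargetsThisSP    = $targeted
        ExcludesThisSP   = $excluded
        IncludeLocations = ($loc.IncludeLocations -join ',')
        ExcludeLocations = ($loc.ExcludeLocations -join ',')
        GrantControls    = ($p.GrantControls.BuiltInControls -join ',')
    }
}

$report | Format-Table DisplayName, State, TargetsThisSP, ExcludesThisSP, IncludeLocations, GrantControls -AutoSize

# Policies that can produce the CAE location challenge seen in the export log:
# enforced, targeting this SP, not excluding it, and evaluating a location condition.
$suspects = $report | Where-Object {
    $_.State -eq 'enabled' -and $_.TargetsThisSP -and -not $_.ExcludesThisSP -and $_.IncludeLocations
}
foreach ($s in $suspects) {
    Write-Warning "Add $($sp.Id) ($($sp.DisplayName)) to ExcludeServicePrincipals of policy '$($s.DisplayName)' ($($s.Id))"
}

# Dedicated policy for this SP only (hypothetical name and named-location id). Created
# report-only and with -WhatIf; replace $TrustedLocationId with a real named location
# covering the host that runs the export, then drop -WhatIf when the report looks right.
$TrustedLocationId = '00000000-0000-0000-0000-000000000000'   # assumed placeholder
$body = @{
    displayName = 'M365DSC export - workload identity'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientApplications = @{ includeServicePrincipals = @($sp.Id) }
        applications       = @{ includeApplications = @('All') }
        locations          = @{ includeLocations = @('All'); excludeLocations = @($TrustedLocationId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $body -WhatIf
```

Two caveats a practitioner should keep in mind: policies whose clientApplications condition targets workload identities require Workload Identities Premium licensing, and an exclusion on an existing policy only helps if every enforced policy that reaches the SP gets it, which is why the script warns per policy rather than stopping at the first hit.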

Closing this one - If there is anything you want to add, feel free to do so @dominicbuehrer.

FabienTschanz, Dec 10 '25 20:12