
Remove-MgUserAuthenticationWindowsHelloForBusinessMethod fails with "MFA is required for a 'RemoveKey' operation, but was not performed."

Open · luckman212 opened this issue 2 years ago · 1 comment

Describe the bug

I have an orphan WindowsHelloForBusiness auth method linked to my tenant's global admin account that I need to delete. This WHfB token was created when I onboarded a new hire's laptop and joined it to AzureAD/EntraID. But I have since assigned the end user as the Device owner.

I tried to remove the auth method using Remove-MgUserAuthenticationWindowsHelloForBusinessMethod but it fails with an error message stating "MFA is required for a 'RemoveKey' operation, but was not performed."

Not sure how to get the prompt to initiate the MFA sign-in or satisfy the requirement.

To Reproduce

  1. Execute the command
Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId [email protected] -WindowsHelloForBusinessAuthenticationMethodId '4M6vJoUXcJJgfoz-q9_bdOG1GbCVUj28aA5pH0sAOXs1'

Error generated:

Remove-MgUserAuthenticationWindowsHelloForBusinessMethod_Delete: {"odata.error":{"code":"invalid_request","message":{"lang":"en","value":"MFA is required for a 'RemoveKey' operation, but was not performed."},"values":[{"item":"subCode","value":"error_mfa_required"},{"item":"requestId","value":"b0b1adfb-382b-436e-82db-f9bca307e0e8"},{"item":"date","value":"01-09-2024 23:34:36Z"}]}}

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-01-09T23:34:36

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 18302a92-36d4-480f-87da-f3db59ffa6f7
client-request-id             : b0b1adfb-382b-436e-82db-f9bca307e0e8
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"YT1PEPF00001ABB"}}
Date                          : Tue, 09 Jan 2024 23:34:35 GM

Expected behavior

Authentication Method should be deleted.

Module Version

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.11.1                Microsoft.Graph.Authentication      {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}
Script     2.11.1                Microsoft.Graph.Identity.SignIns    {Confirm-MgRiskyServicePrincipalCompromised, Confirm-MgRiskyUserCompromised, Get-MgDataPolicyOperation, Get-MgDataPolicyOperationCoun…

Environment Data

Name                           Value
----                           -----
PSVersion                      7.4.0
PSEdition                      Core
GitCommitId                    7.4.0
OS                             Darwin 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:34 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T8103
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Screenshots

(screenshot attached to the original issue, not reproduced here)

Debug Output

Output with -Debug:

DEBUG: [CmdletBeginProcessing]: - Remove-MgUserAuthenticationWindowsHelloForBusinessMethod begin processing with parameterSet 'Delete'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AccessReview.ReadWrite.All, Application.ReadWrite.All, AuditLog.Read.All, Calendars.ReadWrite, Device.ReadWrite.All, Directory.AccessAsUser.All, Directory.ReadWrite.All, Files.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, Mail.ReadWrite, MailboxSettings.ReadWrite, MultiTenantOrganization.ReadWrite.All, openid, Organization.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.AuthenticationMethod, profile, Reports.Read.All, SecurityActions.ReadWrite.All, SecurityEvents.ReadWrite.All, SharePointTenantSettings.ReadWrite.All, Sites.FullControl.All, Sites.Read.All, Sites.ReadWrite.All, User.Read.All, User.ReadWrite.All, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite, UserAuthenticationMethod.ReadWrite.All, email].

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove-MgUserAuthenticationWindowsHelloForBusinessMethod_Delete" on target "Call remote 'DELETE
/users/{user-id}/authentication/windowsHelloForBusinessMethods/{windowsHelloForBusinessAuthenticationMethod-id}' operation".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
DELETE

Absolute Uri:
https://graph.microsoft.com/v1.0/users/gadmin%40contoso.com/authentication/windowsHelloForBusinessMethods/4M6vJoUXcJJgfoz-q9_bdOG1GbCVUj28aA5pH0sAOXs1

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Macintosh; Darwin 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:34 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T8103; en-US),PowerShell/7.4.0
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.11.1
client-request-id             : d1d068f8-08e1-4be4-ab2b-b64de918d18

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : a592e4b4-a4dc-418b-bf4e-081def817d16
client-request-id             : d1d068f8-08e1-4be4-ab2b-b64de918d18e
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"YT1PEPF00001ABB"}}
Date                          : Tue, 09 Jan 2024 23:43:48 GM

Body:
{
  "error": {
    "code": "accessDenied",
    "message": "{\"odata.error\":{\"code\":\"invalid_request\",\"message\":{\"lang\":\"en\",\"value\":\"MFA is required for a 'RemoveKey' operation, but was not performed.\"},\"values\":[{\"item\":\"subCode\",\"value\":\"error_mfa_required\"},{\"item\":\"requestId\",\"value\":\"d1d068f8-08e1-4be4-ab2b-b64de918d18e\"},{\"item\":\"date\",\"value\":\"01-09-2024 23:43:48Z\"}]}}",
    "innerError": {
      "message": "{\"odata.error\":{\"code\":\"invalid_request\",\"message\":{\"lang\":\"en\",\"value\":\"MFA is required for a 'RemoveKey' operation, but was not performed.\"},\"values\":[{\"item\":\"subCode\",\"value\":\"error_mfa_required\"},{\"item\":\"requestId\",\"value\":\"d1d068f8-08e1-4be4-ab2b-b64de918d18e\"},{\"item\":\"date\",\"value\":\"01-09-2024 23:43:48Z\"}]}}",
      "date": "2024-01-09T23:43:48",
      "request-id": "a592e4b4-a4dc-418b-bf4e-081def817d16",
      "client-request-id": "d1d068f8-08e1-4be4-ab2b-b64de918d18e"
    }
  }
}

Remove-MgUserAuthenticationWindowsHelloForBusinessMethod_Delete: {"odata.error":{"code":"invalid_request","message":{"lang":"en","value":"MFA is required for a 'RemoveKey' operation, but was not performed."},"values":[{"item":"subCode","value":"error_mfa_required"},{"item":"requestId","value":"d1d068f8-08e1-4be4-ab2b-b64de918d18e"},{"item":"date","value":"01-09-2024 23:43:48Z"}]}}

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-01-09T23:43:48

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : a592e4b4-a4dc-418b-bf4e-081def817d16
client-request-id             : d1d068f8-08e1-4be4-ab2b-b64de918d18e
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"YT1PEPF00001ABB"}}
Date                          : Tue, 09 Jan 2024 23:43:48 GM

DEBUG: [CmdletEndProcessing]: - Remove-MgUserAuthenticationWindowsHelloForBusinessMethod end processing.

luckman212 · Jan 10 '24 00:01
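The 403 above is not a missing Graph scope (UserAuthenticationMethod.ReadWrite.All is in the token) but a step-up requirement: the sub-code error_mfa_required says the delegated token used for the DELETE was issued by a sign-in that did not complete MFA. Two things a practitioner wants at this point are a way to recognise that sub-code programmatically instead of reading a nested JSON string, and a way to check whether a token actually carries an MFA claim. The PowerShell below is an added example, not code from the issue author or from the msgraph-sdk-powershell project. It assumes Microsoft.Graph.Identity.SignIns is loaded and a delegated Connect-MgGraph session exists for the live call; the JWT it decodes is constructed and unsigned (Graph PowerShell 2.x does not hand back the session's access token, so Test-TokenHasMfa is for a token you acquire yourself, e.g. one you intend to pass to Connect-MgGraph -AccessToken); the error string is a copy of the one in the post; and all function names (ConvertFrom-JwtPayload, Test-TokenHasMfa, New-UnsignedDemoToken, Get-GraphErrorDetail, Remove-WhfbMethodWithMfaCheck) are hypothetical helpers written for this example.

```powershell
# Added example; not code from the issue author or the msgraph-sdk-powershell project.
# Assumes Microsoft.Graph.Identity.SignIns is loaded and Connect-MgGraph has been run
# with UserAuthenticationMethod.ReadWrite.All. All helper names are hypothetical.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; each part is base64url without padding.
    $payload = ($Token -split '\.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $bytes = [Convert]::FromBase64String($payload)
    return [Text.Encoding]::UTF8.GetString($bytes) | ConvertFrom-Json
}

function Test-TokenHasMfa {
    param([Parameter(Mandatory)][string]$Token)
    # Entra ID lists the methods used at sign-in in the 'amr' claim; 'mfa' is
    # present only when a second factor was actually performed for this token.
    $claims = ConvertFrom-JwtPayload -Token $Token
    return [bool]($claims.amr -contains 'mfa')
}

function New-UnsignedDemoToken {
    param([string[]]$Amr)
    # Constructed for the demo only: an unsigned token with the given amr values.
    $b64url = {
        param($obj)
        $json = $obj | ConvertTo-Json -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $b64url @{ alg = 'none' }
    $payload = & $b64url @{ amr = $Amr; upn = 'gadmin@contoso.com' }
    return ('{0}.{1}.' -f $header, $payload)
}

function Get-GraphErrorDetail {
    param([Parameter(Mandatory)][string]$Message)
    # Graph puts the real reason in an odata.error document embedded, as a string,
    # inside a 403 accessDenied body. Unescape, cut out the first balanced {...}
    # starting at "odata.error", then read code/subCode/requestId out of it.
    $Message = $Message.Replace('\"', '"')
    $start = $Message.IndexOf('{"odata.error"')
    if ($start -lt 0) { return $null }
    $depth = 0; $end = -1
    for ($i = $start; $i -lt $Message.Length -and $end -lt 0; $i++) {
        if ($Message[$i] -eq '{') { $depth++ }
        elseif ($Message[$i] -eq '}') { $depth--; if ($depth -eq 0) { $end = $i } }
    }
    if ($end -lt 0) { return $null }
    $err = ($Message.Substring($start, $end - $start + 1) | ConvertFrom-Json).'odata.error'
    $items = @{}
    foreach ($v in $err.values) { $items[$v.item] = $v.value }
    [pscustomobject]@{
        Code      = $err.code
        Text      = $err.message.value
        SubCode   = $items['subCode']
        RequestId = $items['requestId']
    }
}

function Remove-WhfbMethodWithMfaCheck {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$MethodId
    )
    try {
        Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $UserId `
            -WindowsHelloForBusinessAuthenticationMethodId $MethodId -ErrorAction Stop
        Write-Host "Removed WHfB method $MethodId from $UserId"
    }
    catch {
        # Assumption: the odata.error text is present in the exception message,
        # as in the cmdlet output shown in the issue.
        $detail = Get-GraphErrorDetail -Message $_.Exception.Message
        if ($detail -and $detail.SubCode -eq 'error_mfa_required') {
            $msg = "Graph refused the operation (requestId {0}): '{1}'. The session's token was " +
                   "issued without MFA; reconnect with a sign-in that completes MFA and retry."
            Write-Warning ($msg -f $detail.RequestId, $detail.Text)
        }
        else { throw }
    }
}

# Demo on constructed inputs (no tenant needed):
$pwdOnly = New-UnsignedDemoToken -Amr 'pwd'
$withMfa = New-UnsignedDemoToken -Amr 'pwd', 'mfa'
"pwd-only token has MFA claim: $(Test-TokenHasMfa $pwdOnly)"
"pwd+mfa token has MFA claim:  $(Test-TokenHasMfa $withMfa)"

# The odata.error from the post, copied as a constructed string for the demo:
$sampleError = '{"odata.error":{"code":"invalid_request","message":{"lang":"en","value":"MFA is required for a ''RemoveKey'' operation, but was not performed."},"values":[{"item":"subCode","value":"error_mfa_required"},{"item":"requestId","value":"b0b1adfb-382b-436e-82db-f9bca307e0e8"}]}}'
Get-GraphErrorDetail -Message $sampleError | Format-List

# Live call (needs a connected session; method id as reported by Get-MgUserAuthenticationWindowsHelloForBusinessMethod):
# Remove-WhfbMethodWithMfaCheck -UserId 'gadmin@contoso.com' -MethodId '<methodId>'
```

The brace-matching extraction is deliberate: the cmdlet prints the odata.error document both as the top-level message and again, escaped, inside innerError, so a naive ConvertFrom-Json on the whole text fails while the first balanced object after unescaping is always the inner document. What actually makes Entra issue a token with amr containing mfa is tenant policy (Conditional Access or per-user MFA on the admin account), not a cmdlet switch; the wrapper only turns the opaque 403 into that instruction.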

I too am seeing this issue. I believe you cannot act upon your own keys, but I have no confirmation right now. MFA blocking seems suspect, and I don't see any errors or failures in the sign-in logs.

redog · Sep 01 '24 16:09