Failed to get Exchange Auth Headers

Question

Failed to get Exchange Auth Headers

RyanE3IT opened this issue 2 years ago · comments

After implementing I would continue to get this error from the runs logs. Failed to get Exchange Auth Headers
When looking through the script files I found that -appid has a random application ID as the value.
Forking and changing to -appid $env:$ApplicationID solved this issue.

lwhitelock · Answer 1 · Fri Jun 10 2022 14:04:55 GMT+0800 (China Standard Time)

For the exchange auth token it needs to be that hard coded app ID as that is the ID for the MS App it uses to get the token with the permissions you need. The issue is likely to be with your refresh tokens.

binary-ops · Answer 2 · Sat Jun 11 2022 21:41:52 GMT+0800 (China Standard Time)

Hi,

I'm also battling with this. See pic below.

I've check all the app permissions and granted consent. Any pointers to troubleshoot the tokens ?

Tempted to try reuse the App id's and token's from working CIPP to see if that would work ? But ideally wanted to keep it separate

Thanks

lwhitelock · Answer 3 · Sat Jun 11 2022 22:59:18 GMT+0800 (China Standard Time)

So that is a different error where the company doesn't have their default domain added to Hudu as a website. And its failed to login to that tenant with delegated permissions. Can you check you can access them through partner.microsoft.com and then make sure you have done everything here https://www.gavsto.com/secure-application-model-for-the-layman-and-step-by-step/. There is a test script there.

Also there might be place holder text at the start or end of one of the tokens you copy and pasted. Give yourself permissions to the keyvault and have a check of all the values to make sure there isn't something wrong there. If you fix it stop the function app, rename the setting to something else in the function app options. Start it again. Stop it, rename it back and then start it again.

binary-ops · Answer 4 · Sun Jun 12 2022 15:24:25 GMT+0800 (China Standard Time)

Hi,

Sorry I should have mentioned that the "domain not found" was just there for additional info, incase it helped. It was expected myside. I have not imported that domain into Hudu. Sorry about that.

The tokens appeared correct after giving myself rights and checking them. Delegated access working, using the account setup for the Hudu SAM. I can login and manage clients domains and get into exchange portal without any issues. However I am getting the failures on the test script which seem to imply permissions issues.

It loops through all the tenants with the same issue. The second screen does indicate some form of MFA issue. We do have conditional access setup, not sure if this could have any impact. CIPP working without any issue. But I will carrying on digging. If you do have any pointers, It would be gladly appreciated

lwhitelock · Answer 5 · Sun Jun 12 2022 16:28:16 GMT+0800 (China Standard Time)

For conditional access you need to make sure it only enforces Microsoft MFA and not anything else like Duo on the service account you used. Without that it doesn't get the strong auth token it needs.

binary-ops · Answer 6 · Wed Jun 15 2022 18:40:22 GMT+0800 (China Standard Time)

Hi Luke,

I was able to get it sorted. Thanks for the pointers. We were only using Microsoft MFA, But while running the initial scripts to generate the tokens, I was not getting a MFA prompt at any stage. It would just run through and give me the tokens. revoked sessions and cleared the "allow remembered devices" option in 2FA. Once I got the 2FA prompt in the scripts, Those tokens worked successfully.

Thanks again for your time.