janegilring/PIMTools

Policy rules failed


Looks as if this does not work in environments with policies around role expiration and MFA (and possibly others).

We need the ability to set a schedule, perhaps with an -Expiration parameter where the user could set 'X' hours that would match the policy restrictions set in their environment. For example, we only allow taking the GA role for 3 hours max.

Also when retrieving an MSAL token, I've seen MFA handled as such: `Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") -ClientId "XXX" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -Interactive -ExtraQueryParameters @{claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'}`

Would be great to see these supported.

Hi Shaun!

Did you try the -DurationInHours parameter? It has a default value of 8, but can be overridden with a custom value.

I ran into the MFA requirement issue myself recently; I'll look into whether there is a way to handle this inside the PIM commands.

I found the following in the documentation:

If you require multi-factor authentication for role activation, there is currently no way for PowerShell to challenge the user when they activate their role. Instead, users will need to trigger the MFA challenge when they connect to Azure AD by following this blog post from one of our engineers. If you are developing an app for PIM, one possible implementation is to challenge users and reconnect them to the module after they receive a "MfaRule" error.

I will try to look into implementing this in the module.

Version 0.5.0.0 is now published, with support for roles which require MFA activation. Could you update and see if it works for you?

My own testing looks good:

[screenshot]

Hi Jan!

I still got an error with 0.5.0.0:

```text
AzureADPreview\Get-AzureADMSPrivilegedResource : Error occurred while executing GetAzureADMSPrivilegedResources
Code: invalid_grant
Message: {"Name":"MsalUiRequiredException","Message":"AADSTS50076: Due to a configuration change made by your
administrator, or because you moved to a new location, you must use multi-factor authentication to access.......<snipped>
```

It might be related to the fact that I have multiple tenants and multiple subscriptions and it's choosing the wrong one.

In the meantime, after some further investigation, this kind of implementation works for me (after setting my $UserName and $tenantID):

```powershell
# Microsoft Graph token, requesting the "mfa" authentication-method (amr) claim
$MsResponse = Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -Interactive -ExtraQueryParameters @{claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'}

# Azure AD Graph token, needed by the AzureAD module itself
$AadResponse = Get-MSALToken -Scopes @("https://graph.windows.net/.default") -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common"

# Connect with both tokens instead of letting Connect-AzureAD prompt interactively
$ConnectAADResponse = Connect-AzureAD -AadAccessToken $AadResponse.AccessToken -MsAccessToken $MsResponse.AccessToken -AccountId: "$UserName" -tenantId: "$TenantID"
```
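The two patterns discussed in this thread, the documentation's advice to reconnect the user after an "MfaRule" error and the token-based connection shown in the comment above, combined into one script. This is an added example, not code from PIMTools or from either commenter. It assumes the MSAL.PS module (`Get-MsalToken`) and AzureADPreview are installed, pins the authority to the caller's tenant instead of `/common` so that a multi-tenant account cannot land in the wrong directory, and checks the `amr` claim of the returned Graph token before trusting that the MFA challenge actually happened. The error-message patterns it matches on (`AADSTS50076`, `MfaRule`, `MsalUiRequiredException`) are the ones quoted in this issue; the `-ProviderId 'aadRoles'` call in the usage line is assumed to be a valid invocation of the cmdlet that failed above.

```powershell
function Test-TokenHasMfaAmr {
    # Decode the JWT payload (base64url) and confirm "mfa" is among the amr values.
    # Defensive check only: the token is still validated by the resource, not by us.
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    return ($null -ne $claims.amr) -and ($claims.amr -contains 'mfa')
}

function Connect-AzureADWithMfaClaim {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$TenantId,
        # Client id taken from the thread above; any public client registered for these scopes works
        [string]$ClientId = '1b730954-1685-4b74-9bfd-dac224a7b894',
        [string]$RedirectUri = 'urn:ietf:wg:oauth:2.0:oob'
    )
    # Tenant-pinned authority: avoids /common resolving a multi-tenant account elsewhere
    $common = @{
        ClientId    = $ClientId
        RedirectUri = $RedirectUri
        Authority   = "https://login.microsoftonline.com/$TenantId"
    }
    # Claims challenge asking the IdP to satisfy MFA before issuing the Graph token
    $mfaClaims = '{"access_token":{"amr":{"values":["mfa"]}}}'

    $ms = Get-MsalToken @common -Scopes @('https://graph.microsoft.com/.default') `
        -Interactive -ExtraQueryParameters @{ claims = $mfaClaims }
    if (-not (Test-TokenHasMfaAmr -Jwt $ms.AccessToken)) {
        throw 'Graph token was issued without an "mfa" amr claim; the challenge did not take effect.'
    }
    $aad = Get-MsalToken @common -Scopes @('https://graph.windows.net/.default')

    Connect-AzureAD -AadAccessToken $aad.AccessToken -MsAccessToken $ms.AccessToken `
        -AccountId $UserName -TenantId $TenantId
}

function Invoke-WithMfaReconnect {
    # Runs $Action; if the tenant policy rejects the session for lack of MFA,
    # re-authenticates once with the claims challenge and retries the action.
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [Parameter(Mandatory)][hashtable]$ConnectParams
    )
    try {
        & $Action
    }
    catch {
        if ($_.Exception.Message -match 'AADSTS50076|MfaRule|MsalUiRequiredException') {
            Write-Warning 'Policy requires MFA for this operation; re-authenticating with an MFA claims challenge.'
            Connect-AzureADWithMfaClaim @ConnectParams | Out-Null
            & $Action   # second failure propagates to the caller
        }
        else {
            throw
        }
    }
}

# Usage (values are placeholders to replace with your own account and tenant):
$connect = @{ UserName = 'user@contoso.example'; TenantId = '00000000-0000-0000-0000-000000000000' }
Invoke-WithMfaReconnect -ConnectParams $connect -Action {
    Get-AzureADMSPrivilegedResource -ProviderId 'aadRoles'
}
```

The retry is deliberately limited to one reconnect: if the second attempt still fails, the policy problem (wrong tenant, a conditional access rule the claims challenge cannot satisfy) should surface to the operator rather than loop through interactive prompts.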

Thanks for reporting. Could you try 0.6.1? I have changed the module to always use token based authentication when calling Connect-AzureAD.

This time the token based auth worked, and I was prompted for MFA! Nice.

Excellent, I'll close this issue then.