Failed to get Exchange Auth Headers
RyanE3IT opened this issue · 6 comments
After implementing, I would continue to get this error from the run logs: Failed to get Exchange Auth Headers
When looking through the script files I found that -appid has a random application ID as the value.
Forking and changing to -appid $env:$ApplicationID solved this issue.
For the exchange auth token it needs to be that hard coded app ID as that is the ID for the MS App it uses to get the token with the permissions you need. The issue is likely to be with your refresh tokens.
So that is a different error where the company doesn't have their default domain added to Hudu as a website. And it's failed to log in to that tenant with delegated permissions. Can you check you can access them through partner.microsoft.com and then make sure you have done everything here https://www.gavsto.com/secure-application-model-for-the-layman-and-step-by-step/. There is a test script there.
Also there might be placeholder text at the start or end of one of the tokens you copied and pasted. Give yourself permissions to the keyvault and have a check of all the values to make sure there isn't something wrong there. If you fix it, stop the function app, rename the setting to something else in the function app options. Start it again. Stop it, rename it back and then start it again.
Hi,
Sorry, I should have mentioned that the "domain not found" was just there for additional info, in case it helped. It was expected on my side. I have not imported that domain into Hudu. Sorry about that.
The tokens appeared correct after giving myself rights and checking them. Delegated access is working, using the account set up for the Hudu SAM. I can log in and manage clients' domains and get into the Exchange portal without any issues. However, I am getting the failures on the test script which seem to imply permissions issues.
It loops through all the tenants with the same issue. The second screen does indicate some form of MFA issue. We do have conditional access set up, not sure if this could have any impact. CIPP is working without any issue. But I will carry on digging. If you do have any pointers, it would be gladly appreciated.
For conditional access you need to make sure it only enforces Microsoft MFA and not anything else like Duo on the service account you used. Without that it doesn't get the strong auth token it needs.
Hi Luke,
I was able to get it sorted. Thanks for the pointers. We were only using Microsoft MFA, but while running the initial scripts to generate the tokens, I was not getting an MFA prompt at any stage. It would just run through and give me the tokens. I revoked sessions and cleared the "allow remembered devices" option in 2FA. Once I got the 2FA prompt in the scripts, those tokens worked successfully.
Thanks again for your time.
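
A diagnostic for the root cause found in this thread, as an added example that is not part of the original issue or the project's scripts: it decodes the claims of an Azure AD access token and reports whether the `amr` claim records an MFA sign-in. It assumes you have already exchanged the stored refresh token for a v1.0 access token (a JWT carrying `appid`, `upn`, `amr` and `exp`); the function names and sample values are hypothetical.

```powershell
# Added example (not from the project): decode an Azure AD access token's claims
# to see whether the sign-in behind it satisfied MFA. Diagnostic only: the
# signature is NOT verified, so never use this to make a trust decision.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url segment length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenAuthSummary {
    param([Parameter(Mandatory)][string]$AccessToken)
    # Trim() catches stray whitespace picked up by copy and paste.
    $parts = $AccessToken.Trim().Split('.')
    if ($parts.Count -ne 3) {
        throw 'Not a JWT: expected three dot-separated segments.'
    }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $amr = @($claims.amr)   # v1.0 token claim: authentication methods used
    [pscustomobject]@{
        AppId       = $claims.appid
        User        = $claims.upn
        AuthMethods = $amr -join ','
        HasMfa      = $amr -contains 'mfa'
        ExpiresUtc  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed sample tokens (fake header, payload and signature) for an offline run.
function New-SampleToken {
    param([string[]]$Amr)
    $enc = {
        param($Object)
        $json = $Object | ConvertTo-Json -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $enc @{ alg = 'none'; typ = 'JWT' }
    $payload = & $enc @{ appid = '00000000-0000-0000-0000-000000000000'; upn = 'svc-sam@example.com'; amr = $Amr; exp = 1893456000 }
    "$header.$payload.constructed-signature"
}

# Password-only sign-in versus a sign-in that completed MFA.
Get-TokenAuthSummary (New-SampleToken -Amr 'pwd')
Get-TokenAuthSummary (New-SampleToken -Amr 'pwd', 'mfa')
```

If `HasMfa` is false for a token derived from the service account's refresh token, the token was issued without an MFA prompt, which matches the failure resolved above.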