Getting started: LCS Authorization?

[OranguTech]

Hello, this module looks great, however getting started has been a bit tricky.

From what I've gathered (from blog posts), Get-D365LcsApiToken is the first step.

Fortunately we've already been able to make use of the LCS "DB Movement" API, using the MSAL.PS module to get an auth token.
(We have a working App Registration w/ delegated permissions granted, and a user account that doesn't have MFA enabled.)

Get-D365LcsApiToken -ClientId $AppReg -Username $Service_userName -Password ($notSecret) -LcsApiUri 'https://lcsapi.gov.lcs.microsoftdynamics.us' -EnableException -Verbose -ErrorVariable APITokenError

Gives only [Invoke-Authorization] Something went wrong while working against Azure Active Directory (AAD) | Response status code does not indicate success: 400 (Bad Request)

Grabbing the error yields

Invoke-RestMethod: {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.

However, I've triple checked the username/password as being correct. I tried the default LCS url ('https://lcsapi.lcs.dynamics.com') since our User/Reg is a different, commercial Azure AD, but It's failing on the auth part, I don't think it's even attempting to talk to LCS yet.

Checking the (machine-generated) password, I see it has a backslash \ in it. I've tried going through get-d365lcsapitoken.ps1 -> invoke-passwordgrant.ps1 -> invoke-authorization.ps1 (and convert-hashtoargstringswitch ) to troubleshoot but so far everything looks like it's okay. (Running our password string through [System.Uri]::EscapeDataString and back through UnescapeDataString shows it seems fine)

Any further ideas on troubleshooting this without changing the password?

Again, same user/password and appregistration works using MSAL.PS

[Splaxi]

Because the error is: AADSTS50126 - You are hitting the Azure AD endpoint, but it fails.

I can see that you are working with gov - which is a first time for me.

If you can obtain the token and pass it into jwt.ms / jwt.io - then we can learn more about the token and see if that leads us some places.

I have a gut feeling: We are hitting the NON-GOV Azure AD endpoint - but MSAL.PS redirects you correctly. The token analysis will show more.

[FH-Inway]

Thanks for reporting. As @Splaxi mentioned, the gov endpoint is a new one for us, I don't think I've seen any mentions of that, like, anywhere 😄

As a potential workaround, have you tried using the token obtained with MSAL.PS with the other d365fo.tools LCS cmdlets?

Apart from the token analysis, you can also try tools like Fiddler to analyze and compare the LCS requests sent out by MSAL.PS and Get-D365LcsApiToken.

On a more general note, you are right, the authorization with LCS is something many are struggling with. We try our best to provide help, but more often than not, the issue is not with d365fo.tools, but the setup of user/app registration/LCS/AD. Suffice to say, it is a complex topic, especially if you wander off the most commonly used path.

I will try to get myself acquainted with MSAL.PS and see if that uncovers anything useful.

[OranguTech]

Oh wow, thanks for both replies, (I'm rather new to dealing w/most of this). I should have specified: Azure AD tenant where the user and app reg are in is commercial Azure, only the final LCS project/endpoint is gov, however we can test using our/the commercial one as well. (We have some projects in commercial, are in process of migrating to gov)

Decoding the JWT I see that the "aud"(ience) field has the gov LCS URL, which makes sense as when calling MSAL module we specify -Scope 'https://lcsapi.gov.lcs.microsoftdynamics.us/.default'

I see both Invoke-PasswordGrant and Invoke-Authorization handle -Scope, I haven't tested those directly yet, but I bet that's the problem. Assuming that works, would you like a discussion on that as a feature request? Easiest likely would be to simply ingest/pass on the -scope param, though I suppose you could (also) have a handler that enumerates the various known endpoints.)

[Splaxi]

I would like you to compare 2 tokens, one from each. My gut feeling is saying that iss(uer) would be totally different...

[FH-Inway]

No luck with MSAL.PS so far on my end. I am also hampered by not having access to an Azure AD I can play around with.

@OranguTech If you can, please provide the script you use to obtain the token with MSAL.PS. The documentation for Get-MsalToken is not very helpful (at least to me).
If the -Scope parameter of the authorization request turns out to be the issue, we can surely create a feature request. If you can, try changing the scope and authorization provider URI (see below) in Get-D365LcsApiToken.

@Splaxi Regarding your comments on AZ endpoint and issuer, do you mean the authorization provider URI? If so, then yes, this could be a/the issue. Get-D365LcsApiToken uses https://login.microsoftonline.com/common/oauth2/token as authorization provider URI. Based on Azure AD authentication endpoints, for US government, it should be .us instead of .com.
I believe this might also be related to this old issue #608

d365fo.tools/d365fo.tools/functions/get-d365lcsapitoken.ps1

Line 145 in 1885fa3

$tokenParms.AuthProviderUri = $Script:AADOAuthEndpoint

d365fo.tools/d365fo.tools/internal/functions/update-modulevariables.ps1

Line 27 in 1885fa3

$Script:AADOAuthEndpoint = Get-PSFConfigValue -FullName "d365fo.tools.azure.common.oauth.token"

d365fo.tools/d365fo.tools/internal/configurations/configuration.ps1

Line 34 in 1885fa3

Set-PSFConfig -FullName "d365fo.tools.azure.common.oauth.token" -Value "https://login.microsoftonline.com/common/oauth2/token" -Initialize -Description "URI / URL for the Azure Active Directory OAuth 2.0 endpoint for tokens"

[OranguTech]

@FH-Inway - Nothing special, it's literally:

Get-MsalToken -ClientId $AppReg -TenantId $TennantCom -Scope 'https://lcsapi.gov.lcs.microsoftdynamics.us/.default' -UserCredential $AutoCred

$AppReg and $TenantId should be self explanatory. $AutoCred is a standard PSCredential.

@Splaxi
Working from MSAL.PS. DM me if you need more details/less obfuscated

Account                      : Account username: [email protected] environment login.windows.net home account id: AccountId:
Scopes                       : {https://lcsapi.gov.lcs.microsoftdynamics.us/user_impersonation, https://lcsapi.gov.lcs.microsoftdynamics.us/.default}
CorrelationId                : 67b59609-1234-5678-9876-60f7ff59a66b
TokenType                    : Bearer
ClaimsPrincipal              : System.Security.Claims.ClaimsPrincipal
AuthenticationResultMetadata : Microsoft.Identity.Client.AuthenticationResultMetadata
User                         :

[FH-Inway]

@OranguTech Thanks, that did the trick. Not sure what I did wrong yesterday.

So as far as I can tell, the tokens returned by Get-MsalToken and Get-D365LcsApiToken are the same. I can also successfully use the token from Get-MsalToken with Get-D365LcsDatabaseBackups.

@Splaxi For me, both tokens have "iss": "https://sts.windows.net/<tenant-guid>/". Scope is "scp": "user_impersonation".
@OranguTech If you can, please provide the iss information from the token you get.

[OranguTech]

@FH-Inway - Yup, same ISS.

One big thing I noticed, is that the MSAL.PS token is Oauth v 1. IDK how/if that plays into things, but I know when troubleshooting the fo.tools modules/functions, I was assuming v2 and using those endpoints.

More and more I'm worried I'm missing something very basic, but I'll have to see first if I can get the password changed to something without potentially escaped characters, at least temporarily.

Hopefully not obfuscated beyond usefulness:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "-KI8Q9nNR7bRofxmeZoXqbHZGaw",
  "kid": "-KI8Q9nNR7bRofxmeZoXqbHZGaw"
}.{
  "aud": "https://lcsapi.gov.lcs.microsoftdynamics.us",
  "iss": "https://sts.windows.net/<TenantID GUID>/",
  "iat": 1687560503,
  "nbf": 1687560503,
  "exp": 1687565473,
  "acr": "1",
  "aio": "ATQAy/8TAAAAdVHGaOnaf016ApE1P9vYWWDzPuJPEgHoYdEFvDGtcc6ZmCoVJZG8fxOsLYGxvNxT",
  "amr": [
    "pwd"
  ],
  "appid": "<AppID Registration GUID>",
  "appidacr": "0",
  "in_corp": "true",
  "ipaddr": "<Single IPv4 Address>",
  "name": "LCSSvcAccountName",
  "oid": "<Requestor GUID>",
  "onprem_sid": "S-1-5-<AD SID>",
  "puid": "100320029E2821AB",
  "rh": "0.ARIAF-LQEU4mCkCLoGfcwSfXLeRtPJFKKmFKqc6UXSss4uASABY.",
  "scp": "user_impersonation",
  "sub": "abcdE_Vu9PKO5f_DtEtDI0mrofMLiXhI4Y2ni_abcDef",
  "tid": "<TenantID GUID>",
  "unique_name": "[email protected]",
  "upn": "[email protected]",
  "uti": "BEKap6LjeEaIrd99whnfAA",
  "ver": "1.0",
  "wids": [
    "<NonStandardRoleAssignment? GUID>"
  ]
}.[Signature]

[OranguTech]

@FH-Inway - can you detail how to "use the token from Get-MsalToken with Get-D365LcsDatabaseBackups."?

I looked at the (blank) custom object from Get-D365LcsApiConfig, and assigned what I could deduce/copy over from my $MSALToken object, but I don't know what is required
(Is the expires on, refresh token properties required? Did I map the right property to Bearertoken, etc). My attempt results in a 500 error.

(All this is complicated a bit that I can't import the FO.Tools module and my MSAL.PS script at the same time because of the Az module conflict)

[FH-Inway]

@OranguTech I used the following script:

$token = Get-MsalToken -ClientId $LCS_ClientId -TenantId $TennantCom -Scope "https://lcsapi.lcs.dynamics.com/.default" -UserCredential $cred -Verbose
Get-D365LcsDatabaseBackups -Latest -ProjectId $LCS_ProjectId -BearerToken $token.AccessToken -LcsApiUri $LCS_ApiUri -Verbose

So you don't have to use the configuration returned by Get-D365LcsApiConfig, but supply the LCS cmdlets with the values directly. Of course, using the configuration makes things easier.
You can use Set-D365LcsApiConfig to set the fields of the object returned by Get-D365LcsApiConfig. Fields ClientId, LcsApiURI and ProjectId should be self explanatory (and need to be set). You also need to set BearerToken, which is the AccessToken returned by Get-MsalToken. That should be enough. In case you want to use Invoke-D365LcsApiRefreshToken, you also need to set RefreshToken (and depending on how you want to call it, ActiveTokenExpiresOn as well).

Could you also try https://gist.github.com/FH-Inway/cbd0e0fea95a50311bb92540ef94b6e8 ?
This is the logic that gets executed by the call chain of Get-D365LcsApiToken > Invoke-PasswordGrant > Invoke-Authorization. You can use it to supply your own values for scope and authorization provider URI, to see if those make a difference.

(All this is complicated a bit that I can't import the FO.Tools module and my MSAL.PS script at the same time because of the Az module conflict)

You can use the -AllowClobber switch of the Install-Module cmdlet to get around that conflict.

@Splaxi One more reason to merge #663 😉

[OranguTech]

@FH-Inway: Passing the (MSAL.PS) token directly worked! (🤦‍♂️)
So if that's an option for the rest of the cmdlets that we care about, it solves my immediate problem.

Thank you for the gist, it's pretty close to what I have already re-constructed, except mapping the config names to vars with lines like

#"d365fo.tools.azure.common.oauth.token"
$AADOAuthEndpoint = 'https://login.microsoftonline.com/common/oauth2/token'

Nice to know I was on the right track at least. So far that leads me to right about where I was a couple days ago, adjusting resource and scope params, getting AADSTS50126 errors and eventually locking the account. I assume/think the resource value should be https://lcsapi.gov.lcs.microsoftdynamics.us
I've tried setting scope to user_impersonation, .default. I might be able to try w/ a different user/password/app reg combo in the future.

-AllowClobber is for installing modules, I was talking about not being able to import D365FO.Tools after using the Az modules (getting the user password secret from a keyvault) due to Assembly with same name is already loaded. (And unloading previously used module doesn't unload the assembly). This is a bit of a pain for automation since that's required to get the access token, but can be worked around.

[FH-Inway]

Good to see we are making progress 😄

Yes, the resource should be US government LCS API endpoint.

In the gist script, try setting the $AADOAuthEndpoint to https://login.microsoftonline.us/common/oauth2/token (note the .us instead of the .com).

[Splaxi]

Dang you guys have been busy.

Could someone conclude where we are, what we (d365fo.tools) is missing and what @OranguTech needs in terms of getting truly unblocked?

[FH-Inway]

@Splaxi To catch you up:

• @OranguTech has a solution for the immediate issue, which is to use the token from Get-MsalToken to execute d365fo.tools LCS cmdlets.
• We are still looking into how Get-D365LcsApiToken can be made to work for https://lcsapi.gov.lcs.microsoftdynamics.us
• Next step is to test the logic from Get-D365LcsApiToken and the cmdlets called by it with https://login.microsoftonline.us/common/oauth2/token as $AADOAuthEndpoint. This can be done with https://gist.github.com/FH-Inway/cbd0e0fea95a50311bb92540ef94b6e8
• issuer from the JWT is always "iss" : "https://sts.windows.net/<tenant-guid>/"

[OranguTech]

I would amend item 3 to include further isolation of the problem. (I suspect string handling of password, but haven't proven it yet.) I have tested the logic with several combinations of scope/resource URL, but not rigorously/methodically, and I can't right now, since locking out that account isn't acceptable, and provisioning new resources isn't fast. (Requires layers of ticket requests to different orgs)

(Reminder that the account/app registration are on Commercial Az, only the target LCS is GCC)

And unfortunately for answering this question/solving this specific issue, the work priorities don't give me much more time to spend on this. :/
I'm sure I'll have more questions/start at least a couple more discussion threads. Your responsiveness and wanting to solve the problem are very appreciated. I hope to be able to submit some wiki PRs at the least.

[FH-Inway]

Your continued and timely feedback on our questions is also much appreciated. Looking forward to further discussions and PRs.