Confidential application is not allowed to authenticate to Azure Portal AAD

[brenosilva]

Hello!

I´m trying to run Monkey365 on a machine-to-machine way in order to avoid account/password prompt. However i´m seeing this error:
Confidential application is not allowed to authenticate to Azure Portal AAD

I created an account with Global Reader privilege on my Microsoft 365 tenant, then went to Azure AD and Registered an App. Set the Owner with the same user and create a secret.

I´m running it like this:

Invoke-Monkey365 -ClientId ae******-6a**-6d--****** -ClientSecret ("app_secret_is_here" | ConvertTo-SecureString -AsPlainText -Force) -Instance Azure -Analysis All -TenantID eaf-34ef-2096-1100-******* -ExportTo PRINT
: Confidential application is not allowed to authenticate to Azure Portal AAD

FYI: If i use -PromptBehavior SelectAccount with the same account, it works.

I would appreciate more information how i can get it running
Thanks

[brenotenchisecurity]

@silverhack
Please, can you provide more details how can we use Monkey365 using appid + secret key ?
Thank you

[silverhack]

Hi @brenotenchisecurity,

Examples about how to run Monkey365 with Client Credentials flow are described here

[brenosilva]

Hi @silverhack, thanks for your attention. I´m following the examples.

I registred an App and granted all Read/Read.All MS Graph permissions to it. Then i used the appid to run monkey365 as a non-interactive mode.

However it does not downloaded any JSON file as it did on Interactive mode. Any idea ?

Here is the output in verbose mode:

PS C:> Invoke-Monkey365 -ClientId APPIDHERE -ClientSecret ("SECRETHERE" | ConvertTo-SecureString -AsPlainText -Force) -Instance Microsoft365 -Analysis ExchangeOnline,IRM,MicrosoftForms,MicrosoftTeams,PurView,SharepointOnline -TenantID ********-126d-2094-1234-***********1 -ExportTo JSON -outDir c:\reports
: Confidential application is not allowed to authenticate to Azure Portal AAD
DETAILED MODE: GET with 0-byte payload
: System.Net.WebException: Remote server returned error: (403) prohibited.
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
: Missing TenantName
: Unable to connect To Exchange Online
: Confidential application is not allowed to authenticate to
https://ps.compliance.protection.outlook.com/Powershell-LiveId
DETAILED MODE: GET with 0-byte payload
: System.Net.WebException: Remote server returned error: (403) prohibited.
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
: Missing TenantName
: Unable to connect to Exchange Compliance Center
: Confidential application is not allowed to authenticate to Microsoft Teams
DETAILED MODE: GET with 0-byte payload
: System.Net.WebException: Remote server returned error: (403) prohibited.
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
: Unable to get token for SharePoint Online
DETAILED MODE: GET with 0-byte payload
: System.Net.WebException: Remote server returned error: (403) prohibited.
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
: Unable to get token for SharePoint Online
DETAILED MODE: GET with 0-byte payload
: System.Net.WebException: Remote server returned error: (403) prohibited.
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
em Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
: Unable to get token for SharePoint Online
The property 'TenantName' was not found on this object. Check if the property exists.
No C:\monkey365\core\analysis\Invoke-M365Scanner.ps1:39 caractere:9

•     $new_subscription = [ordered]@{
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
  • FullyQualifiedErrorId : PropertyNotFoundStrict

: [12:55:22:117] - [Get-PSGraphServicePrincipalDirectoryRole] - Unable to get permissions for
fdd79f09-6adc-496d-98a5-4b6675fd2dab - warning - ms365user - RBACPermissionError
The property 'CompanyInfo' was not found on this object. Check if the property exists.
No C:\monkey365\core\init\Get-ExecutionInfo.ps1:40 caractere:9

•     $default_domain = $O365Object.Tenant.CompanyInfo.verifiedDoma ...
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
  • FullyQualifiedErrorId : PropertyNotFoundStrict

The property 'name' was not found on this object. Check if the property exists.
No C:\monkey365\core\init\Get-ExecutionInfo.ps1:100 caractere:13

•         $user_profile = [ordered]@{
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
  • FullyQualifiedErrorId : PropertyNotFoundStrict

The property 'name' was not found on this object. Check if the property exists.
No C:\monkey365\core\init\Get-ExecutionInfo.ps1:107 caractere:9

•     $execution_info = [pscustomobject]@{
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
  • FullyQualifiedErrorId : PropertyNotFoundStrict

: [12:55:27:359] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:362] - [Get-MonkeyEXOActiveSyncOrgInfo] - The Exchange ActiveSync organisation settings query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoActiveSyncEmptyResponse
: [12:55:27:400] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:435] - [Get-AntiPhishingInfo] - Unable to get Anti-Phishing. No PsSession was found - warning -
ms365user - ExoAntiPhishPsSessionError
: [12:55:27:437] - [Get-MonkeyEXOAntiPhishingPolicy] - The Exchange Online AntiPhishing policy query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoAntiPhishPolicyEmptyResponse
: [12:55:27:469] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:472] - [Get-MonkeyEXOPhishFilterPolicy] - The Exchange Phish filter policy query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoPhishFilterResponse
: [12:55:27:497] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:531] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:541] - [Get-MonkeyEXOSafeLinkPolicy] - The Exchange Online safe link policy query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoSafeLinkPolicyResponse
: [12:55:27:578] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:620] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:622] - [Get-MonkeyEXOSafeAttachmentRule] - The Exchange Online safe attachment rules query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoSafeAttachmentRulesResponse
: [12:55:27:659] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:683] - [Get-MonkeyEXOAuthenticationPolicy] - The Exchange Online authentication policy query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoAuthPolicyEmptyResponse
: [12:55:27:714] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:717] - [Get-MonkeyEXOHostedConnectionFilterPolicy] - The Exchange Online hosted connection filter
policy query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoHostedConnectionEmptyResponse
: [12:55:27:748] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:751] - [Get-MonkeyEXOHostedContentFilterPolicy] - The Exchange Online Hosted content filter policy
query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoHostedContentEmptyResponse
: [12:55:27:783] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:784] - [Get-MonkeyEXOHostedContentFilterRule] - The Exchange Online Hosted content filter rule query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoHostedContentEmptyResponse
: [12:55:27:809] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:811] - [Get-MonkeyEXOInboundConnectorInfo] - The Exchange Online inbound connector query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoInboundConnectorEmptyResponse
: [12:55:27:845] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:847] - [Get-MonkeyEXOOutboundConnector] - The Exchange Online outbound connector query did not return
any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoOutboundConnectorEmptyResponse
: [12:55:27:879] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:882] - [Get-MonkeyEXOOutboundSpamFilterPolicy] - The Exchange Online hosted outbound spam filter
policy query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoOutboundSpamFilterResponse
: [12:55:27:913] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:916] - [Get-MonkeyEXOTransportConfig] - The Exchange Online transport config query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoTransportConfigResponse
: [12:55:27:947] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:950] - [Get-MonkeyEXOTransportRule] - The Exchange Online transport rules query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoTransportRulesResponse
: [12:55:27:974] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:27:985] - [Get-MonkeyEXODevicePolicy] - The Exchange Online device policy query did not return any data
in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoDevicePolicyEmptyResponse
: [12:55:28:008] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:011] - [Get-MonkeyEXOMobileDeviceMailboxPolicy] - The Exchange Online mobile device mailbox policy
query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoMobileDeviceMailboxEmptyResponse
: [12:55:28:043] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:075] - [Get-MonkeyEXODKIMConfiguration] - The Exchange Online DKIM signing configuration query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoDKIMEmptyResponse
: [12:55:28:078] - [Get-MonkeyEXOCASMailbox] - The Exchange Online CAS (Client Access Settings) mailboxes query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoCASMailboxesEmptyResponse
: [12:55:28:113] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:116] - [Get-MonkeyEXOMailBoxRetentionPolicy] - The Exchange Online mailbox retention policy query did
not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoMailboxRetentionPolicyEmptyResponse
: [12:55:28:148] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:150] - [Get-MonkeyEXOOWAMailboxPolicy] - The Exchange Online hosted OWA Mailbox policy query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoOWAMailboxResponse
: [12:55:28:175] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:177] - [Get-MonkeyEXOMalwareFilterPolicy] - The Exchange Online malware filter policy query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
ExoMalwareFilterPolicyEmptyResponse
: [12:55:28:209] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:212] - [Get-MonkeyEXOMalwareFilterRule] - The Exchange Online malware filter rule query did not return
any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoMalwareFilterRuleEmptyResponse
: [12:55:28:245] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:248] - [Get-MonkeyEXOOrgConfig] - The Exchange Online organisation configuration query did not return
any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoOrgConfigEmptyResponse
: [12:55:28:282] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:285] - [Get-MonkeyEXOPolicyConfig] - The Exchange Online policy config query did not return any data
in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoPolicyConfigResponse
: [12:55:28:321] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:324] - [Get-MonkeyEXORemoteDomain] - The Exchange Online remote domain query did not return any data
in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoRemoteDomainResponse
: [12:55:28:357] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:359] - [Get-MonkeyEXOSharingPolicy] - The Exchange Online sharing policy query did not return any data
in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoSharingPolicyResponse
: [12:55:28:363] - [Get-PSExoAdminApiObject] - Unable to connect to Exchange Online API. Null token detected -
info - ms365user -
: [12:55:28:374] - [Get-MonkeyEXOUser] - The Exchange Online users query did not return any data in
********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoUsersEmptyResponse
: [12:55:28:379] - [Get-PSExoAdminApiObject] - Unable to connect to Exchange Online API. Null token detected -
info - ms365user -
: [12:55:28:384] - [Get-MonkeyEXOUsersMailbox] - The Exchange Online mailboxes query did not return any data in
********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoMailboxesEmptyResponse
: [12:55:28:395] - [Get-MonkeyEXOUsersMailbox] - The Exchange Online mailbox forwarding query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoMailboxesEmptyResponse
: [12:55:28:397] - [Get-MonkeyEXOUsersMailbox] - The Exchange Online mailbox permissions query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - ExoMailboxesEmptyResponse
: [12:55:28:421] - [Test-EXOConnection] - Not connected to Exchange Online - warning - ms365user -
ExoConnectionError
: [12:55:28:455] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:488] - [Get-MonkeyEXOActivityAlert] - The Security and Compliance activity alerts query did not return
any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SecCompActivityAlertsEmptyResponse
: [12:55:28:515] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:516] - [Get-MonkeyEXOProtectionAlert] - The Exchange Online protection alert query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SecCompProtectionAlertResponse
: [12:55:28:552] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:575] - [Get-MonkeyEXOAdminAuditLogConfig] - The Security and Compliance Admin audit log config query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SecCompLogConfigEmptyResponse
: [12:55:28:610] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:654] - [Get-MonkeyPurviewSupervisoryReviewPolicy] - The Microsoft Purview: Supervisory review policy
query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SecCompSupervisoryPolicyEmptyResponse
: [12:55:28:688] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:719] - [Get-MonkeyEXOComplianceTag] - The Security and Compliance tags query did not return any data
in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SecCompTagsEmptyResponse
: [12:55:28:743] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:753] - [Get-MonkeyEXOLabelPolicy] - The Security and Compliance label policy query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SecCompLabelPolicyEmptyResponse
: [12:55:28:777] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:780] - [Get-MonkeyEXOSensitivityInfoType] - The Security and Compliance Sensitivity Information Types
query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SecCompDLPSentivityInfoEmptyResponse
: [12:55:28:814] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:816] - [Get-MonkeyEXOSensitivityLabel] - The Security and Compliance sensitivity labels query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SecCompSensitivityLabelsEmptyResponse
: [12:55:28:848] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:851] - [Get-MonkeyEXODLPCompliancePolicy] - The Security and Compliance DLP compliance policy query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SecCompDLPEmptyResponse
: [12:55:28:884] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:28:887] - [Get-MonkeyEXODLPInfo] - The Security and Compliance DLP compliance information query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SecCompDLPEmptyResponse
: [12:55:28:889] - [Get-MonkeyEXODLPInfo] - The Security and Compliance DLP analysis query did not return any data
in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SecCompDLPEmptyResponse
: [12:55:28:912] - [Test-EXOConnection] - Not connected to Exchange Online Compliance Center - warning -
ms365user - ExoConnectionError
: [12:55:35:614] - [Get-MonkeyAADRMConfig] - The Office 365 Rights Management: Configuration query did not return
any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - AADRMConfigEmptyResponse
: [12:55:41:413] - [Get-MonkeyAADRMMaxUseLicense] - The Office 365 Rights Management: max use license validity
status query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
AADRMMaxUseLicenseEmptyResponse
: [12:55:41:570] - [Get-MonkeyAADRMOnboarding] - The Office 365 Rights Management: Onboarding control policy query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
AADRMOnboardingControlPolicyEmptyResponse
: [12:55:41:907] - [Get-MonkeyAADRMServiceKeyInfo] - The Office 365 Rights Management: Service Key Status query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
AADRMServiceKeyStatusEmptyResponse
: [12:55:42:885] - [Get-MonkeyFormsTenantInformation] - The Microsoft 365 Forms. Tenant settings query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - FormsTenantInfoEmptyResponse
: [12:55:42:994] - [Get-MonkeyAADRMTemplate] - The Office 365 Rights Management: Templates query did not return
any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - AADRMTemplatesEmptyResponse
: [12:55:43:026] - [Get-MonkeySPSWebsForUser] - Unable to get site properties for - warning - ms365user -
SPSUnableToGetSites
: [12:55:43:030] - [Get-MonkeySharePointOnlineExternalLink] - The SharePoint Online external links query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SPSExternalLinksEmptyResponse
: [12:55:43:032] - [Test-SiteConnection] - Unable to connect to SharePoint Online Web API. Null token detected -
info - ms365user -
: [12:55:43:034] - [Get-MonkeySPSExternalUser] - The Sharepoint Online External Users query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SPSExternalUsersEmptyResponse
: [12:55:43:067] - [Get-MonkeySPSWebsForUser] - Unable to get site properties for - warning - ms365user -
SPSUnableToGetSites
: [12:55:43:078] - [Get-MonkeySPSOrphanedUser] - The Sharepoint Online Orphaned Users query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SPSOrphanedUsersEmptyResponse
: [12:55:43:081] - [Get-MonkeySPSOrphanedUser] - The Sharepoint Online Orphaned Groups query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SPSOrphanedGroupsEmptyResponse
: [12:55:43:106] - [Get-MonkeySPSWebsForUser] - Unable to get site properties for - warning - ms365user -
SPSUnableToGetSites
: [12:55:43:118] - [Get-MonkeySharePointOnlineSiteAccessRequest] - The Sharepoint Online Site access requests
query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SPSAccessRequestEmptyResponse
: [12:55:43:141] - [Get-MonkeySPSWebsForUser] - Unable to get site properties for - warning - ms365user -
SPSUnableToGetSites
: [12:55:43:146] - [Get-MonkeySharePointOnlineSiteCollectionAdmin] - The Sharepoint Online External Users query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SPSExternalUsersEmptyResponse
: [12:55:43:174] - [Get-MonkeyFormsUserInfo] - The Microsoft 365 Forms. Current user info query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - FormsCurrentUserEmptyResponse
: [12:55:43:203] - [Get-MonkeySPSWebsForUser] - Unable to get site properties for - warning - ms365user -
SPSUnableToGetSites
: [12:55:43:208] - [Get-MonkeySharePointOnlineSitePermissionsInfo] - The Sharepoint Online site permissions query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SPSSitePermissionsEmptyResponse
: [12:55:43:210] - [Test-SiteConnection] - Unable to connect to SharePoint Online Web API. Null token detected -
info - ms365user -
: [12:55:43:213] - [Get-MonkeySharePointOnlineSitesInfo] - The Sharepoint Online Sites query did not return any
data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SPSSitesEmptyResponse
: [12:55:43:224] - [Get-MonkeySharePointOnlineTenantAdminInfo] - The Sharepoint Online Tenant Admin details query
did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SPSTenantDetailsEmptyResponse
: [12:55:43:225] - [Test-SiteConnection] - Unable to connect to SharePoint Online Web API. Null token detected -
info - ms365user -
: [12:55:43:228] - [Test-SiteConnection] - Unable to connect to SharePoint Online Web API. Null token detected -
info - ms365user -
: [12:55:43:238] - [Get-MonkeySharePointOnlineTenantInfo] - The Sharepoint Online Tenant Details query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user - SPSTenantDetailsEmptyResponse
: [12:55:43:241] - [Get-MonkeySharePointOnlineTenantSitesProperty] - The SharePoint Online Tenant Sites query did
not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
SPSTenantSitesEmptyResponse
: [12:55:43:242] - [Test-SiteConnection] - Unable to connect to SharePoint Online Web API. Null token detected -
info - ms365user -
: [12:55:43:255] - [Get-MonkeySharePointOnlineTenantSyncClientRestriction] - The Sharepoint Online Tenant Sync
Client Restriction query did not return any data in ********-126d-2094-1234-***********1 tenant - warning -
ms365user - SPSTenantSyncEmptyResponse
: [12:55:43:294] - [Get-MonkeySPSWebsForUser] - Unable to get site properties for - warning - ms365user -
SPSUnableToGetSites
: [12:55:43:299] - [Get-MonkeySharePointOnlineWeb] - The Sharepoint Online webs query did not return any data in
********-126d-2094-1234-***********1 tenant - warning - ms365user - SPSWebsEmptyResponse
: [12:55:44:118] - [Get-MonkeyTeamsAppPermissionPolicy] - The Microsoft 365 Teams: Skype application policies
query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsAppPolicyEmptyResponse
: [12:55:44:118] - [Get-MonkeyTeamsAppSetupPolicy] - The Microsoft 365 Teams: Application setup policies query did
not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsAppSettingsEmptyResponse
: [12:55:44:892] - [Get-MonkeyTeamsGuestMeetingConfiguration] - The Microsoft 365 Teams: Guest meeting
configuration query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsGuestMeetingEmptyResponse
: [12:55:44:918] - [Get-MonkeyTeamsGuestCallingConfiguration] - The Microsoft 365 Teams: Guest calling
configuration query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsGuestCallingEmptyResponse
: [12:55:45:677] - [Get-MonkeyTeamsNotificationsFeedsPolicy] - The Microsoft 365 Teams: Notifications and feeds
policy query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsOrgSettingsEmptyResponse
: [12:55:45:696] - [Get-MonkeyTeamsGuestMessagingConfiguration] - The Microsoft 365 Teams: Guest messaging
configuration query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsGuestMessagingEmptyResponse
: [12:55:46:452] - [Get-MonkeyTeamsOrgConfiguration] - The Microsoft 365 Teams: Organisation settings query did
not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsOrgSettingsEmptyResponse
: [12:55:46:503] - [Get-MonkeyTeamsSkypeClientConfiguration] - The Microsoft 365 Teams: Skype client configuration
query did not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsSkypeClientConfEmptyResponse
: [12:55:47:223] - [Get-MonkeyTeamsSkypeMeetingPolicy] - The Microsoft 365 Teams: Skype meeting policies query did
not return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsSkypeMeetingPoliciesEmptyResponse
: [12:55:47:292] - [Get-MonkeyTeamsSkypeTenantFederationSetting] - The Microsoft 365 Teams: Skype tenant
federation settings query did not return any data in ********-126d-2094-1234-***********1 tenant - warning -
ms365user - TeamsTenantFederationSettingsEmptyResponse
: [12:55:48:031] - [Get-MonkeyTeamsTargetingPolicy] - The Microsoft 365 Teams: Targeting policy query did not
return any data in ********-126d-2094-1234-***********1 tenant - warning - ms365user -
TeamsTargetingPolicyEmptyResponse
: [12:55:48:054] - [Get-MonkeyTeamsTenant] - The Microsoft 365 Teams: Tenant query did not return any data in
********-126d-2094-1234-***********1 tenant - warning - ms365user - TeamsTenantInfoEmptyResponse
: [12:55:48:825] - [Get-MonkeyTeamsUser] - The Microsoft 365 Teams: Users query did not return any data in
********-126d-2094-1234-***********1 tenant - warning - ms365user - TeamsUsersEmptyResponse
: [12:55:49:486] - [New-O365ExportObject] - Unable to create Monkey object - warning - ms365user -
MonkeyObjectError
Out-MonkeyData : Cannot bind argument to parameter 'MonkeyExportObject' because it is null.
No C:\monkey365\core\analysis\Invoke-M365Scanner.ps1:108 caractere:44

•     Out-MonkeyData -MonkeyExportObject $MonkeyExportObject
  

•                                        ~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Out-MonkeyData], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Out-MonkeyData

[silverhack]

Hi @brenosilva,

There are multiple endpoints in Microsoft 365 in which the Client Credentials grant type is supported. However, there are some endpoints such as the Azure AAD Portal API that don't support service principals, so Client Credentials grant type is not supported. Only interactive users (Interactive browser authentication and Resource Owner Password Credentials valid flows) are allowed to access this endpoint.

Having said that, Monkey365 should switch between Graph/Microsoft Graph (in which the Client Credentials flow is an approved method) and Azure AAD portal API in cases in which the grant type is not supported, so I'll open a new issue in order to track it.

Cheers,

[brenosilva]

Hi @silverhack, thanks for you attention

So, i´m understading it is a limitation on Microsoft side and no Monkey365 side. Is it correct ?

Also looks like Global Reader permission is only valid on Interactive mode, is it correct ?

For non-interactive mode i need to specific App permission for MS Graph during application registration as described here https://learn.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis
Please see : Specify the permissions your app requires to access the Office 365 Management APIs section on URL.

If it is correct, could you please provide information about what kind of API permissions are necessary for Monley365 ?

Thanks

[silverhack]

Hi @brenosilva hope you're doing well,

Yes. It's a limitation on Microsoft side, as that application was configured to support only the Interactive browser authentication flow.

Monkey365 will require that the provided identity have only read-operation permissions, according to the principle of least privilege. This is a list with examples about how to create a Service Principal for using Certificate based authentication or app-only authentication for SharePoint online or Exchange Online:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

Hope that helps,

[brenosilva]

@silverhack Thanks for the input.

I already assigned Global Reader, Exchange Administrator, Sharepoint Administrator and also Global Administrator to try to retrieve information using client-id and secret. However i still see the issues mentioned here #29 (reply in thread)

Maybe i see to set a Redirect URL when Registering Monkey365 app ? It is empty on my side
Thanks

[silverhack]

Hi @brenosilva,

Nope. Redirect URL is not necessary. Regarding permissions, it seems that you're trying to access to all Microsoft 365 applications using the client credential flow (AppId + Secret), which is NOT supported for some of the Microsoft-owned applications.

For example, for SharePoint Online, the AppId+Secret flow is NOT supported. Certificate-based credentials is the only one approved flow for use in SharePoint Online. Please, refer to the Microsoft docs, as it's not a Monkey365 issue. More information about how to create an Azure AD app for app-only access token using self-signed certificate for authenticating SharePoint Online can be seen here:

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

Please, also note that not all Microsoft applications are supporting the client credentials flow. For example, the Teams application is not fully supporting the client credentials auth flow, so you'll get an 401 "access denied" or (400) "Bad Request" messages with Monkey365.

Hope that helps,

[brenosilva]

@silverhack Thanks

Got it worked with clientid+ secret for some O365_*
I will try using certificate to understand the difference.

Thanks!

[Mastix95]

Hello @silverhack

I'm trying to do a Certificate-based Authentication to a SharepointOnline and I'm receiving this same error. I registered the app with a Global Administrator account on my Microsoft365 tenant, and assigned it a self-signed certificate and the needed permissions, following the link you provided in the thread:

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

These are the parameters I'm using:

$param = @{
ClientId = 'Client-Id-goes-here';
certificate = 'Path\to\certificate.pfx';
CertFilePassword = ("Certificate private key goes here" | ConvertTo-SecureString -AsPlainText -Force);
Instance = 'Microsoft365';
Analysis = 'SharePointOnline';
TenantID = 'TenantId goes here';
ExportTo = @("EXCEL","CSV","JSON","HTML");
}

Any idea of what can be failing? Let me know if I can provide more info.

Thank you in advance!

[silverhack]

Hi @Mastix95 hope you're doing well,

Thanks for catching that. I can reproduce your issue and I have opened a new bug in the issues section. As a workaround, I'd recommend to give your application permissions over the old Microsoft Graph API until the issue is resolved.

Thanks in advance,