unable to connect Office365 endpoint using MFA in Identity Manager


Article ID: 267381


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

A standalone Identity Manager 14.4 with CP2 installed needs to provision an Office365 endpoint.

The documentation that comes with the connector states that the PowerShell module Microsoft Azure Active Directory (MSOnline) must be installed and that the following commands must be executed to check the health of the environment:

Import-Module MsOnline
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption (New-PSSessionOption -IdleTimeOut 60000)
Import-PSSession $session
get-rolegroup | format-list 

The first 3 commands are executed successfully; however, the following one returns this error:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption (New-PSSessionOption -IdleTimeOut 60000)

 

Microsoft has deprecated the use of Basic Authentication; this is the reason behind the "Access is denied" error message. More information is available below:

Basic Authentication Deprecation in Exchange Online – Time’s Up - Microsoft Community Hub

Announcing Deprecation of Remote PowerShell (RPS) Protocol in Exchange Online PowerShell - Microsoft Community Hub

The connector also offers "Certificate-Based modern authentication"; however, when the endpoint is being connected, the logs show that Basic authentication is still used:

Why does the Office365 connector still make use of Basic Authentication?

Environment

Release : 14.4 CP2

Resolution

The Office 365 connector was not using MFA authentication but Basic authentication.

The connector was using the older 1.0.2 version of the jar definitions instead of the 1.0.5 ones shown in the IM Management Console.

After a restart of all components of the system, the correct version of the definitions is used.

 

Additional Information

The information is stored in the Provisioning directory, in the eTMetaData attribute of the Connector. We replaced the old information with the information from the 1.1.0 XML file, below.

Unzip the jar <installation directory of Connector server>/system/com/ca/jcs/jcs-connector-o365/1.1.0/jcs-connector-o365-1.1.0.jar using a zip program.

Make sure the XML file is the correct version.
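
The check above can be done without extracting anything by hand. The following PowerShell script is an added example, not part of the connector or its documentation: it lists every jcs-connector-o365 version found on disk and the XML entries inside each jar, so a leftover older definition set is easy to spot. The parameter name `$ConnectorServerHome` is an assumption and must point to your own Connector Server installation directory.

```powershell
# Added example: the parameter name is hypothetical; the directory layout is the one given in the article.
param(
    # Connector Server installation directory (placeholder, set to your own path).
    [Parameter(Mandatory)] [string] $ConnectorServerHome
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# <installation directory>/system/com/ca/jcs/jcs-connector-o365/<version>/jcs-connector-o365-<version>.jar
$base = Join-Path $ConnectorServerHome 'system/com/ca/jcs/jcs-connector-o365'
if (-not (Test-Path -LiteralPath $base)) {
    throw "Connector directory not found: $base"
}

$jars = Get-ChildItem -LiteralPath $base -Recurse -Filter 'jcs-connector-o365-*.jar' -File
if (-not $jars) { throw "No jcs-connector-o365 jar found under $base" }

foreach ($jar in $jars) {
    # The version is the name of the folder that holds the jar.
    $version = $jar.Directory.Name
    $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
    try {
        # Report each XML entry without writing anything to disk.
        $zip.Entries |
            Where-Object { $_.FullName -like '*.xml' } |
            Select-Object @{ n = 'JarVersion'; e = { $version } },
                          @{ n = 'XmlEntry';   e = { $_.FullName } },
                          @{ n = 'Bytes';      e = { $_.Length } },
                          @{ n = 'Modified';   e = { $_.LastWriteTime.DateTime } }
    }
    finally {
        $zip.Dispose()
    }
}

# Several versions side by side is the situation described in the Resolution section.
if (@($jars).Count -gt 1) {
    $found = ($jars | ForEach-Object { $_.Directory.Name }) -join ', '
    Write-Warning "More than one connector version is on disk: $found. Confirm which definitions the endpoint loaded after the restart."
}
```

The script only reads the jars; comparing the listed XML against the eTMetaData attribute in the Provisioning directory remains a manual step.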