SetupNavContainer.ps1 Cannot bind parameter 'AccessToken'. Cannot convert the value of type "System.String" to type "System.Security.SecureString". #206

Open
hhout opened this issue Jul 6, 2023 · 1 comment

Comments

@hhout

hhout commented Jul 6, 2023

Hi,

When deploying Azure environments on basis of the nav-arm-templates we ran into an issue in nav-arm-templates/master/SetupNavContainer.ps1

The procedure that creates the Aad Apps for BC is raising the below error:

```
New-AadAppsForBC Telemetry Correlation Id: 4a9ec360-0353-4dbe-8a6e-ca56f13a45f1
Connect-MgGraph : Cannot bind parameter 'AccessToken'. Cannot convert the "eyJ0e...aSw" value of type "System.String" to type "System.Security.SecureString".
At C:\Program Files\WindowsPowerShell\Modules\bccontainerhelper\5.0.3\AzureAD\New-AadAppsForBc.ps1:82 char:42
+ ...       Connect-MgGraph -AccessToken $bcAuthContext.accessToken | Out-N ...
+                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Connect-MgGraph], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
```

The procedure uses BcAuthContext to create the Aad Apps for BC in nav-arm-templates/master/SetupNavContainer.ps1:

```powershell
try {
    $authContext = New-BcAuthContext -tenantID $aadDomain -credential $Office365Credential -scopes "https://graph.microsoft.com/.default"
    if (-not $authContext) {
        $authContext = New-BcAuthContext -includeDeviceLogin -scopes "https://graph.microsoft.com/.default" -deviceLoginTimeout ([TimeSpan]::FromSeconds(0))
        AddToStatus $authContext.message
        $authContext = New-BcAuthContext -deviceCode $authContext.deviceCode -deviceLoginTimeout ([TimeSpan]::FromMinutes(30))
        if (-not $authContext) {
            throw "Failed to authenticate with Office 365"
        }
    }
    $AdProperties = New-AadAppsForBC `
        -bcAuthContext $authContext `
        -appIdUri $appIdUri `
        -publicWebBaseUrl $publicWebBaseUrl `
        -IncludeExcelAadApp `
        -IncludeApiAccess `
        -IncludeOtherServicesAadApp `
        -preAuthorizePowerShell
```

In navcontainerhelper/AzureAD/New-AadAppsForBc.ps1 it tries to connect to MsGraph using the accessToken, but Connect-MgGraph -AccessToken requires a SecureString while $bcAuthContext.accessToken is a String:

```powershell
# Connect to Microsoft.Graph
if (!$useCurrentMicrosoftGraphConnection) {
    if ($bcAuthContext) {
        $bcAuthContext = Renew-BcAuthContext -bcAuthContext $bcAuthContext
        $jwtToken = Parse-JWTtoken -token $bcAuthContext.accessToken
        if ($jwtToken.aud -ne 'https://graph.microsoft.com') {
            Write-Host -ForegroundColor Yellow "The accesstoken was provided for $($jwtToken.aud), should have been for https://graph.microsoft.com"
        }
        Connect-MgGraph -AccessToken $bcAuthContext.accessToken | Out-Null
    }
    else {
        if ($accessToken) {
            Connect-MgGraph -accessToken $accessToken | Out-Null
        }
        else {
            Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null
        }
    }
}
```

As a workaround we resolved the issue for now by changing our local version of nav-arm-templates/master/SetupNavContainer.ps1 to connect to MgGraph first with the SecureString and then reuse that connection via the parameter -useCurrentMicrosoftGraphConnection instead of -bcAuthContext:

```powershell
$authContext.AccessToken = ConvertTo-SecureString $authContext.AccessToken -AsPlainText -Force
Connect-MgGraph -AccessToken $AuthContext.accessToken | Out-Null

$AdProperties = New-AadAppsForBC `
    -appIdUri $appIdUri `
    -publicWebBaseUrl $publicWebBaseUrl `
    -IncludeExcelAadApp `
    -IncludeApiAccess `
    -IncludeOtherServicesAadApp `
    -preAuthorizePowerShell `
    -useCurrentMicrosoftGraphConnection
```

In this case it successfully creates the app registrations.
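The workaround above converts the token in place and connects before calling New-AadAppsForBC. As an added example (not code from this issue, from nav-arm-templates or from bccontainerhelper), the hypothetical helper `Connect-MgGraphWithToken` below does the same conversion for the Microsoft.Graph SDK v2 signature but first checks the token's `aud` and `exp` claims, so a token issued for the wrong audience or an expired one fails clearly instead of producing a confusing Graph error later. It assumes the Microsoft.Graph.Authentication module is installed and performs no signature validation; the claim check is a sanity check, not a trust decision.

```powershell
# Added example: hypothetical helper, not part of bccontainerhelper or nav-arm-templates.
function Connect-MgGraphWithToken {
    param(
        [Parameter(Mandatory)] [object] $AccessToken,   # plain string or SecureString
        [string] $ExpectedAudience = 'https://graph.microsoft.com'
    )

    # Keep a plaintext copy only as long as needed to read the JWT claims.
    if ($AccessToken -is [System.Security.SecureString]) {
        $secure = $AccessToken
        $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    }
    else {
        $plain  = [string] $AccessToken
        # The conversion the Graph SDK v2 -AccessToken parameter requires.
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    }

    # Decode the JWT payload (second base64url segment); signature is NOT verified here.
    $parts = $plain -split '\.'
    if ($parts.Count -ne 3) { throw "Value does not look like a JWT access token" }
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json   = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    $plain  = $null

    # Same audience check New-AadAppsForBc.ps1 warns about, but enforced instead of only printed.
    if ($claims.aud -ne $ExpectedAudience) {
        throw "Access token audience is '$($claims.aud)', expected '$ExpectedAudience'"
    }
    # Refuse tokens that expire within a minute; the caller should renew (e.g. Renew-BcAuthContext).
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64] $claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow.AddMinutes(1)) {
        throw "Access token expires at $($expires.UtcDateTime) UTC; renew it before connecting"
    }

    Connect-MgGraph -AccessToken $secure | Out-Null
    Get-MgContext
}

# Usage: a string token from New-BcAuthContext, or an already converted SecureString.
# Connect-MgGraphWithToken -AccessToken $authContext.accessToken
```

After a successful call, New-AadAppsForBC can be invoked with -useCurrentMicrosoftGraphConnection exactly as in the workaround.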

@freddydk
Contributor

I think this problem was fixed in ContainerHelper since this.
Let me know if this is still a problem.

Thanks
