dennis_reinhardt
Frequent contributor

Re: O365 token generation -"interaction_required" error

Added all the mentioned URLs from the MS O365 endpoint (56,59,147).

But I am running into an error again:

2020-01-30 09:20:34,554 [INFO ]   Reading 'Computer' data from 'O365'  (ver 1.0) data source
2020-01-30 09:20:34,570 [INFO ]     Get Users from Office 365 (Transfer data from source 'O365' to FNMP)
2020-01-30 09:20:35,351 [ERROR]       The remote server returned an error: (400) Bad Request.
2020-01-30 09:20:35,367 [ERROR]       Error occurred trying to get the access token: Get-TokenSetInternal failed
2020-01-30 09:20:35,851 [INFO ]       Failed to execute Reader 'Get Users from Office 365' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\User.xml, at step line 1
Error: The remote server returned an error: (400) Bad Request.
2020-01-30 09:20:35,851 [INFO ]       All retries have been attempted for Reader 'Get Users from Office 365'
2020-01-30 09:20:35,851 [INFO ]       Completed with error in 1 second.
2020-01-30 09:20:35,851 [ERROR]     System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at ManageSoft.Compliance.Importer.Logic.PowerShellDataReader.CheckForPowerShellError()
   at ManageSoft.Compliance.Importer.Logic.PowerShellDataReader.Read()
   at ManageSoft.Compliance.Importer.Serialization.IntermediateWriter.WriteData(XmlWriter xmlWriter)
   at ManageSoft.Compliance.Importer.Serialization.IntermediateWriter.WriteData()
   at ManageSoft.Compliance.Importer.Logic.XML.SourceToTarget.ExecuteReader(IExecutionContext context, ISourceConnection sourceConn, IDataReader reader)
   at ManageSoft.Compliance.Importer.Logic.PublicObjectModel.SourceToImportedTableObject.ExecuteReader(IValidatingDataReader reader, SourceToObject STOObject)
   at ManageSoft.Compliance.Importer.Logic.PublicObjectModel.SourceToObjectImplementation.ExecuteImplementationSQL(IExecutionContext context, SourceToObject sourceToObject)
   at ManageSoft.Compliance.Importer.Logic.XML.Reader.Execute(IExecutionContext context)
   at ManageSoft.Compliance.Importer.Logic.ActionExecuter.ReaderExecuter.ExecuteSingleReader(Reader reader, Int32 procedureOrder, Version sourceDatabaseVersion)
   at ManageSoft.Compliance.Importer.Logic.ActionExecuter.ReaderExecuter.Execute()
   at ManageSoft.Compliance.Importer.Logic.ComplianceImporter.ProcessExecution(ComplianceReader p_ComplianceReader, Tenant p_Tenant, IExecutionContext p_Context)
2020-01-30 09:20:36,132 [INFO ]     Created intermediate package at C:\ProgramData\Flexera Software\Beacon\IntermediateData\I[S=O365]_20200130082035.zip
2020-01-30 09:20:36,179 [INFO ]   Time: Donnerstag, 30. Januar 2020 09:20:36
2020-01-30 09:20:36,179 [INFO ]   Total import time: 6 seconds
2020-01-30 09:20:36,179 [INFO ]   0 source data warnings
2020-01-30 09:20:36,179 [INFO ]   3 errors, 0 warnings
0 Kudos
jlu_tmg100_c
Active participant

Re: O365 token generation -"interaction_required" error

One other quirk I didn't mention:
when you click 'Generate...', the Office 365 login prompt is an Internet Explorer session, and so whatever proxy is set inside IE is the one that is used, NOT the one you just entered into the connection config. So if those are different proxies, set the IE proxy to be the same as the connection's proxy.
Once the token is generated you can set the IE proxy back to whatever it was.

j
0 Kudos
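
A check for the proxy mismatch described in the post above, as an added example that is not part of the original thread: it reads the logged-in user's IE proxy settings from the registry and compares them with the proxy entered in the connection. The `$ConnectionProxy` value and the helper function names are assumptions made for illustration; run it in the same user session that opens the 'Generate...' prompt, because these settings are per-user.

```powershell
# Added example: compare the current user's IE (WinINET) proxy with the proxy
# entered in the O365 connection config.
param(
    # Placeholder value, not taken from the thread.
    [string]$ConnectionProxy = 'proxy.example.internal:8080'
)

function ConvertTo-ProxyKey([string]$value) {
    # Strip a leading scheme and trailing slashes, lower-case for comparison.
    ($value -replace '^[a-z]+://', '' -replace '/+$', '').Trim().ToLowerInvariant()
}

function Get-IeProxyList([string]$proxyServer) {
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
    foreach ($entry in ($proxyServer -split ';' | Where-Object { $_ })) {
        $parts = $entry -split '=', 2
        if ($parts.Count -eq 2) {
            # Only the HTTP/HTTPS entries matter for the login prompt.
            if ($parts[0] -in 'http', 'https') { ConvertTo-ProxyKey $parts[1] }
        } else {
            ConvertTo-ProxyKey $parts[0]
        }
    }
}

# Per-user IE settings: these belong to whoever is logged in right now.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie  = Get-ItemProperty -Path $key

$expected = ConvertTo-ProxyKey $ConnectionProxy
$enabled  = [bool]$ie.ProxyEnable          # missing value or 0 -> $false
$actual   = @(if ($enabled -and $ie.ProxyServer) { Get-IeProxyList $ie.ProxyServer })

[pscustomobject]@{
    RunningAs       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    IeProxyEnabled  = $enabled
    IeProxyServer   = $ie.ProxyServer
    IeAutoConfigUrl = $ie.AutoConfigURL    # a PAC file can override the static proxy
    ConnectionProxy = $expected
    Match           = $enabled -and ($actual -contains $expected)
}
```

If `IeAutoConfigUrl` is set, the effective proxy is decided by the PAC script, so a `Match` of `True` on the static value alone is not conclusive.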
dennis_reinhardt
Frequent contributor

Re: O365 token generation -"interaction_required" error

We could now solve the problem, but we are not yet satisfied with the solution.

The Beacon Service runs in the context of a Flexera-Service Account (svc-flx). The login via RDP and the execution of the Beacon App was also done in the context of the Flexera-Service Account (svc-flx). For the O365 connection we have a dedicated O365 user available (flxo365@customer.com).

As it turns out, the O365 adapter tried to connect with the Flexera-Service Account, which of course had no permissions on the portal and therefore the "interaction_required" error occurred, because no login page could be opened.

As a test, we have added the Flexera-Service Account to the O365 portal and assigned appropriate rights. Since this change, access is possible.

Now the question: how can we ensure a separation of the accounts and make it clear to the Beacon O365 Adapter that the account which is specified in the first query field for the O365 login should be used?

Thanks and Best,

Dennis

0 Kudos
Alpesh
Flexera

Re: O365 token generation -"interaction_required" error

Hi Dennis,

I believe we had something like this earlier. This is not a beacon or FNMS issue. If you launch IE or any browser on the beacon machine and try to connect to office.com or portal.azure.com, you may see that it was trying to connect using the Service account. If you can fix that so that it prompts for a login, instead of trying to use the default credentials, this problem may go away and then beacon will be able to use the account that you specify in the connection details.

I hope this helps. Please let me know if this suggestion helps you.

Thanks!

0 Kudos
dennis_reinhardt
Frequent contributor

Re: O365 token generation -"interaction_required" error

Hi @Alpesh,

What I forgot to add in my last post: when running the O365 adapter setup, a new browser window opens (from the O365 PowerShell script) and asks me to enter my current O365 email. Using the dedicated O365 account will cause the "interaction_required" error. As you said, it looks like IE doesn't use the entered credentials while forwarding the login request to the O365 portal ...

0 Kudos