03-10-23 04:30 PM
Hi,
Is there a way to use the Microsoft Graph API to send a channel message if the logged in user has MFA enabled on their account?
Really struggling to get this to work.
Currently using the below objects:
MSAL.NET::Get Auth Token - Username and Password
Microsoft Graph - Teams::Send Channel Message
Microsoft Graph API works in Postman fine, just can't get it to work in Blue Prism.
If I try and used the "Get Auth Token - Username and Password" action in MSAL.NET object, I get the below error:
MSAL.Desktop.4.42.1.0.MsalClientException: ErrorCode: parsing_wstrust_response_failed
Microsoft.Identity.Client.MsalClientException: There was an error parsing WS-Trust response from the endpoint. This may occur if there is an issue with your ADFS configuration. See https://aka.ms/msal-net-iwa-troubleshooting for more details. Error Message: Federated service at https://autologon.microsoftazuread-sso.com/***REDACTED***
If I use the "Get Auth Token - Client Secret" action in MSAL.NET object, it gets the access token, however when I then go to use the "Send Channel Message" action in the Microsoft Graph - Teams webservice, I get the below error:
Internal : Unexpected error Error during Web API HTTP Request
HTTP Status Code: 403
HTTP Response Content: {"error":{"code":"Forbidden","message":"Missing role permissions on the request. API requires one of 'Teamwork.Migrate.All'. Roles on the request
From my understanding of what I've looked up is that for this error to be resolved it requires the App permissions in Azure to be set to Application-Only and the Teams Group and Channel need to have their settings changed to be in a migration state. But that the "Send Channel Message" action only works if the App permissions have Delegated access, which it does.
I've attached what the APP has been set up as.
Many thanks
06-10-23 01:35 PM
Hi @GemmaHolmes,
You either need to disable MFA on the user account or you need to look into the Blue Prism Authenticator asset on the DX. The Authenticator asset gives you the ability to perform two factor authentication within a Digital Worker.
https://digitalexchange.blueprism.com/dx/entry/9648/solution/blue-prism-authenticator
Cheers,
11-10-23 08:20 AM
Hi @ewilson
Thank you for your reply.
Would the idea of the Authenticator object be to log into the Azure App before running the Microsoft Graph - Teams API call?
A little confused how it works going through the UI as, for example, when I try and run it myself, even though MFA is enabled on my accounts, I'm already logged into my Microsoft applications (so MFA not required) and it still doesn't work. The scenario would be the same for the digital workers.
Kind regards
Gemma
31-10-23 02:18 PM
Hi @GemmaHolmes,
Apologies for the delay. The way I've used this in the past with Microsoft is to open the browser and login to something like myapps.microsoft.com. That should prompt you for credentials. If this is the first time the digital worker account is logging in you'll need to register the MFA option (see the VBO user guide for more details). Once you've successfully register for MFA using the VBO you can then perform 2FA logins using it with the specific DW user ID.
Cheers,