I am looking for a way that I can run 'New-CsOnlineSession' from a web-app using an OAuth token. The WebApp will be responsible for authenticating a user. This will use Microsoft Modern Authentication which will handle two-factor authentication and consent.
I have registered an App in the Azure Portal and given the User Impersonation permission for Skype For Business Powershell Server Application.
However, when I connect with a token that is obtained using the WebApp, I get an error that the wrong audience is being used.
Below is the transcript from my PowerShell session. Once I have this working in PowerShell, the idea is that the WebApp will execute the PowerShell commands, so any way of doing this where PowerShell prompts for the credentials will not work.
PS C:\WINDOWS\system32> $token = ConvertTo-SecureString -String $oauthtoken -AsPlainText -Force
PS C:\WINDOWS\system32> $session = New-CsOnlineSession -OAuthAccessToken $token -Verbose
VERBOSE: OAuthAccessToken is provided.
VERBOSE: Determining domain to administer
VERBOSE: AdminDomain = 'mydomain.onmicrosoft.com'
VERBOSE: Discovering PowerShell endpoint URI
VERBOSE: TargetUri = 'https://admin2e.online.lync.com/OcsPowershellOAuth'
VERBOSE: AuthUri = 'https://login.windows.net/common/oauth2/authorize', ClientId = 7716031e-6f8b-45a4-b82b-922b1af0fbb4
VERBOSE: Validating authentication token.
New-CsOnlineSession : OAuthAccessToken has invalid audience https://teamsconfigapi-int.trafficmanager.net, expected https://admin2e.online.lync.com/OcsPowershellOAuth.
At line:1 char:12
+ $session = New-CsOnlineSession -OAuthAccessToken $token -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-CsOnlineSession
Could you try setting the -OverrideAccessTokenResourceUri to the specified URL?
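An added example, not part of the original posts: a PowerShell check that decodes the token's payload and compares its `aud` claim with the TargetUri from the verbose output before New-CsOnlineSession is called. The function names and the sample token are constructed for illustration, and the check assumes the access token is a compact JWT.

```powershell
# Diagnostic only: decodes the JWT payload, does NOT verify the signature.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT: expected 3 segments, got $($parts.Count)." }
    # Convert base64url to standard base64 and restore the padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url payload length.' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    $json | ConvertFrom-Json
}

function Test-JwtAudience {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $payload = Get-JwtPayload -Token $Token
    # 'aud' can be a single string or an array of strings.
    $audiences = @($payload.aud)
    # Plain string comparison (assumption: the cmdlet's own check may differ in detail).
    $match = $audiences | Where-Object { $_ -eq $ExpectedAudience }
    [pscustomobject]@{
        Audience = $audiences -join ', '
        Expected = $ExpectedAudience
        Match    = [bool]$match
    }
}

# Hypothetical helper used only to build the constructed sample token below.
function ConvertTo-Base64Url([string]$Text) {
    [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed, unsigned sample token carrying the audience from the error message.
$sample = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}') + '.' +
          (ConvertTo-Base64Url '{"aud":"https://teamsconfigapi-int.trafficmanager.net"}') + '.sig'

# Expected audience is the TargetUri printed by New-CsOnlineSession -Verbose.
Test-JwtAudience -Token $sample -ExpectedAudience 'https://admin2e.online.lync.com/OcsPowershellOAuth'
```

Running the same check on the real token (the plain string, before ConvertTo-SecureString) shows which resource the WebApp actually requested the token for.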