SOLVED: Exchange Online Management PowerShell Connect-ExchangeOnline bug "A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles"

While you're here why not check out our Exchange audit and documentation tool?


If you're using the Exchange Online Management PowerShell cmdlets you may notice that the following error:

A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles

This error appears in version 3.7.0 (and persists in version 3.7.1) when the following change was made.

Integrated WAM (Web Account Manager) in Authentication flows to enhance security.

You notice that this error occurs in PowerShell ISE but not in a PowerShell, the issue also appears in any Windows based applications - for example a WinForms application that tries to execute Connect-ExchangeOnline

PowerShell ISE


A .NET console application does work correctly.

.NET console application




While you're here why not check out our Exchange audit and documentation tool?


The error occurs because Microsoft has made the (correct) decision that when an interactive login prompt it must have a parent window so that the dialog doesn't appear behind another window thereby not visible to the user. This is implemented by the MSAL library.

However the code they used to determine the parent window can be seen below.

/// <summary>
/// Initializes the Public Client Application or extract from map
/// if already present. Also it enters the instance in the map if newly created.
/// </summary>
/// <returns>An instance of PCA from the map or intializes and returns it</returns>
private IPublicClientApplication GetPublicClientInstance()
{
    IPublicClientApplication publicClientApplication;
    if (!MSALTokenProvider.publicClientApplicationMap.TryGetValue(this.context.AzureADAuthorizationEndpointUri, out publicClientApplication))
    {
        BrokerOptions brokerOption = new BrokerOptions(BrokerOptions.OperatingSystems.Windows);
        publicClientApplication = (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? PublicClientApplicationBuilder.Create(this.context.ClientAppId).WithAuthority(this.context.AzureADAuthorizationEndpointUri, true).WithRedirectUri(this.context.ClientAppRedirectUri.ToString()).WithClientCapabilities(new string[] { "cp1" }).Build() : PublicClientApplicationBuilder.Create(this.context.ClientAppId).WithAuthority(this.context.AzureADAuthorizationEndpointUri, true).WithRedirectUri(this.context.ClientAppRedirectUri.ToString()).WithClientCapabilities(new string[] { "cp1" }).WithParentActivityOrWindow(new Func<IntPtr>(ParentWindowHandle.GetConsoleOrTerminalWindow)).WithBroker(brokerOption).Build());MSALTokenProvider.publicClientApplicationMap.TryAdd(this.context.AzureADAuthorizationEndpointUri, publicClientApplication);
    }
    return publicClientApplication;
}

As seen in the code above this uses the GetConsoleWindow low level API to determine the handle of the parent console window.
https://learn.microsoft.com/windows/console/getconsolewindow


"We do not recommend using this content in new products"

They are using dated methods that they don't recommend themselves, but more importantly they are looking for a console window and therefore if you're not running a console app then there's no handle returned from the method.


The issue persists in ExchangeOnlineManagement version 3.7.1 so it's a concern that Microsoft are not going to fix this issue.


Workaround 1: Downgrade

In the mean time you can uninstall the latest versions and roll-back to version 3.6.0 which didn't have the issue.

Uninstall-Module -Name ExchangeOnlineManagement -AllVersions -Force
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.6.0 -Force


Workaround 2: Open a console window

You can also open a console window in PowerShell ISE or your windows application, this is not great as it opens a console window in the background.

$consoleSupportSource = @’
using System;
using System.Runtime.InteropServices;
public class ConsoleSupportMethods
{
   [DllImport("kernel32.dll", SetLastError = true)]
   public static extern int AllocConsole();

   [DllImport("kernel32.dll", SetLastError = true)]
   public static extern int FreeConsole();
}
‘@

Add-Type -TypeDefinition $consoleSupportSource
try
{
   [ConsoleSupportMethods]::AllocConsole();
   Connect-ExchangeOnline;
}
catch
{
   throw;
}
finally
{
   [ConsoleSupportMethods]::FreeConsole();
}

 


Workaround 3: Handle MSAL Authentication yourself

The best solution is to handle the MSAL authentication yourself and then pass an access token to Connect-ExchangeOnline. The Exchange team are constantly shunning standards (the whole backend of these cmdlets are a botched REST API that passes the cmdlet name) so you're really stuck with the cmdlets but you can at least rid yourself of their authentication code.

The following sample code uses the MSAL libraries that are installed as part of the Exchange PowerShell cmdlets so you don't need to install these separately.

$msalPath = [System.IO.Path]::GetDirectoryName((Get-Module ExchangeOnlineManagement).Path);
Add-Type -Path "$msalPath\Microsoft.IdentityModel.Abstractions.dll";
Add-Type -Path "$msalPath\Microsoft.Identity.Client.dll";
[Microsoft.Identity.Client.IPublicClientApplication] $application = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create("fb78d390-0c51-40cd-8e17-fdbfab77341b").WithDefaultRedirectUri().Build();
$result = $application.AcquireTokenInteractive([string[]]"https://outlook.office365.com/.default").ExecuteAsync().Result;
Connect-ExchangeOnline -AccessToken $result.AccessToken -UserPrincipalName $result.Account.Username; 



Comments

  1. Joost14 March 2025 at 06:34

    - Get-Module needs a -ListAvailable (or an Import-Module ExchangeOnlineManagement), or you get an error when you haven't loaded the module yet
    - How do you log in using a different accountname? When I give a different accountname, I get the MFA popup for my own windows account.
    - And this works until Entra feels that you need to verify your MFA data, then you get a 'your browser is not supported' error.

    ReplyDelete
    Replies
    1. David Homer14 March 2025 at 07:15

      Hello, yes you should probably import module first but I found on my system I didn't have to.

      - How do you log in using a different accountname? When I give a different accountname, I get the MFA popup for my own windows account.
      Where do you mean? In the MSAL code you can provide a login hint so that the system tries to automatically login with a specific account - do you mean that? Or that the system tries to log you in with a specific account?

      Sometimes you get locked into an account with the Microsoft login prompt but you can often click Back to get to a list of accounts.

      Login hints and prompts also affect this.

      https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.client.acquiretokeninteractiveparameterbuilder.withloginhint?view=msal-dotnet-latest

      https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.client.acquiretokeninteractiveparameterbuilder.withprompt?view=msal-dotnet-latest

      We use this code

      Prompt prompt = !String.IsNullOrEmpty(LoginHint) ? Prompt.NoPrompt : Prompt.SelectAccount;
      AuthenticationResult result = Task.Run(async () => await application.AcquireTokenInteractive(scopes).WithPrompt(prompt).WithLoginHint(LoginHint).WithExtraScopesToConsent(extraScopes).ExecuteAsync().ConfigureAwait(false)).GetAwaiter().GetResult();



      Delete

Post a Comment

Popular posts from this blog

Windows Server 2016, 2019, 2022, Windows 10 and Windows 11: Date and time "Some settings are managed by your organization".

Image
When you're using the new "Modern" date and time settings in Windows Server 2016, 2019, 2022, Windows 10 and Windows 11 you may find that you can't set the correct date and time and the value "Some settings are managed by your organization". - While you're here - Why not check out our Windows Server Documentation and Audit Tool? The simplest way around this is to go back to the proper control panel using Start, Run, "Control.exe" and searching for "Set the date".  Within here you can set the date and time manually as required If you try and click the Change time zone button you may again get access denied... To resolve this open an elevated command prompt by right clicking the command prompt and selecting Run as Administrator  From there run the command rundll32.exe shell32.dll,Control_RunDLL timedate.cpl This will open the Data and Time control panel app elevated as an Administrator.
Read more

TFTPD32 or TFTPD64 reports Bind error 10013 An attempt was made to access a socket in a way forbidden by its access permissions.

Image
When you start the trivial FTP (TFTP) server application TFTPD32 or TDTPD64 you may see the following error Bind error 10013 An attempt was made to access a socket in a way forbidden by its access permissions. This can be because another application is using this port. The easiest way to check if (and which) application is using the port is as administrator run an elevated command prompt and enter netstat -anb > ports.txt Then open ports.txt in Notepad and search for :69, you'll quickly be able to see the process using the required port - While you're here - Why not check out our Windows Server Documentation and Audit Tool?
Read more