
ErrorUpdatingUser - is not like a error #161

Closed
JustITPL opened this issue Mar 19, 2021 · 6 comments

Comments


JustITPL commented Mar 19, 2021

Hi,

In PowerShell, when I want to disable MFA for a user and MFA doesn't have permission to do so, I don't get a PowerShell error and cannot use "-ErrorAction".

[image]

@redhook62 (Member) commented:

Hi,

As you can imagine, this is not reproducible if the configuration is correct.
I invite you to calmly reread the whole Prerequisites part in 01- Installation.
We tested with PowerShell, PowerShell Remoting, and with the console. No problem of ascent.

regards

JustITPL (Author) commented Mar 22, 2021

Ok, the AD user in the MFA config can't change attributes in a specific OU, and I know that; it's okay for me. This is not the point.
The problem is with how MFA shows errors.

It's in the code. I don't know C#, but I can see the difference in the code. Remote or local PowerShell doesn't matter in this case.

See lines 795 and 1319 - they are different: Link

The screenshot shows the difference in errors. For the last command, PowerShell should write "TEST", not red text.
[image]

@redhook62 (Member) commented:

Hi,

Yes, of course it's in the code ...
However, the "Access is denied" message does come from your Active Directory; we do not invent the reason for the error. The problem is therefore on your side.

You could be more specific on some points.

  • Is it only with test@test.com that you have a problem?
  • Does the problem apply to all users?
  • Is the domain test.com the domain name of the Active Directory forest?
  • Is this an Active Directory TopLevelName?
  • Is this user test@test.com active in ADDS?
  • Is this a privileged user? Since you have a problem of access rights on ADDS (when writing, it seems)
  • Can you see and edit this user with the console?
  • etc....

You must also have detailed logs in the EventLog of your server.

As indicated above, we are not able to reproduce your case, although we have multiple test platforms (SQL / ADDS), multiple forests and subdomains, and multiple versions of ADFS.

So without more information there will be no possible fixes.
We provide help on the code (GitHub) for developers, and on the primary configuration of the MSI, in the context of full compliance with the prerequisites. We do not assume the configuration of your ADDS or SQL Servers drills; this is totally outside the scope of this Open-Source project.

regards

@JustITPL (Author) commented:

I know why I got the error, but the problem is how MFA presents some errors in PowerShell.
The second error is not a typical PowerShell error and I can't use -ErrorAction on the command - this is my issue.

@redhook62 (Member) commented:

Hi,

In the first place, it's not desirable to mix up the problems.
As a general rule, only open an issue when it is a verified bug!!!, and not when "F ** k, this doesn't work for me!".
If you have proposals for changes, put them in the "Pull Requests", even if it is not a question of code but simply of constructive ideas.
When that doesn't apply, why not open a discussion?

For your problem, yes, it is not the same type of exception.

First, the user is not known (usually not registered in MFA), and above all you pass a precise identity (-Identity); there is only one user to process, therefore, if it's not good -> script-terminating error.

If it's a collection which is passed in parameters, we are not "killing" the script for one user error and just show this error on the console.
Leaving the script to run for the other entries in the collection, no terminating error is thrown.

So, "Mr PowerShell", the request is justified, but it is an evolution and not a bug...

When an identity is passed, regardless of the error, the script must be terminated (standard PowerShell error).
If instead it is a user collection, what we can do is include the error message in the "stderr" standard error output without having to terminate the script.

So, we will add a systematic terminating error if an identity is provided.
In the case of a collection, we will continue to not stop the script, but rather than just showing the error for each entry, we will redirect this error to the standard "stderr" error stream.

Let us know if it's OK for you.

regards
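The two behaviours agreed on above (terminating error for a single -Identity, non-terminating error on the error stream for a collection), as an added PowerShell example that is not code from the project; Set-DemoMfaUser, New-NotFoundRecord and the account list are hypothetical stand-ins:

```powershell
function Set-DemoMfaUser {
    [CmdletBinding(DefaultParameterSetName = 'Identity')]
    param(
        [Parameter(ParameterSetName = 'Identity', Mandatory)]
        [string]$Identity,
        [Parameter(ParameterSetName = 'Collection', Mandatory)]
        [string[]]$Collection
    )
    # Constructed stand-in for the directory: only these accounts are registered.
    $known = @('alice@example.com', 'bob@example.com')
    function New-NotFoundRecord([string]$user) {
        [System.Management.Automation.ErrorRecord]::new(
            [System.Management.Automation.ItemNotFoundException]::new("User '$user' is not registered in MFA"),
            'MfaUserNotFound',
            [System.Management.Automation.ErrorCategory]::ObjectNotFound,
            $user)
    }
    if ($PSCmdlet.ParameterSetName -eq 'Identity') {
        if ($Identity -notin $known) {
            # One identity, one outcome: a terminating error stops the command and
            # surfaces to the caller as a catchable exception.
            $PSCmdlet.ThrowTerminatingError((New-NotFoundRecord $Identity))
        }
        return "Updated $Identity"
    }
    foreach ($user in $Collection) {
        if ($user -notin $known) {
            # Collection: report on the error stream and keep processing the rest.
            # Non-terminating, so the caller's -ErrorAction and -ErrorVariable apply.
            $PSCmdlet.WriteError((New-NotFoundRecord $user))
            continue
        }
        "Updated $user"
    }
}

# Identity form: the error is terminating, so try/catch sees it.
try { Set-DemoMfaUser -Identity 'mallory@example.com' }
catch { "Caught: $($_.Exception.Message)" }

# Collection form: processing continues past the unknown entry; the failure is
# still recorded in -ErrorVariable, and -ErrorAction Stop would make it terminating.
Set-DemoMfaUser -Collection 'alice@example.com', 'nobody@example.com', 'bob@example.com' `
    -ErrorAction SilentlyContinue -ErrorVariable mfaErrors
"Failures recorded: $($mfaErrors.Count)"
```

The first call prints the caught message and nothing else; the second prints two "Updated" lines and reports one recorded failure, which is what lets a script decide per entry instead of losing the whole batch.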

@redhook62 (Member) commented:

Done in version 3.1.2103.7
