Playwright Post 6 - Automating Canvas App MFA login for Playwright unattended for Canvas apps

Overview:  Modern security makes automating logins requiring MFA rather difficult.  This post looks at possible approaches to automate the login.

Option 1. Turn off MFA—not really, but you can set a conditional rule in EntraId to not perform MFA. This is not an option in many enterprises.

Option 2. Time-based One-Time Password (TOTP)—Microsoft Authenticator makes this pretty difficult. At least I can't do it, as the APIS are relatively limited. This is kind of expected, as it's a security measure.

Option 3. Programmatically acquire an access token without browser automation, use MSAL with a client secret or certificate (for confidential clients). 

Option 4.  Use Playwright to record the login and intercept the access token once logged in.  Then you can store it and use it.  There are a few easy options to get the session:

4.1. Retrieve the access token from the response once logged in

4.2. Retrieve from your local storage:

  const token = await page.evaluate(() => {

    return window.localStorage.getItem('adal.idtoken') || window.sessionStorage.getItem('adal.idtoken');

  });

4.3. Retrieve the token using Playwrite at the command run level

Note: This adds the token to my repository. Don't save the token to your repository if you don't realise that the Access/Bearer token will expire depending on what your EntraId sets. The default is 1 hour.

Option 4.3.1. Like option 4.3, use the refresh token to silently generate a new Access token. You store the refresh token during the recorded login (by default, it lasts for 90 days) to generate a new access token when you need it.

Option 4.3.2.  Take it further back to generate the refresh token using the access code you get at the original login, renew the "refresh token", and generate a new access token to run your tests.

If you decide to store your access token, refresh token or code, don't store them in your code repo.  You know why if you got this far.

Thought: as a refresh token works for 90 days on a sliding scale, I've never used the option 4.3.2, as by storing the refresh token, all I need to do is to extend the refresh token by using it to get an access token and the refresh token has 90 days from that point. 

This is the plan I'm thinking of using:

1. Store the refresh token in Azure Key Vault (AKV).
2. Your app retrieves the refresh token from AKV.
3. Uses the refresh token to get a new access token.
4. Store the new access token to run my ALM/CI/CD playwright tests

Playwright Series

Playwright Post 1 - Overview of E2E testing using Playwright

Playwright Post 2 - Continuously Test/Monitor Canvas apps and website with MFA enabled

Playwright Post 3 - Add App Insights logging inside your Playwright tests 

Playwright Post 4 - 6 Min walkthru of Playwright testing with Azure Monitor

Playwright Post 5 - Understanding how Playwright works

Playwright Post 6 - Unattended testing when secured with MFA (this post)

Playwright Post 4 - 6 Min walkthru of Playwright testing with Azure Monitor

Overview: Install VS Code and Playwright Extensions, create tests, set MFA for Canvas Apps/Power Apps, loop through Power App applications and check the home page is loading, write logs to Azure App Insights and show via the Azure Dashboard.

6 min - annotated Playwright setup and use video

====================

BDD in playwright playwright-bdd - npm

Cucumber in Playwright GitHub - dhrumil-soni-th/playwright-cucumber-learning

GitHub - mxschmitt/awesome-playwright: A curated list of awesome tools, utils and projects using Playwright

GitHub - mxschmitt/awesome-playwright: A curated list of awesome tools, utils and projects using Playwright

GitHub - mxschmitt/awesome-playwright: A curated list of awesome tools, utils and projects using Playwright

========================

Playwright Series

Playwright Post 1 - Overview of E2E testing using Playwright 

Playwright Post 2 - Continuously Test/Monitor Canvas apps and website with MFA enabled 

Playwright Post 3 - Add App Insights logging inside your Playwright tests 

Playwright Series - Post 4 - 6 Min walkthru of Playwright testing with Azure Monitor (this post)

Playwright Post 5 - Understanding how playwright works

Playwright Post 6 - Unattended testing when secured with MFA 

Other Posts

Upgrading two C# Blazor web applications and verifying using Playwright - super fast 

Mendix - Part 2 - Diving deeper (E2E automation testing of Mendix using Playwright)

Low-code testing with playwright walkthru

Continiously Monitor Apps using Playwright with TS

Testing Canvasa apps with Playwright using C# (rather use TS, it's better)

Playwright series - Post 2 - Refactored TS code for Consciously verify Apps in Production

Overview: Create a function with Playwright tests that loops through all my production apps, logs in, and validates the Page title load on each app's home page.

Steps:

1. Create the spec.ts code that reads app.json to loop thru and validate sites

2. Record and Store the session state for all future test runs (Used for MFA in the tests runs)

3. Create an apps.json file containing URLs to open and validate

4. After running the test, you'll see that the 3 tests were completed successfully. In my case, there were 2 Power Apps with MFA enabled and an anonymous public website that had been checked.

Optional: 

Create short cuts to run your tests using PowerShell

PS C:\repos\PW> npx playwright test -g "Prod-CanvasApps" --project=chromium --headed

Next Steps:

Run continuously using the Azure Playwright Service.

=========================

Playwright Series

Playwright Post 1 - Overview of E2E testing using Playwright

Playwright Post 2 - Continuously Test/Monitor Canvas apps and website with MFA enabled (this post)

Playwright Post 3 - Add App Insights logging inside your Playwright tests 

Playwright Post 4 - 6 Min walkthru of Playwright testing with Azure Monitor

Playwright Post 5 - Understanding how playwright works

Playwright Post 6 - Unattended testing when secured with MFA 

Other Posts

Upgrading two C# Blazor web applications and verifying using Playwright - super fast 

Mendix - Part 2 - Diving deeper (E2E automation testing of Mendix using Playwright)

Low-code testing with playwright walkthru

Continiously Monitor Apps using Playwright with TS

Testing Canvasa apps with Playwright using C# (rather use TS, it's better)

Use Postman to get your MFA Bearer token

Short recording to show how to get my Bearer token using my Microsoft AAP account.

Get MFA bearer token using postman

I used this post to help me: Authorizing requests overview | Postman Learning Center

Microsoft Azure MFA Notes (Az-300)

Study Notes on Multi Factor Authentication:

• AAD MFA: for 2nd factor done via Text, MS Authenticator, Phone Call 
• Azure MFA Server - For AD on-prem. MFA.  Most advanced set op options for integrating on-prem. infrastructure with MFA cloud service.  Download and install on a Windows server.  Don't need to AD Connect sync accounts to Azure AD (AAD).

• Azure MFA Server needs to use the Azure MFA Service to send SMS and Text authentication and MS Authenticator.
• The Azure MFA Server downloan includes a GDPR.exe utility for generation GDPR reports for a user.
• MFA billing is per User and is included in AD premium licences
• Conditional Access - so don't need for every user but when advanced roles can enforce MFA
• Azure SDK is only a Web Service since 2018
• ADFS has 2 MFA approaches/options: Azure MFA Server - no need to replicate users to AAD or ADFS 3 (Win 2016) upwards can use cloud based (no Azure MFA Server required).
• Password Stuffing - Hacker uses compromised password on different sites as people tend to reuse.
• Know e.g. password, or something you have e.g. RSA token, something you are e.g. fingerprint.  MFA must use 2 or more of these types.  Out-of-band device e.g. you phone using MS Authenticator.
• As a general rule with the 2nd factor Auth on Azure, if you want to add a pin to the auth, you can't use the cloud service but need to be using Azure MFA Server.
• OATH tokens for RSA or other outside token MFA (also for offline on phone via MSAuthenticator) but it requires Azure MFA Server to implement.  Azure portal also has basic OATH integration for 3rd party vendors.

MCAS overview MSIgnite London

Work in progress from MSIgniteTour London

Microsoft Cloud app security brokers (CASB) helps manage Shadow IT, detect high-risk OAuth apps, and control high-risk user sessions in real-time for your Office 365 environment.

Covers:

1. Azure AD (AAD)
2. Threat protection
3. Information protection 
4. SaaS e.g. box, SPO, ODfB

Shadow IT discovery:

Log collector uses proxy or proxy logs.  Find apps people are using.  

Can write back to block app usage at the proxy.  See people using dodgy saas apps. Supports script generation for most devices.

OAuth e.g. G-suite, attackers faking to get access to user info.  MCAS has risk score for apps used. Show all usage, correct users access.

O365 apps:

Check all apps against score:

MCAS protects for:

• Malicious employees
• Malware & ransomware
• Rogue applications
• Compromised accounts

Investigate:

Helps investigate abnormal behaviour.  Alert and highlight concerns.  Gain insight into user activity.

Can take action such as lock account, or req re-login.

File security:

Prevent sensitive info in the cloud, uses MIP Framework that uses AIP. Show public internet available info, only show SaaS services business control.  Can also force governance on 3rd party SaaS such as box

Block download of data:

Conditional access, so user using an unmanaged device, route user thru MCAS.  Can calc risk and decide on how they access e.g., an unmanaged device could for MFA.  Lots of controls, boilerplate web access, block, MFA, ...