Authentication bug with 2.26.1 and PowerShell Desktop (5.1)
Describe the bug
I am trying to use the latest release in PowerShell 5.1 and hitting an authentication error relating to an invalid claims request. The initial authentication via Connect-MgGraph is successful but on running any subsequent cmdlets the following error is received (when using interactive user auth flow):
Message: AADSTS901001: Invalid request. The claims request parameter value '{"access_token":{"xms_cc":{"' is invalid.
If using DeviceCode authentication the following errors are seen:
Get-MgUser : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.
These errors are not seen if the first authentication occurs in PowerShell 7, but if the first authentication occurs in PowerShell 5 the module is broken across both 5 and 7.
Fully removing 2.26.1 and downgrading to 2.24 resolves this issue.
Expected behavior
The expected behaviour is that the Graph cmdlets function when authenticating in PowerShell Desktop (5.1) and do not throw an authentication claims error.
Have seen this issue with multiple tenants and have reproduced on Windows 10, Windows 11 and Windows Server 2022.
How to reproduce
There are quite a few variants of this but the definitive way to reproduce:
- On a fresh install of Windows, run `Install-Module Microsoft.Graph`
- Run: `Connect-MgGraph`
- Run any Mg cmdlet e.g. `Get-MgUser -UserId $UPN`
At this point the error will be thrown.
SDK Version
2.26.1
Latest version known to work for scenario above?
2.24
Known Workarounds
- Downgrade to 2.24
- Ensure fresh install and authentication of 2.26.1 is performed in PowerShell 7
Debug output
DEBUG: [CmdletBeginProcessing]: - Get-MgUser begin processing with parameterSet 'Get'.
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'DeviceCode', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, AdministrativeUnit.Read.All, Agreement.Read.All, AgreementAcceptance.Read.All, Analytics.Read, APIConnectors.Read.All, Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, ConsentRequest.Read.All, CrossTenantInformation.ReadBasic.All, CrossTenantUserProfileSharing.Read.All, CustomSecAttributeAssignment.Read.All, CustomSecAttributeDefinition.Read.All, DelegatedPermissionGrant.ReadWrite.All, Device.Read.All, DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, DeviceManagementServiceConfig.Read.All, Directory.AccessAsUser.All, Directory.Read.All, DirectoryRecommendations.Read.All, Domain.Read.All, EduAdministration.Read, EduAssignments.Read, email, EntitlementManagement.Read.All, Group.Read.All, GroupMember.Read.All, IdentityProvider.Read.All, IdentityRiskEvent.Read.All, IdentityRiskyServicePrincipal.Read.All, IdentityRiskyUser.Read.All, IdentityUserFlow.Read.All, InformationProtectionPolicy.Read, MailboxSettings.Read, ManagedTenants.Read.All, Member.Read.Hidden, openid, Organization.Read.All, OrgContact.Read.All, Policy.Read.All, PrivilegedAccess.Read.AzureAD, PrivilegedAccess.Read.AzureADGroup, PrivilegedAccess.Read.AzureResources, profile, Reports.Read.All, RoleManagement.Read.CloudPC, RoleManagement.Read.Directory, RoleManagementPolicy.Read.Directory, SecurityActions.Read.All, SecurityAlert.Read.All, SecurityEvents.Read.All, SecurityIncident.Read.All, ServiceHealth.Read.All, ServiceMessage.Read.All, ServicePrincipalEndpoint.Read.All, SharePointTenantSettings.Read.All, Sites.Read.All, Subscription.Read.All, TeamSettings.Read.All, ThreatHunting.Read.All, ThreatIndicators.Read.All, UnifiedGroupMember.Read.AsGuest, User.Read, User.Read.All, 
User.ReadBasic.All, UserAuthenticationMethod.Read.All].
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: ============================ HTTP REQUEST ============================
HTTP Method: GET
Absolute Uri: https://graph.microsoft.com/v1.0/users/user@domain
Headers: FeatureFlag : 00000003 Cache-Control : no-store, no-cache User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.19045; en-US),PowerShell/5.1.19041.5486
Body:
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: [CmdletException]: Received exception with message 'AuthenticationFailedException - DeviceCodeCredential authentication failed: Object reference not set to an instance of an object. : at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable) at Azure.Identity.DeviceCodeCredential.<GetTokenImplAsync>d__44.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Azure.Identity.DeviceCodeCredential.<GetTokenAsync>d__41.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Kiota.Authentication.Azure.AzureIdentityAccessTokenProvider.<GetAuthorizationTokenAsync>d__14.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.<AuthenticateRequestAsync>d__13.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.<SendAsync>d__12.MoveNext() --- End of stack trace from previous location where exception was thrown --- at 
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Users.<UserGetUser_Call>d__237.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at Microsoft.Graph.PowerShell.Users.<UserGetUser_Call>d__237.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Users.<UserGetUser>d__231.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get.<ProcessRecordAsync>d__66.MoveNext()'
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
Confirm DeviceCodeCredential authentication failed: Object reference not set to an instance of an object. [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): Get-MgUser : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object. At line:1 char:1
- Get-MgUser -UserId $UPN -Debug
-
+ CategoryInfo : NotSpecified: (:) [Get-MgUser_Get], AuthenticationFailedException + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get
DEBUG: [CmdletEndProcessing]: - Get-MgUser end processing.
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
Configuration
OS: Windows 10
| Name | Value |
|---|---|
| PSVersion | 5.1.19041.5486 |
| PSEdition | Desktop |
| PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0...} |
| BuildVersion | 10.0.19041.5486 |
| CLRVersion | 4.0.30319.42000 |
| WSManStackVersion | 3.0 |
| PSRemotingProtocolVersion | 2.3 |
| SerializationVersion | 1.1.0.1 |
Other information
No response
I have installed the latest version of the MG Graph PS module, i.e. 2.26/2.26.1, on a Windows 11 device. After authenticating using the Connect-mggraph command, it prompts again for authentication for any cmdlet I run, and it fails with the error (mentioned in below screenshot) without letting me select the account for authentication.
With PowerShell 7 it works but it fails with PowerShell 5.1. It all works well with version 2.25 on the same machine with PowerShell 5.1 itself.
Hi @sentient-sloth it seems like authentication is being dropped in PowerShell 5. However, I have not yet been able to reproduce the issue. We are currently investigating but in case of new findings please share so that we can get to a solution quickly.
All. This seems to fail in a normal PS session, but works in an admin PS session.
I use Connect-MgGraph -ContextScope Process to connect as a different user than the PS session. Once connected in a normal session, I run my command (in this instance I've been using $all = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All). In the normal session I get another auth prompt but cannot add any details and it disappears quickly with the error appearing in the session.
If the above is run from an admin session, the second auth prompt doesn't occur and the command completes successfully.
PS 5.1, Microsoft.MgGraph 2.26.1
Hello @sentient-sloth ,
If I connect my graph with AuthType AppOnly, it works fine for me. With admin or other things it fails for me. Just an FYI.
@timayabi2020 I'm surprised you can't reproduce, I can consistently recreate this behaviour on a fresh install of Windows (10, 11, 2022 tested). The default behaviour for a fresh OS is for PS to run with admin rights so with PS5 the module is getting installed in the system module directory (C:\Program Files\WindowsPowerShell\Modules\), not the user module directory as shown in your example. I'm going to test installing in the user context and see if that makes a difference for me and will report back, but there definitely seems to be a bug here for PS5.
You also mention deprecation of auth for PS5 - can you provide a source for this info? It will affect a lot of people if that's being deprecated, as PS5 is still the standard for most people in my experience given it's the default available shell.
> Hello @sentient-sloth ,
> If I connect my graph with AuthType AppOnly, it works fine for me. With admin or other things it fails for me. Just an FYI.

I also connect via an App and the issue does not occur.
Some additional updates:
- It doesn't matter if the module is installed in the user or system profile, as long as it's all done in PS5 it will fail
- As noted by a few others above, if you configure AppOnly authentication it bypasses this error
- If the authentication token is generated by PS7 it will successfully work in PS5 (e.g. `Connect-MgGraph` is completed in PS7 and the token in `~\AppData\Local\.IdentityService\` is generated, this will then be used by PS5 successfully).
Hopefully this can be resolved in the next release as App based auth is not a good workaround for me and am currently asking clients to roll back the module version to solve this.
Hi all, I am also getting a mix of this issue and the duplicate tagged issue #3203. I use PS5 to test my code before adding it to Azure Runbooks. Please note that Azure Runbooks in the Azure Government Cloud still only uses PS5, the PS7 is in preview and is the older 7.1 version. I'm happy to provide more logs if it would help. I have verified that I don't get the issue in 2.25.0, but I do see the errors with both 2.26.0 and 2.26.1. We are currently forcing the use of the 2.25.0 modules as a workaround, until this can be resolved.
Hi @timayabi2020, is there any way to test the pre-release version of the MG Graph PS module? We have a tool that has a dependency on the MG Graph module. Since our tool will install the latest version of the MG Graph module, if there is any issue (like what we've seen with 2.26 & 2.26.1) with a newer version of the MG Graph module, then it will impact our production deployment. We would like to test the upcoming MG Graph version prior to its release, so that we can ensure it does not impact our production deployment. Please suggest.
I ran into this issue on Windows Server 10.0.20348 N/A Build 20348 within PS 5.1.20348.2849. I can confirm complete uninstallation of 2.26.1 and installation of 2.24 instead "resolves" the issue.
Good people. I am still not able to reproduce the issue. Could one of you share the outcome of the below command after connecting to Graph? I need to see if there are any assembly conflicts.
[System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object Location | Sort-Object -Property FullName | Select-Object -Property FullName, Location | Out-GridView
Interesting, I can consistently reproduce on a fresh VM both in Azure and via a local VM using an ISO to build. Here's the requested output, let me know if you'd prefer it as a CSV or otherwise:
> Good people. I am still not able to reproduce the issue. Could one of you share the outcome of the below command after connecting to Graph? I need to see if there are any assembly conflicts.
> [System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object Location | Sort-Object -Property FullName | Select-Object -Property FullName, Location | Out-GridView

I have opted for a more accessible output variety than GridView-screenshots. If you absolutely need the data as Base64-encoded Bitmap, do tell.
| FullName | Location |
|---|---|
| Azure.Core, Version=1.39.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\Azure.Core.dll |
| Azure.Identity, Version=1.11.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Azure.Identity.dll |
| EPPlus, Version=4.5.3.2, Culture=neutral, PublicKeyToken=ea159fdaa78159a1 | C:\Program Files\WindowsPowerShell\Modules\ImportExcel\7.8.10\EPPlus.dll |
| Microsoft.Bcl.AsyncInterfaces, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Microsoft.Bcl.AsyncInterfaces.dll |
| Microsoft.CertificateServices.PKIClient.Cmdlets, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll |
| Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll |
| Microsoft.Graph.Authentication, Version=2.24.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Microsoft.Graph.Authentication.dll |
| Microsoft.Graph.Authentication.Core, Version=2.24.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Microsoft.Graph.Authentication.Core.dll |
| Microsoft.Graph.Core, Version=3.1.13.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\Microsoft.Graph.Core.dll |
| Microsoft.Identity.Client, Version=4.61.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\Microsoft.Identity.Client.dll |
| Microsoft.Identity.Client.Extensions.Msal, Version=4.61.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\Microsoft.Identity.Client.Extensions.Msal.dll |
| Microsoft.IdentityModel.Abstractions, Version=7.6.2.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Microsoft.IdentityModel.Abstractions.dll |
| Microsoft.Kiota.Abstractions, Version=1.9.6.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Microsoft.Kiota.Abstractions.dll |
| Microsoft.Kiota.Authentication.Azure, Version=1.1.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Microsoft.Kiota.Authentication.Azure.dll |
| Microsoft.Kiota.Http.HttpClientLibrary, Version=1.4.3.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Microsoft.Kiota.Http.HttpClientLibrary.dll |
| Microsoft.Management.Infrastructure, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll |
| Microsoft.Management.Infrastructure.Native, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll |
| Microsoft.PackageManagement, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.dll |
| Microsoft.PackageManagement.ArchiverProviders, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.ArchiverProviders.dll |
| Microsoft.PackageManagement.CoreProviders, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.CoreProviders.dll |
| Microsoft.PackageManagement.MetaProvider.PowerShell, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MetaProvider.PowerShell.dll |
| Microsoft.PackageManagement.MsiProvider, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsiProvider.dll |
| Microsoft.PackageManagement.MsuProvider, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsuProvider.dll |
| Microsoft.PackageManagement.NuGetProvider, Version=2.8.5.208, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll |
| Microsoft.PowerShell.Activities, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Activities\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Activities.dll |
| Microsoft.PowerShell.Commands.Diagnostics, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll |
| Microsoft.PowerShell.Commands.Management, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll |
| Microsoft.PowerShell.Commands.Utility, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll |
| Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll |
| Microsoft.PowerShell.PackageManagement, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PowerShell.PackageManagement.dll |
| Microsoft.PowerShell.PSReadline, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.dll |
| Microsoft.PowerShell.ScheduledJob, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll |
| Microsoft.PowerShell.Security, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll |
| Microsoft.PowerShell.Workflow.ServiceCore, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Workflow.ServiceCore.dll |
| Microsoft.Windows.Appx.PackageManager.Commands, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Windows.Appx.PackageManager.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.Appx.PackageManager.Commands.dll |
| Microsoft.Windows.Firewall.Commands, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll |
| Microsoft.WSMan.Management, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll |
| mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll |
| netstandard, Version=2.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll |
| Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\Newtonsoft.Json.dll |
| PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll |
| PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll |
| System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll |
| System.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll |
| System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll |
| System.Buffers, Version=4.0.3.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\System.Buffers.dll |
| System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll |
| System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll |
| System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll |
| System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll |
| System.Diagnostics.DiagnosticSource, Version=6.0.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\System.Diagnostics.DiagnosticSource.dll |
| System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll |
| System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll |
| System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll |
| System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll |
| System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll |
| System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll |
| System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll |
| System.Memory, Version=4.0.1.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\System.Memory.dll |
| System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll |
| System.Net.Http.WinHttpHandler, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\System.Net.Http.WinHttpHandler.dll |
| System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll |
| System.Numerics.Vectors, Version=4.1.4.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\System.Numerics.Vectors.dll |
| System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll |
| System.Runtime.CompilerServices.Unsafe, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\System.Runtime.CompilerServices.Unsafe.dll |
| System.Runtime.InteropServices.RuntimeInformation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll |
| System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll |
| System.Runtime.WindowsRuntime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.dll |
| System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll |
| System.Security.Cryptography.ProtectedData, Version=4.0.5.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\System.Security.Cryptography.ProtectedData.dll |
| System.Text.Encodings.Web, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\Desktop\System.Text.Encodings.Web.dll |
| System.Text.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\System.Text.Json.dll |
| System.Threading.Tasks.Extensions, Version=4.2.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Authentication\2.24.0\Dependencies\System.Threading.Tasks.Extensions.dll |
| System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll |
| System.ValueTuple, Version=4.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll |
| System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a | C:\Windows\Microsoft.Net\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll |
| System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll |
| System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll |
| System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll |
| System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll |
| System.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll |
| Windows.ApplicationModel, Version=255.255.255.255, Culture=neutral, PublicKeyToken=null, ContentType=WindowsRuntime | C:\Windows\system32\WinMetadata\Windows.ApplicationModel.winmd |
| Windows.Foundation, Version=255.255.255.255, Culture=neutral, PublicKeyToken=null, ContentType=WindowsRuntime | C:\Windows\system32\WinMetadata\Windows.Foundation.winmd |
| Windows.Management, Version=255.255.255.255, Culture=neutral, PublicKeyToken=null, ContentType=WindowsRuntime | C:\Windows\system32\WinMetadata\Windows.Management.winmd |
| Windows.System, Version=255.255.255.255, Culture=neutral, PublicKeyToken=null, ContentType=WindowsRuntime | C:\Windows\system32\WinMetadata\Windows.System.winmd |
| WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll |
We have the same issue. Our tenant leverages conditional access requirements for authentication, and identity protection. Our experience seems to be the module versions that leverage the MSAL 4.61.3.0 assembly will get a usable token, but the MSAL 4.67.2.0 assembly seems to have an issue acquiring the access_token.
@lousimonetti thanks for the information. I have also been checking on the Azure Identity side to see whether there are similar issues reported. The closest one that I came across is this one: https://github.com/Azure/azure-sdk-for-net/issues/49174.
@timayabi2020 the Microsoft.Identity.Client dll did have a defect reported on their repo https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/5162
We are having the same/similar issues in PowerShell 7 and Graph module 2.26.1. 2.25.0 works fine.
Set-MGBetaUserLicense -UserId $UPN -AddLicenses $License -RemoveLicenses $coreUserLicenses
OR...
Set-MGBetaUserLicense -UserId $UPN -AddLicenses $E3License -RemoveLicenses @()
We are using an Azure app and secret for authentication. Wondering if this is being looked at and when we will have a fix. I can post more details if needed.
Same issue here. I'm doing a device authentication with 2.26.1 and then run get-mgBetaDirectorySetting from Microsoft.Graph.Beta.Identity.DirectoryManagement 2.26.1 which results in a Get-MgUser : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.
Name Value
---- -----
PSVersion 7.5.0
PSEdition Core
GitCommitId 7.5.0
OS Microsoft Windows 10.0.26100
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
In all honesty I have not been able to reproduce this issue, however there is an issue reported here with Azure.Identity which the SDK's authentication module takes a dependency on.
Hi @timayabi2020, I trust you disconnected mggraph from PowerShell 7 (in case you are connected to mggraph through PS 7) and then tried to connect from PS 5? Also, I hope you tried a fresh install of the module from PS 5. If you connect mggraph through PS 7, then it works with PS 5 as well. Sharing this just to confirm, since you are not able to reproduce the issue.
Yeah I'm surprised you can't reproduce as I can consistently reproduce this on fresh installs of Windows 10, 11, Server 2019, 2022 and 2025 without fail by just using PS 5.1 and installing the latest module. Have confirmed today that 2.27 is still broken for this issue.
Anyone please confirm the behavior when WAM is enabled and also when disabled.
To disable/enable WAM use Set-MgGraphOption -EnableLoginByWAM $False|$True
When setting that option to true I get the following error during authentication.
I see the same behavior with WAM enabled/disabled.
@timayabi2020 I can reproduce it. If there's anything you'd like me to test, let me know.
PS C:\Users\niccodan> get-module
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.26.1 Microsoft.Graph.Authentication {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}
Script 2.26.1 Microsoft.Graph.Identity.SignIns {Confirm-MgRiskyServicePrincipalCompromised, Confirm-MgRiskyUserCompromised, Disable-MgMeAuthenticationPhoneMethodSmsSignIn, Disable-MgUserAuthenticationPhoneMethodSmsSi…
Manifest 7.0.0.0 Microsoft.PowerShell.Management {Add-Content, Clear-Content, Clear-Item, Clear-ItemProperty…}
Manifest 7.0.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object…}
Script 2.3.6 PSReadLine {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PSReadLineKeyHandler, Set-PSReadLineKeyHandler…}
PS C:\Users\niccodan> $PSVersionTable
Name Value
---- -----
PSVersion 7.5.1
PSEdition Core
GitCommitId 7.5.1
OS Microsoft Windows 10.0.26100
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
We're seeing the same error with Get-MgGroupPlannerPlanTask. Using VSCode, PowerShell 7.4.4
Reproduced in Docker
I was able to reproduce the issue using the container image mcr.microsoft.com/dotnet/sdk:10.0.100-preview.4-nanoserver-ltsc2025. Note that you must run the container as ContainerAdministrator, otherwise no package provider is available:
docker run --user ContainerAdministrator -it --rm mcr.microsoft.com/dotnet/sdk:10.0.100-preview.4-nanoserver-ltsc2025
Although we're using Microsoft 365 operated by 21Vianet (Azure China), the same issue appears likely to occur in global/public cloud environments as well.
Fails with Microsoft.Graph 2.28
The following sequence fails with version 2.28:
Install-Module Microsoft.Graph
Connect-MgGraph -Environment China -TenantId 'ura.partner.onmschina.cn' -ClientId '00000000-0000-0000-0000-000000000000' -Scopes "User.Read.All" -UseDeviceCode
Get-MgUser
Error:
Get-MgApplication_List: DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.
Succeeds with Microsoft.Graph 2.24
Downgrading to version 2.24 resolves the issue:
Install-Module Microsoft.Graph -RequiredVersion 2.24
Connect-MgGraph -Environment China -TenantId 'ura.partner.onmschina.cn' -ClientId '00000000-0000-0000-0000-000000000000' -Scopes "User.Read.All" -UseDeviceCode
Get-MgUser
Output:
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
...
Workaround: Use -ContextScope Process
Using -ContextScope Process appears to bypass the issue, even with version 2.28, which suggests the problem might be related to cached context when using the default CurrentUser scope:
Connect-MgGraph -Environment China -TenantId 'ura.partner.onmschina.cn' -ClientId '00000000-0000-0000-0000-000000000000' -Scopes "User.Read.All" -UseDeviceCode -ContextScope Process
We're also experiencing this issue, luckily not affecting our automations since they all leverage MSI/client+secret/certificates.
-ContextScope Process seems to be a valid work-around for now.
I think this might be related to https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3350
Yep, it's still broken. As noted above, it works if you set the context to Process so it appears the fault is in the local storage of the Auth token (as it doesn't get stored when limited to the local process), with only the code tied to PS 5.1 broken, as core is fine.
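The two observations in this thread (the MSAL assembly version differs between working and failing installs, and `-ContextScope Process` avoids the failure) can be checked together with a short script. This is an added example, not code from any participant or from the SDK; the function names and the `$LastGood` threshold are assumptions based on the versions reported above.

```powershell
# Added example. $LastGood reflects the version reported working in this thread,
# not a vendor-published boundary.
$LastGood = [version]'2.24.0'

function Get-GraphAuthDiagnostics {
    # Installed copies of the authentication module, newest first.
    $installed = Get-Module -ListAvailable -Name Microsoft.Graph.Authentication |
        Sort-Object Version -Descending |
        Select-Object Version, ModuleBase

    # Identity assemblies already loaded in this session and where they came from.
    $names = 'Microsoft.Identity.Client', 'Azure.Identity', 'Azure.Core'
    $loaded = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $names -contains $_.GetName().Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.GetName().Name
                Version  = $_.GetName().Version
                Location = $_.Location
            }
        }

    [pscustomobject]@{
        PSEdition        = $PSVersionTable.PSEdition
        PSVersion        = $PSVersionTable.PSVersion
        InstalledModules = $installed
        LoadedAssemblies = $loaded
    }
}

function Connect-MgGraphScoped {
    param([string[]]$Scopes = @('User.Read.All'))

    $newest = Get-Module -ListAvailable -Name Microsoft.Graph.Authentication |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $newest) { throw 'Microsoft.Graph.Authentication is not installed.' }

    if ($newest.Version -gt $LastGood) {
        # Versions after 2.24 were reported failing with the default CurrentUser scope.
        Write-Warning "Module $($newest.Version) detected; connecting with -ContextScope Process."
        Connect-MgGraph -Scopes $Scopes -ContextScope Process
    }
    else {
        Connect-MgGraph -Scopes $Scopes
    }
    # Confirm which scope and credential type the session actually ended up with.
    Get-MgContext | Select-Object AuthType, TokenCredentialType, ContextScope
}
```

Run `Get-GraphAuthDiagnostics` in the same session as a failing cmdlet so the loaded MSAL assembly version is captured alongside the error. A Process-scoped context is not shared with other sessions, so each new session signs in again.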