msgraph-sdk-powershell icon indicating copy to clipboard operation
msgraph-sdk-powershell copied to clipboard
verified publisher icon microsoftgraph

Double Authentication for Delegated Permission Use on 2.26 or Newer

Open nkasco opened this issue 9 months ago • 5 comments

Describe the bug

When using Connect-MgGraph simply with the default Graph PowerShell Enterprise App on any version 2.26 or newer, specifically, when using with delegated permissions there seems to be an intermittent double auth prompt. I can't repro this at will, but I've confirmed it in both my corporate environment, personal PC environment, and corroborated with members of the PowerShell community via discord who also confirmed they've seen it as well.

Expected behavior

Single auth prompt should be persistent for the length of the PowerShell process session unless Disconnect-MgGraph is otherwise called.

How to reproduce

  1. Connect-MgGraph (no other parameters are required to repro since this is delegated permission use with auth code flow on the default Graph PowerShell enterprise app)
  2. Auth like normal using an account that has access and proper AAD role for delegated permission use (such as Directory.ReadWrite.All)
  3. After successful auth, run a subsequent cmdlet from the module (e.g. Get-MgDevice)
  4. Intermittently, it will prompt for auth again

SDK Version

2.26

Latest version known to work for scenario above?

2.25

Known Workarounds

Deal with double authentication prompts.

Debug output

No response

Configuration

No response

Other information

Don't quote me on whether this started with 2.25 or 2.26, it was right at the turn of the new year. It definitely never occurred on 2.24

nkasco avatar May 12 '25 17:05 nkasco

Also as an aside - Clearing the .mg folder did not resolve this issue

nkasco avatar May 13 '25 14:05 nkasco

I see the double auth prompt too. It's impossible to reproduce consistently...

12Knocksinna avatar May 21 '25 11:05 12Knocksinna

I don’t know if I’m having the same issue but after sign-in with Connect-MgGraph and running a command like Get-MgGroup, I get this error and no prompt for a second authentication :

Get-MgGroup : InteractiveBrowserCredential authentication failed: User canceled authentication.

Kev1661 avatar May 27 '25 19:05 Kev1661

@timayabi2020 Any chance you can look into this one? It's quite nagging and we don't know how to repro at will. I thought I recalled some significant auth changes between versions though. Seems it might need a deeper look, my guess is it's related to either the token saving or retrieving.

nkasco avatar May 27 '25 19:05 nkasco