Authentication bug with 2.26.1 and PowerShell Desktop (5.1)

[sentient-sloth]

Describe the bug

I am trying to use the latest release in PowerShell 5.1 and hitting an authentication error relating to an invalid claims request. The initial authentication via Connect-MgGraph is successful but on running any subsequent cmdlets the following error is received (when using interactive user auth flow):

Message: AADSTS901001: Invalid request. The claims request parameter value '{"access_token":{"xms_cc":{"' is invalid.

If using DeviceCode authentication the following errors are seen:

Get-MgUser : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.

These errors are not seen if the first authentication occurs in PowerShell 7, but if the first authentication occurs in PowerShell 5 the module is broken across both 5 and 7.

Fully removing 2.26.1 and downgrading to 2.24 resolves this issue.

Expected behavior

The expected behaviour is that the Graph cmdlets function when authenticating in PowerShell Desktop (5.1) and do not throw an authentication claims error.

Have seen this issue with multiple tenants and have reproduced on Windows 10, Windows 11 and Windows Server 2022.

How to reproduce

There are quite a few variants of this but the definitive way to reproduce:

1. On a fresh install of Windows, run Install-Module Microsoft.Graph
2. Run: Connect-MgGraph
3. Run any Mg cmdlet e.g. Get-MgUser -UserId $UPN

At this point the error will be thrown.

SDK Version

2.26.1

Latest version known to work for scenario above?

2.24

Known Workarounds

1. Downgrade to 2.24
2. Ensure fresh install and authentication of 2.26.1 is performed in PowerShell 7

Debug output

DEBUG: [CmdletBeginProcessing]: - Get-MgUser begin processing with parameterSet 'Get'.

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'DeviceCode', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line
Tools'.

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, AdministrativeUnit.Read.All, Agreement.Read.All, AgreementAcceptance.Read.All, Analytics.Read,
APIConnectors.Read.All, Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, ConsentRequest.Read.All,
CrossTenantInformation.ReadBasic.All, CrossTenantUserProfileSharing.Read.All, CustomSecAttributeAssignment.Read.All,
CustomSecAttributeDefinition.Read.All, DelegatedPermissionGrant.ReadWrite.All, Device.Read.All, DeviceManagementApps.Read.All,
DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, DeviceManagementServiceConfig.Read.All,
Directory.AccessAsUser.All, Directory.Read.All, DirectoryRecommendations.Read.All, Domain.Read.All, EduAdministration.Read, EduAssignments.Read, email,
EntitlementManagement.Read.All, Group.Read.All, GroupMember.Read.All, IdentityProvider.Read.All, IdentityRiskEvent.Read.All,
IdentityRiskyServicePrincipal.Read.All, IdentityRiskyUser.Read.All, IdentityUserFlow.Read.All, InformationProtectionPolicy.Read, MailboxSettings.Read,
ManagedTenants.Read.All, Member.Read.Hidden, openid, Organization.Read.All, OrgContact.Read.All, Policy.Read.All, PrivilegedAccess.Read.AzureAD,
PrivilegedAccess.Read.AzureADGroup, PrivilegedAccess.Read.AzureResources, profile, Reports.Read.All, RoleManagement.Read.CloudPC,
RoleManagement.Read.Directory, RoleManagementPolicy.Read.Directory, SecurityActions.Read.All, SecurityAlert.Read.All, SecurityEvents.Read.All,
SecurityIncident.Read.All, ServiceHealth.Read.All, ServiceMessage.Read.All, ServicePrincipalEndpoint.Read.All, SharePointTenantSettings.Read.All,
Sites.Read.All, Subscription.Read.All, TeamSettings.Read.All, ThreatHunting.Read.All, ThreatIndicators.Read.All, UnifiedGroupMember.Read.AsGuest,
User.Read, User.Read.All, User.ReadBasic.All, UserAuthenticationMethod.Read.All].

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users/user@domain

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.19045; en-US),PowerShell/5.1.19041.5486

Body:

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: [CmdletException]: Received exception with message 'AuthenticationFailedException - DeviceCodeCredential authentication failed: Object reference
not set to an instance of an object. : at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean
isCredentialUnavailable)
at Azure.Identity.DeviceCodeCredential.d__44.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.DeviceCodeCredential.d__41.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Kiota.Authentication.Azure.AzureIdentityAccessTokenProvider.d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.PowerShell.Users.<UserGetUser_Call>d__237.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Graph.PowerShell.Users.<UserGetUser_Call>d__237.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.PowerShell.Users.d__231.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get.d__66.MoveNext()'

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):

Confirm
DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
Get-MgUser : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.
At line:1 char:1

• Get-MgUser -UserId $UPN -Debug

•   + CategoryInfo          : NotSpecified: (:) [Get-MgUser_Get], AuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get
  
  

DEBUG: [CmdletEndProcessing]: - Get-MgUser end processing.

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):

Configuration

OS: Windows 10

Name Value

---

PSVersion 5.1.19041.5486
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.5486
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Other information

No response

[mayur-3877]

I have installed latest version of MG Graph PS module i.e. 2.26/2.26.1 on Windows 11 device. Post authenticating it using Connect-mggraph command it will again prompt for authentication for any cmdlet I am running and it fails with the error (mentioned in below screenshot) without letting me select the account for authentication.

With PowerShell 7 it works but it fails with PowerShell 5.1. It all works well with version 2.25 on the same machine with PowerShell 5.1 itself.

[timayabi2020]

Hi @sentient-sloth it seems like authentication is being dropped in PowerShell 5. However, I have not yet been able to reproduce the issue. We are currently investigating but in case of new findings please share so that we can get to a solution quickly.

[ratty67]

All. This seems to fail in a normal PS session, but works in an admin PS session.

I use Connect-MgGraph -ContextScope Process to connect as a different user than the ps session. Once connected in a normal session, I run my command (in this instance I've been using $all = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All) In the normal session I get another auth prompt but cannot add any details and it disappears quickly with the error appearing in the session.

If the above is run from an admin session, the second auth prompt doesn't occur and the command completes successfully.

PS 5.1, Microsoft.MgGraph 2.26.1

[msurana2806]

Hello @sentient-sloth ,

If I connect my graph with AuthType AppOnly, it works fine for me.
With admin or other things it fails for me.
Just an FYI.

[sentient-sloth]

@timayabi2020 I'm surprised you can't reproduce, I can consistently recreate this behaviour on a fresh install of Windows (10, 11, 2022 tested). The default behaviour for a fresh OS is for PS to run with admin rights so with PS5 the module is getting installed in the system module directory (C:\Program Files\WindowsPowerShell\Modules\), not the user module directory as shown in your example. I'm going to test installing in the user context and see if that makes a difference for me and will report back, but definitely seems to be a bug here for PS5.

You also mention depreciation of auth for PS5 - can you provide a source for this info? Will affect a lot of people if that's being depreciated as PS5 is still the standard for most people in my experience given its the default available shell.

[secretworkpersona]

Hello @sentient-sloth ,

If I connect my graph with AuthType AppOnly, it works fine for me. With admin or other things it fails for me. Just an FYI.

I also connect via an App and the issue does not occur.

[sentient-sloth]

Some additional updates:

• It doesn't matter if the module is installed in the user or system profile, as long as it's all done in PS5 it will fail
• As noted by a few others above, if you configure AppOnly authentication it bypasses this error
• If the authentication token is generated by PS7 it will successfully work in PS5 (e.g. Connect-MgGraph is completed in PS7 and the token in ~\AppData\Local\.IdentityService\ is generated, this will then be used by PS5 successfully.

Hopefully this can be resolved in the next release as App based auth is not a good workaround for me and am currently asking clients to roll back the module version to solve this.

[AJF-SD]

Hi all, I am also getting a mix of this issue and the duplicate tagged issue #3203. I use PS5 to test my code before adding it to Azure Runbooks. Please note that Azure Runbooks in the Azure Government Cloud still only uses PS5, the PS7 is in preview and is the older 7.1 version. I'm happy to provide more logs if it would help. I have verified that I don't get the issue in 2.25.0, but I do see the errors with both 2.26.0 and 2.26.1. We are currently forcing the use of the 2.25.0 modules as a workaround, until this can be resolved.