
Azure Devops Pipeline Incorrectly Uses "Microsoft Graph Command Line Tools" Service Principal

Open awdavies90 opened this issue 5 months ago • 2 comments

I initially wanted to add this as a comment on #855, as I think (reading between the lines a bit) that I might be seeing the same/similar issue, but I didn't have permissions, so I have raised it as a new issue.

In Azure Devops I am running the following:

```yaml
- task: AzurePowerShell@5
  displayName: 'Run Maester'
  inputs:
    azureSubscription: 'maester-prod'
    ScriptType: 'InlineScript'
    azurePowerShellVersion: 'LatestVersion'
    pwsh: true
    Inline: |
      Get-AzContext

      # Connect to Microsoft Graph
      $accessToken = (Get-AzAccessToken).Token | ConvertTo-SecureString -AsPlainText -Force
      Connect-MgGraph $accessToken

      Invoke-Maester ...
```

Get-AzContext correctly returns the service principal that I want to use (which has all the necessary MS Graph permissions), but when a token is generated and used to connect to MS Graph, a different service principal is used (Microsoft Graph Command Line Tools): Image

Invoke-Maester then fails at Test-MtContext as the SP being used doesn't have the necessary MS Graph permissions: Image

Is this related to the "common issue" mentioned on #855 or something different altogether?

Extra Info:

  • Process is running on an "Azure Pipelines" agent, so it is using the latest versions of the Azure PowerShell and Graph modules: Az v12.5.0, Az.Accounts v5.1.1, Microsoft.Graph v2.29.1, Maester v1.3.0
  • Have performed the same commands using the same service principal locally (the only difference being the use of client id & secret instead of federated auth) and could not recreate the issue.

Apologies @merill I'm getting a 403 when trying to add a new comment.

Here's the output with Get-MgContext | ConvertTo-Json added. Get-MgContext shows the same wrong client id. I'm assuming as it's not something you've come across, that it's one for MS Support? Image


@kentbjoh It's the same story when trying $accessToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token I'm afraid

awdavies90 avatar Aug 01 '25 11:08 awdavies90

That doesn't sound right. The access token should use the token which includes the original client id.

Can you add a Get-MgContext and try seeing what it shows?

Something like this

```powershell
Get-MgContext | ConvertTo-Json
```

merill avatar Aug 10 '25 03:08 merill

Try fetching the access token this way. I believe this was a fairly recent change from MS.

```powershell
$accessToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
```

kentbjoh avatar Aug 12 '25 18:08 kentbjoh
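To make a mismatch like the one reported above visible before Maester runs, here is an added diagnostic (my own example, not code from the issue or from the Maester project) that combines the pipeline script with kentbjoh's `-ResourceTypeName MSGraph` call: it binds the token with the explicit `-AccessToken` parameter, compares the token's `appid` claim and `Get-MgContext`'s `ClientId` against the Az context, and stops if they differ. It assumes PowerShell 7 (`pwsh: true`, for `ConvertFrom-SecureString -AsPlainText`) and that `(Get-AzContext).Account.Id` is the service principal's client id; the function name `Connect-MgGraphFromAzContext` is my own.

```powershell
function Connect-MgGraphFromAzContext {
    # Added example: connect Graph with the Az context's token and report whose identity Graph sees.
    [CmdletBinding()]
    param()

    $azContext = Get-AzContext
    if (-not $azContext) { throw 'No Az context; run Connect-AzAccount (or the AzurePowerShell task) first.' }
    # Assumption: for a service principal login, Account.Id is the app (client) id.
    $expectedId = $azContext.Account.Id

    # Ask for a Graph-audience token explicitly (kentbjoh's suggestion in the thread).
    $rawToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token

    # Newer Az.Accounts return Token as a SecureString, older ones as plain text. Piping a
    # SecureString into ConvertTo-SecureString -AsPlainText would stringify the object, so branch.
    if ($rawToken -is [System.Security.SecureString]) {
        $secureToken = $rawToken
        $plainToken  = ConvertFrom-SecureString -SecureString $rawToken -AsPlainText   # PowerShell 7+
    } else {
        $secureToken = ConvertTo-SecureString -String $rawToken -AsPlainText -Force
        $plainToken  = $rawToken
    }

    # Decode the JWT payload (base64url, re-padded) and read the caller's app id claim.
    $payload = $plainToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload = $payload.PadRight($payload.Length + ((4 - $payload.Length % 4) % 4), '=')
    $claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    $tokenAppId = if ($claims.azp) { $claims.azp } else { $claims.appid }   # v2 tokens use azp, v1 appid
    Remove-Variable plainToken   # keep the raw token out of the session once decoded

    # Bind the token by name; Get-MgContext then reports what the SDK believes it is using.
    Connect-MgGraph -AccessToken $secureToken -NoWelcome
    $mgContext = Get-MgContext

    [pscustomobject]@{
        AzAccountId = $expectedId
        TokenAppId  = $tokenAppId
        MgClientId  = $mgContext.ClientId
        MgAuthType  = $mgContext.AuthType     # expected: UserProvidedAccessToken
        Matches     = ($tokenAppId -eq $expectedId) -and ($mgContext.ClientId -eq $expectedId)
    }
}

$check = Connect-MgGraphFromAzContext
$check | Format-List
if (-not $check.Matches) {
    throw "Graph is connected as $($check.MgClientId) but the Az context is $($check.AzAccountId); not running Maester."
}
Invoke-Maester   # add the same parameters the pipeline already passes
```

If `TokenAppId` already differs from `AzAccountId`, the token itself was issued to another identity and the problem sits in the Az side of the flow; if only `MgClientId` differs, the token was fine and the Graph SDK did not take the `-AccessToken` path.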