msgraph-sdk-powershell icon indicating copy to clipboard operation
msgraph-sdk-powershell copied to clipboard

Published 20 hours ago verified publisher icon microsoftgraph

Token authentication breaks when using certain commands

Open insomniacc opened this issue 2 years ago • 4 comments

Describe the bug Running the following command breaks my authentication I'd previously configured with Connect-MgGraph:

Invoke-MGGraphRequest -uri "https://api.accessreviews.identitygovernance.azure.com/v1.0/identityGovernance/accessReviews/definitions/<AccessReviewID>/instances/<InstanceID>/contactedReviewers/`$count"

Subsequent commands using Get-Mg commands just fail with the following output for example: Get-MgIdentityGovernanceAccessReviewDefinition_List: The server responded with a Request Error, Status: NotFound

The only way to proceed is to re-run Connect-MgGraph. It seems that the authentication is being broken and the commands do not gracefully handle the issue / complain about authentication in an explicit way.

Expected behavior

  1. if authentication breaks, subsequent commands should throw an exception/error related to authentication.
  2. Issuing a get method with Invoke-MgGraphRequest should not break authentication set by Connect-MgGraph

Debug Output

PS > Invoke-MGGraphRequest -uri "https://api.accessreviews.identitygovernance.azure.com/v1.0/identityGovernance/accessReviews/definitions/<AccessReviewID>/instances/<InstanceID>/contactedReviewers/`$count" -debug
VERBOSE: GET https://api.accessreviews.identitygovernance.azure.com/v1.0/identityGovernance/accessReviews/definitions/<AccessReviewID>/instances/<InstanceID>/contactedReviewers/$count with 0-byte payload

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: GET /v1.0/identityGovernance/accessReviews/definitions/<AccessReviewID>/instances/<InstanceID>/contactedReviewers/$count HTTP/1.1
HTTP: api.accessreviews.identitygovernance.azure.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-GB) PowerShell/7.2.16 Invoke-MgGraphRequest


VERBOSE: received 0-byte response of content type 

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: GET https://api.accessreviews.identitygovernance.azure.com/v1.0/identityGovernance/accessReviews/definitions/<AccessReviewID>/instances/<InstanceID>/contactedReviewers/$count
HTTP/1.1 404 Not Found
X-Powered-By: ASP.NET
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Tue, 14 Nov 2023 15:54:35 GMT
Content-Length: 0


Invoke-MgGraphRequest: GET https://api.accessreviews.identitygovernance.azure.com/v1.0/identityGovernance/accessReviews/definitions/<AccessReviewID>/instances/<InstanceID>/contactedReviewers/$count
HTTP/1.1 404 Not Found
X-Powered-By: ASP.NET
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Tue, 14 Nov 2023 15:54:35 GMT
Content-Length: 0


PS > $AccessReviews = Get-MgIdentityGovernanceAccessReviewDefinition -All -debug
DEBUG: [CmdletBeginProcessing]: - Get-MgIdentityGovernanceAccessReviewDefinition begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientSecret', ContextScope: 'Process', AppName: '90 Day Access Review'.
DEBUG: [Authentication]: - Scopes: [AccessReview.ReadWrite.Membership, Group.Read.All, AccessReview.ReadWrite.All, Group.Create, User.Read.All, Mail.Read, AccessReview.Read.All, Mail.Send, GroupMember.ReadWrite.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://api.accessreviews.identitygovernance.azure.com/v1.0/identityGovernance/accessReviews/definitions

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.19045; en-GB),PowerShell/7.2.16
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.9.0
client-request-id             : f24c7b00-e972-4e87-80f9-0c0235b570f1

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
NotFound

Headers:
X-Powered-By                  : ASP.NET
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains; preload
Date                          : Tue, 14 Nov 2023 15:56:30 GMT

Body:



Get-MgIdentityGovernanceAccessReviewDefinition_List: The server responded with a Request Error, Status: NotFound
DEBUG: [CmdletEndProcessing]: - Get-MgIdentityGovernanceAccessReviewDefinition end processing.

Module Version

> get-module Microsoft.Graph* | select Name,Version

Name                                            Version
----                                            -------
Microsoft.Graph                                 2.9.0
Microsoft.Graph.Applications                    2.9.0
Microsoft.Graph.Authentication                  2.9.0
Microsoft.Graph.Bookings                        2.9.0
Microsoft.Graph.Calendar                        2.9.0
Microsoft.Graph.ChangeNotifications             2.9.0
Microsoft.Graph.CloudCommunications             2.9.0
Microsoft.Graph.Compliance                      2.9.0
Microsoft.Graph.CrossDeviceExperiences          2.9.0
Microsoft.Graph.DeviceManagement                2.9.0
Microsoft.Graph.DeviceManagement.Actions        2.9.0
Microsoft.Graph.DeviceManagement.Administration 2.9.0
Microsoft.Graph.DeviceManagement.Enrollment     2.9.0
Microsoft.Graph.DeviceManagement.Functions      2.9.0
Microsoft.Graph.Devices.CloudPrint              2.9.0
Microsoft.Graph.Devices.CorporateManagement     2.9.0
Microsoft.Graph.Devices.ServiceAnnouncement     2.9.0
Microsoft.Graph.DirectoryObjects                2.9.0
Microsoft.Graph.Education                       2.9.0
Microsoft.Graph.Files                           2.9.0
Microsoft.Graph.Groups                          2.9.0
Microsoft.Graph.Identity.DirectoryManagement    2.9.0
Microsoft.Graph.Identity.Governance             2.9.0
Microsoft.Graph.Identity.Partner                2.9.0
Microsoft.Graph.Identity.SignIns                2.9.0
Microsoft.Graph.Mail                            2.9.0
Microsoft.Graph.Notes                           2.9.0
Microsoft.Graph.People                          2.9.0
Microsoft.Graph.PersonalContacts                2.9.0
Microsoft.Graph.Planner                         2.9.0
Microsoft.Graph.Reports                         2.9.0
Microsoft.Graph.SchemaExtensions                2.9.0
Microsoft.Graph.Search                          2.9.0
Microsoft.Graph.Security                        2.9.0
Microsoft.Graph.Sites                           2.9.0
Microsoft.Graph.Teams                           2.9.0
Microsoft.Graph.Users                           2.9.0
Microsoft.Graph.Users.Actions                   2.9.0
Microsoft.Graph.Users.Functions                 2.9.0

Environment Data PSVersion 7.2.16

insomniacc avatar Nov 14 '23 15:11 insomniacc

@insomniacc what I've noticed is that the base url (https://api.accessreviews.identitygovernance.azure.com/v1.0) you are using is cached after calling an API with Invoke-MGraphRequest and subsequent cmdlet calls append that base url to the API path associated with a cmdlet. image

However, when you call Invoke-MgGrphRequest with graph's base url (https://graph.microsoft.com/v1.0) within the same session, you won't get an error for subsequent cmdlet executions. Therefore, it's not really an authentication issue.

timayabi2020 avatar Nov 16 '23 09:11 timayabi2020

I'm not sure why this has been marked as author feedback. What exactly is it you need from me? The bug is outlined in my original comment and also confirmed by timayabi2020 please can this be assigned to someone to fix?

insomniacc avatar Jun 08 '24 15:06 insomniacc