
Connect-MgGraph : Invalid JWT access token in Azure Functions

Open rfolkers opened this issue 1 year ago • 1 comments

Describe the bug

Connect-MgGraph in Azure Functions (locally with VS Code) fails with the error "invalid JWT token", regardless of whether an access token, a certificate or a client secret is used.

Expected behavior

Successful authentication

How to reproduce

Create an Azure Function (PowerShell) in VS Code and provide Connect-MgGraph in the script (using an access token, client secret or certificate). The connection will fail with the error "invalid JWT token".

The same code runs successfully outside the Azure Functions runtime.

SDK Version

Microsoft.Graph.Authentication 2.x

Latest version known to work for scenario above?

1.28

Known Workarounds

Use version 1.x

Debug output

```
Connect-MgGraph -ClientId {Redacted} -TenantId {Redacted} -Certificate $cert -Debug
ClientCertificateCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId:
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] MSAL MSAL.Desktop with assembly version '4.60.1.0'. CorrelationId(c7987f17-f3bf-49e6-8a09-b5be82f2f439)
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False

False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === Request Data ===
Authority Provided? - True
Scopes - https://graph.microsoft.com/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - c7987f17-f3bf-49e6-8a09-b5be82f2f439
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === Token Acquisition (ClientCredentialRequest) started:
Scopes: https://graph.microsoft.com/.default
Authority Host: login.microsoftonline.com
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [Instance Discovery] Instance discovery is enabled and will be performed
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [Region discovery] Not using a regional authority.
Request [8c991d47-87d8-420d-af78-bd3cb2b4410b] POST https://login.microsoftonline.com/{redacted}/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:8c991d47-87d8-420d-af78-bd3cb2b4410b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.11.0 (.NET Core 3.1.32; Microsoft Windows 10.0.22621)
client assembly: Azure.Identity
Response [8c991d47-87d8-420d-af78-bd3cb2b4410b] 200 OK (00.1s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:8936197d-304d-4b2c-b6ae-a443f51f2f00
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
x-ms-srs:REDACTED
X-XSS-Protection:REDACTED
Content-Length:1828
Content-Length:1828
Content-Length:1828
Content-Length:1828
Content-Length:1828
Content-Length:1828
Content-Length:1828
Content-Length:1828
Content-Length:1828

False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] ScopeSet was missing from the token response, so using developer provided scopes in the result.
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Checking client info returned from the server..
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Saving token response to cache..
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [SaveTokenResponseAsync] ID Token not present in response.
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Cannot determine home account ID - or id token or no client info and no subject
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Looking for scopes for the authority in the cache which intersect with https://graph.microsoft.com/.default
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Intersecting scope entries count - 0
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === Token Acquisition finished successfully:
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] AT expiration time: 8/8/2024 1:34:32 PM +00:00, scopes: https://graph.microsoft.com/.default. source: IdentityProvider
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Fetched access token from host login.microsoftonline.com.
ClientCertificateCredential.GetToken succeeded. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId: ExpiresOn: 2024-08-08T13:34:32.9833602+00:00

Connect-MgGraph: Invalid JWT access token.
```

Configuration

Windows 11 X64 - clean install

```
Name                           Value
PSVersion                      7.0.13
PSEdition                      Core
GitCommitId                    7.0.13
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

Other information

No response

rfolkers • Aug 08 '24 13:08

Since the status of this issue is "needs Investigation", I just did some additional troubleshooting. The problem seems to be some missing dependency in the Function Runtime:

```
[2024-10-07T13:28:20.337Z] ERROR: Invalid JWT access token.
[2024-10-07T13:28:20.338Z]
[2024-10-07T13:28:20.339Z] Exception :
[2024-10-07T13:28:20.340Z] Type : Microsoft.Graph.PowerShell.AuthenticationException
[2024-10-07T13:28:20.341Z] TargetSite :
[2024-10-07T13:28:20.342Z] Name : DecodeToObject
[2024-10-07T13:28:20.345Z] DeclaringType : Microsoft.Graph.PowerShell.Authentication.Core.Utilities.JwtHelpers, Microsoft.Graph.Authentication.Core, Version=2.9.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
[2024-10-07T13:28:20.347Z] MemberType : Method
[2024-10-07T13:28:20.348Z] Module : Microsoft.Graph.Authentication.Core.dll
[2024-10-07T13:28:20.350Z] StackTrace :
[2024-10-07T13:28:20.351Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.JwtHelpers.DecodeToObject[T](String jwtString)
[2024-10-07T13:28:20.352Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.UserProvidedTokenCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.353Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.UserProvidedTokenCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.354Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.SignInAsync(IAuthContext authContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.355Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.AuthenticateAsync(IAuthContext authContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.356Z] at Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph.ProcessRecordAsync()
[2024-10-07T13:28:20.357Z] at Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph.ProcessRecordAsync()
[2024-10-07T13:28:20.358Z] Message : Invalid JWT access token.
[2024-10-07T13:28:20.359Z] InnerException :
[2024-10-07T13:28:20.359Z] Type : System.IO.FileNotFoundException
[2024-10-07T13:28:20.360Z] Message : Could not load file or assembly 'Microsoft.Bcl.AsyncInterfaces, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. Het systeem kan het opgegeven bestand niet vinden.
[2024-10-07T13:28:20.361Z] FileName : Microsoft.Bcl.AsyncInterfaces, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51
[2024-10-07T13:28:20.362Z] TargetSite :
[2024-10-07T13:28:20.364Z] Name : GetAsyncEnumerableInterface
[2024-10-07T13:28:20.365Z] DeclaringType : System.Text.Json.Serialization.IAsyncEnumerableConverterFactory, System.Text.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51
[2024-10-07T13:28:20.366Z] Executed 'Functions.Time1' (Succeeded, Id=38a8fd80-611f-409e-b946-dd3d70c23b58, Duration=7203ms)
[2024-10-07T13:28:20.366Z] MemberType : Method
[2024-10-07T13:28:20.369Z] Module : System.Text.Json.dll
```

This issue is not new so it seems, but in this case the issue is isolated to only local function runtimes.

https://learn.microsoft.com/en-us/answers/questions/1479392/azure-function-powershell-microsoft-graph-powershe

I tried the solution in that topic (switch to certain module version and ExtensionBundle) but no change.

rfolkers • Oct 07 '24 13:10

Hi @rfolkers, apologies for the delayed response on this issue. However, I couldn't replicate your issue because I managed to execute the function app successfully using the latest Microsoft Graph PowerShell SDK version.


Please upgrade to the latest SDK version (2.25.0) by defining the exact version in your requirements.psd1 file or manually pre-install the modules using the Kudu environment. You can refer to this article on how to do that.

timayabi2020 • Jan 29 '25 07:01

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

Closing this issue due to inactivity

timayabi2020 • Feb 04 '25 12:02

This issue was actually resolved. In local.settings.json, FUNCTIONS_WORKER_RUNTIME_VERSION was set to ~7. After changing this to 7.4, the issue was resolved.

rfolkers • Feb 05 '25 21:02
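
The thread shows two things worth checking when "Invalid JWT access token" appears in a local Functions host: the inner exception behind the message, and the worker version pinned in local.settings.json. The following is an added example, not code from the issue or from the SDK; the function names `Get-ExceptionChain` and `Test-WorkerRuntimeVersion`, the sample JSON and the sample exception are constructed for illustration, and the expected value 7.4 is the one the reporter says fixed the problem.

```powershell
# Added example; function names and sample data below are constructed.
function Get-ExceptionChain {
    # Walk InnerException so the cause behind a generic message is visible.
    param([Parameter(Mandatory)][System.Exception]$Exception)
    for ($e = $Exception; $null -ne $e; $e = $e.InnerException) {
        [pscustomobject]@{
            Type     = $e.GetType().FullName
            Message  = $e.Message
            FileName = if ($e -is [System.IO.FileNotFoundException]) { $e.FileName }
        }
    }
}

function Test-WorkerRuntimeVersion {
    # Compare the pinned worker version with the one that resolved this issue.
    param(
        [Parameter(Mandatory)][string]$SettingsJson,
        [string]$Expected = '7.4'
    )
    $configured = ($SettingsJson | ConvertFrom-Json).Values.FUNCTIONS_WORKER_RUNTIME_VERSION
    [pscustomobject]@{
        Configured    = $configured
        Expected      = $Expected
        HostPSVersion = $PSVersionTable.PSVersion.ToString()  # process running this check
        Ok            = ($configured -eq $Expected)
    }
}

# Constructed local.settings.json content with the value reported in the issue.
$sampleSettings = @'
{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "powershell",
    "FUNCTIONS_WORKER_RUNTIME_VERSION": "~7"
  }
}
'@
Test-WorkerRuntimeVersion -SettingsJson $sampleSettings

# Constructed exception pair mirroring the error shape in the function log.
$asm   = 'Microsoft.Bcl.AsyncInterfaces, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'
$inner = [System.IO.FileNotFoundException]::new("Could not load file or assembly '$asm'.", $asm)
$outer = [System.Exception]::new('Invalid JWT access token.', $inner)
Get-ExceptionChain -Exception $outer | Format-List

# In a function: try { Connect-MgGraph ... } catch { Get-ExceptionChain $_.Exception }
```

Run inside the function itself, `HostPSVersion` reports the PowerShell version the worker actually loaded, which can be compared with the `PSVersion` shown under Configuration.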