
Authentication bug with 2.26.1 and PowerShell Desktop (5.1)

Open sentient-sloth opened this issue 9 months ago • 28 comments

Describe the bug

I am trying to use the latest release in PowerShell 5.1 and hitting an authentication error relating to an invalid claims request. The initial authentication via Connect-MgGraph is successful but on running any subsequent cmdlets the following error is received (when using interactive user auth flow):

Message: AADSTS901001: Invalid request. The claims request parameter value '{"access_token":{"xms_cc":{"' is invalid.

If using DeviceCode authentication the following errors are seen:

Get-MgUser : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.

These errors are not seen if the first authentication occurs in PowerShell 7, but if the first authentication occurs in PowerShell 5 the module is broken across both 5 and 7.

Fully removing 2.26.1 and downgrading to 2.24 resolves this issue.

Expected behavior

The expected behaviour is that the Graph cmdlets function when authenticating in PowerShell Desktop (5.1) and do not throw an authentication claims error.

Have seen this issue with multiple tenants and have reproduced on Windows 10, Windows 11 and Windows Server 2022.


How to reproduce

There are quite a few variants of this but the definitive way to reproduce:

  1. On a fresh install of Windows, run Install-Module Microsoft.Graph
  2. Run: Connect-MgGraph
  3. Run any Mg cmdlet e.g. Get-MgUser -UserId $UPN

At this point the error will be thrown.

SDK Version

2.26.1

Latest version known to work for scenario above?

2.24

Known Workarounds

  1. Downgrade to 2.24
  2. Ensure fresh install and authentication of 2.26.1 is performed in PowerShell 7

Debug output

DEBUG: [CmdletBeginProcessing]: - Get-MgUser begin processing with parameterSet 'Get'.

Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'DeviceCode', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.

Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, AdministrativeUnit.Read.All, Agreement.Read.All, AgreementAcceptance.Read.All, Analytics.Read, APIConnectors.Read.All, Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, ConsentRequest.Read.All, CrossTenantInformation.ReadBasic.All, CrossTenantUserProfileSharing.Read.All, CustomSecAttributeAssignment.Read.All, CustomSecAttributeDefinition.Read.All, DelegatedPermissionGrant.ReadWrite.All, Device.Read.All, DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, DeviceManagementServiceConfig.Read.All, Directory.AccessAsUser.All, Directory.Read.All, DirectoryRecommendations.Read.All, Domain.Read.All, EduAdministration.Read, EduAssignments.Read, email, EntitlementManagement.Read.All, Group.Read.All, GroupMember.Read.All, IdentityProvider.Read.All, IdentityRiskEvent.Read.All, IdentityRiskyServicePrincipal.Read.All, IdentityRiskyUser.Read.All, IdentityUserFlow.Read.All, InformationProtectionPolicy.Read, MailboxSettings.Read, ManagedTenants.Read.All, Member.Read.Hidden, openid, Organization.Read.All, OrgContact.Read.All, Policy.Read.All, PrivilegedAccess.Read.AzureAD, PrivilegedAccess.Read.AzureADGroup, PrivilegedAccess.Read.AzureResources, profile, Reports.Read.All, RoleManagement.Read.CloudPC, RoleManagement.Read.Directory, RoleManagementPolicy.Read.Directory, SecurityActions.Read.All, SecurityAlert.Read.All, SecurityEvents.Read.All, SecurityIncident.Read.All, ServiceHealth.Read.All, ServiceMessage.Read.All, ServicePrincipalEndpoint.Read.All, SharePointTenantSettings.Read.All, Sites.Read.All, Subscription.Read.All, TeamSettings.Read.All, ThreatHunting.Read.All, ThreatIndicators.Read.All, UnifiedGroupMember.Read.AsGuest, User.Read, User.Read.All, User.ReadBasic.All, UserAuthenticationMethod.Read.All].

Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.microsoft.com/v1.0/users/user@domain

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.19045; en-US),PowerShell/5.1.19041.5486

Body:

Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): DEBUG: [CmdletException]: Received exception with message 'AuthenticationFailedException - DeviceCodeCredential authentication failed: Object reference not set to an instance of an object. : at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable) at Azure.Identity.DeviceCodeCredential.<GetTokenImplAsync>d__44.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Azure.Identity.DeviceCodeCredential.<GetTokenAsync>d__41.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Kiota.Authentication.Azure.AzureIdentityAccessTokenProvider.<GetAuthorizationTokenAsync>d__14.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.<AuthenticateRequestAsync>d__13.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.<SendAsync>d__12.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Users.<UserGetUser_Call>d__237.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at Microsoft.Graph.PowerShell.Users.<UserGetUser_Call>d__237.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Users.<UserGetUser>d__231.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get.<ProcessRecordAsync>d__66.MoveNext()'

Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):

Confirm DeviceCodeCredential authentication failed: Object reference not set to an instance of an object. [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): Get-MgUser : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object. At line:1 char:1

+ Get-MgUser -UserId $UPN -Debug
    + CategoryInfo          : NotSpecified: (:) [Get-MgUser_Get], AuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get

DEBUG: [CmdletEndProcessing]: - Get-MgUser end processing.

Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):

Configuration

OS: Windows 10

Name                           Value
----                           -----
PSVersion                      5.1.19041.5486
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.5486
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Other information

No response

sentient-sloth, Feb 28 '25 14:02
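As an added example that is not part of the issue above or of the msgraph-sdk-powershell project, the script below turns the reporter's "Known Workarounds" into a check: it detects the combination the issue describes (Microsoft.Graph.Authentication 2.26.1 loaded in Windows PowerShell, PSEdition 'Desktop'), applies workaround 1 (full removal, then a pinned install of 2.24) when that combination is present, and then runs the reproduction steps with an explicitly narrow scope instead of inheriting the broad list of previously consented permissions visible in the debug output. The function names, the `$UPN` placeholder value and the assumption that the Gallery version string for the release the issue calls "2.24" is `2.24.0` are this example's own, not the issue's or the project's.

```powershell
# Added example, not code from the issue or from the msgraph-sdk-powershell project.
# Run it from a session in which no Microsoft.Graph.* module has been imported yet,
# since Uninstall-Module cannot remove a module that is loaded.

$AffectedVersion  = [version]'2.26.1'   # SDK version named in the issue
$KnownGoodVersion = '2.24.0'            # assumed exact Gallery version string for the issue's "2.24"
$UPN              = 'user@domain'       # placeholder, matching the URI in the issue's debug output

function Get-MgAuthenticationModuleVersion {
    # Microsoft.Graph.Authentication performs token acquisition for every Mg cmdlet,
    # so its highest installed version is the one that matters for this bug.
    $module = Get-Module -ListAvailable -Name Microsoft.Graph.Authentication |
              Sort-Object -Property Version -Descending |
              Select-Object -First 1
    if ($null -eq $module) { return $null }
    return $module.Version
}

function Test-AffectedGraphSdk {
    param(
        [version]$ModuleVersion = (Get-MgAuthenticationModuleVersion),
        [string]$Edition = $PSVersionTable.PSEdition
    )
    # The issue reports the failure only when the first authentication happens in
    # Windows PowerShell 5.1 (PSEdition 'Desktop'); PowerShell 7 is workaround 2.
    return ($Edition -eq 'Desktop') -and
           ($null -ne $ModuleVersion) -and
           ($ModuleVersion -eq $AffectedVersion)
}

function Reset-GraphSdkToKnownGood {
    # Workaround 1: fully remove every Microsoft.Graph.* module (all versions), then
    # install the pinned known-good release. Microsoft.Graph.Authentication is removed
    # last because the other Microsoft.Graph.* modules declare a dependency on it.
    $names = Get-InstalledModule -Name 'Microsoft.Graph*' |
             Select-Object -ExpandProperty Name -Unique |
             Sort-Object { $_ -eq 'Microsoft.Graph.Authentication' }   # $false sorts before $true
    foreach ($name in $names) {
        Uninstall-Module -Name $name -AllVersions -Force -ErrorAction Stop
    }
    Install-Module -Name Microsoft.Graph -RequiredVersion $KnownGoodVersion -Scope CurrentUser -Force
}

if (Test-AffectedGraphSdk) {
    Write-Warning ("Microsoft.Graph {0} under Windows PowerShell {1}: applying workaround 1 (pin to {2})." -f
        $AffectedVersion, $PSVersionTable.PSVersion, $KnownGoodVersion)
    Reset-GraphSdkToKnownGood
}

# Reproduction steps 2 and 3 from the issue, but requesting only the one delegated
# permission this call needs; the debug output above shows what is granted when no
# -Scopes argument is passed and the app's full consented set is reused.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Get-MgUser -UserId $UPN
```

Passing `-Scopes` explicitly does not change whether the 2.26.1 claims error appears, but it keeps the session's token from carrying the dozens of read and write permissions listed in the debug output when a single lookup is all that is intended. Add `-UseDeviceCode` to the `Connect-MgGraph` call to exercise the device-code path the issue also reports as failing.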