msgraph-sdk-powershell
Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
Describe the bug
Since module version 2.26.0, I have been experiencing an issue with Continuous Access Evaluation in MgGraph. I authenticate using app registration and a certificate. This works without any problems, but after some time, my script returns the following error message.
Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
Since I have scripts that run for a longer time, I keep encountering this problem repeatedly. Additionally, we use the Microsoft365DSC module, and I receive the error when reading the AAD settings right from the start.
Expected behavior
The script should not need to re-authenticate, and when reading the M365DSC configuration, the error should not occur from the beginning and should be able to authenticate.
How to reproduce
```
Connect-MgGraph -ClientID $ClientID -TenantId $Tenant_ID -CertificateThumbprint $CertificateThumbprint
Get-MgUser
```
Wait some time and rerun the Get-MgUser command.
SDK Version
2.26.0 and 2.27.0
Latest version known to work for scenario above?
2.25.0
Known Workarounds
No response
Debug output
```
Get-MgUser -Debug
[CmdletBeginProcessing]: - Get-MgUser begin processing with parameterSet 'List'.
[Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: '*****'.
[Authentication]: - Scopes: [DeviceManagementManagedDevices.Read.All, ChannelSettings.Read.All, RoleManagement.Read.Directory, Channel.ReadBasic.All, Group.Read.All, DeviceManagementServiceConfig.Read.All, Directory.Read.All, User.Read.All, Tasks.Read.All, GroupMember.Read.All, DeviceManagementConfiguration.Read.All, Organization.Read.All, Policy.Read.All, Application.Read.All, DeviceManagementApps.Read.All, OrgSettings-Todo.Read.All, Policy.Read.ConditionalAccess, AppCatalog.Read.All, RoleEligibilitySchedule.Read.Directory, CustomSecAttributeDefinition.Read.All, Policy.Read.DeviceConfiguration, ExternalConnection.Read.All, Policy.ReadWrite.AuthenticationMethod, Sites.Selected, UserAuthenticationMethod.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, SharePointTenantSettings.ReadWrite.All, Channel.Delete.All, SharePointTenantSettings.Read.All, AdministrativeUnit.Read.All, OrgSettings-Forms.Read.All, LifecycleWorkflows.Read.All, Sites.Read.All, EntitlementManagement.Read.All, IdentityUserFlow.Read.All, RoleManagement.Read.All, Domain.Read.All, Agreement.Read.All, ChannelMember.Read.All, RoleManagementPolicy.Read.Directory, DeviceManagementRBAC.Read.All, EntitlementManagement.ReadWrite.All, APIConnectors.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-Microsoft365Install.Read.All, IdentityProvider.Read.All, TeamSettings.Read.All, NetworkAccessPolicy.Read.All, AccessReview.Read.All, Mail.Send, PrivilegedEligibilitySchedule.Read.AzureADGroup, OrgSettings-DynamicsVoice.Read.All, ProgramControl.Read.All, NetworkAccess.Read.All, Sites.FullControl.All, RoleAssignmentSchedule.Read.Directory, Policy.Read.IdentityProtection].
============================ HTTP REQUEST ============================
HTTP Method: GET
Absolute Uri: https://graph.microsoft.com/v1.0/users
Headers: FeatureFlag : 00000043 Cache-Control : no-store, no-cache User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.20348; de-CH),PowerShell/5.1.20348.2849 Accept-Encoding : gzip SdkVersion : graph-powershell/2.25.0 client-request-id : 71ae034a-b311-4128-99f9-bf5f8b60fec2
Body:
============================ HTTP RESPONSE ============================
Status Code: Unauthorized
Headers: Transfer-Encoding : chunked Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : 7c1ded63-8eae-4083-9d9e-ebad27ef76dd client-request-id : 25e4806a-d2bc-43a9-8ec6-5c98275fa7d5 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ZR1PEPF00000667"}} WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJCOTY0ODgwQkQxNDJBNjJCRjQ5NzI4MEI3NkFGREM1QjUxNjlENUMifQ.eyJ0cyI6MTc0NjcyNTgyMH0.elc4_PChd4yb5GBLU1YMIgaGkFWb0Wr8wf7GJAi0-uQknGVfi6ixhJk1CSdKq1BVLsdYc VEHCodj0TolZg0IB-vxjCvlfVAN51tTD9Gbi0GAejjofO4poM2OpRRzLjy3HD2MP4y5EhxMGXyvsaKKfg6AkNlxjavMp6Et9NXC2q9a1J7cr5doO5_krwSZTUiGsQwF4-5q4tM1J1t81n-xCGkMGuq_rYga_cSlK1wAFVi5RtCibqF6dEzHqqJ9JygaQ2-0e315O-esTXhZx7l_icSt7woWGeEHU1MEgu7Vf-09QkdBI8UrVo5IA24S1ZgVQU EVM1RyT2WkK1agPyCwrg" Date : Thu, 08 May 2025 17:37:00 GMT
Body: { "error": { "code": "InvalidAuthenticationToken", "message": "Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied", "innerError": { "date": "2025-05-08T17:37:00", "request-id": "7c1ded63-8eae-4083-9d9e-ebad27ef76dd", "client-request-id": "25e4806a-d2bc-43a9-8ec6-5c98275fa7d5" } } }
Get-MgUser_List : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
Status: 401 (Unauthorized) ErrorCode: InvalidAuthenticationToken Date: 2025-05-08T17:37:00
Headers: Transfer-Encoding : chunked Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : 7c1ded63-8eae-4083-9d9e-ebad27ef76dd client-request-id : 25e4806a-d2bc-43a9-8ec6-5c98275fa7d5 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ZR1PEPF00000667"}} WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJCOTY0ODgwQkQxNDJBNjJCRjQ5NzI4MEI3NkFGREM1QjUxNjlENUMifQ.eyJ0cyI6MTc0NjcyNTgyMH0.elc4_PChd4yb5GBLU1YMIgaGkFWb0Wr8wf7GJAi0-uQknGVfi6ixhJk1CSdKq1BVLsdYc VEHCodj0TolZg0IB-vxjCvlfVAN51tTD9Gbi0GAejjofO4poM2OpRRzLjy3HD2MP4y5EhxMGXyvsaKKfg6AkNlxjavMp6Et9NXC2q9a1J7cr5doO5_krwSZTUiGsQwF4-5q4tM1J1t81n-xCGkMGuq_rYga_cSlK1wAFVi5RtCibqF6dEzHqqJ9JygaQ2-0e315O-esTXhZx7l_icSt7woWGeEHU1MEgu7Vf-09QkdBI8UrVo5IA24S1ZgVQU EVM1RyT2WkK1agPyCwrg" Date : Thu, 08 May 2025 17:37:00 GMT
At C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Users\2.25.0\exports\ProxyCmdletDefinitions.ps1:22009 char:23
+ $scriptCmd = {& $wrappedCmd @PSBoundParameters}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ ConsistencyLe... , Headers = }:<>f__AnonymousType41`9) [Get-MgUser_List], Exception
+ FullyQualifiedErrorId : InvalidAuthenticationToken,Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List
[CmdletEndProcessing]: - Get-MgUser end processing.
```
Configuration
```
Name                        Value
PSVersion                   5.1.14393.7870
PSEdition                   Desktop
PSCompatibleVersions        {1.0, 2.0, 3.0, 4.0...}
BuildVersion                10.0.14393.7870
CLRVersion                  4.0.30319.42000
WSManStackVersion           3.0
PSRemotingProtocolVersion   2.3
SerializationVersion        1.1.0.1
```
OS: Windows Server 2016 Datacenter (14393.7876) x64
Other information
No response
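An added example, not part of the original report or of the SDK: the `claims` parameter in the `WWW-Authenticate` header of a CAE 401 is base64-encoded JSON, and decoding it shows the `nbf` value and the `xms_rp_ipaddr` address that the resource reported in the challenge, which is the first thing to compare against the locations allowed by Conditional Access. The function name `Get-CaeClaimsChallenge` is hypothetical, and the sample header is constructed with a documentation IP address in the same shape as the header in the debug output above.

```powershell
function Get-CaeClaimsChallenge {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $WwwAuthenticate)

    # A CAE challenge carries error="insufficient_claims" and a base64 claims parameter.
    if ($WwwAuthenticate -notlike '*error="insufficient_claims"*') { return $null }
    $claims = [regex]::Match($WwwAuthenticate, '\bclaims="([^"]+)"')
    if (-not $claims.Success) { return $null }

    # Accept base64url as well as plain base64, and restore stripped padding.
    $b64 = $claims.Groups[1].Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }

    try {
        $json  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
        $token = ($json | ConvertFrom-Json).access_token
    } catch {
        Write-Warning "claims parameter is not valid base64 JSON: $($_.Exception.Message)"
        return $null
    }

    # nbf is a Unix timestamp sent as a string; convert it for log correlation.
    $notBefore = $null
    if ($token.nbf.value) {
        $notBefore = [DateTimeOffset]::FromUnixTimeSeconds([long]$token.nbf.value).UtcDateTime
    }
    $description = [regex]::Match($WwwAuthenticate, 'error_description="([^"]*)"').Groups[1].Value

    [pscustomobject]@{
        Description        = $description
        NotBeforeUtc       = $notBefore
        ResourceProviderIp = $token.xms_rp_ipaddr.value
        ClaimsJson         = $json
    }
}

# Constructed sample header (documentation IP address, not the value from the log above).
$sampleJson   = '{"access_token":{"nbf":{"essential":true,"value":"1746725820"},"xms_rp_ipaddr":{"value":"203.0.113.10"}}}'
$sampleClaims = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleJson))
$sampleHeader = 'Bearer realm="", error_description="Continuous access evaluation resulted in challenge", error="insufficient_claims", claims="{0}"' -f $sampleClaims

Get-CaeClaimsChallenge -WwwAuthenticate $sampleHeader | Format-List
```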