
High number of consented permissions prevents successful authentication to MS Graph PowerShell

Open willfiddes opened this issue 6 months ago • 3 comments

Describe the bug

Starting with v2.26.0 MS Graph PowerShell is unable to authenticate successfully with high number of API permissions consented to on the second authentication prompt.

First authentication using Connect-MgGraph works. The second authentication prompt, when calling another command, is what is failing. (Why are we prompting a second time?)

It appears there is now a "mg.msal.cache.cae" in addition to "mg.msal.cache.nocae" cache file generated in %LOCALAPPDATA%\.IdentityService\ when calling any ms graph command other than connect-mggraph. This "mg.msal.cache.cae" cache file may have something to do with the issue. Why isn't just one cache being used?

If we are going to make using CAE claims required, might as well send this in the first authentication prompt when using Connect-MgGraph. (I may have to submit another feature request but we should have a way to disable CAE for MS Graph PowerShell)

This problem did not occur for v2.25.0.

Why is MS Graph PowerShell sending a login request with all of the consented permissions? It should just use ".default" to get the consented permissions from Entra.

Also keep in mind browsers do have a URL length limit and Edge/IE is around 2080. So the more permissions there are in the login request, the higher chance the URL will start to get cut off. Different errors will occur depending on where it gets cut off at.

Expected behavior

Authenticate successfully no matter how permissions were previously consented

How to reproduce

#############################################################
# Pre-requisite to setup scenario

Install-Module Microsoft.Graph.Authentication -RequiredVersion 2.28.0 -Force -AllowClobber
Install-Module Microsoft.Graph.Authentication -RequiredVersion 2.25.0 -Force -AllowClobber
Install-Module Microsoft.Graph.Users -RequiredVersion 2.28.0 -Force -AllowClobber
Install-Module Microsoft.Graph.Users -RequiredVersion 2.25.0 -Force -AllowClobber

# We have to break up scopes due to URL size limitation
Connect-MgGraph -TenantId cloud.williamfiddes.com -Scopes "AccessReview.ReadWrite.All AppCatalog.Read.All Application.Read.All Application.ReadWrite.All AppRoleAssignment.ReadWrite.All AuditLog.Read.All BitlockerKey.Read.All Calendars.Read Calendars.ReadBasic Calendars.ReadWrite.Shared Chat.Read Chat.ReadBasic Chat.ReadWrite ChatMessage.Send ConsentRequest.ReadWrite.All DelegatedPermissionGrant.ReadWrite.All Device.Read.All Device.ReadWrite.All DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.Read.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.Read.All DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All Directory.AccessAsUser.All"

Connect-MgGraph -TenantId cloud.williamfiddes.com -Scopes "Directory.Read.All Directory.ReadWrite.All EntitlementManagement.ReadWrite.All Files.Read.All Group.Read.All Group.ReadWrite.All GroupMember.Read.All GroupMember.ReadWrite.All IdentityRiskEvent.Read.All IdentityRiskyUser.Read.All Mail.Read Mail.Send Organization.Read.All Policy.Read.All Policy.ReadWrite.ApplicationConfiguration Policy.ReadWrite.CrossTenantAccess Presence.Read.All Reports.Read.All RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.ReadWrite.Directory Sites.Manage.All Sites.ReadWrite.All Tasks.Read Team.ReadBasic.All TeamsAppInstallation.ReadForTeam TeamworkDevice.Read.All User.Read User.Read.All User.ReadWrite.All UserAuthenticationMethod.Read.All UserAuthenticationMethod.ReadWrite.All WindowsUpdates.ReadWrite.All"

# Step: Import 2.28.0 module
Import-Module Microsoft.Graph.Authentication -RequiredVersion 2.28.0

# Step: Disconnect to ensure memory token cache is cleared
Disconnect-MgGraph

# Step: Clear the cache files
Get-Item "$env:LOCALAPPDATA\.IdentityService\mg*" | Remove-Item -Force

# Step: Connect 
Connect-MgGraph 

# Step: Call Invoke-MgGraphRequest
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/me"
#############################################################

If you import the 2.25.0 module instead of 2.26+ this issue does not occur.

SDK Version

2.28.0

Latest version known to work for scenario above?

2.25.0

Known Workarounds

Reduce consented permissions to MS Graph powershell (or just delete the enterprise app) and reconsent to the API permissions needed. Keep it low. You can also create your own app registration for MS Graph PowerShell to use for your specific scenario and consent to the permissions needed for your scenario.

You can specify your own Client ID... Connect-MgGraph -ClientId "your-client-id"

Debug output

Different errors will occur depending on how many permissions are consented. This is because the URL will be cut at different points.

Configuration

No response

Other information

No response

willfiddes, Jun 27 '25 23:06
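A diagnostic added here (not code from the issue or the SDK) that estimates whether the delegated scopes consented to the Microsoft Graph PowerShell enterprise app are large enough to push an explicit-scope authorize URL past the ~2080 character limit quoted above; it assumes an existing Connect-MgGraph session able to read service principals and OAuth2 permission grants, and the 400-character allowance for the non-scope part of the URL is a rough assumption.

```powershell
# Added example: size the consented delegated scopes of the Microsoft Graph PowerShell app
# against the browser URL limit mentioned in the issue. Not part of the SDK.
$GraphPsAppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'   # well-known appId of "Microsoft Graph Command Line Tools"
$UrlLimit     = 2080                                      # Edge/IE limit quoted in the issue
$BaseUrlChars = 400                                       # assumption: authority, client_id, redirect_uri, state etc.

# Locate the enterprise app (service principal) the SDK authenticates as by default
$sp = Get-MgServicePrincipal -Filter "appId eq '$GraphPsAppId'"
if (-not $sp) { throw 'Microsoft Graph PowerShell service principal not found in this tenant.' }

# Each OAuth2PermissionGrant carries a space-separated Scope string (admin-wide or per-user)
$grants = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
$scopes = @($grants.Scope -split ' ' | Where-Object { $_ } | Sort-Object -Unique)

# Reconstruct the scope query parameter the way a browser would carry it (URL-encoded)
$scopeString    = $scopes -join ' '
$scopeParam     = [uri]::EscapeDataString($scopeString)
$estimatedChars = $BaseUrlChars + $scopeParam.Length

[pscustomobject]@{
    ConsentedScopeCount = $scopes.Count
    ScopeStringLength   = $scopeString.Length
    EstimatedUrlLength  = $estimatedChars
    ExceedsEdgeLimit    = ($estimatedChars -gt $UrlLimit)
}

# Break the grants down by consent type so an admin can see which ones to trim or revoke
$grants |
    Select-Object ConsentType, PrincipalId,
        @{ Name = 'ScopeCount'; Expression = { @($_.Scope -split ' ' | Where-Object { $_ }).Count } } |
    Format-Table -AutoSize
```

If ExceedsEdgeLimit is true, the grants listed at the end are the ones to reduce (or move to a dedicated app registration via -ClientId, as the workaround section describes).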

Just wanted to confirm that I see this behaviour as well, and this also is the first real explanation and "fix" - removing all the consented permissions I had accumulated over time promptly let the problem vanish.

As it took me some time to find this, I would also like to add the error message I received before (so that others might find this easier). As stated above, it seems there can be different error messages because basically the URL is cut at some point due to some length limit.

In my case, it was consistently like this: Connect-MgGraph prompted a regular browser pop-up window asking for the user sign-in. Then for instance Get-MgUser prompted a second browser pop-up window asking for sign-in, this time with our company branding. And after logging in there, the pop-up window showed some weird white screen before closing, and I got: Get-MgUser : InteractiveBrowserCredential authentication failed: The browser based authentication dialog failed to complete. Reason: The server or proxy was not found.

Which apparently has nothing at all to do with the actual problem.

For now, I can work and also know how to fix it once more if it should happen again, but it would be great if this could get an actual fix, as it is not that easy to get rid of PS 5.1 any time soon.

SaschaSeipp, Aug 21 '25 19:08

Make sure that your PowerShell version is up to date.

In my experience Microsoft.Graph 2.6+ does not seem to work well if you have an old version of PowerShell

Specifically I had authentication issues with Microsoft.Graph.Applications module 2.30.0 running on top of PowerShell 7.2.24

Issue solved by simply upgrading PowerShell 7.2.24 to the latest version 7.5.3

dejanforo, Sep 24 '25 08:09

Thank you very much @willfiddes. Downgrading to PowerShell Module version 2.25.0 fixed the issue for me. Since I work in a customer environment, reducing consented permissions to MS Graph powershell was not an option for my case.

hoehnl, Oct 29 '25 14:10