Authentication required twice on MacOS
Describe the bug
I'm trying to use the module on MacOS. When I run Connect-MGGraph, it pops a browser window for auth, which is successful. Then, when I run my first function, like Get-MGGroup, it pops a browser window a second time, and authenticates again. Subsequent functions don't trigger additional auth, but it seems unexpected that Connect-MGGraph would not handle auth fully.
I am assuming this is due to the initial Connect-MGGraph function not getting my full list of assigned OAuth scopes, thus triggering a re-auth on the next command, which does fetch them as expected.
Connect-MGGraph gets User.Read, and then when I run Get-MGGroup, that second auth gets all my assigned scopes (large list, includes all related and unrelated scopes to Get-MGGroup).
This is relatively recent behavior for me, either way. Company policy prevents use of beta versions in production without a bunch of approval hurdles.
Expected behavior
Connect-MGGraph authenticates fully and completely, deriving scopes assigned to the user.
How to reproduce
- Connect-MGGraph - Browser window pops, authenticate normally
- $groups = Get-MGGroup -Filter "startswith(displayname, 'some_prefix')" - Browser window pops, again, authenticate normally
- Subsequent function calls do not pop a browser window.
SDK Version
2.29.0
Latest version known to work for scenario above?
I haven't downgraded to a previous version to determine which one broke this auth flow.
Known Workarounds
None that I'm aware of
Debug output
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ User.Read ] ParentRequestId:
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] MSAL MSAL.CoreCLR with assembly version '4.67.2.0'. CorrelationId(ceaeea9c-cc16-4227-b65c-86d8a9306d81)
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] LoginHint provided: False
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] Account provided: True
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] ForceRefresh: False
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - ceaeea9c-cc16-4227-b65c-86d8a9306d81
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] === Token Acquisition (SilentRequest) started:
Scopes: User.Read
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z] [Internal cache] Clearing user token cache accessor.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] [Internal cache] Total number of cache partitions found while getting access tokens: 1
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: 1a26d7e2-bb4a-4ff0-a662-5961d0e4e6b2.84c4e5b0-26a0-4dac-b686-301d76713569
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1. PartitionKey True
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] [FindRefreshTokenAsync] Discovered 0 refresh tokens in cache using key: 1a26d7e2-bb4a-4ff0-a662-5961d0e4e6b2.84c4e5b0-26a0-4dac-b686-301d76713569
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] No Refresh Token was found in the cache.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] Refreshing the RT failed. Is the exception retryable? False. Is there an AT in the cache that is usable? False
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] Failed to refresh the RT and cannot use existing AT (expired or missing).
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - ceaeea9c-cc16-4227-b65c-86d8a9306d81] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: no_tokens_found
HTTP StatusCode 0
CorrelationId ceaeea9c-cc16-4227-b65c-86d8a9306d81
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] MSAL MSAL.CoreCLR with assembly version '4.67.2.0'. CorrelationId(c1df7b60-378d-46ed-a6b1-1a580f2e2cbd)
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] === Token Acquisition (InteractiveRequest) started:
Scopes: User.Read
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Fetching instance discovery from the network from host login.microsoftonline.com.
DEBUG: Request [c6716967-4910-4dae-b83e-f6c15e89bb38] GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-ms-client-request-id:c6716967-4910-4dae-b83e-f6c15e89bb38
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.13.2 (.NET 9.0.6; Darwin 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:25 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6020)
client assembly: Azure.Identity
DEBUG: Response [c6716967-4910-4dae-b83e-f6c15e89bb38] 200 OK (00.3s)
Cache-Control:max-age=86400, private
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:45f12068-f2ba-4cd1-98b2-a34dc88e3d00
x-ms-ests-server:REDACTED
x-ms-srs:REDACTED
Content-Security-Policy-Report-Only:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Thu, 17 Jul 2025 14:04:51 GMT
Content-Type:application/json; charset=utf-8
Content-Length:950
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Using system browser.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:51Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Listening for authorization code on http://localhost:55455/
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Processing a response message to the browser. HttpStatus:OK
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] An authorization code was retrieved from the /authorize endpoint.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Exchanging the auth code for tokens.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: Request [e843f81d-eab2-4d28-b5ad-b1383bc7f2a2] POST https://login.microsoftonline.com/common/oauth2/v2.0/token?haschrome=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
x-anchormailbox:REDACTED
x-client-current-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:e843f81d-eab2-4d28-b5ad-b1383bc7f2a2
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.13.2 (.NET 9.0.6; Darwin 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:25 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6020)
client assembly: Azure.Identity
DEBUG: Response [e843f81d-eab2-4d28-b5ad-b1383bc7f2a2] 200 OK (00.2s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:15013ac6-1a3c-4025-b80d-8e0314331e00
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
x-ms-srs:REDACTED
Content-Security-Policy-Report-Only:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Thu, 17 Jul 2025 14:04:54 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:6527
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Checking client info returned from the server..
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Saving token response to cache..
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z] [Internal cache] Clearing user token cache accessor.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Looking for scopes for the authority in the cache which intersect with User.Read
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z] [Internal cache] Total number of cache partitions found while getting access tokens: 1
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Intersecting scope entries count - 1
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Matching entries after filtering by user - 1
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] [SaveTokenResponseAsync] Saving Id Token and Account in cache ...
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] [SaveTokenResponseAsync] Saving RT in cache...
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] [AdalCacheOperations] Serializing token cache with 1 items.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1. PartitionKey False
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z] [Internal cache] Total number of cache partitions found while getting access tokens: 1
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1. PartitionKey False
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z] [Internal cache] Total number of cache partitions found while getting accounts: 1. PartitionKey False
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] AT expiration time: 7/17/2025 3:08:24 PM +00:00, scopes: Application.Read.All Application.ReadWrite.All AppRoleAssignment.ReadWrite.All AuditLog.Read.All Calendars.ReadWrite.Shared DelegatedPermissionGrant.ReadWrite.All Device.Read.All Device.ReadWrite.All DeviceLocalCredential.Read.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Directory.Read.All Domain.Read.All email Group.Read.All Group.ReadWrite.All GroupMember.ReadWrite.All Mail.Send Mail.Send.Shared openid Organization.Read.All Policy.Read.All Policy.ReadWrite.ApplicationConfiguration profile ProfilePhoto.ReadWrite.All Reports.Read.All User.Read User.Read.All User.ReadBasic.All UserAuthenticationMethod.Read.All UserAuthenticationMethod.ReadWrite.All. source: IdentityProvider
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] Fetched access token from host login.microsoftonline.com.
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd]
[LogMetricsFromAuthResult] Cache Refresh Reason: NotApplicable
[LogMetricsFromAuthResult] DurationInCacheInMs: 5
[LogMetricsFromAuthResult] DurationTotalInMs: 3091
[LogMetricsFromAuthResult] DurationInHttpInMs: 491
DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS [2025-07-17 14:04:54Z - c1df7b60-378d-46ed-a6b1-1a580f2e2cbd] TokenEndpoint: ****
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ User.Read ] ParentRequestId: ExpiresOn: 2025-07-17T15:08:24.6033250+00:00
DEBUG: [CmdletBeginProcessing]: - Get-MgGroup begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, Calendars.ReadWrite.Shared, DelegatedPermissionGrant.ReadWrite.All, Device.Read.All, Device.ReadWrite.All, DeviceLocalCredential.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.Read.All, Domain.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, Mail.Send, Mail.Send.Shared, openid, Organization.Read.All, Policy.Read.All, Policy.ReadWrite.ApplicationConfiguration, profile, ProfilePhoto.ReadWrite.All, Reports.Read.All, User.Read, User.Read.All, User.ReadBasic.All, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All, email].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/v1.0/groups?$filter=startswith%28displayname%2C%27REDACTED%27%29
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Macintosh; Darwin 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:25 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6020; en-US),PowerShell/2025.2.0
SdkVersion : graph-powershell/2.29.0
client-request-id : d576aac3-c622-463f-8c2a-53e6e98a982f
Accept-Encoding : gzip,deflate,b
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 8c3833ba-622a-4fec-a24e-0cf7f56083a5
client-request-id : d576aac3-c622-463f-8c2a-53e6e98a982f
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"009","RoleInstance":"BL6PEPF00035CE7"}}
x-ms-resource-unit : 1
odata-version : 4.0
Date : Thu, 17 Jul 2025 14:05:14 GM
Body:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
"value": []
}
DEBUG: [CmdletEndProcessing]: - Get-MgGroup end processing.
Configuration
Name Value
---- -----
PSVersion 7.5.2
PSEdition Core
GitCommitId 7.5.2
OS Darwin 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:25 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6020
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Other information
No response
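An added example, not part of the original report or of the SDK: a small Python parser that pairs the scopes each MSAL request asked for with the scopes on the token that came back, which is the mismatch the debug output above shows (User.Read requested, a much longer list issued). The sample log is constructed, with made-up correlation IDs and a shortened scope list; the function name and the report fields are assumptions of this example.

```python
import re

# Constructed sample: same line shapes as the MSAL debug output in the report,
# with made-up correlation IDs and a shortened scope list.
P = "DEBUG: False MSAL 4.67.2.0 MSAL.CoreCLR .NET 9.0.6 MacOS"
CID_A = "00000000-0000-0000-0000-00000000000a"
CID_B = "00000000-0000-0000-0000-00000000000b"
SAMPLE_LOG = f"""\
{P} [2025-07-17 14:04:51Z - {CID_A}]
=== Request Data ===
Scopes - User.Read
ApiId - AcquireTokenSilent
{P} [2025-07-17 14:04:51Z - {CID_A}] No Refresh Token was found in the cache.
{P} [2025-07-17 14:04:51Z - {CID_B}]
=== Request Data ===
Scopes - User.Read
ApiId - AcquireTokenInteractive
{P} [2025-07-17 14:04:54Z - {CID_B}] AT expiration time: 7/17/2025 3:08:24 PM +00:00, scopes: Directory.Read.All email Group.ReadWrite.All openid profile User.Read. source: IdentityProvider
"""

# "[timestamp - correlation-id]" prefix that MSAL puts on its log lines
CID_RE = re.compile(r"\[\d{4}-\d{2}-\d{2} [\d:]+Z - ([0-9a-f-]{36})\]")
REQ_RE = re.compile(r"^Scopes - (.*)$")      # inside "=== Request Data ==="
API_RE = re.compile(r"^ApiId - (\S+)")       # AcquireTokenSilent / AcquireTokenInteractive
GRANT_RE = re.compile(r"AT expiration time: .*?, scopes: (.+?)\. source:")
OIDC = {"openid", "profile", "email", "offline_access"}  # sign-in scopes, reported separately


def scope_report(log_text):
    """Return one dict per MSAL correlation ID with requested vs. issued scopes."""
    requests = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = CID_RE.search(line)
        if header:
            current = header.group(1)
        if current is None:
            continue  # continuation lines before the first MSAL header
        entry = requests.setdefault(
            current, {"api": None, "requested": set(), "granted": None})
        if m := REQ_RE.match(line):
            entry["requested"] = set(m.group(1).split())
        elif m := API_RE.match(line):
            entry["api"] = m.group(1)
        elif m := GRANT_RE.search(line):
            entry["granted"] = set(m.group(1).split())

    report = []
    for cid, e in requests.items():
        granted = e["granted"] or set()
        report.append({
            "correlation_id": cid,
            "api": e["api"],
            "requested": sorted(e["requested"]),
            "token_issued": e["granted"] is not None,
            # Scopes on the token that the request never asked for
            "beyond_request": sorted(granted - e["requested"] - OIDC),
        })
    return report


if __name__ == "__main__":
    for row in scope_report(SAMPLE_LOG):
        print(row)
```

Run against a saved `-Debug` transcript, a non-empty `beyond_request` on an interactive request marks a session whose token is broader than the scopes passed to the connect call.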
I'm experiencing this same issue in Windows 11, version 24H2 as well using PowerShell v5.
Getting this on W11
Downgraded to 2.23.0 and seems to resolve the issue
Also occurring here #3319
@timayabi2020 @MIchaelMainer @ramsessanchez Please take a look at this, this has been going on for a while.
Sorry folks for not getting back to you... fewer hands, the same work.
@plmcgrn @nkasco @uta-sheppardpj @md7648 - I'm able to repro with 2.29. When I turn on Fiddler, the 1st prompt looks like it is associated with MFA. No access token is returned, a flowtoken (new to me) is returned. That second prompt is when your scopes are sent.
Does the experience that requires two login pop-ups trigger after every hour? What is the time between when you first have the second auth pop-up to when you see the subsequent pop-up?
I don't see any auth related changes in the source. I am going to look up whether there was an MFA policy change on the app.
Has anyone tried using their own clientId with 2.29+ to see if this behavior occurs there?
I have repro'd that using 2.23 works as expected (no MFA).
@MIchaelMainer I think you've mentioned this was working as expected on the same machine where you had the repro before. Is this correct? @plmcgrn @nkasco are you still facing this issue?
Had double auth earlier today lol happens every time I use delegated auth.
To add - this is still happening. Windows 11, PowerShell 7.5.4, and using SDK either 2.25.0 or 2.32.0.
This happens across multiple user accounts in multiple tenants from multiple devices.
To quickly reproduce - can even reproduce in Windows Sandbox:
Install-Module Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Users
Connect-MgGraph -Scope 'User.Read.All' -NoWelcome
Get-MgUser -UserId '***'
Observe being prompted for authentication twice. Connect-MgGraph will include in the URL, only:
https://login.microsoftonline.com/***/oauth2/v2.0/authorize?
?scope=User.Read.All+openid+profile+offline_access
However, executing Get-MgUser then prompts again, with the URL including "all the scopes":
?scope=AdministrativeUnit.Read.All+Application.Read.All+Application.ReadWrite.All+AppRoleAssignment.ReadWrite.All+AuditLog.Read.All+Device.ReadWrite.All+DeviceManagementApps.Read.All+DeviceManagementConfiguration.Read.All+DeviceManagementManagedDevices.ReadWrite.All+DeviceManagementServiceConfig.ReadWrite.All+Directory.AccessAsUser.All+Directory.Read.All+Directory.ReadWrite.All+Domain.Read.All+Files.Read.All+Group.Read.All+Group.ReadWrite.All+GroupMember.Read.All+GroupMember.ReadWrite.All+Mail.ReadWrite+OnPremDirectorySynchronization.ReadWrite.All+openid+Organization.Read.All+Policy.Read.All+PrivilegedAccess.Read.AzureADGroup+PrivilegedEligibilitySchedule.Read.AzureADGroup+profile+RoleAssignmentSchedule.Read.Directory+RoleEligibilitySchedule.Read.Directory+RoleManagement.Read.Directory+RoleManagement.ReadWrite.Directory+RoleManagementPolicy.Read.AzureADGroup+Sites.Read.All+Sites.ReadWrite.All+Team.ReadBasic.All+User.Read+User.Read.All+User.ReadWrite.All+UserAuthenticationMethod.ReadWrite.All+email+offline_access
(#3319 certainly looks to be the same issue.)