Non-interactive authentication does not work when used from a PowerShell script #113

Closed
AnatoliB opened this issue Feb 18, 2020 · 3 comments · Fixed by #164
AnatoliB commented Feb 18, 2020

The following script fails:

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users.User

Connect-Graph -TenantId [REDACTED] -ClientId [REDACTED] -CertificateName [REDACTED] -CertificateThumbprint [REDACTED]

Get-MgUser

Connect-Graph succeeds, but Get-MgUser reports the following error: Authentication needed, call Connect-Graph.

Exactly the same commands executed interactively on a PowerShell console run successfully, so this does not look like a configuration/environment issue. In order to repro:

  1. Save this code into a test.ps1 file.
  2. IMPORTANT: In a brand new PowerShell session, invoke test.ps1 like this: .\test.ps1 or this: & .\test.ps1. (If you run the Connect-Graph and Get-MgUser commands by invoking these commands one by one in a PowerShell console, or dot-sourcing the same script (. .\test.ps1), these commands succeed and the issue does not repro.)

As a workaround, inserting the following line immediately after Connect-Graph invocation fixes the problem:

$global:GraphAuthConfigId = $GraphAuthConfigId

While debugging this, we noticed that Get-MgUser cannot find the GraphAuthConfigId variable, even though it is definitely initialized by Connect-Graph. We can even print it out from the script scope, and the content looks correct. I suspect the variable is created in a way that makes it invisible in the Get-MgUser function scope, and this is why copying it into the global scope helps. Perhaps this should be fixed in the code that creates the variable.

@ghost ghost added the ToTriage label Feb 18, 2020
@AnatoliB
Author

The variable is initialized at:

SessionState.PSVariable.Set(Constants.GraphAuthConfigId, authConfig);

Perhaps a PSVariable object should be created with a constructor that takes ScopedItemOptions, passing something like ScopedItemOptions.AllScope. I haven't tried this fix, just an idea.
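The scoping behaviour described in this report, as an added illustration that is not part of the issue thread or the SDK's code: a module function cannot see a variable that exists only in the calling script's scope, and copying it to the global scope makes it visible. `Test-AuthConfigVisible`, the `ScopeDemo` module and the sample value are hypothetical stand-ins, and the sketch assumes a fresh session with no global `GraphAuthConfigId` already set.

```powershell
# Stand-in for a module command such as Get-MgUser. Test-AuthConfigVisible is a
# hypothetical name; the lookup is an ordinary unqualified variable read.
New-Module -Name ScopeDemo -ScriptBlock {
    function Test-AuthConfigVisible {
        # Lookup chain from here: function scope -> module scope -> global scope.
        # The scope of the script that called this function is not on that chain.
        $null -ne $GraphAuthConfigId
    }
} | Import-Module

# "& { ... }" runs in a new child scope, as ".\test.ps1" or "& .\test.ps1" does.
$withoutWorkaround = & {
    # Plain assignment stands in for the variable Connect-Graph creates;
    # it lands in this child scope only.
    $GraphAuthConfigId = 'constructed-sample-value'
    Test-AuthConfigVisible
}

$withWorkaround = & {
    $GraphAuthConfigId = 'constructed-sample-value'
    # Workaround from the issue: copy the value into the global scope,
    # which is on the module function's lookup chain.
    $global:GraphAuthConfigId = $GraphAuthConfigId
    Test-AuthConfigVisible
}

"Visible to module function without workaround: $withoutWorkaround"
"Visible to module function with workaround:    $withWorkaround"

# Remove the demo's global variable and module so the session is left clean.
Remove-Variable -Name GraphAuthConfigId -Scope Global -ErrorAction SilentlyContinue
Remove-Module -Name ScopeDemo
```

Note that the workaround leaves the authentication configuration readable by every script and module in the session until it is removed.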

@ghost ghost removed the ToTriage label Feb 19, 2020
@darrelmiller
Contributor

Hey @peombwa, could you take a look at this? It is blocking usage in Azure Functions. Thanks.

@AnatoliB
Author

Please let us know if you have any ETA on this.
