Describe the bug
Bug Report: Microsoft Graph PowerShell SDK Authentication Issue
Describe the bug
The Get-MgDirectoryAdministrativeUnitMemberAsGroup cmdlet fails with an authentication token decoding error when using tokens obtained from Azure PowerShell (Get-AzAccessToken)
Error Message
##[error][InvalidAuthenticationToken] : IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
Status: 401 (Unauthorized)
ErrorCode: InvalidAuthenticationToken
Expected behavior
The cmdlet should successfully authenticate using the Azure PowerShell token and return the group members of the specified Administrative Unit.
How to reproduce
Connect-AzAccount
$token = (Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop).token
if ((Get-Help Connect-MgGraph -Parameter accesstoken).type.name -eq "securestring") {
$token = ConvertTo-SecureString $token -AsPlainText -Force
}
$null = Connect-MgGraph -AccessToken $token -ErrorAction Stop
$AU_ID = "1677a2db-4e88-4254-b1ec-7fde77471925"
$AdminUnitGroups = Get-MgDirectoryAdministrativeUnitMemberAsGroup -AdministrativeUnitId $AU_ID SDK Version
2.28.0
Latest version known to work for scenario above?
2.27.0
Known Workarounds
Use rest API
Debug output
Click to expand log
```powershell
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/v1.0/directory/administrativeUnits/24a4eff3-0799-43b5-b368-ab15596e14d5/members/microsoft.graph.group
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-US),PowerShell/7.4.10
Accept-Encoding : gzip,deflate,br
SdkVersion : graph-powershell/2.28.0,
client-request-id : 067a885e-c8a1-4843-aac1-1ff1d5575eeb
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Unauthorized
Headers:
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 2ecb1658-d751-4d10-b052-1ec3eb70e612
client-request-id : 067a885e-c8a1-4843-aac1-1ff1d5575eeb
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF00053774"}}
WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="***
Date : Mon, 09 Jun 2025 09:03:32 GMT
Body:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.",
"innerError": {
"date": "2025-06-09T09:03:32",
"request-id": "2ecb1658-d751-4d10-b052-1ec3eb70e612",
"client-request-id": "067a885e-c8a1-4843-aac1-1ff1d5575eeb"
}
}
}
</details>
### Configuration
We are using latest ubuntu and windows-2025 pools for Azure DevOps
```powershell
Key : PSVersion
Value : 7.4.10
Name : PSVersion
Key : PSEdition
Value : Core
Name : PSEdition
Key : GitCommitId
Value : 7.4.10
Name : GitCommitId
Key : OS
Value : Microsoft Windows 10.0.26100
Name : OS
Key : Platform
Value : Win32NT
Other information
No response
Describe the bug
Bug Report: Microsoft Graph PowerShell SDK Authentication Issue
Describe the bug
The
Get-MgDirectoryAdministrativeUnitMemberAsGroupcmdlet fails with an authentication token decoding error when using tokens obtained from Azure PowerShell (Get-AzAccessToken)Error Message
Expected behavior
The cmdlet should successfully authenticate using the Azure PowerShell token and return the group members of the specified Administrative Unit.
How to reproduce
SDK Version
2.28.0
Latest version known to work for scenario above?
2.27.0
Known Workarounds
Use rest API
Debug output
Click to expand log
```powershell DEBUG: ============================ HTTP REQUEST ============================HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/v1.0/directory/administrativeUnits/24a4eff3-0799-43b5-b368-ab15596e14d5/members/microsoft.graph.group
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-US),PowerShell/7.4.10
Accept-Encoding : gzip,deflate,br
SdkVersion : graph-powershell/2.28.0,
client-request-id : 067a885e-c8a1-4843-aac1-1ff1d5575eeb
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Unauthorized
Headers:
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 2ecb1658-d751-4d10-b052-1ec3eb70e612
client-request-id : 067a885e-c8a1-4843-aac1-1ff1d5575eeb
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF00053774"}}
WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="***
Date : Mon, 09 Jun 2025 09:03:32 GMT
Body:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.",
"innerError": {
"date": "2025-06-09T09:03:32",
"request-id": "2ecb1658-d751-4d10-b052-1ec3eb70e612",
"client-request-id": "067a885e-c8a1-4843-aac1-1ff1d5575eeb"
}
}
}
Other information
No response