Forum Discussion

Umair Naeem's avatar
Umair Naeem
Copper Contributor
Nov 15, 2016
Solved

Connect-PnPMicrosoftGraph - Azure AD OAuth 2.0 Access Token has expired

If I try to connect with Azure AD OAuth 2.0 using Connect-PnPMicrosoftGraph it gives error. Please see following:   #Connect to Azure AD and get back an OAuth 2.0 Access Token Connect-PnPMicrosoft...
PnP
  • Paolo Pialorsi's avatar
    Paolo Pialorsi
    Nov 24, 2016

    Hi,

    The Warning message is managed by the implementation in Core, and could be that we have a bug related to timezones (I will double-check it, just in case). However, most likely the exception you see is not necessarily related to the token lifetime, but to a lack of proper permissions for the user or to a known bug of the New-PnPUnifiedGroup cmdlet. We are already aware of that bug and it has already been fixed in the DEV branch of Core. The fix will be included in the next monthly release of Core.

     

    About the tokens lifetime, by default an access token released by Azure AD lasts in 1 hour and a refresh token lasts in 14 days. However, you can use the refresh token to create a new access token (and a new refresh token, too) for up to 90 days. Then you will have to re-authenticate.

    Nevertheless, an access/refresh token can expire suddenly, for example if the user changes her/his password, and because of some other happenings. Thus, we cannot rely on them and sometime we could have to re-authenticate.

     

    We're thinking about refactoring a little bit the Connect-PnPMicrosoftGraph cmdlet, eventually merging it with Connect-PnPOnline, in order to support refresh tokens (which are not supported right now) and providing re-authentication capabilities, but we are still "working on it". Stay tuned ...

     

    Thanks,
    Paolo

Pieter Veenstra's avatar
Pieter Veenstra
MVP
Nov 23, 2016

Hi Umair Naeem,

 

Interesteresting question. I've had a play around with this and I got the following results.

 

First I started debugging the Connect-PnPMicrosoftGraph Cmdlet. I used different accounts and different tenants.

 

First one of our prodcution tenants. I connected ith my admin accouont and I foudn that the expiry time on the authentiction request was instant.

 

 

 

Then I repeted my test nd I found tht the authetication expired in 1 hour from the moment of requesting the access.

 

 

 

Ok, so there seems to be an issue here to do with expiring tokens.

 

VesaJuvonen, where is the expiry for these access tokens retrieved from? It looks like Microsoft Graph uses different expiry times for differnt tenants. Or is this simply a matter of access denied defaulting the expiry to now?

 

 

 

 

VesaJuvonen's avatar
VesaJuvonen
Icon for Microsoft rankMicrosoft
Nov 24, 2016

Code uses pretty much the MSAL as such and just stores the access token after user signing in for the next operations, so there's no additional magic around the expiration. Code for the signing in is in following file in the GitHub. Most likely issue was failure of authentication or the user did not had sufficient permissions for the requested scopes.

 

 

I'll also ping Paolo around this using different channels, if he has anything to add or has seen the same behaviour.

 

Resources