Forum Discussion
Connect-PnPMicrosoftGraph - Azure AD OAuth 2.0 Access Token has expired
- Nov 24, 2016
Hi,
The Warning message is managed by the implementation in Core, and it could be that we have a bug related to timezones (I will double-check it, just in case). However, most likely the exception you see is not necessarily related to the token lifetime, but to a lack of proper permissions for the user or to a known bug of the New-PnPUnifiedGroup cmdlet. We are already aware of that bug and it has already been fixed in the DEV branch of Core. The fix will be included in the next monthly release of Core.
About the token lifetime, by default an access token released by Azure AD lasts 1 hour and a refresh token lasts 14 days. However, you can use the refresh token to create a new access token (and a new refresh token, too) for up to 90 days. Then you will have to re-authenticate.
Nevertheless, an access/refresh token can expire suddenly, for example if the user changes her/his password, or because of some other events. Thus, we cannot rely on them and sometimes we could have to re-authenticate.
We're thinking about refactoring the Connect-PnPMicrosoftGraph cmdlet a little bit, eventually merging it with Connect-PnPOnline, in order to support refresh tokens (which are not supported right now) and to provide re-authentication capabilities, but we are still "working on it". Stay tuned ...
Thanks,
Paolo
Hi Paolo Pialorsi, VesaJuvonen
I think the problem is to do with permissions. My user account isn't a global admin in Azure AD.
I will get this changed and then I'll report back.
Thanks for your help.
Hi Pieter,
In order to create a Unified Group you simply need "Group.ReadWrite.All" scope.
- Nov 24, 2016
Hi Paolo Pialorsi,
Ok, understood. As I've been using the PowerShell commands, that wouldn't be something that I need to do, as I was already using this scope in the command. So that is fine.
Weird thing now is that since I made my corporate account a global admin things are working. Even though I've now taken the global Admin rights away again it's still working and I can't make this fail anymore.
I've also tried the same procedure with my MSDN account and I can't make this work. Anyway, my problem seems to be resolved now, however I'm quite confused as to why it's working.
Thanks for your help.
- Nov 24, 2016
Hi Paolo Pialorsi,
Ok, I'm getting there now. I'm global admin in Azure AD. Please let me know what I should do to get Group.ReadWrite.All scope. I'm still quite new to Azure AD and Unified Groups. (Who isn't?)
- Nov 24, 2016
Hi Pieter,
The scope has to be provided as an input argument to the Connect-PnPMicrosoftGraph cmdlet. Something like:
Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All"
Bye,
Paolo
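The token lifetime Paolo describes earlier in the thread and the scope he asks for in his last reply can both be checked directly on the token. The following is an added example (not code from the thread or from the PnP project) that decodes the access token's claims to tell a genuinely expired token apart from a token that lacks the Group.ReadWrite.All scope; the JWT decoding helpers and the constructed sample token are assumptions of the example, not PnP cmdlets.

```powershell
# Added example (not from the thread or the PnP project). Assumes a delegated Azure AD
# access token (a JWT) in $Token; the signature is deliberately not verified, this is
# client-side diagnosis, not resource-server validation.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding; restore plain base64 before decoding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphToken {
    param([Parameter(Mandatory)][string]$Token, [string]$RequiredScope = 'Group.ReadWrite.All')
    $claims = ConvertFrom-JwtPayload -Token $Token
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    # Delegated tokens carry granted scopes space-separated in 'scp'; app-only tokens use 'roles'
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }
    if ($claims.roles) { $granted += @($claims.roles) }
    [pscustomobject]@{
        ExpiresUtc       = $expiry
        Expired          = $expiry -le [DateTime]::UtcNow
        HasRequiredScope = $granted -contains $RequiredScope
        GrantedScopes    = $granted -join ' '
    }
}

# Constructed sample token (unsigned, built here only to exercise the checks): it expired an
# hour ago and was issued with Group.Read.All only, so both checks fail.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud = 'https://graph.microsoft.com'
    scp = 'Group.Read.All User.Read'
    exp = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() - 3600
} | ConvertTo-Json -Compress
$sample = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}') + '.' + (ConvertTo-Base64Url $payload) + '.'

$check = Test-GraphToken -Token $sample
$check | Format-List
if ($check.Expired -or -not $check.HasRequiredScope) {
    # Re-authenticate the way Paolo shows, requesting the scope New-PnPUnifiedGroup needs:
    # Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All"
    Write-Warning 'Token unusable for New-PnPUnifiedGroup: reconnect with Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All"'
}
```

Run it against the token you actually hold by passing it to Test-GraphToken instead of $sample; an unexpired token without the required scope points at permissions, which is the case the thread ended up diagnosing.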