Nov 15 2016 04:25 AM
If I try to connect with Azure AD OAuth 2.0 using Connect-PnPMicrosoftGraph it gives error. Please see following:
#Connect to Azure AD and get back an OAuth 2.0 Access Token
Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All","User.Read.All"
#Store the Access Token in a local variable
$accessToken= Get-PnPAccessToken
#Create a new office 365 Unified Group, together with the corresponding Model Site in SPO
$group = New-PnPUnifiedGroup -DisplayName "Pnp Demo 3" -Description "Pnp Demo 3" -MailNickname "pnp-demo-3" -Members "myemail@mycompany.com"
Error:
WARNING: The Azure AD OAuth 2.0 Access Token has expired. Authenticate again using the Connect-PnPMicrosoftGraph cmdlet.
New-PnPUnifiedGroup : Value cannot be null.
Parameter name: accessToken
At line:9 char:10
+ $group = New-PnPUnifiedGroup -DisplayName "Pnp Demo 3" -Description " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-PnPUnifiedGroup], ArgumentNullException
+ FullyQualifiedErrorId : System.ArgumentNullException,SharePointPnP.PowerShell.Commands.Graph.NewPnPUnifiedGroup
Since access token is expiring quite often, what is the best way to increase the expiry time?
Nov 21 2016 03:57 AM
Please can you help. The only solution I can imagine is to keep re-trying to connect in order to get new access token.
Nov 23 2016 04:18 AM
Hi @Umair Naeem,
Interesting question. I've had a play around with this and I got the following results.
First I started debugging the Connect-PnPMicrosoftGraph Cmdlet. I used different accounts and different tenants.
First one of our production tenants. I connected with my admin account and I found that the expiry time on the authentication request was instant.
Then I repeated my test and I found that the authentication expired in 1 hour from the moment of requesting the access.
Ok, so there seems to be an issue here to do with expiring tokens.
@Vesa Juvonen, where is the expiry for these access tokens retrieved from? It looks like Microsoft Graph uses different expiry times for different tenants. Or is this simply a matter of access denied defaulting the expiry to now?
Nov 23 2016 11:18 PM
Code uses pretty much the MSAL as such and just stores the access token after the user signs in for the next operations, so there's no additional magic around the expiration. Code for the signing in is in the following file in GitHub. Most likely the issue was a failure of authentication or the user did not have sufficient permissions for the requested scopes.
I'll also ping Paolo around this using different channels, if he has anything to add or has seen the same behaviour.
Nov 24 2016 12:04 AM
Hi,
The Warning message is managed by the implementation in Core, and it could be that we have a bug related to timezones (I will double-check it, just in case). However, most likely the exception you see is not necessarily related to the token lifetime, but to a lack of proper permissions for the user or to a known bug of the New-PnPUnifiedGroup cmdlet. We are already aware of that bug and it has already been fixed in the DEV branch of Core. The fix will be included in the next monthly release of Core.
About the tokens' lifetime, by default an access token released by Azure AD lasts 1 hour and a refresh token lasts 14 days. However, you can use the refresh token to create a new access token (and a new refresh token, too) for up to 90 days. Then you will have to re-authenticate.
Nevertheless, an access/refresh token can expire suddenly, for example if the user changes her/his password, and because of some other happenings. Thus, we cannot rely on them and sometimes we could have to re-authenticate.
We're thinking about refactoring the Connect-PnPMicrosoftGraph cmdlet a little bit, eventually merging it with Connect-PnPOnline, in order to support refresh tokens (which are not supported right now) and to provide re-authentication capabilities, but we are still "working on it". Stay tuned ...
Thanks,
Paolo
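The two observations above (Pieter's "instant" expiry on one tenant, and Paolo's point that the error is more likely a scope or permission problem than a real lifetime problem, with no refresh-token support in the cmdlet) can both be checked from the client side by reading the claims of the token that Get-PnPAccessToken hands back. The following is an added example, not code from the thread or from the PnP project. It assumes the 2016-era SharePointPnPPowerShell module is loaded, that Get-PnPAccessToken returns the raw access token as a JWT string, and a .NET 4.6 or later runtime for [DateTimeOffset]::FromUnixTimeSeconds; the function names ConvertFrom-JwtPayload, Test-PnPGraphToken and Invoke-WithPnPGraphToken are my own. It only reads the payload; it does not validate the signature, so it is a diagnostic and a pre-flight check, never an authorization decision.

```powershell
# Added example, not from the thread or the PnP project. Assumes Get-PnPAccessToken returns
# the raw JWT string (three dot-separated base64url parts) and .NET 4.6+ is available.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Token is not a JWT" }
    # base64url -> base64: swap the URL-safe characters and restore the padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Test-PnPGraphToken {
    param(
        [string[]]$RequiredScopes = @('Group.ReadWrite.All'),
        [int]$MinimumMinutesLeft = 5
    )
    $token = Get-PnPAccessToken
    if ([string]::IsNullOrEmpty($token)) { return $false }   # the 'Value cannot be null' case
    $claims = ConvertFrom-JwtPayload -Token $token
    # 'exp' is seconds since the Unix epoch in UTC; compare in UTC so local timezone cannot skew it
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    $left = $expires - [DateTimeOffset]::UtcNow
    Write-Verbose ("Token expires {0:u} ({1:N0} minutes left)" -f $expires.UtcDateTime, $left.TotalMinutes)
    if ($left.TotalMinutes -lt $MinimumMinutesLeft) { return $false }
    # 'scp' is the space-separated list of delegated scopes that were actually granted
    $granted = @()
    if ($claims.scp) { $granted = $claims.scp -split ' ' }
    $missing = $RequiredScopes | Where-Object { $granted -notcontains $_ }
    if ($missing) {
        Write-Warning ("Token lacks scope(s): {0}. Granted: {1}" -f ($missing -join ', '), ($granted -join ' '))
        return $false
    }
    return $true
}

function Invoke-WithPnPGraphToken {
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [string[]]$Scopes = @('Group.ReadWrite.All', 'User.Read.All')
    )
    if (-not (Test-PnPGraphToken -RequiredScopes $Scopes)) {
        # No refresh-token support in this version of the cmdlet, so re-sign-in interactively
        Connect-PnPMicrosoftGraph -Scopes $Scopes
        if (-not (Test-PnPGraphToken -RequiredScopes $Scopes)) {
            throw "Could not obtain a usable Graph access token with scopes: $($Scopes -join ', ')"
        }
    }
    & $Action
}

# Usage: the group creation from the first post, wrapped so that an expired or under-scoped
# token is reported before New-PnPUnifiedGroup runs instead of surfacing as 'Value cannot be null'.
$group = Invoke-WithPnPGraphToken -Action {
    New-PnPUnifiedGroup -DisplayName "Pnp Demo 3" -Description "Pnp Demo 3" -MailNickname "pnp-demo-3" -Members "myemail@mycompany.com"
}
```

Run with -Verbose on Test-PnPGraphToken to see the UTC expiry the token actually carries; if it is already in the past the moment Connect-PnPMicrosoftGraph returns, the sign-in itself failed, and if exp is fine but scp does not list Group.ReadWrite.All, the account was never granted the scope, which is the permissions case Paolo describes. Keep the decoded claims out of logs that are shared, since the token string is a bearer credential.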
Nov 24 2016 01:32 AM
Hi @Paolo Pialorsi, @Vesa Juvonen
I think the problem is to do with permissions. My user account isn't a global admin in Azure AD.
I will get this changed and then I'll report back.
Thanks for your help.
Nov 24 2016 02:08 AM
Hi Pieter,
In order to create a Unified Group you simply need "Group.ReadWrite.All" scope.
Nov 24 2016 02:32 AM - edited Nov 24 2016 03:33 AM
Hi @Paolo Pialorsi,
Ok, I'm getting there now. I'm global admin in Azure AD. Please let me know what I should do to get Group.ReadWrite.All scope. I'm still quite new to Azure AD and Unified Groups. (Who isn't?)
Nov 24 2016 03:54 AM
Hi Pieter,
The scope has to be provided as an input argument to the Connect-PnPMicrosoftGraph cmdlet. Something like:
Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All"
Bye,
Paolo
Nov 24 2016 04:44 AM - edited Nov 24 2016 04:52 AM
Hi @Paolo Pialorsi,
Ok, understood. As I've been using the PowerShell commands that wouldn't be something that I need to do as I was already using this scope in the command. So that is fine.
Weird thing now is that since I made my corporate account a global admin things are working. Even though I've now taken the global Admin rights away again it's still working and I can't make this fail anymore.
I've also tried the same procedure with my MSDN account and I can't make this work. Anyway, my problem seems to be resolved now, however I'm quite confused as to why it's working.
Thanks for your help.
Dec 08 2016 09:22 AM
@Paolo Pialorsi Can you be more specific with the problem using New-PnPUnifiedGroup? I was also wondering if we use this command, is the Team Site being created automagically?
Dec 08 2016 09:29 AM
Mar 23 2017 05:27 AM
@Paolo Pialorsi, Do you know when support for refresh tokens is in the planning?
Sep 18 2017 09:24 AM - edited Sep 18 2017 09:26 AM
We are using
Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All","User.Read.All"
to provision sites with SharePoint Administrator but we receive the following error.
Requesting global Admin credentials.
We can't use Global Admin. Could you give us some clue about the error? @Paolo Pialorsi
Thanks
Jan 25 2018 02:34 PM
Jan 25 2018 02:53 PM
Global Admin :(
Jan 29 2018 09:02 AM
Thanks! That is what I suspected.