SOLVED

Connect-PnPMicrosoftGraph - Azure AD OAuth 2.0 Access Token has expired

Copper Contributor

If I try to connect with Azure AD OAuth 2.0 using Connect-PnPMicrosoftGraph it gives error. Please see following:

 

#Connect to Azure AD and get back an OAuth 2.0 Access Token

Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All","User.Read.All"

 

#Store the Access Token in a local variable

$accessToken= Get-PnPAccessToken

 

#Create a new office 365 Unified Group, together with the corresponding Model Site in SPO

$group = New-PnPUnifiedGroup -DisplayName "Pnp Demo 3" -Description "Pnp Demo 3" -MailNickname "pnp-demo-3" -Members "myemail@mycompany.com"

 

Error:

WARNING: The Azure AD OAuth 2.0 Access Token has expired. Authenticate again using the Connect-PnPMicrosoftGraph cmdlet.

New-PnPUnifiedGroup : Value cannot be null.

Parameter name: accessToken

At line:9 char:10

+ $group = New-PnPUnifiedGroup -DisplayName "Pnp Demo 3" -Description " ...

+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 + CategoryInfo         : NotSpecified: (:) [New-PnPUnifiedGroup], ArgumentNullException

   + FullyQualifiedErrorId : System.ArgumentNullException,SharePointPnP.PowerShell.Commands.Graph.NewPnPUnifiedGroup

 

Since access token is expiring quite often, what is the best way to increase the expiry time?

16 Replies

@Vesa Juvonen,

 

Please can you help. The only solution I can imagine is to keep re-trying  to connect in order to get new access token.

Hi @Umair Naeem,

 

Interesteresting question. I've had a play around with this and I got the following results.

 

First I started debugging the Connect-PnPMicrosoftGraph Cmdlet. I used different accounts and different tenants.

 

First one of our prodcution tenants. I connected ith my admin accouont and I foudn that the expiry time on the authentiction request was instant.

 

 

AuthenticationExpiry.PNG

 

Then I repeted my test nd I found tht the authetication expired in 1 hour from the moment of requesting the access.

 

AuthenticationExpiry2.PNG

 

 

Ok, so there seems to be an issue here to do with expiring tokens.

 

@Vesa Juvonen, where is the expiry for these access tokens retrieved from? It looks like Microsoft Graph uses different expiry times for differnt tenants. Or is this simply a matter of access denied defaulting the expiry to now?

 

 

 

 

Code uses pretty much the MSAL as such and just stores the access token after user signing in for the next operations, so there's no additional magic around the expiration. Code for the signing in is in following file in the GitHub. Most likely issue was failure of authentication or the user did not had sufficient permissions for the requested scopes.

 

 

I'll also ping Paolo around this using different channels, if he has anything to add or has seen the same behaviour.

 

best response confirmed by Umair Naeem (Copper Contributor)
Solution

Hi,

The Warning message is managed by the implementation in Core, and could be that we have a bug related to timezones (I will double-check it, just in case). However, most likely the exception you see is not necessarily related to the token lifetime, but to a lack of proper permissions for the user or to a known bug of the New-PnPUnifiedGroup cmdlet. We are already aware of that bug and it has already been fixed in the DEV branch of Core. The fix will be included in the next monthly release of Core.

 

About the tokens lifetime, by default an access token released by Azure AD lasts in 1 hour and a refresh token lasts in 14 days. However, you can use the refresh token to create a new access token (and a new refresh token, too) for up to 90 days. Then you will have to re-authenticate.

Nevertheless, an access/refresh token can expire suddenly, for example if the user changes her/his password, and because of some other happenings. Thus, we cannot rely on them and sometime we could have to re-authenticate.

 

We're thinking about refactoring a little bit the Connect-PnPMicrosoftGraph cmdlet, eventually merging it with Connect-PnPOnline, in order to support refresh tokens (which are not supported right now) and providing re-authentication capabilities, but we are still "working on it". Stay tuned ...

 

Thanks,
Paolo

Hi @Paolo Pialorsi@Vesa Juvonen

I think the problem is to do with permissions. My user account isn't a global admin in Azure AD.

I will get this chnaged and then I'll report back.

 

Thanks for your help.

Hi Pieter,

In order to create a Unified Group you simply need "Group.ReadWrite.All" scope.

Hi @Paolo Pialorsi,

 

Ok, I'm getting there now. I'm global admin in Azure AD. Please let me know what I should do to get Group.ReadWrite.All scope. I'm still quite new to Azure AD and Unified Groups. (Who isn't?)

 

 

 

 

 

Hi Pieter,

The scope has to be provided as an input argument to the Connect-PnPMicrosoftGraph cmdlet. Something like:

 

Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All"

 

Bye,

Paolo

@Hi @Paolo Pialorsi,

 

Ok, understood. As I've been using the PowerShell commands that wouldn't be somethign that I need to do as I waass already using this scope in the command. So that is fine.

 

Weird thing now is that since I made my corporate account a global admin things are working. Even though I've now taken the global Admin rights away again it's still working and I can't make this fail anymore.

 

I've also tried the same procedure with my MSDN account and I can't make this work. Anyway, my problem seems  to be resolved now, however I'm quite confused as to why it's working.

 

thanks for your help. 

 

 

@Paolo Pialorsi Can you be more specific with the problem using New-PnPUnifiedGroup? I was also wondering if we use this command, is the Team Site being created automagically?

@Paolo Pialorsi, Do you know when support for refresh tokens is in the planning?

We are using

Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All","User.Read.All"

to provisioning sites with SharePoint Administrator but we receive following error.

Untitled.png

Requestign global Admin credentials.

we can't use Global Admin. Could you give us some clue about error? @Paolo Pialorsi

Thanks

Did you find out what permissions are needed?

Thanks! That is what I suspected.

1 best response

Accepted Solutions
best response confirmed by Umair Naeem (Copper Contributor)
Solution

Hi,

The Warning message is managed by the implementation in Core, and could be that we have a bug related to timezones (I will double-check it, just in case). However, most likely the exception you see is not necessarily related to the token lifetime, but to a lack of proper permissions for the user or to a known bug of the New-PnPUnifiedGroup cmdlet. We are already aware of that bug and it has already been fixed in the DEV branch of Core. The fix will be included in the next monthly release of Core.

 

About the tokens lifetime, by default an access token released by Azure AD lasts in 1 hour and a refresh token lasts in 14 days. However, you can use the refresh token to create a new access token (and a new refresh token, too) for up to 90 days. Then you will have to re-authenticate.

Nevertheless, an access/refresh token can expire suddenly, for example if the user changes her/his password, and because of some other happenings. Thus, we cannot rely on them and sometime we could have to re-authenticate.

 

We're thinking about refactoring a little bit the Connect-PnPMicrosoftGraph cmdlet, eventually merging it with Connect-PnPOnline, in order to support refresh tokens (which are not supported right now) and providing re-authentication capabilities, but we are still "working on it". Stay tuned ...

 

Thanks,
Paolo

View solution in original post