Forum Discussion
Connect-PnPMicrosoftGraph - Azure AD OAuth 2.0 Access Token has expired
If I try to connect with Azure AD OAuth 2.0 using Connect-PnPMicrosoftGraph it gives error. Please see following:
#Connect to Azure AD and get back an OAuth 2.0 Access Token
Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All","User.Read.All"
#Store the Access Token in a local variable
$accessToken= Get-PnPAccessToken
#Create a new office 365 Unified Group, together with the corresponding Model Site in SPO
$group = New-PnPUnifiedGroup -DisplayName "Pnp Demo 3" -Description "Pnp Demo 3" -MailNickname "pnp-demo-3" -Members "myemail@mycompany.com"
Error:
WARNING: The Azure AD OAuth 2.0 Access Token has expired. Authenticate again using the Connect-PnPMicrosoftGraph cmdlet.
New-PnPUnifiedGroup : Value cannot be null.
Parameter name: accessToken
At line:9 char:10
+ $group = New-PnPUnifiedGroup -DisplayName "Pnp Demo 3" -Description " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-PnPUnifiedGroup], ArgumentNullException
+ FullyQualifiedErrorId : System.ArgumentNullException,SharePointPnP.PowerShell.Commands.Graph.NewPnPUnifiedGroup
Since access token is expiring quite often, what is the best way to increase the expiry time?
Hi,
The Warning message is managed by the implementation in Core, and could be that we have a bug related to timezones (I will double-check it, just in case). However, most likely the exception you see is not necessarily related to the token lifetime, but to a lack of proper permissions for the user or to a known bug of the New-PnPUnifiedGroup cmdlet. We are already aware of that bug and it has already been fixed in the DEV branch of Core. The fix will be included in the next monthly release of Core.
About the tokens lifetime, by default an access token released by Azure AD lasts in 1 hour and a refresh token lasts in 14 days. However, you can use the refresh token to create a new access token (and a new refresh token, too) for up to 90 days. Then you will have to re-authenticate.
Nevertheless, an access/refresh token can expire suddenly, for example if the user changes her/his password, and because of some other happenings. Thus, we cannot rely on them and sometime we could have to re-authenticate.
We're thinking about refactoring a little bit the Connect-PnPMicrosoftGraph cmdlet, eventually merging it with Connect-PnPOnline, in order to support refresh tokens (which are not supported right now) and providing re-authentication capabilities, but we are still "working on it". Stay tuned ...
Thanks,
Paolo
16 Replies
Hi,
The Warning message is managed by the implementation in Core, and could be that we have a bug related to timezones (I will double-check it, just in case). However, most likely the exception you see is not necessarily related to the token lifetime, but to a lack of proper permissions for the user or to a known bug of the New-PnPUnifiedGroup cmdlet. We are already aware of that bug and it has already been fixed in the DEV branch of Core. The fix will be included in the next monthly release of Core.
About the tokens lifetime, by default an access token released by Azure AD lasts in 1 hour and a refresh token lasts in 14 days. However, you can use the refresh token to create a new access token (and a new refresh token, too) for up to 90 days. Then you will have to re-authenticate.
Nevertheless, an access/refresh token can expire suddenly, for example if the user changes her/his password, and because of some other happenings. Thus, we cannot rely on them and sometime we could have to re-authenticate.
We're thinking about refactoring a little bit the Connect-PnPMicrosoftGraph cmdlet, eventually merging it with Connect-PnPOnline, in order to support refresh tokens (which are not supported right now) and providing re-authentication capabilities, but we are still "working on it". Stay tuned ...
Thanks,
PaoloPaolo Pialorsi, Do you know when support for refresh tokens is in the planning?
Ada Galilea GranadosMicrosoft
We are using
Connect-PnPMicrosoftGraph -Scopes "Group.ReadWrite.All","User.Read.All"
to provisioning sites with SharePoint Administrator but we receive following error.
Requestign global Admin credentials.
we can't use Global Admin. Could you give us some clue about error? Paolo Pialorsi
Thanks
Paolo Pialorsi Can you be more specific with the problem using New-PnPUnifiedGroup? I was also wondering if we use this command, is the Team Site being created automagically?
Hi Paolo Pialorsi, VesaJuvonen
I think the problem is to do with permissions. My user account isn't a global admin in Azure AD.
I will get this chnaged and then I'll report back.
Thanks for your help.
Hi Pieter,
In order to create a Unified Group you simply need "Group.ReadWrite.All" scope.
Please can you help. The only solution I can imagine is to keep re-trying to connect in order to get new access token.
Hi Umair Naeem,
Interesteresting question. I've had a play around with this and I got the following results.
First I started debugging the Connect-PnPMicrosoftGraph Cmdlet. I used different accounts and different tenants.
First one of our prodcution tenants. I connected ith my admin accouont and I foudn that the expiry time on the authentiction request was instant.
Then I repeted my test nd I found tht the authetication expired in 1 hour from the moment of requesting the access.
Ok, so there seems to be an issue here to do with expiring tokens.
VesaJuvonen, where is the expiry for these access tokens retrieved from? It looks like Microsoft Graph uses different expiry times for differnt tenants. Or is this simply a matter of access denied defaulting the expiry to now?
- VesaJuvonen
Code uses pretty much the MSAL as such and just stores the access token after user signing in for the next operations, so there's no additional magic around the expiration. Code for the signing in is in following file in the GitHub. Most likely issue was failure of authentication or the user did not had sufficient permissions for the requested scopes.
I'll also ping Paolo around this using different channels, if he has anything to add or has seen the same behaviour.
