
No Authentication Prompt for connect-mggraph #3034

Open
pedrr opened this issue Nov 20, 2024 · 3 comments
Labels
status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience

Comments

@pedrr

pedrr commented Nov 20, 2024

Describe the bug

I try to use the normal authentication with connect-mggraph, but the Authentication Prompt does not show (neither the browser nor the WebView2).

```
$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.6
PSEdition                      Core
GitCommitId                    7.4.6
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

Expected behavior

It should show some authentication prompt.

How to reproduce

run connect-mggraph

SDK Version

No response

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

```
ModuleType Version PreRelease Name                              ExportedCommands
---------- ------- ---------- ----                              ----------------
Script     2.24.0             Microsoft.Graph.Authentication    {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}
Manifest   7.0.0.0            Microsoft.PowerShell.Management   {Add-Content, Clear-Content, Clear-Item, Clear-ItemProperty…}
Manifest   7.0.0.0            Microsoft.PowerShell.Security     {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature…}
Manifest   7.0.0.0            Microsoft.PowerShell.Utility      {Add-Member, Add-Type, Clear-Variable, Compare-Object…}
Script     0.2.0              PowerShellEditorServices.Commands {Clear-Host, ConvertFrom-ScriptExtent, ConvertTo-ScriptExtent, Find-Ast…}
Script     2.4.0   beta0      PSReadLine                        {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PSReadLineKeyHandler, Set-PSReadLineKeyHandler…}
```

Configuration

No response

Other information

```
DEBUG: DeviceCodeCredential.Authenticate invoked. Scopes: [ User.Read ] ParentRequestId:
DEBUG: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.10 Microsoft Windows 10.0.26100 [2024-11-20 13:03:10Z - 3d912935-43cd-4787-874f-07e3b48317ca] MSAL MSAL.NetCore with assembly version '4.61.3.0'. CorrelationId(3d912935-43cd-4787-874f-07e3b48317ca)
DEBUG: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.10 Microsoft Windows 10.0.26100 [2024-11-20 13:03:10Z - 3d912935-43cd-4787-874f-07e3b48317ca]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenByDeviceCode
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 3d912935-43cd-4787-874f-07e3b48317ca
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.10 Microsoft Windows 10.0.26100 [2024-11-20 13:03:10Z - 3d912935-43cd-4787-874f-07e3b48317ca] === Token Acquisition (DeviceCodeRequest) started:
Scopes: User.Read
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.10 Microsoft Windows 10.0.26100 [2024-11-20 13:03:10Z - 3d912935-43cd-4787-874f-07e3b48317ca] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.10 Microsoft Windows 10.0.26100 [2024-11-20 13:03:10Z - 3d912935-43cd-4787-874f-07e3b48317ca] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.10 Microsoft Windows 10.0.26100 [2024-11-20 13:03:10Z - 3d912935-43cd-4787-874f-07e3b48317ca] Fetching instance discovery from the network from host login.microsoftonline.com.
DEBUG: Request [5db5c174-55dd-42cd-a92a-706f012b2083] GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:5db5c174-55dd-42cd-a92a-706f012b2083
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.11.4 (.NET 8.0.10; Microsoft Windows 10.0.26100)
client assembly: Azure.Identity
```

@pedrr pedrr added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Nov 20, 2024
@pedrr pedrr changed the title On Authentication Prompot No Authentication Prompt for connect-mggraph Nov 20, 2024
@zaaj

zaaj commented Nov 20, 2024

From my experience using the Microsoft.Graph.* modules, I've seen that if you perform Connect-MgGraph, then close the PowerShell window it was run from, or reboot, or even hibernate a laptop that window is in, or perhaps perform other actions that can interrupt the current "session", subsequent calls to Connect-MgGraph will use some type of cached credentials from the last credential-prompted invocation of Connect-MgGraph.

Calls to Get-MgContext will NOT show this cached credential state either, it only seems to return data on an established session.
Disconnect-MgGraph will not work to clear this cached credential unless you first perform a Connect-MgGraph to use the cached credential, THEN call Disconnect-MgGraph.

This cache persists across reboots as well, and seems to me to be a security risk.

I'd love to see some additional functionality added to these commands:

  1. Add an option to Connect-MgGraph so it does NOT cache credentials in this way. Default would unfortunately probably need to keep the current behavior so this change would be non-breaking.
  2. Add an option to Get-MgContext to display information about any cached credentials
  3. Add an option to Disconnect-MgGraph to clear any cached credentials

A current partial work-around I use is to pre-define $DevTenantId and $ProdTenantId in my $PROFILE so I can at least deterministically connect to the correct TENANT regardless of the state of any cached credentials Connect-MgGraph might use, but even that's not a complete solution, since it's possible to connect with accounts of different levels of privilege (read-only, limited admin, global admin) and specifying the tenant ID won't help if the previous connection cached an account with higher privileges than I want to use this time.

@pedrr
Author

pedrr commented Nov 21, 2024

Did you find a way to solve that, or at least a workaround?

@zaaj

zaaj commented Nov 21, 2024

The closest I have to a work-around is to do a Connect-MgGraph - if not prompted, then Disconnect-MgGraph followed by a Connect-MgGraph, which WILL prompt.
It's not great for scripts - not sure how a script could detect whether the Connect-MgGraph opened a login prompt or not (maybe Measure-Command and check Get-MgContext AND how long the connect took? ick, but maybe?)

I've heard about the new Entra ID PowerShell module - purported to be closer in functionality to the deprecated AzureAD module - I thought it was still in preview and/or based on beta Graph API endpoints, so I haven't tried it yet, but I plan to at some point soon.
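As an added example (not code from this thread or from the Microsoft.Graph module), the wrapper below turns the disconnect-then-reconnect workaround and the tenant-pinning idea from the comments above into a scripted check: it connects, verifies that the tenant and account Get-MgContext reports are the ones intended, and otherwise discards the cached session and signs in again. It assumes Microsoft.Graph.Authentication 2.x, that the module's documented -ContextScope Process keeps the context to the current process, and that $TenantId and $Account are placeholders supplied by the caller; the debug output in the issue shows the sign-in going through DeviceCodeCredential, so the example requests that flow explicitly on the retry so the instructions are printed to the console.

```powershell
function Connect-MgGraphStrict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $TenantId,   # placeholder: tenant you intend to use
        [Parameter(Mandatory)] [string]   $Account,    # placeholder: UPN you intend to sign in as
        [string[]] $Scopes = @('User.Read')
    )

    # Step 1: connect with the context scoped to this process (documented -ContextScope Process),
    # so whatever is established here is not written back as a user-wide cached session.
    Connect-MgGraph -TenantId $TenantId -Scopes $Scopes -ContextScope Process -NoWelcome -ErrorAction Stop
    $ctx = Get-MgContext
    if ($null -eq $ctx) { throw 'Connect-MgGraph returned no context.' }

    # Step 2: compare what was actually used with what was asked for. A cached session for a
    # different (possibly more privileged) account is the case the thread warns about.
    $mismatch = @()
    if ($ctx.TenantId -ne $TenantId) { $mismatch += "tenant '$($ctx.TenantId)' is not '$TenantId'" }
    if ($ctx.Account -and $ctx.Account -ne $Account) { $mismatch += "account '$($ctx.Account)' is not '$Account'" }

    if ($mismatch.Count -gt 0) {
        Write-Warning ('Reused session does not match expectations: ' + ($mismatch -join '; '))

        # Step 3: the workaround from the thread: disconnect, then connect again. Device-code
        # flow is requested explicitly so the sign-in step is visible on the console.
        Disconnect-MgGraph | Out-Null
        Connect-MgGraph -TenantId $TenantId -Scopes $Scopes -ContextScope Process -UseDeviceCode -NoWelcome -ErrorAction Stop
        $ctx = Get-MgContext

        # Step 4: refuse to continue rather than run with the wrong identity.
        if ($ctx.TenantId -ne $TenantId -or ($ctx.Account -and $ctx.Account -ne $Account)) {
            Disconnect-MgGraph | Out-Null
            throw "Still connected as '$($ctx.Account)' in tenant '$($ctx.TenantId)'; aborting."
        }
    }

    # Return the effective identity so scripts can log exactly which session was used.
    [pscustomobject]@{
        Account  = $ctx.Account
        TenantId = $ctx.TenantId
        AuthType = $ctx.AuthType
        Scopes   = $ctx.Scopes
    }
}

# Usage (placeholder values):
# Connect-MgGraphStrict -TenantId '00000000-0000-0000-0000-000000000000' -Account 'admin@contoso.example'
```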
