Enable-JAzADRole: Unexpected exception occurred while authenticating the request
Closed this issue · 13 comments
I'm getting "Unexpected exception occurred while authenticating the request" when trying to activate a role:
Enable-JAzADRole
cmdlet Enable-JAzADRole at command pipeline position 1
Supply values for the following parameters:
RoleName: Global Administrator
InvalidArgument: /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Enable-ADRole.ps1:91:13
Line |
91 | [Guid]$roleGuid = $RoleName -replace $guidExtractRegex -a …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot convert null to type "System.Guid".
Invoke-MgGraphRequest: /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Get-ADRole.ps1:20:22
Line |
20 | $response = (Invoke-MgGraphRequest -Uri $requestUri).value
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Code: generalException Message: Unexpected exception occurred while authenticating the request.
Exception: /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Enable-ADRole.ps1:94:31
Line |
94 | … ot $Role) { throw "RoleGuid $roleGuid from $RoleName was not found as …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| RoleGuid 00000000-0000-0000-0000-000000000000 from Global Administrator was not found as an eligible role for this user
I've tried against two different tenants (in two separate dev-containers).
Before running the command, I ran this and consented the request:
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory'
Any ideas on the root cause for this issue?
That's not how rolename works, you need to tab complete or pipe because it fetches a guid, please see the quickstart and the help documentation. I'll make this error more friendly, and I'll consider adding some "search" handling here for role names.
Ah, I see.
For some reason, tab-completion didn't work for the Enable-JAzADRole command (although it worked fine for Enable-JAzRole):
I suspect the reason is related to the fact that Get-JAzADRole fails, so it can't get the information needed to tab-complete:
❯ Get-JAzADRole
Invoke-MgGraphRequest: /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Get-ADRole.ps1:20:22
Line |
20 | $response = (Invoke-MgGraphRequest -Uri $requestUri).value
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Code: generalException Message: Unexpected exception occurred while authenticating the request.
Yeah I don't handle for the error case where you haven't logged in to graph yet for the tab completion, I'll make that a separate issue.
I also tried to connect with both of the scopes mentioned in the readme-file:
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory','RoleManagement.ReadWrite.Directory'
But the "generalException Message: Unexpected exception occurred while authenticating the request." error still occurs when running Get-JAzADRole.
I can do some more testing against other tenants as well to see if it is something related to the specific one I am testing against.
@janegilring are you doing azure lighthouse or something? I haven't tested that scenario. If you want to do a get-error on the generalException or otherwise return the content response body that would help, I never saw that personally.
The GUID part is fixed and released as v0.0.4, I'll leave this issue open for the auth issue though.
I also gave this a try in order to find required permission scopes (as suggested in the official docs):
Find-MgGraphCommand -command Get-MgRoleManagementEntitlementManagementRoleEligibilitySchedule | Select -First 1 -ExpandProperty Permissions
However, it didn't return anything unfortunately.
> @janegilring are you doing azure lighthouse or something? I haven't tested that scenario. If you want to do a get-error on the generalException or otherwise return the content response body that would help, I never saw that personally.
No Lighthouse, just a regular scenario.
Get-Error
Exception :
Type : Microsoft.Graph.Auth.AuthenticationException
Error : Code: generalException
Message: Unexpected exception occurred while authenticating the request.
TargetSite :
Name : MoveNext
DeclaringType : Microsoft.Graph.Auth.DeviceCodeProvider+<GetNewAccessTokenAsync>d__14, Microsoft.Graph.Auth, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
MemberType : Method
Module : Microsoft.Graph.Auth.dll
Message : Code: generalException
Message: Unexpected exception occurred while authenticating the request.
InnerException :
Type : System.NullReferenceException
TargetSite :
Name : WaitOurTurn
DeclaringType : Microsoft.Graph.PowerShell.Authentication.Helpers.CustomAsyncCommandRuntime, Microsoft.Graph.Authentication, Version=1.9.6.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35
MemberType : Method
Module : Microsoft.Graph.Authentication.dll
Message : Object reference not set to an instance of an object.
Source : Microsoft.Graph.Authentication
HResult : -2147467261
StackTrace :
at Microsoft.Graph.PowerShell.Authentication.Helpers.CustomAsyncCommandRuntime.WaitOurTurn()
at Microsoft.Graph.PowerShell.Authentication.Helpers.CustomAsyncCommandRuntime.WriteObject(Object sendToPipeline)
at Microsoft.Graph.PowerShell.Authentication.Helpers.AuthenticationHelpers.<>c.<GetAuthProvider>b__2_1(DeviceCodeResult result)
at Microsoft.Identity.Client.Internal.Requests.DeviceCodeRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenWithDeviceCodeParameters
deviceCodeParameters, CancellationToken cancellationToken)
at Microsoft.Graph.Auth.DeviceCodeProvider.GetNewAccessTokenAsync(CancellationToken cancellationToken, AuthenticationProviderOption msalAuthProviderOption)
Source : Microsoft.Graph.Auth
HResult : -2146233088
StackTrace :
at Microsoft.Graph.Auth.DeviceCodeProvider.GetNewAccessTokenAsync(CancellationToken cancellationToken, AuthenticationProviderOption msalAuthProviderOption)
at Microsoft.Graph.Auth.DeviceCodeProvider.AuthenticateRequestAsync(HttpRequestMessage httpRequestMessage)
at Microsoft.Graph.AuthenticationHandler.SendAsync(HttpRequestMessage httpRequestMessage, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts,
CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest.GetResponseAsync(HttpClient client, HttpRequestMessage request)
at Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest.ProcessRecordAsync()
CategoryInfo : InvalidOperation: (:) [Invoke-MgGraphRequest], AuthenticationException
FullyQualifiedErrorId : NotSpecified,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
InvocationInfo :
MyCommand : Invoke-MgGraphRequest
ScriptLineNumber : 20
OffsetInLine : 22
HistoryId : 48
ScriptName : /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Get-ADRole.ps1
Line : $response = (Invoke-MgGraphRequest -Uri $requestUri).value
PositionMessage : At /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Get-ADRole.ps1:20 char:22
+ $response = (Invoke-MgGraphRequest -Uri $requestUri).value
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot : /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public
PSCommandPath : /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Get-ADRole.ps1
InvocationName : Invoke-MgGraphRequest
CommandOrigin : Internal
ScriptStackTrace : at Get-ADRole<Process>, /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.3/Public/Get-ADRole.ps1: line 20
at <ScriptBlock>, <No file>: line 1
Try just running this naked, it's probably something in your graph token:
invoke-mggraphrequest -uri "beta/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')?expand=principal,roledefinition,directoryscope"
Or any of the mg cmdlets for that matter.
invoke-mggraphrequest -uri "beta/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')?expand=principal,roledefinition,directoryscope"
Invoke-MgGraphRequest: Code: generalException
Message: Unexpected exception occurred while authenticating the request.
Get-MgUser
Get-MgUser_List1: Code: generalException
Message: Unexpected exception occurred while authenticating the request.
Hmmm... I'll rebuild the whole container and try again in a purely clean environment.
Very interesting, the same thing happens after rebuilding the container and re-authenticating.
Now I tried in a separate environment (different AD-tenant, different dev-container) using the commands in the Quick Start:
Install-Module JAz.Pim
Import-Module JAz.Pim
Connect-AzAccount
Enable-JAzRole <tab or shift-enter>
Disable-JAzRole <tab or shift-enter>
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory'
Select-MgProfile 'beta'
Enable-JAzADRole <tab or shift-enter>
Disable-JAzADRole <tab or shift-enter>
Still, same error - also when invoking manually:
invoke-mggraphrequest -uri "beta/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')?expand=principal,roledefinition,directoryscope"
Invoke-MgGraphRequest: Code: generalException
Message: Unexpected exception occurred while authenticating the request.
I'll look into some general usage of the Graph commands, as this is likely something related to my setup rather than the 3 different AD tenants I have tested against.
It seems like I was hitting kind of an edge case:
microsoftgraph/msgraph-sdk-powershell#1065
After using the suggested workaround of adding -ContextScope Process to Connect-MgGraph:
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory' -ContextScope Process
It worked like a charm:
❯ Get-JAzADRole
PrincipalDisplayName RoleName Scope MemberType EndDateTime
-------------------- -------- ----- ---------- -----------
Admin - Jan Egil Ring Global Administrator Directory Direct
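The thread ends up with two practical lessons: test the Graph token with a "naked" Invoke-MgGraphRequest before blaming the module, and connect with -ContextScope Process when the device-code flow trips the NullReferenceException shown in the Get-Error output. The preflight function below is an added example written for this page; it is not part of JAz.PIM or of any post in the thread. It assumes the Microsoft.Graph.Authentication module is installed (Get-MgContext and Invoke-MgGraphRequest come from it), uses the beta endpoint and the scope names quoted above, and the function name Test-JAzGraphPreflight is hypothetical.

```powershell
# Added diagnostic example (not JAz.PIM code). Checks the Graph context and scopes,
# then issues the same "naked" request the maintainer suggested, surfacing the inner
# exception instead of the generic "Unexpected exception occurred while authenticating".
function Test-JAzGraphPreflight {
    [CmdletBinding()]
    param(
        # Scope from the quick start; the readme also lists RoleManagement.ReadWrite.Directory.
        [string[]]$RequiredScopes = @('RoleEligibilitySchedule.ReadWrite.Directory'),

        # Workaround from microsoftgraph/msgraph-sdk-powershell#1065: keep the token in
        # this process rather than the shared per-user cache.
        [ValidateSet('Process', 'CurrentUser')]
        [string]$ContextScope = 'Process'
    )

    # No context at all: the tab completer has nothing to work with (see the maintainer's note above).
    $context = Get-MgContext
    if (-not $context) {
        $scopeList = "'" + ($RequiredScopes -join "','") + "'"
        Write-Warning "No Graph context. Run: Connect-MgGraph -Scopes $scopeList -ContextScope $ContextScope"
        return $false
    }

    # Consented scopes are on the context object; report any that are missing.
    $missing = $RequiredScopes | Where-Object { $_ -notin $context.Scopes }
    if ($missing) {
        Write-Warning ("Graph context for {0} is missing scope(s): {1}" -f $context.Account, ($missing -join ', '))
        return $false
    }

    # The request from the thread: if this fails, the problem is the token, not the module.
    $uri = "beta/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')?expand=principal,roledefinition,directoryscope"
    try {
        $null = Invoke-MgGraphRequest -Uri $uri -ErrorAction Stop
        return $true
    }
    catch {
        # Show the wrapped exception (a NullReferenceException in the Get-Error output above),
        # which is the part the generic generalException message hides.
        Write-Warning ("Graph request failed: {0}" -f $_.Exception.Message)
        $inner = $_.Exception.InnerException
        if ($inner) {
            Write-Warning ("Inner exception: {0}: {1}" -f $inner.GetType().FullName, $inner.Message)
        }
        Write-Warning "If the inner exception comes from the device-code flow, reconnect with: Connect-MgGraph -Scopes '$($RequiredScopes -join "','")' -ContextScope $ContextScope"
        return $false
    }
}

# Usage: only touch the module once the token has been proven to work.
if (Test-JAzGraphPreflight) {
    Get-JAzADRole
}
```

The function returns $true only when a context exists, every required scope is present, and the beta request succeeds, so it can be dropped into a profile or a setup script as a guard in front of Enable-JAzADRole. It never prints the token itself; the Get-MgContext fields it uses (Account, Scopes) are enough to tell which identity and consent the failing request is running under.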