Merge pull request #9152 from AmandaAZ/Branch-CI6262

Simonx Xu · web-flow · commit ab419668d28f · 2025-07-01T09:13:58.000+08:00
AB#6262: Microsoft Graph PowerShell throws error 'IDX14102: Unable to…
diff --git a/support/entra/entra-id/toc.yml b/support/entra/entra-id/toc.yml
@@ -337,6 +337,8 @@
         href: users-groups-entra-apis/b2c-or-tenant-premium-license-sign-in-activities.md
    - name: Problem with using the Graph SDK - libraries
      items:
+      - name: IDX14102 error - Unable to decode the header
+        href: users-groups-entra-apis/unable-to-decode-header-error.md
       - name: Python scripts making requests are detected as web crawlers
         href: users-groups-entra-apis/python-scripts-microsoft-graph-requests-detected-as-web-crawler.md
 - name: Microsoft Entra User Provisioning and Synchronization
diff --git a/support/entra/entra-id/users-groups-entra-apis/unable-to-decode-header-error.md b/support/entra/entra-id/users-groups-entra-apis/unable-to-decode-header-error.md
@@ -0,0 +1,43 @@
+---
+title: IDX14102 Error When Using Microsoft Graph PowerShell
+description: Resolves an error that occurs when you run the Microsoft Graph PowerShell cmdlet Connect-MgGraph.
+ms.date: 07/01/2025
+ms.service: entra-id
+ms.custom: sap:Problem with using the Graph SDK - libraries
+ms.reviewer: adoyle, willfid, nualex, v-weizhu
+---
+
+# Microsoft Graph PowerShell throws error "IDX14102: Unable to decode the header"
+
+This article provides solutions to the error "IDX14102: Unable to decode the header" that occurs when you use Microsoft Graph PowerShell.
+
+## Symptoms
+
+When running the Microsoft Graph PowerShell command `Connect-MgGraph -AccessToken $token`, you receive the following error:
+
+> IDX14102: Unable to decode the header
+
+## Cause
+
+This error occurs because an invalid access token is passed to the `AccessToken` parameter of the `Connect-MgGraph` cmdlet. This problem often occurs when the token is obtained via Azure PowerShell's `Get-AzAccessToken` cmdlet and passed as a `SecureString`. This behavior is observed starting with version 5.0.0 of the `Az.Accounts` module. Starting from Microsoft Graph PowerShell version 2.28.0, the `Connect-MgGraph` command accepts only a plain string as the `AccessToken` parameter.
+
+## Solution
+
+Here are two solutions for resolving this issue:
+
+- Make sure the access token passed to the `AccessToken` parameter of the `Connect-MgGraph` cmdlet is valid.
+
+    For more information about access tokens, see [Access tokens in the Microsoft identity platform](/entra/identity-platform/access-tokens).
+
+- If you use the `Get-AzAccessToken` cmdlet to obtain the access token, use one of the following methods:
+
+  - Downgrade `Az.Accounts` to version 4.2.0 to avoid the token being returned as a `SecureString`.
+  - Convert the token from `SecureString` to `String`:
+
+    ```azurepowershell
+    $microsoftGraphToken = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
+    
+    Connect-MgGraph -AccessToken (ConvertFrom-SecureString -SecureString $microsoftGraphToken.Token -AsPlainText)
+    ```
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
