Description
Describe the bug
Bug Report: Microsoft Graph PowerShell SDK Authentication Issue
The `Get-MgDirectoryAdministrativeUnitMemberAsGroup` cmdlet fails with an authentication token decoding error when using tokens obtained from Azure PowerShell (`Get-AzAccessToken`).
Error Message
```
##[error][InvalidAuthenticationToken] : IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
Status: 401 (Unauthorized)
ErrorCode: InvalidAuthenticationToken
```
Expected behavior
The cmdlet should successfully authenticate using the Azure PowerShell token and return the group members of the specified Administrative Unit.
How to reproduce
```powershell
Connect-AzAccount
$token = (Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop).token
if ((Get-Help Connect-MgGraph -Parameter accesstoken).type.name -eq "securestring") {
    $token = ConvertTo-SecureString $token -AsPlainText -Force
}
$null = Connect-MgGraph -AccessToken $token -ErrorAction Stop
$AU_ID = "1677a2db-4e88-4254-b1ec-7fde77471925"
$AdminUnitGroups = Get-MgDirectoryAdministrativeUnitMemberAsGroup -AdministrativeUnitId $AU_ID
```
SDK Version
2.28.0
Latest version known to work for scenario above?
2.27.0
Known Workarounds
Use the REST API.
Debug output
<details>
<summary>Click to expand log</summary>

```powershell
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-US),PowerShell/7.4.10
Accept-Encoding : gzip,deflate,br
SdkVersion : graph-powershell/2.28.0,
client-request-id : 067a885e-c8a1-4843-aac1-1ff1d5575eeb

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Headers:
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 2ecb1658-d751-4d10-b052-1ec3eb70e612
client-request-id : 067a885e-c8a1-4843-aac1-1ff1d5575eeb
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF00053774"}}
WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="***
Date : Mon, 09 Jun 2025 09:03:32 GMT

Body:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.",
    "innerError": {
      "date": "2025-06-09T09:03:32",
      "request-id": "2ecb1658-d751-4d10-b052-1ec3eb70e612",
      "client-request-id": "067a885e-c8a1-4843-aac1-1ff1d5575eeb"
    }
  }
}
```

</details>
### Configuration
We are using the latest ubuntu and windows-2025 pools for Azure DevOps.
```powershell
Key   : PSVersion
Value : 7.4.10
Name  : PSVersion

Key   : PSEdition
Value : Core
Name  : PSEdition

Key   : GitCommitId
Value : 7.4.10
Name  : GitCommitId

Key   : OS
Value : Microsoft Windows 10.0.26100
Name  : OS

Key   : Platform
Value : Win32NT
```
Other information
No response
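
A pre-flight check on the value handed to `Connect-MgGraph -AccessToken`, as an added example (not code from the reporter or from the SDK): it verifies locally that the value is a three-segment JWT whose header decodes as Base64Url JSON, which is the decode step the IDX14102 message reports failing, and it never prints the token. The function name `Test-JwtHeader` and the sample values are assumptions made for this example.

```powershell
# Added example: local shape check for a bearer token before Connect-MgGraph.
# Test-JwtHeader is a hypothetical helper, not part of Az or Microsoft.Graph.
function Test-JwtHeader {
    [CmdletBinding()]
    param(
        # Accepts either a plain string or a SecureString.
        [Parameter(Mandatory)] [object] $Token
    )

    # Unwrap a SecureString in memory only; the token itself is never written out.
    if ($Token -is [securestring]) {
        $Token = [System.Net.NetworkCredential]::new('', $Token).Password
    }
    if ($Token -isnot [string]) {
        return [pscustomobject]@{ Valid = $false; Reason = "Unexpected type $($Token.GetType().FullName)" }
    }

    # A compact JWT is header.payload.signature.
    $segments = $Token.Split('.')
    if ($segments.Count -ne 3) {
        return [pscustomobject]@{ Valid = $false; Reason = "Expected 3 segments, found $($segments.Count)" }
    }

    # Base64Url -> Base64: swap the URL-safe alphabet and restore padding.
    $b64 = $segments[0].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { return [pscustomobject]@{ Valid = $false; Reason = 'Header length is not valid Base64Url' } }
    }

    try {
        $json   = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
        $header = $json | ConvertFrom-Json -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Valid = $false; Reason = "Header does not decode: $($_.Exception.Message)" }
    }

    [pscustomobject]@{ Valid = $true; Reason = 'Header decodes'; Alg = $header.alg; Typ = $header.typ }
}

# Constructed sample input (not a real token): header is {"alg":"RS256","typ":"JWT"}.
$sample = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln'
Test-JwtHeader -Token $sample
Test-JwtHeader -Token (ConvertTo-SecureString $sample -AsPlainText -Force)
Test-JwtHeader -Token 'abc.def'   # constructed malformed value: only two segments
```

Running the check on `$token` immediately before `Connect-MgGraph` separates a malformed value produced on the client from a rejection that happens only on the service side.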