
High number of consented permissions prevents successful authentication to MS Graph PowerShell #3350

@willfiddes

Description


Describe the bug

Starting with v2.26.0, MS Graph PowerShell is unable to authenticate successfully on the second authentication prompt when a high number of API permissions have been consented to.

The first authentication using Connect-MgGraph works.
The second authentication prompt, when calling another command, is what is failing. (Why are we prompting a second time?)

It appears there is now a "mg.msal.cache.cae" cache file generated in %LOCALAPPDATA%\.IdentityService\ in addition to "mg.msal.cache.nocae" when calling any MS Graph command other than Connect-MgGraph. This "mg.msal.cache.cae" cache file may have something to do with the issue. Why isn't just one cache being used?

If we are going to make using CAE claims required, might as well send this in the first authentication prompt when using Connect-MgGraph. (I may have to submit another feature request but we should have a way to disable CAE for MS Graph PowerShell)

This problem did not occur for v2.25.0.

Why is MS Graph PowerShell sending a login request with all of the consented permissions? It should just use ".default" to get the consented permissions from Entra.

Also keep in mind that browsers do have a URL length limit, and for Edge/IE it is around 2080 characters. So the more permissions there are in the login request, the higher the chance the URL will start to get cut off. Different errors will occur depending on where it gets cut off.

Expected behavior

Authenticate successfully no matter how many permissions were previously consented.

How to reproduce

#############################################################
# Pre-requisite to setup scenario

Install-Module Microsoft.Graph.Authentication -RequiredVersion 2.28.0 -Force -AllowClobber
Install-Module Microsoft.Graph.Authentication -RequiredVersion 2.25.0 -Force -AllowClobber
Install-Module Microsoft.Graph.Users -RequiredVersion 2.28.0 -Force -AllowClobber
Install-Module Microsoft.Graph.Users -RequiredVersion 2.25.0 -Force -AllowClobber

# We have to break up scopes due to URL size limitation
Connect-MgGraph -TenantId cloud.williamfiddes.com -Scopes "AccessReview.ReadWrite.All AppCatalog.Read.All Application.Read.All Application.ReadWrite.All AppRoleAssignment.ReadWrite.All AuditLog.Read.All BitlockerKey.Read.All Calendars.Read Calendars.ReadBasic Calendars.ReadWrite.Shared Chat.Read Chat.ReadBasic Chat.ReadWrite ChatMessage.Send ConsentRequest.ReadWrite.All DelegatedPermissionGrant.ReadWrite.All Device.Read.All Device.ReadWrite.All DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.Read.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.Read.All DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All Directory.AccessAsUser.All"

Connect-MgGraph -TenantId cloud.williamfiddes.com -Scopes "Directory.Read.All Directory.ReadWrite.All EntitlementManagement.ReadWrite.All Files.Read.All Group.Read.All Group.ReadWrite.All GroupMember.Read.All GroupMember.ReadWrite.All IdentityRiskEvent.Read.All IdentityRiskyUser.Read.All Mail.Read Mail.Send Organization.Read.All Policy.Read.All Policy.ReadWrite.ApplicationConfiguration Policy.ReadWrite.CrossTenantAccess Presence.Read.All Reports.Read.All RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.ReadWrite.Directory Sites.Manage.All Sites.ReadWrite.All Tasks.Read Team.ReadBasic.All TeamsAppInstallation.ReadForTeam TeamworkDevice.Read.All User.Read User.Read.All User.ReadWrite.All UserAuthenticationMethod.Read.All UserAuthenticationMethod.ReadWrite.All WindowsUpdates.ReadWrite.All"

# Step: Import 2.28.0 module
Import-Module Microsoft.Graph.Authentication -RequiredVersion 2.28.0

# Step: Disconnect to ensure memory token cache is cleared
Disconnect-MgGraph

# Step: Clear the cache files
Get-Item "$env:LOCALAPPDATA\.IdentityService\mg*" | Remove-Item -Force

# Step: Connect 
Connect-MgGraph 

# Step: Call Invoke-MgGraphRequest
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/me"
#############################################################

If you import the 2.25.0 module instead of 2.26+ this issue does not occur.

SDK Version

2.28.0

Latest version known to work for scenario above?

2.25.0

Known Workarounds

Reduce the consented permissions of MS Graph PowerShell (or just delete the enterprise app) and reconsent to the API permissions needed. Keep it low. You can also create your own app registration for MS Graph PowerShell to use for your specific scenario and consent to the permissions needed for that scenario.

You can specify your own Client ID:
Connect-MgGraph -ClientId "your-client-id"

Debug output

Different errors will occur depending on how many permissions are consented. This is because the URL will be cut off at different points.

Configuration

No response

Other information

No response
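The report hinges on the size of the browser authorize URL growing with every consented scope, which is why the repro splits the scopes across two Connect-MgGraph calls by hand. The script below is an added example, not code from the issue or from the Microsoft Graph PowerShell SDK: it builds the v2.0 authorize URL shape for a scope list, reports its length, and partitions a scope list into batches that stay under a chosen limit (2080 by default, the Edge/IE figure quoted in the issue). The tenant name, client id and redirect URI are placeholders, and the SDK's real request carries extra parameters (state, PKCE challenge and so on), so the computed length is a lower bound on what the browser actually receives.

```powershell
# Added example (not from the issue or the Graph SDK). Estimates the length of an
# OAuth 2.0 authorize URL for a set of scopes and splits scopes into URL-safe batches.

function Get-AuthorizeUrlLength {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Scopes,
        [string]$TenantId   = 'common',
        [string]$ClientId   = '00000000-0000-0000-0000-000000000000',  # placeholder client id
        [string]$RedirectUri = 'http://localhost'                      # assumed redirect URI
    )
    # Scopes are space-separated in the "scope" parameter, then URL-encoded (space -> %20).
    $query = @(
        "client_id=$ClientId",
        'response_type=code',
        "redirect_uri=$([uri]::EscapeDataString($RedirectUri))",
        "scope=$([uri]::EscapeDataString(($Scopes -join ' ')))"
    ) -join '&'
    $url = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize?$query"
    return $url.Length   # lower bound: the real request adds state, nonce, PKCE, etc.
}

function Split-ScopesByUrlLimit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Scopes,
        [int]$MaxUrlLength = 2080,        # Edge/IE limit quoted in the issue
        [string]$TenantId  = 'common'
    )
    $batches = New-Object System.Collections.Generic.List[object]
    $current = @()
    foreach ($scope in $Scopes) {
        # Greedy packing: add the scope if the URL still fits, otherwise start a new batch.
        $candidate = $current + $scope
        if ((Get-AuthorizeUrlLength -Scopes $candidate -TenantId $TenantId) -gt $MaxUrlLength) {
            if ($current.Count -eq 0) {
                throw "Scope '$scope' alone exceeds the $MaxUrlLength-character limit."
            }
            $batches.Add($current)
            $current = @()
        }
        $current += $scope
    }
    if ($current.Count -gt 0) { $batches.Add($current) }
    return ,$batches.ToArray()   # unary comma keeps the array-of-arrays intact on return
}

# Constructed sample scope list (shape borrowed from the issue's repro, trimmed for brevity).
$allScopes = @(
    'AccessReview.ReadWrite.All', 'Application.Read.All', 'AuditLog.Read.All',
    'Device.Read.All', 'DeviceManagementConfiguration.Read.All',
    'DeviceManagementManagedDevices.Read.All', 'Directory.Read.All',
    'Group.Read.All', 'IdentityRiskEvent.Read.All', 'Policy.Read.All',
    'RoleManagement.Read.Directory', 'User.Read.All',
    'UserAuthenticationMethod.Read.All'
)
$tenant = 'contoso.onmicrosoft.com'   # placeholder tenant

"All $($allScopes.Count) scopes in one request: $(Get-AuthorizeUrlLength -Scopes $allScopes -TenantId $tenant) chars"
# The issue's point: .default yields a constant-size request regardless of what is consented.
"Using https://graph.microsoft.com/.default: $(Get-AuthorizeUrlLength -Scopes 'https://graph.microsoft.com/.default' -TenantId $tenant) chars"

# A deliberately low limit so the split is visible with this short sample list;
# in practice use the default 2080.
$batches = Split-ScopesByUrlLimit -Scopes $allScopes -TenantId $tenant -MaxUrlLength 500
$i = 0
foreach ($batch in $batches) {
    $i++
    "Batch ${i}: $($batch.Count) scope(s), ~$(Get-AuthorizeUrlLength -Scopes $batch -TenantId $tenant) chars"
    # Connect-MgGraph -TenantId $tenant -Scopes $batch   # one consent prompt per batch, as in the repro
}
```

Running the .default comparison first is the quickest way to confirm the reporter's diagnosis on your own tenant: if the single-scope request authenticates while the enumerated-scope request fails, the failure tracks URL length rather than the permissions themselves.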

Labels: status:waiting-for-triage (An issue that is yet to be reviewed or assigned), type:bug (A broken experience)