Azure Automation Runbook: 'Invalid JWT access token' error with Connect-MgGraph -Identity
I am trying to run an Azure Automation Runbook that connects to Microsoft Graph API to retrieve user information and manage group memberships. However, I keep getting the following error:
Invalid JWT access token.
Could not retrieve user 'john.carpenter@ekimetrics.com'. Error: Authentication needed. Please call Connect-MgGraph.
My Setup: Automation Account: Using System Assigned Managed Identity (enabled in Azure Portal).
PowerShell Version: Running in PowerShell 7.2 Runbook.
Microsoft Graph Modules: Installed Microsoft.Graph in the Automation Account.
Permissions: Assigned the following Microsoft Graph API permissions to my Managed Identity in Microsoft Entra ID (Azure AD):
User.Read.All
Group.ReadWrite.All
Directory.ReadWrite.All
GroupMember.ReadWrite.All
Admin Consent: Granted in Azure AD.
My Runbook Script:
Here is the script I am using:
Connect-MgGraph -Identity
# Define group mappings based on job title and location
$groupMapping = @{
"Intern" = @{
"GB" = @("GlobalGroup|DistributionList", "UKGroup|DistributionList")
"HK" = @("GlobalGroup|DistributionList", "HKGroup|DistributionList")
"US" = @("GlobalGroup|DistributionList", "USGroup|DistributionList")
"FR" = @("GlobalGroup|DistributionList", "InternsFR|DistributionList")
"CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
}
"Consultant" = @{
"GB" = @("GlobalGroup|DistributionList", "UKGroup|DistributionList")
"HK" = @("GlobalGroup|DistributionList", "HKGroup|DistributionList")
"US" = @("GlobalGroup|DistributionList", "USGroup|DistributionList")
"FR" = @("GlobalGroup|DistributionList", "ConsultantsFR|DistributionList")
"CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
}
"Senior Manager" = @{
"GB" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "Managers|DistributionList", "UKManagerGroup|AzureADGroup")
"HK" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "Managers|DistributionList", "HKManagerGroup|AzureADGroup")
"US" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "USManagerGroup|AzureADGroup")
"FR" = @("GlobalGroup|DistributionList", "Managers|DistributionList", "SeniorManagersFR|DistributionList", "FRManagerGroup|AzureADGroup")
"CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
}
}
# Define user email (replace with dynamic input if needed)
$userUPN = "user@example.com"
try {
# Retrieve user details from Microsoft Graph
$user = Get-MgUser -UserId $userUPN -Property UserPrincipalName, JobTitle, UsageLocation -ErrorAction Stop
Write-Output "User '$($user.UserPrincipalName)' retrieved successfully."
}
catch {
Write-Error "Could not retrieve user '$userUPN'. Error: $_"
exit
}
$jobTitle = $user.JobTitle
$location = $user.UsageLocation
if ([string]::IsNullOrEmpty($jobTitle) -or [string]::IsNullOrEmpty($location)) {
Write-Warning "User '$($user.UserPrincipalName)' does not have a Job Title or Usage Location set."
}
elseif ($groupMapping.ContainsKey($jobTitle) -and $groupMapping[$jobTitle].ContainsKey($location)) {
$groups = $groupMapping[$jobTitle][$location]
foreach ($groupEntry in $groups) {
$splitEntry = $groupEntry -split '\|'
$groupNameOrId = $splitEntry[0]
# Get the group from Azure AD
$group = Get-MgGroup -Filter "displayName eq '$groupNameOrId'" -ConsistencyLevel eventual -Top 1
if ($group) {
try {
New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
Write-Output "Successfully added $($user.UserPrincipalName) to group: $groupNameOrId"
}
catch {
Write-Warning "Could not add $($user.UserPrincipalName) to group '$groupNameOrId'. Error: $_"
}
}
else {
Write-Warning "Group '$groupNameOrId' not found in Azure AD."
}
}
}
else {
Write-Warning "No group mappings found for Job Title '$jobTitle' and Location '$location'."
}
# Disconnect from Microsoft Graph
Disconnect-MgGraph
Troubleshooting I Have Done: Checked Managed Identity Permissions: The Automation Account is listed under Enterprise Applications in Microsoft Entra ID (Azure AD).
Verified Graph API Permissions: Permissions are assigned and admin consent is granted.
Confirmed PowerShell Version: Using PowerShell 7.2, as required for Connect-MgGraph -Identity.
Checked Azure Automation Modules: Microsoft.Graph module is installed.
Verified Subscription Context:
Get-AzContext | Select-Object Subscription
The correct subscription is set.
Questions: Why is the JWT token invalid, even though Managed Identity is enabled?
How can I ensure my Runbook is authenticated properly using Managed Identity?
Is there a way to manually refresh or validate the authentication token in Azure Automation?
Any insights would be greatly appreciated! Thanks in advance. 🚀
I got the same error when I tried to connect to Microsoft Graph:
The issue is with Microsoft.Graph.Authentication module with version 2.26.1 in PowerShell 7.2. Refer this GitHub blog
Hence as a workaround either use PowerShell 5.1 or downgrade the version to 2.25.0 version:
First delete the current 2.26.1 version module an install 2.25.0 version
PowerShellCopy
# Import Microsoft.Graph.Authentication module
$moduleName = 'Microsoft.Graph.Authentication'
$moduleVersion = '2.25.0'
New-AzAutomationModule -AutomationAccountName 'ruk3394' -ResourceGroupName 'ruk' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'
# Import Microsoft.Graph module
$moduleName = 'Microsoft.Graph'
$moduleVersion = '2.25.0'
New-AzAutomationModule -AutomationAccountName 'ruk3394' -ResourceGroupName 'ruk' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'
It will take some time to import the modules, refresh the portal after some time:
Now I am able to connect to Microsoft Graph successfully:
Connect-MgGraph -Identity
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions