I am trying to run an Azure Automation Runbook that connects to Microsoft Graph API to retrieve user information and manage group memberships. However, I keep getting the following error:
Invalid JWT access token.
Could not retrieve user 'john.carpenter@ekimetrics.com'. Error: Authentication needed. Please call Connect-MgGraph.
My Setup:
Automation Account: Using a System Assigned Managed Identity (enabled in the Azure Portal).
PowerShell Version: Running in PowerShell 7.2 Runbook.
Microsoft Graph Modules: Installed Microsoft.Graph in the Automation Account.
Permissions: Assigned the following Microsoft Graph API permissions to my Managed Identity in Microsoft Entra ID (Azure AD):
User.Read.All
Group.ReadWrite.All
Directory.ReadWrite.All
GroupMember.ReadWrite.All
Admin Consent: Granted in Azure AD.
My Runbook Script:
Here is the script I am using:
Connect-MgGraph -Identity

# Define group mappings based on job title and location
$groupMapping = @{
    "Intern" = @{
        "GB" = @("GlobalGroup|DistributionList", "UKGroup|DistributionList")
        "HK" = @("GlobalGroup|DistributionList", "HKGroup|DistributionList")
        "US" = @("GlobalGroup|DistributionList", "USGroup|DistributionList")
        "FR" = @("GlobalGroup|DistributionList", "InternsFR|DistributionList")
        "CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
    }
    "Consultant" = @{
        "GB" = @("GlobalGroup|DistributionList", "UKGroup|DistributionList")
        "HK" = @("GlobalGroup|DistributionList", "HKGroup|DistributionList")
        "US" = @("GlobalGroup|DistributionList", "USGroup|DistributionList")
        "FR" = @("GlobalGroup|DistributionList", "ConsultantsFR|DistributionList")
        "CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
    }
    "Senior Manager" = @{
        "GB" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "Managers|DistributionList", "UKManagerGroup|AzureADGroup")
        "HK" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "Managers|DistributionList", "HKManagerGroup|AzureADGroup")
        "US" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "USManagerGroup|AzureADGroup")
        "FR" = @("GlobalGroup|DistributionList", "Managers|DistributionList", "SeniorManagersFR|DistributionList", "FRManagerGroup|AzureADGroup")
        "CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
    }
}

# Define user email (replace with dynamic input if needed)
$userUPN = "user@example.com"

try {
    # Retrieve user details from Microsoft Graph.
    # Id is requested explicitly: when -Property is used, only the selected
    # properties are guaranteed to come back, and $user.Id is needed below.
    $user = Get-MgUser -UserId $userUPN -Property Id, UserPrincipalName, JobTitle, UsageLocation -ErrorAction Stop
    Write-Output "User '$($user.UserPrincipalName)' retrieved successfully."
}
catch {
    Write-Error "Could not retrieve user '$userUPN'. Error: $_"
    exit
}

$jobTitle = $user.JobTitle
$location = $user.UsageLocation

if ([string]::IsNullOrEmpty($jobTitle) -or [string]::IsNullOrEmpty($location)) {
    Write-Warning "User '$($user.UserPrincipalName)' does not have a Job Title or Usage Location set."
}
elseif ($groupMapping.ContainsKey($jobTitle) -and $groupMapping[$jobTitle].ContainsKey($location)) {
    $groups = $groupMapping[$jobTitle][$location]
    foreach ($groupEntry in $groups) {
        # Entries are "<name>|<type>"; only the name is used for the lookup
        $splitEntry = $groupEntry -split '\|'
        $groupNameOrId = $splitEntry[0]

        # Get the group from Azure AD
        $group = Get-MgGroup -Filter "displayName eq '$groupNameOrId'" -ConsistencyLevel eventual -Top 1
        if ($group) {
            try {
                New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
                Write-Output "Successfully added $($user.UserPrincipalName) to group: $groupNameOrId"
            }
            catch {
                Write-Warning "Could not add $($user.UserPrincipalName) to group '$groupNameOrId'. Error: $_"
            }
        }
        else {
            Write-Warning "Group '$groupNameOrId' not found in Azure AD."
        }
    }
}
else {
    Write-Warning "No group mappings found for Job Title '$jobTitle' and Location '$location'."
}

# Disconnect from Microsoft Graph
Disconnect-MgGraph
Troubleshooting I Have Done:
Checked Managed Identity Permissions: The Automation Account is listed under Enterprise Applications in Microsoft Entra ID (Azure AD).
Verified Graph API Permissions: Permissions are assigned and admin consent is granted.
Confirmed PowerShell Version: Using PowerShell 7.2, as required for Connect-MgGraph -Identity.
Checked Azure Automation Modules: Microsoft.Graph module is installed.
Verified Subscription Context:
Get-AzContext | Select-Object Subscription
The correct subscription is set.
Questions:
Why is the JWT token invalid, even though Managed Identity is enabled?
How can I ensure my Runbook is authenticated properly using Managed Identity?
Is there a way to manually refresh or validate the authentication token in Azure Automation?
Any insights would be greatly appreciated! Thanks in advance. 🚀
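One way to answer the third question (validating the token the managed identity actually receives) is to fetch a Graph-scoped token through Az.Accounts, decode its claims, and hand it to Connect-MgGraph directly. This is an added diagnostic, not code from the question's runbook; it assumes Az.Accounts is imported into the Automation Account alongside Microsoft.Graph, and the required role list is taken from the permissions listed above.

```powershell
# Added diagnostic (not from the question's runbook). Assumes the runbook runs
# under the Automation Account's system-assigned managed identity and that the
# Az.Accounts module is imported alongside Microsoft.Graph.
Connect-AzAccount -Identity | Out-Null

# Ask the managed identity endpoint for a token scoped to Graph and decode its
# payload. The signature is NOT verified here; this only reads claims for triage.
$tokenResponse = Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com'
$rawToken = $tokenResponse.Token
# Newer Az.Accounts versions return the token as a SecureString; normalise it.
if ($rawToken -is [System.Security.SecureString]) {
    $rawToken = [System.Net.NetworkCredential]::new('', $rawToken).Password
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Token does not have three dot-separated parts; not a JWT." }
    # Base64url -> Base64: restore the standard alphabet and padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$claims = ConvertFrom-JwtPayload -Jwt $rawToken
$expiresUtc = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime

# The three things that most often explain "Invalid JWT access token":
# wrong audience, missing app roles, or an expired token.
if ($claims.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
    Write-Warning "Token audience is '$($claims.aud)', not Microsoft Graph."
}
$required = @('User.Read.All', 'GroupMember.ReadWrite.All')   # from the question's permission list
$missing = $required | Where-Object { $_ -notin @($claims.roles) }
if ($missing) { Write-Warning "Token lacks app roles: $($missing -join ', ')" }
if ($expiresUtc -lt [DateTime]::UtcNow) { Write-Warning "Token expired at $expiresUtc UTC." }

Write-Output ("Identity (oid): {0}  App: {1}  Expires: {2:u}" -f $claims.oid, $claims.appid, $expiresUtc)
Write-Output ("App roles: {0}" -f (@($claims.roles) -join ', '))

# Pass the freshly minted token to the Graph SDK directly. This bypasses the SDK's
# own managed-identity code path, which isolates where the error is raised.
$secureToken = ConvertTo-SecureString -String $rawToken -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken -NoWelcome
Get-MgContext | Select-Object AuthType, TokenCredentialType, Scopes
```

If the claims look right but Connect-MgGraph -Identity still fails while the -AccessToken path succeeds, the fault is in the SDK's authentication module rather than in the identity or its permissions.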
I got the same error when I tried to connect to Microsoft Graph:
The issue is with the Microsoft.Graph.Authentication module, version 2.26.1, in PowerShell 7.2. Refer to this GitHub blog.
Hence, as a workaround, either use PowerShell 5.1 or downgrade the module to version 2.25.0:
First delete the current 2.26.1 version of the module and install version 2.25.0:
# Import Microsoft.Graph.Authentication module
$moduleName = 'Microsoft.Graph.Authentication'
$moduleVersion = '2.25.0'
New-AzAutomationModule -AutomationAccountName 'ruk3394' -ResourceGroupName 'ruk' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'
# Import Microsoft.Graph module
$moduleName = 'Microsoft.Graph'
$moduleVersion = '2.25.0'
New-AzAutomationModule -AutomationAccountName 'ruk3394' -ResourceGroupName 'ruk' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'
It will take some time to import the modules; refresh the portal after a while:
Now I am able to connect to Microsoft Graph successfully:
Connect-MgGraph -Identity
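Because the import runs asynchronously, a runbook or pipeline that starts before it finishes can still load the broken version. The following added check (not part of the answer) polls the Automation Account until both modules report Succeeded at the pinned version; it assumes the same account name ('ruk3394'), resource group ('ruk') and an Az.Automation version that supports -RuntimeVersion, as the answer's New-AzAutomationModule calls already do.

```powershell
# Added verification step, not part of the answer. Assumes the same Automation
# Account and resource group as the answer and an Az.Automation release whose
# Get-AzAutomationModule accepts -RuntimeVersion.
$accountName   = 'ruk3394'
$resourceGroup = 'ruk'
$runtime       = '7.2'
$knownBad      = [version]'2.26.1'   # version the answer reports as broken on PowerShell 7.2
$pinned        = @{
    'Microsoft.Graph.Authentication' = [version]'2.25.0'
    'Microsoft.Graph'                = [version]'2.25.0'
}

function Wait-AutomationModule {
    param([string]$Name, [version]$Expected, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $m = Get-AzAutomationModule -ResourceGroupName $resourceGroup -AutomationAccountName $accountName `
             -Name $Name -RuntimeVersion $runtime -ErrorAction SilentlyContinue
        if ($null -eq $m) {
            Write-Output "$Name is not listed under runtime $runtime yet; waiting..."
        }
        else {
            switch ($m.ProvisioningState) {
                'Succeeded' {
                    $actual = [version]$m.Version
                    if ($actual -eq $knownBad) { throw "$Name imported as $actual, the version the answer flags as broken." }
                    if ($actual -ne $Expected)  { throw "$Name is $actual, expected $Expected." }
                    Write-Output "$Name $actual imported successfully."
                    return $true
                }
                'Failed'    { throw "$Name import failed in the Automation Account." }
                default     { Write-Output "$Name is '$($m.ProvisioningState)'; waiting..." }
            }
        }
        Start-Sleep -Seconds 30
    }
    throw "Timed out after $TimeoutMinutes minutes waiting for $Name."
}

# Authentication is checked first: the Microsoft.Graph meta-module depends on it.
foreach ($name in @('Microsoft.Graph.Authentication', 'Microsoft.Graph')) {
    Wait-AutomationModule -Name $name -Expected $pinned[$name] | Out-Null
}
```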