Tags: azure, powershell, microsoft-graph-api, microsoft-entra-id, azure-runbook

Azure Automation Runbook: 'Invalid JWT access token' error with Connect-MgGraph -Identity


I am trying to run an Azure Automation Runbook that connects to Microsoft Graph API to retrieve user information and manage group memberships. However, I keep getting the following error:

Invalid JWT access token.
Could not retrieve user 'john.carpenter@ekimetrics.com'. Error: Authentication needed. Please call Connect-MgGraph.

My Setup:

Automation Account: Using System Assigned Managed Identity (enabled in Azure Portal).

PowerShell Version: Running in PowerShell 7.2 Runbook.

Microsoft Graph Modules: Installed Microsoft.Graph in the Automation Account.

Permissions: Assigned the following Microsoft Graph API permissions to my Managed Identity in Microsoft Entra ID (Azure AD):

User.Read.All

Group.ReadWrite.All

Directory.ReadWrite.All

GroupMember.ReadWrite.All

Admin Consent: Granted in Azure AD.

My Runbook Script:

Here is the script I am using:

Connect-MgGraph -Identity

# Define group mappings based on job title and location
$groupMapping = @{
    "Intern" = @{
        "GB" = @("GlobalGroup|DistributionList", "UKGroup|DistributionList")
        "HK" = @("GlobalGroup|DistributionList", "HKGroup|DistributionList")
        "US" = @("GlobalGroup|DistributionList", "USGroup|DistributionList")
        "FR" = @("GlobalGroup|DistributionList", "InternsFR|DistributionList")
        "CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
    }
    "Consultant" = @{
        "GB" = @("GlobalGroup|DistributionList", "UKGroup|DistributionList")
        "HK" = @("GlobalGroup|DistributionList", "HKGroup|DistributionList")
        "US" = @("GlobalGroup|DistributionList", "USGroup|DistributionList")
        "FR" = @("GlobalGroup|DistributionList", "ConsultantsFR|DistributionList")
        "CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
    }
    "Senior Manager" = @{
        "GB" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "Managers|DistributionList", "UKManagerGroup|AzureADGroup")
        "HK" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "Managers|DistributionList", "HKManagerGroup|AzureADGroup")
        "US" = @("GlobalGroup|DistributionList", "SeniorWW|DistributionList", "USManagerGroup|AzureADGroup")
        "FR" = @("GlobalGroup|DistributionList", "Managers|DistributionList", "SeniorManagersFR|DistributionList", "FRManagerGroup|AzureADGroup")
        "CN" = @("GlobalGroup|DistributionList", "CNContact|DistributionList")
    }
}

# Define user email (replace with dynamic input if needed)
$userUPN = "user@example.com"

try {
    # Retrieve user details from Microsoft Graph (Id is requested explicitly because $user.Id is used below)
    $user = Get-MgUser -UserId $userUPN -Property Id, UserPrincipalName, JobTitle, UsageLocation -ErrorAction Stop
    Write-Output "User '$($user.UserPrincipalName)' retrieved successfully."
}
catch {
    Write-Error "Could not retrieve user '$userUPN'. Error: $_"
    exit
}

$jobTitle = $user.JobTitle
$location = $user.UsageLocation

if ([string]::IsNullOrEmpty($jobTitle) -or [string]::IsNullOrEmpty($location)) {
    Write-Warning "User '$($user.UserPrincipalName)' does not have a Job Title or Usage Location set."
}
elseif ($groupMapping.ContainsKey($jobTitle) -and $groupMapping[$jobTitle].ContainsKey($location)) {
    $groups = $groupMapping[$jobTitle][$location]

    foreach ($groupEntry in $groups) {
        $splitEntry = $groupEntry -split '\|'
        $groupNameOrId = $splitEntry[0]

        # Get the group from Azure AD
        $group = Get-MgGroup -Filter "displayName eq '$groupNameOrId'" -ConsistencyLevel eventual -Top 1
        if ($group) {
            try {
                New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
                Write-Output "Successfully added $($user.UserPrincipalName) to group: $groupNameOrId"
            }
            catch {
                Write-Warning "Could not add $($user.UserPrincipalName) to group '$groupNameOrId'. Error: $_"
            }
        }
        else {
            Write-Warning "Group '$groupNameOrId' not found in Azure AD."
        }
    }
}
else {
    Write-Warning "No group mappings found for Job Title '$jobTitle' and Location '$location'."
}

# Disconnect from Microsoft Graph
Disconnect-MgGraph

Troubleshooting I Have Done:

Checked Managed Identity Permissions: The Automation Account is listed under Enterprise Applications in Microsoft Entra ID (Azure AD).

Verified Graph API Permissions: Permissions are assigned and admin consent is granted.

Confirmed PowerShell Version: Using PowerShell 7.2, as required for Connect-MgGraph -Identity.

Checked Azure Automation Modules: Microsoft.Graph module is installed.

Verified Subscription Context:

Get-AzContext | Select-Object Subscription
The correct subscription is set.

Questions:

Why is the JWT token invalid, even though Managed Identity is enabled?

How can I ensure my Runbook is authenticated properly using Managed Identity?

Is there a way to manually refresh or validate the authentication token in Azure Automation?

Any insights would be greatly appreciated! Thanks in advance. 🚀
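One way to answer the "how can I validate the authentication in the runbook" part of the question is to check the Graph context right after connecting, instead of letting a later Get-MgUser fail with the unhelpful "Authentication needed" message. The following is an added example, not code from the question or the answer: it logs which Microsoft.Graph.Authentication version actually loaded in the job, connects with the managed identity, and then asserts that the token really came from the managed identity and carries the app roles the script depends on. It assumes Microsoft.Graph.Authentication 2.x (Connect-MgGraph -Identity -NoWelcome, Get-MgContext with the AuthType, Scopes, ClientId and TenantId properties); that Get-MgContext reports the value 'ManagedIdentity' for -Identity connections is an assumption based on the SDK's behaviour, not something the page states.

```powershell
# Added example (not from the question or answer): fail fast if the managed identity
# connection is not what the runbook expects.
# Assumes Microsoft.Graph.Authentication 2.x cmdlets.

function Assert-MgManagedIdentityContext {
    param(
        # Application permissions (app roles) the rest of the runbook relies on.
        [string[]] $RequiredRoles = @('User.Read.All', 'Group.ReadWrite.All')
    )

    $ctx = Get-MgContext
    if (-not $ctx) {
        throw 'No Graph context: Connect-MgGraph did not establish a session.'
    }

    # Assumption: the SDK reports 'ManagedIdentity' as AuthType for -Identity connections.
    if ($ctx.AuthType -ne 'ManagedIdentity') {
        throw "Unexpected auth type '$($ctx.AuthType)'; expected a managed identity token."
    }

    # For app-only tokens, Scopes lists the app roles present in the access token.
    $missing = @($RequiredRoles | Where-Object { $_ -notin $ctx.Scopes })
    if ($missing.Count -gt 0) {
        throw "Token lacks required Graph app roles: $($missing -join ', '). Check the app role assignments on the managed identity."
    }

    Write-Output ("Connected as app {0} in tenant {1} with roles: {2}" -f $ctx.ClientId, $ctx.TenantId, ($ctx.Scopes -join ', '))
}

# Record the authentication module version the sandbox actually loaded; a version mismatch
# between the Automation Account's module list and the job is easy to spot in the job output.
$authModule = Get-Module -Name Microsoft.Graph.Authentication -ListAvailable |
    Sort-Object Version -Descending | Select-Object -First 1
Write-Output "Microsoft.Graph.Authentication available in this job: $($authModule.Version)"

try {
    Connect-MgGraph -Identity -NoWelcome -ErrorAction Stop
    Assert-MgManagedIdentityContext -RequiredRoles @('User.Read.All', 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All')
}
catch {
    # Surface the real cause in the job log and stop before any Get-MgUser / New-MgGroupMemberByRef call runs.
    Write-Error "Graph authentication check failed: $_"
    throw
}
```

Run this block at the top of the runbook in place of the bare Connect-MgGraph -Identity; when the token is invalid or the role assignments are incomplete, the job fails at this point with a message naming the missing piece rather than partway through the group processing.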


Solution

  • I got the same error when I tried to connect to Microsoft Graph:



    The issue is with the Microsoft.Graph.Authentication module, version 2.26.1, in PowerShell 7.2. Refer to this GitHub blog.

    Hence, as a workaround, either use PowerShell 5.1 or downgrade the module to version 2.25.0:

    First delete the current 2.26.1 version of the module and install version 2.25.0.

    # Import Microsoft.Graph.Authentication module
    $moduleName = 'Microsoft.Graph.Authentication'
    $moduleVersion = '2.25.0'
    New-AzAutomationModule -AutomationAccountName 'ruk3394' -ResourceGroupName 'ruk' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'

    # Import Microsoft.Graph module
    $moduleName = 'Microsoft.Graph'
    $moduleVersion = '2.25.0'
    New-AzAutomationModule -AutomationAccountName 'ruk3394' -ResourceGroupName 'ruk' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'


    It will take some time to import the modules; refresh the portal after a while:


    Now I am able to connect to Microsoft Graph successfully:

    Connect-MgGraph -Identity
    

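The answer's procedure (delete the 2.26.1 module, import 2.25.0 for the 7.2 runtime, wait for the import to finish) is carried out by hand in three separate steps. The script below is an added example, not the answerer's code, that does the whole sequence from a workstation with Az.Automation loaded and an existing Az session: it checks what version is currently registered for the 7.2 runtime, removes it if it is not the pinned one, imports the pinned package from the PowerShell Gallery, and polls ProvisioningState so that Microsoft.Graph is only imported once its dependency Microsoft.Graph.Authentication has succeeded. The account and resource group names are placeholders; Get-AzAutomationModule and Remove-AzAutomationModule are assumed to accept -RuntimeVersion in the same way as the New-AzAutomationModule call shown in the answer.

```powershell
# Added example (not from the answer): pin Microsoft.Graph.Authentication and Microsoft.Graph
# to a known-good version in the PowerShell 7.2 runtime of an Automation Account.
# Prerequisites: Az.Automation module and an authenticated Az session (Connect-AzAccount).
param(
    [string] $ResourceGroupName     = '<resource-group>',      # placeholder
    [string] $AutomationAccountName = '<automation-account>',  # placeholder
    [string] $PinnedVersion         = '2.25.0',                # version the answer found to work
    [string] $RuntimeVersion        = '7.2',
    [int]    $PollSeconds           = 30
)

# Order matters: Microsoft.Graph depends on Microsoft.Graph.Authentication, so the
# authentication module must finish importing before the roll-up module is requested.
$modules = @('Microsoft.Graph.Authentication', 'Microsoft.Graph')

$common = @{
    ResourceGroupName     = $ResourceGroupName
    AutomationAccountName = $AutomationAccountName
    RuntimeVersion        = $RuntimeVersion   # assumed: Get/Remove accept this like New does
}

foreach ($name in $modules) {
    $existing = Get-AzAutomationModule @common -Name $name -ErrorAction SilentlyContinue

    if ($existing -and $existing.Version -eq $PinnedVersion -and $existing.ProvisioningState -eq 'Succeeded') {
        Write-Output "$name is already at $PinnedVersion in runtime $RuntimeVersion; nothing to do."
        continue
    }

    if ($existing) {
        # The answer's first step: drop the version that breaks Connect-MgGraph -Identity.
        Write-Output "Removing $name $($existing.Version) from runtime $RuntimeVersion"
        Remove-AzAutomationModule @common -Name $name -Force
    }

    # The answer's second step: import the pinned package from the PowerShell Gallery.
    $uri = "https://www.powershellgallery.com/api/v2/package/$name/$PinnedVersion"
    Write-Output "Importing $name $PinnedVersion from $uri"
    New-AzAutomationModule @common -Name $name -ContentLinkUri $uri | Out-Null

    # The answer's third step, automated: wait instead of refreshing the portal.
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = (Get-AzAutomationModule @common -Name $name).ProvisioningState
        Write-Output "$name : $state"
    } while ($state -notin @('Succeeded', 'Failed'))

    if ($state -ne 'Succeeded') {
        throw "Import of $name $PinnedVersion failed (ProvisioningState = $state)."
    }
}

Write-Output "Both modules are at $PinnedVersion in runtime $RuntimeVersion; rerun the runbook to confirm Connect-MgGraph -Identity succeeds."
```

Pinning a version this way also makes the fix reproducible: when a later Microsoft.Graph.Authentication release is confirmed to work again, changing $PinnedVersion and rerunning the script upgrades both modules in the right order.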