Tags: azure, powershell, azure-devops, microsoft-graph-api

Has there been a recent change to the Get-MgGroup PowerShell command?


I have a PowerShell script that has been running fine for a year or two, but in the past few days it has stopped working. The script is executed within a PowerShell@5 task within DevOps. The script authenticates to Azure with az using a Service Connection (Azure Resource Manager). The Service Connection authentication to Azure is secret based, not federated, and is granted at the Subscription level.

The associated Service Principal (App Registration) has the Owner role for the Subscription. It also has a second password secret defined that is used for the actual az login command.

The Service Principal has these API permissions:

Application.ReadWrite.All
Directory.ReadWrite.All
Group.Create
Group.ReadWrite.All
GroupMember.ReadWrite.All
RoleManagement.ReadWrite.Directory
User.ReadWrite.All

The commands are:

# Login to Azure and DevOps
az login --service-principal -u "$azureSPAppId" -p "$azureSPPwd" --tenant "$tenantId" --allow-no-subscriptions
az --version
az account set --subscription $subId
az group create --name $resourceGroup --location $location

Write-Output "exec: Update azure"
az upgrade

# The service principal for the pipeline requests the token
Write-Output "exec: Get accessToken"
# $secureToken = (Get-AzAccessToken -Resource "https://graph.microsoft.com").Token | ConvertTo-SecureString -AsPlainText
# Connect-MgGraph -AccessToken $secureToken


$allAccess = (Get-AzAccessToken -ResourceTypeName MSGraph)
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
$secureToken = ConvertTo-SecureString $token -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken


Write-Output "exec: Get service principal's permissions"
Get-MgContext

Write-Output "exec: Get-MgGroup if it exists?"
$directoryReadersGroupId = (Get-MgGroup -Filter "DisplayName eq '$directoryReadersGroupName'").Id

The Get-MgContext command returns:

[screenshot of Get-MgContext output]

The Get-MgGroup command produces the error:

[screenshot of the Get-MgGroup error]

So my question is: what has changed recently for this PowerShell to suddenly stop working? Are there known breaking changes?

NOTE: I'm a PowerShell beginner. I've searched other threads that have the same error ("IDX14102: Unable to decode the header '[PII of type") and they offer different syntax for Connect-MgGraph, but I get the same error.

Additional info (the screenshot after az login):

[screenshot of az login output]

And the output of the variables $allAccess, $token and $secureToken (one per line):

[screenshot of the variable output]


Solution

  • The following error occurred because the access token retrieved was incompatible with the Microsoft Graph API, resulting in a failure to decode the token:

    Get-MgGroup : IDX14102: Unable to decode the header '[PII of type Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden.

    This issue is aligned with recent updates mentioned in the Azure CLI and Azure PowerShell Build 2025 Announcement, where changes in token handling behavior may affect compatibility between Azure PowerShell tokens and the Microsoft Graph SDK.

    Refer to the blog for more details: Azure CLI and Azure PowerShell Build 2025 Announcement | Microsoft Community Hub

    You should pass the raw token directly, not as a SecureString, because Get-AzAccessToken already gives a value compatible with PowerShell@5:

    $token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    Connect-MgGraph -AccessToken $token

    I got the same error when I ran your code initially:

    [screenshot of the IDX14102 error]

    Then I modified the code like below and it executed successfully.

    $tenantId = "<tenant_id>"
    $clientId = "<client_id>"
    $clientSecret = "<client_secret>"
    
    az login --service-principal -u $clientId -p $clientSecret --tenant $tenantId --allow-no-subscriptions
    az --version
    az account set --subscription $subId
    az group create --name $resourceGroup --location $location
    Write-Output "exec: Update azure"
    az upgrade
    
    Write-Output "exec: Get accessToken"
    $allAccess = (Get-AzAccessToken -ResourceTypeName MSGraph)
    # Hand the Token property to Connect-MgGraph as-is; do not wrap it in ConvertTo-SecureString
    $token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    $token   # debugging only: this writes the bearer token to the pipeline log, remove it once the run works
    Connect-MgGraph -AccessToken $token
    Write-Output "exec: Get service principal's permissions"
    Get-MgContext
    Write-Output "exec: Get-MgGroup if it exists?"
    #Connect-MgGraph -Scopes "Group.Read.All"
    $groupName = "Demo-Group-Test"
    $directoryReadersGroupId = (Get-MgGroup -Filter "DisplayName eq '$groupName'").Id
    
    Write-Output "$groupName id is $directoryReadersGroupId"
    

    [screenshot of the successful run]
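The following is an added example (not code from the question or the answer above) that serves both the failing script in the question and the fix in the answer. Since Az.Accounts 14 (the Build 2025 change), Get-AzAccessToken returns the Token property as a SecureString instead of a plain string. Piping an object that is already a SecureString through ConvertTo-SecureString -AsPlainText, as the question's script does, converts the object's ToString() value ("System.Security.SecureString") rather than the JWT, so Connect-MgGraph receives something that has no decodable JWT header, which is what the IDX14102 message reports. The script below unwraps the token whichever type the installed Az version returns, verifies that it is a three-part JWT issued for Microsoft Graph and lists the app roles it carries without writing the token itself to the log, and only then hands it to Connect-MgGraph. It assumes the Az.Accounts and Microsoft.Graph.Authentication modules are installed and that the session is already signed in to Azure (for example via Connect-AzAccount); the function names are the example's own.

```powershell
# Added example, not part of the original question or answer.
# Assumes an existing Az session (Connect-AzAccount) and the Microsoft.Graph.Authentication module.

function Get-GraphTokenPlainText {
    # Returns the raw JWT as a string whether Get-AzAccessToken gives a string (Az < 14)
    # or a SecureString (Az 14+). The caller must never write the result to the pipeline log.
    $result = Get-AzAccessToken -ResourceTypeName MSGraph
    if ($result.Token -is [System.Security.SecureString]) {
        # Unwrap the SecureString directly instead of round-tripping it through ConvertTo-SecureString,
        # which would only encode the string "System.Security.SecureString".
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($result.Token)
        try {
            return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        } finally {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
    return [string]$result.Token
}

function ConvertFrom-JwtPart {
    # Decodes one base64url-encoded JWT segment (header or payload) into an object.
    param([Parameter(Mandatory)][string]$Segment)
    $s = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)) | ConvertFrom-Json
}

function Test-GraphToken {
    # Confirms the value is a JWT whose audience is Microsoft Graph and reports its app roles.
    # Throws on failure; never echoes the token.
    param([Parameter(Mandatory)][string]$Token)
    if ($Token -eq 'System.Security.SecureString') {
        # Exactly the value produced by ConvertTo-SecureString over an already-secure token.
        throw "Token is the literal string 'System.Security.SecureString': a SecureString was stringified instead of unwrapped"
    }
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        throw "Value is not a JWT (expected 3 dot-separated parts, got $($parts.Count))"
    }
    $header  = ConvertFrom-JwtPart $parts[0]
    $payload = ConvertFrom-JwtPart $parts[1]
    # Graph tokens carry either the resource URI or the Graph app id as audience.
    if ($payload.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
        throw "Token audience is '$($payload.aud)', not Microsoft Graph"
    }
    [pscustomobject]@{
        Alg     = $header.alg
        AppId   = $payload.appid
        Roles   = $payload.roles   # application permissions granted to the service principal
        Expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp).UtcDateTime
    }
}

$plainToken = Get-GraphTokenPlainText
$info = Test-GraphToken -Token $plainToken
# Log only claims, never the token: a bearer token in a pipeline log is a leaked credential.
Write-Output "Graph token ok: appid=$($info.AppId) alg=$($info.Alg) expires=$($info.Expires) roles=$($info.Roles -join ',')"

# Microsoft.Graph SDK v2 accepts a SecureString; build it from the verified plain token.
$secureToken = ConvertTo-SecureString -String $plainToken -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken -NoWelcome
Get-MgContext | Select-Object AuthType, TokenCredentialType, AppName, Scopes
```

If Test-GraphToken throws the "literal string" message, the script is running on Az 14 or later and is wrapping a SecureString a second time; if the audience check fails, the token was requested for a different resource (for example ARM instead of Graph). Checking the roles claim before calling Get-MgGroup also tells you, without a round trip, whether the Group.Read.All or Group.ReadWrite.All application permission actually made it into the token.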