I have a PowerShell script that has been running fine for a year or two, but in the past few days it has stopped working. The script is executed within a PowerShell@5 task within DevOps. The script authenticates to Azure with az using a Service Connection (Azure Resource Manager). The Service Connection authentication to Azure is secret based, not federated, and is granted at the Subscription level.
The associated Service Principal (App Registration) has the Owner role for the Subscription. It also has a second password secret defined that is used for the actual az login command.
The Service Principal has these API permissions:
Application.ReadWrite.All
Directory.ReadWrite.All
Group.Create
Group.ReadWrite.All
GroupMember.ReadWrite.All
RoleManagement.ReadWrite.Directory
User.ReadWrite.All
The commands are:
# Login to Azure and DevOps
az login --service-principal -u "$azureSPAppId" -p "$azureSPPwd" --tenant "$tenantId" --allow-no-subscriptions
az --version
az account set --subscription $subId
az group create --name $resourceGroup --location $location
Write-Output "exec: Update azure"
az upgrade
# The service principal for the pipeline requests the token
Write-Output "exec: Get accessToken"
# $secureToken = (Get-AzAccessToken -Resource "https://graph.microsoft.com").Token | ConvertTo-SecureString -AsPlainText
# Connect-MgGraph -AccessToken $secureToken
$allAccess = (Get-AzAccessToken -ResourceTypeName MSGraph)
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
$secureToken = ConvertTo-SecureString $token -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken
Write-Output "exec: Get service principal's permissions"
Get-MgContext
Write-Output "exec: Get-MgGroup if it exists?"
$directoryReadersGroupId = (Get-MgGroup -Filter "DisplayName eq '$directoryReadersGroupName'").Id
The Get-MgContext command returns:
The Get-MgGroup command produces the error:
So my question is: what has changed recently for this PowerShell to suddenly stop working? Are there known breaking changes?
NOTE: I'm a PowerShell beginner and I've searched other threads that have the same error, IDX14102: Unable to decode the header '[PII of type ..., and they offer different syntax for Connect-MgGraph, but I get the same error.
Additional info (the screenshot after az login):
And the output of the variables $allAccess, $token and $secureToken (one per line):
The following error occurred because the access token retrieved was incompatible with Microsoft Graph API, resulting in a failure to decode the token:
Get-MgGroup : IDX14102: Unable to decode the header '[PII of type Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden.
This issue is aligned with recent updates mentioned in the Azure CLI and Azure PowerShell Build 2025 Announcement, where changes in token handling behavior may affect compatibility between Azure PowerShell tokens and Microsoft Graph SDK.
Refer to the blog for more details: Azure CLI and Azure PowerShell Build 2025 Announcement | Microsoft Community Hub
You should pass the raw token string directly, not as a SecureString, because Get-AzAccessToken already gives a compatible string for PowerShell@5:
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
Connect-MgGraph -AccessToken $token
I got the same error when I ran your code initially; then I modified the code as below and it executed successfully.
# Placeholders for the pipeline variables used below
$tenantId = "<tenant_id>"
$clientId = "<client_id>"
$clientSecret = "<client_secret>"
$subId = "<subscription_id>"
$resourceGroup = "<resource_group_name>"
$location = "<azure_region>"
# Sign the service principal in to the Azure CLI
az login --service-principal -u $clientId -p $clientSecret --tenant $tenantId --allow-no-subscriptions
az --version
az account set --subscription $subId
az group create --name $resourceGroup --location $location
Write-Output "exec: Update azure"
az upgrade
# Request a Microsoft Graph token from the Az PowerShell context and hand it to Connect-MgGraph unchanged
Write-Output "exec: Get accessToken"
$allAccess = (Get-AzAccessToken -ResourceTypeName MSGraph)
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
$token   # NOTE: this echoes the bearer token into the pipeline log; remove it once debugging is done
Connect-MgGraph -AccessToken $token
Write-Output "exec: Get service principal's permissions"
Get-MgContext
Write-Output "exec: Get-MgGroup if it exists?"
#Connect-MgGraph -Scopes "Group.Read.All"
$groupName = "Demo-Group-Test"
$directoryReadersGroupId = (Get-MgGroup -Filter "DisplayName eq '$groupName'").Id
Write-Output "$groupName id is $directoryReadersGroupId"
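Added example, written for this page and not taken from the question or either answer above: a Windows PowerShell 5.1 compatible way to hand an Az PowerShell token to Connect-MgGraph that works whether Get-AzAccessToken returns .Token as a plain string (Az.Accounts 4.x and earlier) or as a SecureString (the Az.Accounts 5.x default that shipped with the Build 2025 release), and that checks the token's audience and app roles before the first Graph call instead of echoing the token into the pipeline log. It assumes an existing Az context (Connect-AzAccount or an AzurePowerShell task), Microsoft.Graph.Authentication 2.x (whose -AccessToken parameter takes a SecureString), and the group name Demo-Group-Test from the answer. The helper names ConvertTo-PlainText, Get-JwtClaims and Get-GraphTokenSecure are invented for this example. One detail worth knowing when comparing it with the question's code: in Windows PowerShell, feeding an object that is already a SecureString to ConvertTo-SecureString -AsPlainText coerces it to the literal text "System.Security.SecureString", and a "token" like that has no JWT header for the Graph SDK to decode, which is consistent with the IDX14102 error; the type check in Get-GraphTokenSecure is what avoids that.

```powershell
# Added example (not code from the question or the answers). Assumes an existing
# Az context, Az.Accounts 2.x-5.x, and Microsoft.Graph.Authentication 2.x.
$ErrorActionPreference = 'Stop'

function ConvertTo-PlainText {
    # Decrypts a SecureString into a .NET string, zeroing the unmanaged copy afterwards.
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-JwtClaims {
    # Base64url-decodes the payload segment of a JWT. No signature check: this is a
    # sanity check on what we are about to send to Graph, not a trust decision.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) {
        # A SecureString coerced to text ("System.Security.SecureString") lands here.
        throw "Not a JWT: expected 3 dot-separated segments, got $($parts.Count)"
    }
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-GraphTokenSecure {
    # Normalises Get-AzAccessToken output to a SecureString across Az.Accounts versions:
    # before 5.0 .Token is a [string]; 5.x returns a [SecureString] by default.
    $raw = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    if ($raw -is [System.Security.SecureString]) { return $raw }
    return ConvertTo-SecureString -String ([string]$raw) -AsPlainText -Force
}

$secureToken = Get-GraphTokenSecure

# Pre-flight checks on the token before the first Graph call. The plaintext lives only
# in a local variable and is never written to the pipeline log.
$claims = Get-JwtClaims -Jwt (ConvertTo-PlainText $secureToken)
$graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
if ($claims.aud -notin $graphAudiences) {
    throw "Token audience is '$($claims.aud)', not Microsoft Graph; request it with -ResourceTypeName MSGraph"
}
$requiredRole = 'Group.ReadWrite.All'   # app-only permission the group lookup/creation below relies on
$roles = @()
if ($claims.PSObject.Properties['roles']) { $roles = @($claims.roles) }   # app-only tokens may carry no roles at all
if ($roles -notcontains $requiredRole) {
    throw "Token lacks app role $requiredRole (roles present: $($roles -join ', '))"
}
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
Write-Output ("Graph token ok: appid={0} tenant={1} expires={2:u}" -f $claims.appid, $claims.tid, $expires)

Connect-MgGraph -AccessToken $secureToken -NoWelcome
$ctx = Get-MgContext
Write-Output ("Connected with AuthType={0} Scopes=[{1}]" -f $ctx.AuthType, ($ctx.Scopes -join ' '))

$groupName = 'Demo-Group-Test'   # assumed for the example
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property Id,DisplayName
if ($null -eq $group) {
    Write-Output "Group '$groupName' does not exist"
} else {
    Write-Output "$groupName id is $($group.Id)"
}
```

If the pipeline only has an Azure CLI sign-in (az login, as in the question) and no Az PowerShell context, Get-AzAccessToken has nothing to draw on; in that case replace the body of Get-GraphTokenSecure with a call to az account get-access-token --resource-type ms-graph --query accessToken -o tsv, which returns the plain JWT string, and convert that with ConvertTo-SecureString -AsPlainText -Force. The audience and role checks stay the same either way, and they turn a cryptic header-decode failure at Get-MgGroup into a clear message about which token was actually obtained.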