Has there been recent change to Get-MgGroup Powershell command?
I have a PowerShell script that has been running fine for a year or two, but in the past few days it has stopped working. The script is executed within a PowerShell@5 task within DevOps. The script authenticates to the az using a Service Connection (Azure Resource Manager) to Azure. The Service Connection authentication to Azure is Secret based, not Federated and is granted to the Subscription level.
The associated Service Principal (App Registration) has Owner role for the Subscription. It also has a second password secret defined that is used for the actual az login command.
The Service Principal has APIs Permissions:
Application.ReadWrite.All
Directory.ReadWrite.All
Group.create
Group.ReadWrite.All
GroupMember.ReadWrite.All
RoleManagement.ReadWrite.Directory
User.ReadWrite.All
The commands are:
# Login to Azure and DevOps
az login --service-principal -u "$azureSPAppId" -p "$azureSPPwd" --tenant "$tenantId" --allow-no-subscriptions
az --version
az account set --subscription $subId
az group create --name $resourceGroup --location $location
Write-Output "exec: Update azure"
az upgrade
# The service principal for the pipeline requests the token
Write-Output "exec: Get accessToken"
# $secureToken = (Get-AzAccessToken -Resource "https://graph.microsoft.com").Token | ConvertTo-SecureString -AsPlainText
# Connect-MgGraph -AccessToken $secureToken
$allAccess = (Get-AzAccessToken -ResourceTypeName MSGraph)
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
$secureToken = ConvertTo-SecureString $token -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken
Write-Output "exec: Get service principal's permissions"
Get-MgContext
Write-Output "exec: Get-MgGroup if it exists?"
$directoryReadersGroupId = (Get-MgGroup -Filter "DisplayName eq '$directoryReadersGroupName'").Id
The Get-MgContext command returns:
The Get-MgGroup creates the error:
So my question is: what has changed recently for this PowerShell to suddenly stop working? Are there known breaking changes?
NOTE: I'm a PowerShell beginner and I've searched other threads that have the same error IDX14102: Unable to decode the header '[PII of type and they offer different syntax for the Connect-MgGraph but I get the same error.
Additional info (the screen shot of the post az login:
And the output of the variables $accessAll ,$token, $secureToken (separate line each):
The following error occurred because the access token retrieved was incompatible with Microsoft Graph API, resulting in a failure to decode the token:
Get-MgGroup : IDX14102: Unable to decode the header '[PII of type Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden.
This issue is aligned with recent updates mentioned in the Azure CLI and Azure PowerShell Build 2025 Announcement, where changes in token handling behavior may affect compatibility between Azure PowerShell tokens and Microsoft Graph SDK.
Refer blog for more details: # Azure CLI and Azure PowerShell Build 2025 Announcement Azure CLI and Azure PowerShell Build 2025 Announcement | Microsoft Community Hub
You should pass the raw token string directly, not as a SecureString because Get-AzAccessToken given already compatible string for powershell@5
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
Connect-MgGraph -AccessToken $token
I got the same error when I run your code initially,
then I modified the code like below and successfully executed.
$tenantId = "<tenant_id>"
$clientId = "<client_id>"
$clientSecret = "<client_secret>"
az login --service-principal -u $clientId -p $clientSecret --tenant $tenantId --allow-no-subscriptions
az --version
az account set --subscription $subId
az group create --name $resourceGroup --location $location
Write-Output "exec: Update azure"
az upgrade
Write-Output "exec: Get accessToken"
$allAccess = (Get-AzAccessToken -ResourceTypeName MSGraph)
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
$token
Connect-MgGraph -AccessToken $token
Write-Output "exec: Get service principal's permissions"
Get-MgContext
Write-Output "exec: Get-MgGroup if it exists?"
#Connect-MgGraph -Scopes "Group.Read.All"
$groupName = "Demo-Group-Test"
$directoryReadersGroupId = (Get-MgGroup -Filter "DisplayName eq '$groupName'").Id
Write-Output "$groupName id is $directoryReadersGroupId"
- How to get PublisherId, OfferId , PlanId of AI foundry model?
- How to run yaml file from Azure cloud shell
- query_parameters with web queries
- Issue with azure web app runtime stack .NET 6
- Azure Maps Forward Geocoding and Route Matrix API - billing and cost perspective
- How to get a list of available vm sizes in an azure location
- SSL Verification failed while sending data via MQTT to x509 authenticated device in azure iot-hub
- Azure Container Apps Jobs with Event Hubs integration is looping endlessly, even though there is no new events
- In Service Fabric, can I alter the Arguments in the ServiceManifest.xml file using Application Parameters?
- use azurerm_virtual_machine with trusted_launch
- Which IPs to allow in Azure for Github Actions?
- How to get last login date & time for the logged in user in azure ad?
- Azure Policy - restrict creation of Front Door to Standard SKU Only
- Set-AzVirtualNetwork does not attach Nat Gateway to a subnet in Azure
- Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."
- No such host is known - Mass Transit - Azure Service Bus
- Set default app pool recycling via command line
- Azure : How to create a event based trigger from SFTP server?
- Create a new cluster in Databricks using databricks-cli
- Accessing MS 365 content dynamically from a Python script
- Azure LogicApp reading messages from storage queue but not processing
- Azure python sdk resourcegraph no skip_token
- How can I copy the TXT record into the DNS configuration in portal azure?
- Getting the user's AcccountEnabled property true/false instead of NULL
- How to read my outlook mail using java and oauth2.0 with application regsitration in Azure AD
- Playwright driver not found error in Azure Function (Azure Portal - Flex consumption plan)
- Microsoft Azure App Gateway Returning 499/504 Erorr
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Azure Functions Service Bus Triggered not working
- Allow a custom content-type in Azure Front Door WAF without bypassing rules