Get-AzAccessToken is missing scopes

Hoping someone with some Azure prowess can help me with this PSU issue.

I’m hosting PSU in Azure, and have granted the managed identity of the app service the Graph scopes I need:

However, the token returned by Get-AzAccessToken does not contain all of the scopes. It’s missing the two I added this morning (the DeviceManagement ones in the screenshot above):


I’ve restarted the app service a couple of times just in case, but it’s still not working.

Is there some sort of long-term caching at play here? Or is there something I need to do in PSU to force Get-AzAccessToken to include all of my app scopes in the token?

I know this is a long shot but I’m hoping someone can help. Heck, if you’re hosting in Azure as well, maybe you can try adding DeviceManagementManagedDevices.Read.All and DeviceManagementServiceConfig.ReadWrite.All to your own app scopes and see if they appear in your access token!

Thanks,
Matt

Product: PowerShell Universal
Version: 2.10.0

Hmm this might be a hint. The “iat” attribute of my token is timestamped 9:55am, but I called Get-AzAccessToken at 1:30pm.

So it’s like the Az module is caching a token that was generated this morning, before I added those scopes. It’s persisting across restarts of the app service which is quite baffling! Any ideas gang?

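One way to check for a stale cached token from inside PSU, as an added example that is not from the original posts or from PowerShell Universal itself: decode the JWT that Get-AzAccessToken returns, convert its iat/exp claims to local time, and compare the permissions it carries against the two listed above. It assumes Az.Accounts is loaded and the session is already signed in as the App Service's managed identity; the function names and the $Required default are constructed for this example.

```powershell
# Added example (not from the original thread): decode the Graph access token
# and report when it was issued and which application permissions it carries.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected dot-separated segments.' }
    # JWT segments are base64url: swap the URL-safe characters and restore padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-GraphTokenPermissions {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Permissions expected in the token; defaults are the two from the post.
        [string[]]$Required = @('DeviceManagementManagedDevices.Read.All',
                                'DeviceManagementServiceConfig.ReadWrite.All')
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat).LocalDateTime
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).LocalDateTime
    # App-only tokens (managed identity) carry application permissions in 'roles';
    # delegated tokens carry them in 'scp' as a space-separated string.
    $granted = @()
    if ($claims.roles) { $granted += $claims.roles }
    if ($claims.scp)   { $granted += ($claims.scp -split ' ') }
    $missing = @($Required | Where-Object { $granted -notcontains $_ })
    [pscustomobject]@{
        IssuedAt  = $issued
        ExpiresAt = $expires
        Age       = (Get-Date) - $issued
        Granted   = $granted
        Missing   = $missing
        # Missing permissions on a token issued over an hour ago points at caching
        # rather than at the role assignment itself.
        LikelyCachedToken = ($missing.Count -gt 0) -and ($issued -lt (Get-Date).AddHours(-1))
    }
}

# Usage on the App Service: fetch the Graph token and inspect it.
$raw = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
# Newer Az.Accounts releases return the token as a SecureString.
if ($raw -is [securestring]) { $raw = ConvertFrom-SecureString -SecureString $raw -AsPlainText }
Test-GraphTokenPermissions -Token $raw | Format-List
```

Run it right after a permission change and again after the token's ExpiresAt has passed; if the IssuedAt only moves forward at expiry, the token is being served from a cache rather than re-requested.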

Well, it’s the next day and the scopes still aren’t in the access token. I’m at a loss. :frowning:

OMG.

I disabled the scheduled job I had which was also requesting an access token, just in case there was some sort of “refresh token” in play, and then left PSU untouched over the weekend.

When I came in this morning it had crashed (again) with “cannot access the file ‘D:\home\data\PowershellUniversal\database-log.db’ because it is being used by another process.”

However, on restarting this morning, my access token contains the new scopes!

I’d restarted the app service several times last week, so it wasn’t that. Get-AzAccessToken must be doing some aggressive caching under the hood, possibly with refresh tokens, which means I wasn’t getting my new scopes until I stopped everything from requesting tokens for a while.

Bizarre.

Have logged a question on the Az GitHub repo about this:

Get-AzAccessToken -ResourceTypeName MSGraph caching · Issue #18191 · Azure/azure-powershell (github.com)

It’s gonna be really frustrating if I have to wait 24 hours for the token to expire (and ensure nothing calls Get-AzAccessToken during that time to refresh it!) every time I modify permissions. :frowning:
