Issue running Connect-MgGraph

Product: PowerShell Universal
Version: 3.9.17

I’m trying to run a script that connects to MS Graph using the Connect-MgGraph cmdlet

Example:

# Look up the certificate by subject in the current user's personal store and take its thumbprint
$Thumbprint = (Get-ChildItem cert:\CurrentUser\My\ | Where-Object { $_.Subject -eq "CN=MyTestCert" }).Thumbprint

# Only attempt the connection if the expected certificate was found
if ($Thumbprint -eq "MYCERTIFICATETHUMBPRINT") {
    Connect-MgGraph -ClientId $Secret:WDClient -CertificateThumbprint $Thumbprint -TenantId $Secret:AzTenant -Verbose
    Disconnect-MgGraph
}
else {
    throw "Expected certificate not found in cert:\CurrentUser\My"
}

However, when this runs I get the error [error] Invalid JWT access token. If I run it with -Debug added I get:

[debug] ClientCertificateCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId: 
[debug] EventSourceMessage
message = ERROR: Exception during EventSource.OnEventWritten: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index 
[error] Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index 
[error] No application to sign out from. 

If I run the same commands outside of PSU it all works without any issues. I’ve double-checked that PSU can access the local certificate, which it can, and I have also tried hardcoding the ClientId and TenantId in case they were not pulling through correctly, but still get the same error.

Has anyone else come across this? I have another script in PSU that uses the same certificate, clientID and tenantID to pull details from an Azure keyvault and that is working fine.

This is what I’m doing…

Connect-MgGraph -ClientId $Secret:IntuneGraphAPIClientID -TenantId $Secret:AzureTenant -Certificate (Get-Item $Secret:mgGraphCert)  | Out-Null

Where $Secret:mgGraphCert is the path to the certificate.

1 Like

I tried what you suggested and it works fine for PowerShell 7 sessions, but the particular script I’m ultimately trying to run requires PowerShell 5.1 as it needs the AD module (and Server 2016 doesn’t have the version that plays nice with PS7).

I did think maybe it’s a TLS issue, so I added [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12, but that didn’t resolve anything, I still get the same error.

I then thought maybe I’ve got a module conflict somewhere, so I completely stripped out the Microsoft.Graph modules, as I seemed to have 2 different versions (even though I’m explicitly importing 2.4.0 of Microsoft.Graph.Authentication), but still I get the same error I listed before.

I’m having the identical issue!

Same version PSU, modules fully updated, using PS 5.1 environment, command runs properly within a PS 5.1 terminal session directly on the host.

Thank you,

The azuread module is deprecated so you should probably try to use graph where possible. I’ve been using the graph module in PSU for a few months now with no issue, both certificate authentication and refresh tokens.

I would double check your variables to make sure they contain what they need. You also can try passing the whole cert instead of just the thumbprint which is what we do:

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
# Retrieve the whole certificate object from the machine store using the thumbprint held in a PSU secret
$cert = Get-Item "Cert:\LocalMachine\My\$($Secret:ProductionCert)"
# Pass the certificate object rather than just the thumbprint; replace the placeholders with your own values
Connect-MgGraph -ClientId "<Enterprise App with Certificate>" -TenantId "<Azure tenant ID>" -Certificate $cert | Out-Null

Same problem here, works in PS 7 but not 5.1, version of graph module is 2.5.0 in both environments.
Anyone found a workaround for this?

Having the same issue connecting to graph with cert via powershell 5.1

1 Like

Same here, fails with

[error] Invalid JWT access token. 

on PowerShell 5.1, works fine in ISE or in the Console.

I opened an issue for this to investigate. Likely an assembly conflict.

@adam I see the issue is completed, do we need to update to v4.2 to fix this? thanks

This is part of the v4.2 nightly builds and will be released next month as the official release. Feel free to grab the nightly build and give it a shot. Note, you will need to run this in a minimal environment if you want to use Windows PowerShell due to assembly conflicts we are still unable to resolve with the Graph module on that platform.

Some info about the upcoming minimal environment feature: Running Python in PowerShell Universal

Is there any other way we can work around this issue? With the minimal environment we are missing too many PSU features, and we are not ready to convert to PS 7.

Minimal environment didn’t work for me. My workaround was to have the script that uses the Graph SDK configured for the PowerShell 7 environment, then have the Windows PowerShell 5.1 script call it with Invoke-PSUScript.

1 Like
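The two-script workaround described above (the Graph SDK call kept in a script assigned to the PowerShell 7 environment, called from a Windows PowerShell 5.1 script with Invoke-PSUScript), as an added example that is not code from any poster in this thread or from PowerShell Universal itself. It also folds in the earlier suggestion of passing the whole certificate object instead of only the thumbprint. The script names, the secret variable names $Secret:GraphClientId and $Secret:AzTenant, the certificate subject CN=MyTestCert, and passing the script parameter to Invoke-PSUScript as a dynamic parameter are assumptions; the private-key and expiry checks are additions that make a certificate problem fail early with a clear message instead of surfacing later as a token error.

```powershell
# ===== Connect-Graph.ps1 (assumed name) =====
# Configure this script for the PowerShell 7 environment in PSU.
param(
    # Thumbprint of the certificate to authenticate with (passed in by the caller)
    [Parameter(Mandatory)] [string] $Thumbprint
)

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

# Assumed store location; adjust if the certificate lives in CurrentUser\My instead.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Fail early on the two most common certificate problems. The SDK signs the client
# assertion with the private key, so a public-only or expired certificate is useless.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key accessible to the PSU service account."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
}

# $Secret:GraphClientId and $Secret:AzTenant are assumed PSU secret variable names.
Connect-MgGraph -ClientId $Secret:GraphClientId -TenantId $Secret:AzTenant -Certificate $cert -NoWelcome | Out-Null
try {
    $ctx = Get-MgContext
    # Return only connection metadata to the caller; the access token stays in this session.
    [pscustomobject]@{
        TenantId = $ctx.TenantId
        ClientId = $ctx.ClientId
        AuthType = $ctx.AuthType
        Scopes   = ($ctx.Scopes -join ',')
    }
}
finally {
    Disconnect-MgGraph | Out-Null
}

# ===== Caller.ps1 (assumed name) =====
# Configure this script for the Windows PowerShell 5.1 environment, where the AD module is needed.
Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the certificate here by subject (CN=MyTestCert is a placeholder) and hand over
# the thumbprint only: a certificate object crossing into another job would be deserialized
# and would arrive without its private key.
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=MyTestCert' }).Thumbprint
if (-not $thumb) {
    throw 'Certificate CN=MyTestCert not found in Cert:\LocalMachine\My.'
}

# Invoke-PSUScript starts the Graph script as a PSU job in its own (PowerShell 7) environment;
# -Wait blocks until it finishes and returns the job's pipeline output. Passing -Thumbprint as a
# dynamic parameter matching the script's param block is an assumption.
$graphContext = Invoke-PSUScript -Script 'Connect-Graph.ps1' -Thumbprint $thumb -Wait
if (-not $graphContext) {
    throw 'Connect-Graph.ps1 returned nothing; check the job output in PSU for the failure.'
}
Write-Output "Graph connected in PowerShell 7 job for tenant $($graphContext.TenantId) using $($graphContext.AuthType)"

# ... continue with the 5.1-only work, e.g. Get-ADUser lookups, here.
```

The split keeps the Graph SDK assemblies entirely inside the PowerShell 7 job, so the Windows PowerShell 5.1 environment never loads them, while the 5.1 script keeps full access to PSU features and the ActiveDirectory module. Any Graph queries needed by the 5.1 script can be added to Connect-Graph.ps1 and returned as plain objects in the same way.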