However, when this runs I get the error [error] Invalid JWT access token. If I run it with -Debug added I get:
[debug] ClientCertificateCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId:
[debug] EventSourceMessage
message = ERROR: Exception during EventSource.OnEventWritten: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
[error] Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
[error] No application to sign out from.
If I run the same commands outside of PSU it all works without any issues. I’ve double-checked that PSU can access the local certificate, which it can, and I have also tried hardcoding the ClientId and TenantId in case they were not pulling through correctly, but still get the same error.
Has anyone else come across this? I have another script in PSU that uses the same certificate, clientID and tenantID to pull details from an Azure keyvault and that is working fine.
I tried what you suggested and it works fine for PowerShell 7 sessions, but the particular script I’m ultimately trying to run requires PowerShell 5.1 as it needs the AD module (and Server 2016 doesn’t have the version that plays nice with PS7).
I did think maybe it's a TLS issue, so I added [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12, but that didn't resolve anything; I still get the same error.
I then thought maybe I’ve got a module conflict somewhere, so I completely stripped out the Microsoft.Graph modules, as I seemed to have 2 different versions (even though I’m explicitly importing 2.4.0 of Microsoft.Graph.Authentication), but still I get the same error I listed before.
The AzureAD module is deprecated, so you should probably try to use Graph where possible. I've been using the Graph module in PSU for a few months now with no issue, both certificate authentication and refresh tokens.
I would double check your variables to make sure they contain what they need. You also can try passing the whole cert instead of just the thumbprint which is what we do:
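An added example, not the poster's own snippet, of looking the certificate up in the machine store and handing the X509Certificate2 object to Connect-MgGraph instead of the thumbprint, with checks that the private key is present and readable by the account PSU runs as before the token request is made. The $ClientId, $TenantId and $Thumbprint values are placeholders to be filled from your own PSU variables.

```powershell
# Added example: certificate-object authentication to Microsoft Graph from a
# PSU script. $ClientId, $TenantId and $Thumbprint are placeholders.
Import-Module Microsoft.Graph.Authentication -RequiredVersion 2.4.0

$ClientId   = '<app-registration-client-id>'   # placeholder
$TenantId   = '<tenant-id>'                    # placeholder
$Thumbprint = '<certificate-thumbprint>'       # placeholder

# Resolve the certificate ourselves so a missing or unreadable key gives a
# clear error instead of a generic "Invalid JWT access token".
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }

if (-not $cert) {
    throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My (running as $env:USERNAME)"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key, so the client assertion cannot be signed"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
}
# Throws if the service account lacks read permission on the private key.
$null = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

# Pass the whole certificate object rather than the thumbprint.
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -Certificate $cert -NoWelcome -ErrorAction Stop

# Confirm an app-only context before doing any work.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only Graph context, got '$($ctx.AuthType)'"
}
Write-Verbose "Connected to tenant $($ctx.TenantId) as application $($ctx.ClientId)"

try {
    # Minimal call from the Authentication module to prove the token is accepted.
    $org = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/organization'
    Write-Verbose "Token accepted; tenant display name: $($org.value[0].displayName)"
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

If the key-permission check throws under PSU but not in an interactive console, the PSU service account is the one that needs read access to the key, which matches the symptom of the script working outside PSU.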
This is part of the v4.2 nightly builds and will be released next month as the official release. Feel free to grab the nightly build and give it a shot. Note, you will need to run this in a minimal environment if you want to use Windows PowerShell due to assembly conflicts we are still unable to resolve with the Graph module on that platform.
Is there any other way we can work around this issue? With the minimal environment we are missing too many PSU features, and we are not ready to convert to PS 7.
Minimal environment didn’t work for me. My workaround was to have the script that uses the Graph SDK configured for the PowerShell 7 environment, then have the Windows PowerShell 5.1 script call it with Invoke-PSUScript.