Issue running Connect-MgGraph

Product: PowerShell Universal
Version: 3.9.17

I’m trying to run a script that connects to MS Graph using the Connect-MgGraph cmdlet

Example:

# Look up the certificate by subject in the current user's personal store and keep its thumbprint
$Thumbprint = (Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=MyTestCert" }).Thumbprint

# Only connect if the thumbprint matches the expected value (placeholder kept from the post)
if ($Thumbprint -eq "MYCERTIFICATETHUMBPRINT") {
    Connect-MgGraph -ClientId $Secret:WDClient -CertificateThumbprint $Thumbprint -TenantId $Secret:AzTenant -Verbose
    Disconnect-MgGraph
}
else {
    throw "Certificate thumbprint did not match the expected value."
}

However, when this runs I get the error [error] Invalid JWT access token. If I run it with -Debug added I get:

[debug] ClientCertificateCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId: 
[debug] EventSourceMessage
message = ERROR: Exception during EventSource.OnEventWritten: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index 
[error] Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index 
[error] No application to sign out from. 

If I run the same commands outside of PSU it all works without any issues. I’ve double-checked that PSU can access the local certificate, which it can, and I have also tried hardcoding the ClientId and TenantId in case they were not pulling through correctly, but still get the same error.

Has anyone else come across this? I have another script in PSU that uses the same certificate, clientID and tenantID to pull details from an Azure keyvault and that is working fine.

This is what I’m doing…

Connect-MgGraph -ClientId $Secret:IntuneGraphAPIClientID -TenantId $Secret:AzureTenant -Certificate (Get-Item $Secret:mgGraphCert)  | Out-Null

Where $Secret:mgGraphCert is the path to the certificate.

I tried what you suggested and it works fine for PowerShell 7 sessions, but the particular script I’m ultimately trying to run requires PowerShell 5.1 as it needs the AD module (and Server 2016 doesn’t have the version that plays nice with PS7).

I did think maybe it's a TLS issue, so I added [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12, but that didn't resolve anything; I still get the same error.

I then thought maybe I’ve got a module conflict somewhere, so I completely stripped out the Microsoft.Graph modules, as I seemed to have 2 different versions (even though I’m explicitly importing 2.4.0 of Microsoft.Graph.Authentication), but still I get the same error I listed before.

I’m having the identical issue!

Same version PSU, modules fully updated, using PS 5.1 environment, command runs properly within a PS 5.1 terminal session directly on the host.

Thank you,

The AzureAD module is deprecated, so you should probably try to use Graph where possible. I've been using the Graph module in PSU for a few months now with no issue, both certificate authentication and refresh tokens.

I would double check your variables to make sure they contain what they need. You also can try passing the whole cert instead of just the thumbprint which is what we do:

# Load the authentication module explicitly so a failure is surfaced here rather than at Connect-MgGraph
Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
# $Secret:ProductionCert holds the thumbprint; Get-Item returns the full X509Certificate2 object
$cert = Get-Item "Cert:\LocalMachine\My\$($Secret:ProductionCert)"
# Pass the certificate object itself rather than only its thumbprint (placeholders kept from the post)
Connect-MgGraph -ClientId "<Enterprise App with Certificate>" -TenantId "<Azure tenant ID>" -Certificate $cert | Out-Null
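The snippet above and the original post both hinge on the same things: whether the variables actually resolved, whether the account running the PSU environment can see the certificate and its private key, which PowerShell edition is in use, and whether the connection really succeeded. The following is an added example, not code from the thread or from the Microsoft.Graph module; it wraps those checks around a certificate-based Connect-MgGraph that passes the whole certificate object, as the reply above does. The function name, and the $Secret:WDThumbprint name in the usage comment, are assumptions for illustration; $Secret:WDClient and $Secret:AzTenant are the PSU secret variables from the original post.

```powershell
# Added example (not from the thread): connect to Graph with a certificate after verifying
# each input the replies above suggest double-checking. Requires Microsoft.Graph.Authentication.
function Connect-MgGraphWithCertificate {
    [CmdletBinding()]
    param(
        [string] $ClientId,
        [string] $TenantId,
        [string] $Thumbprint
    )

    # Record the host edition: the thread reports the failure only under Windows PowerShell 5.1.
    Write-Verbose ("PowerShell {0} ({1})" -f $PSVersionTable.PSVersion, $PSVersionTable.PSEdition)

    # Fail early on empty inputs: a PSU secret that did not resolve arrives here as $null and would
    # otherwise surface later as a much less useful token error.
    $inputs = [ordered]@{ ClientId = $ClientId; TenantId = $TenantId; Thumbprint = $Thumbprint }
    foreach ($pair in $inputs.GetEnumerator()) {
        if ([string]::IsNullOrWhiteSpace($pair.Value)) {
            throw "Parameter '$($pair.Key)' is empty; check the variable it was populated from."
        }
    }

    # Search both personal stores: the service account running the PSU environment may not see a
    # certificate that an interactive user imported into CurrentUser\My.
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1

    if (-not $cert) {
        throw "No certificate with thumbprint $wanted is visible to $env:USERNAME in CurrentUser\My or LocalMachine\My."
    }
    # Client-certificate auth signs a JWT assertion with the private key; without it nothing can work.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate '$($cert.Subject)' was found but its private key is not accessible to this account."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)."
    }
    Write-Verbose ("Using '{0}' from {1}" -f $cert.Subject, $cert.PSParentPath)

    # Windows PowerShell 5.1 can default to an older TLS version; add TLS 1.2 without removing others.
    # (The original poster reports this alone did not clear the error, so it is kept as one check among several.)
    [System.Net.ServicePointManager]::SecurityProtocol =
        [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12

    # Import explicitly and log which copy loaded, since the thread mentions two module versions side by side.
    Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
    Write-Verbose ("Microsoft.Graph.Authentication {0}" -f (Get-Module Microsoft.Graph.Authentication).Version)

    # Connect by passing the certificate object rather than only its thumbprint, then verify the
    # resulting context instead of assuming success.
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -Certificate $cert -ErrorAction Stop | Out-Null
    $ctx = Get-MgContext
    if (-not $ctx -or $ctx.ClientId -ne $ClientId) {
        throw "Connect-MgGraph returned but Get-MgContext shows no context for client $ClientId."
    }

    [pscustomobject]@{
        TenantId = $ctx.TenantId
        ClientId = $ctx.ClientId
        AuthType = $ctx.AuthType
        Subject  = $cert.Subject
        Store    = $cert.PSParentPath
    }
}

# Usage inside a PSU script ($Secret:WDThumbprint is an assumed secret holding the thumbprint):
# Connect-MgGraphWithCertificate -ClientId $Secret:WDClient -TenantId $Secret:AzTenant -Thumbprint $Secret:WDThumbprint -Verbose
# Disconnect-MgGraph
```

Running it with -Verbose in both a PowerShell 7 and a PowerShell 5.1 PSU environment gives a like-for-like record of edition, certificate store, private-key access and module version for the two runs, which narrows the difference down before the token request itself is blamed.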

Same problem here: works in PS 7 but not 5.1, and the Graph module version is 2.5.0 in both environments.
Has anyone found a workaround for this?

Having the same issue connecting to Graph with a cert via PowerShell 5.1.
