Description
Describe the bug
Since module version 2.26.0, I have been experiencing an issue with Continuous Access Evaluation in MgGraph. I authenticate using app registration and a certificate. This works without any problems, but after some time, my script returns the following error message.
Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
Since I have scripts that run for a longer time, I keep encountering this problem repeatedly. Additionally, we use the Microsoft365DSC module, and I receive the error when reading the AAD settings right from the start.
Expected behavior
The script should not need to re-authenticate, and when reading the M365DSC configuration, the error should not occur from the beginning and should be able to authenticate.
How to reproduce
```
Connect-MgGraph -ClientID $ClientID -TenantId $Tenant_ID -CertificateThumbprint $CertificateThumbprint
Get-MgUser
```
Wait some time and rerun the Get-MgUser command.
SDK Version
2.26.0 and 2.27.0
Latest version known to work for scenario above?
2.25.0
Known Workarounds
No response
Debug output
```
Get-MgUser -Debug
[CmdletBeginProcessing]: - Get-MgUser begin processing with parameterSet 'List'.
[Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: '*****'.
[Authentication]: - Scopes: [DeviceManagementManagedDevices.Read.All, ChannelSettings.Read.All, RoleManagement.Read.Directory, Channel.ReadBasic.All, Group.Read.All, DeviceManagementServiceConfig.Read.All, Directory.Read.All, User.Read.All,
Tasks.Read.All, GroupMember.Read.All, DeviceManagementConfiguration.Read.All, Organization.Read.All, Policy.Read.All, Application.Read.All, DeviceManagementApps.Read.All, OrgSettings-Todo.Read.All, Policy.Read.ConditionalAccess, AppCatalog.Read.All,
RoleEligibilitySchedule.Read.Directory, CustomSecAttributeDefinition.Read.All, Policy.Read.DeviceConfiguration, ExternalConnection.Read.All, Policy.ReadWrite.AuthenticationMethod, Sites.Selected, UserAuthenticationMethod.Read.All,
RoleEligibilitySchedule.ReadWrite.Directory, SharePointTenantSettings.ReadWrite.All, Channel.Delete.All, SharePointTenantSettings.Read.All, AdministrativeUnit.Read.All, OrgSettings-Forms.Read.All, LifecycleWorkflows.Read.All, Sites.Read.All,
EntitlementManagement.Read.All, IdentityUserFlow.Read.All, RoleManagement.Read.All, Domain.Read.All, Agreement.Read.All, ChannelMember.Read.All, RoleManagementPolicy.Read.Directory, DeviceManagementRBAC.Read.All, EntitlementManagement.ReadWrite.All,
APIConnectors.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-Microsoft365Install.Read.All, IdentityProvider.Read.All, TeamSettings.Read.All, NetworkAccessPolicy.Read.All, AccessReview.Read.All, Mail.Send,
PrivilegedEligibilitySchedule.Read.AzureADGroup, OrgSettings-DynamicsVoice.Read.All, ProgramControl.Read.All, NetworkAccess.Read.All, Sites.FullControl.All, RoleAssignmentSchedule.Read.Directory, Policy.Read.IdentityProtection].
============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/v1.0/users
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.20348; de-CH),PowerShell/5.1.20348.2849
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.25.0
client-request-id : 71ae034a-b311-4128-99f9-bf5f8b60fec2
Body:
============================ HTTP RESPONSE ============================
Status Code:
Unauthorized
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 7c1ded63-8eae-4083-9d9e-ebad27ef76dd
client-request-id : 25e4806a-d2bc-43a9-8ec6-5c98275fa7d5
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ZR1PEPF00000667"}}
WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with
result: InteractionRequired and code: LocationConditionEvaluationSatisfied", error="insufficient_claims",
claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJCOTY0ODgwQkQxNDJBNjJCRjQ5NzI4MEI3NkFGREM1QjUxNjlENUMifQ.eyJ0cyI6MTc0NjcyNTgyMH0.elc4_PChd4yb5GBLU1YMIgaGkFWb0Wr8wf7GJAi0-uQknGVfi6ixhJk1CSdKq1BVLsdYc
VEHCodj0TolZg0IB-vxjCvlfVAN51tTD9Gbi0GAejjofO4poM2OpRRzLjy3HD2MP4y5EhxMGXyvsaKKfg6AkNlxjavMp6Et9NXC2q9a1J7cr5doO5_krwSZTUiGsQwF4-5q4tM1J1t81n-xCGkMGuq_rYga_cSlK1wAFVi5RtCibqF6dEzHqqJ9JygaQ2-0e315O-esTXhZx7l_icSt7woWGeEHU1MEgu7Vf-09QkdBI8UrVo5IA24S1ZgVQU
EVM1RyT2WkK1agPyCwrg"
Date : Thu, 08 May 2025 17:37:00 GMT
Body:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied",
"innerError": {
"date": "2025-05-08T17:37:00",
"request-id": "7c1ded63-8eae-4083-9d9e-ebad27ef76dd",
"client-request-id": "25e4806a-d2bc-43a9-8ec6-5c98275fa7d5"
}
}
}
Get-MgUser_List : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
Status: 401 (Unauthorized)
ErrorCode: InvalidAuthenticationToken
Date: 2025-05-08T17:37:00
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 7c1ded63-8eae-4083-9d9e-ebad27ef76dd
client-request-id : 25e4806a-d2bc-43a9-8ec6-5c98275fa7d5
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ZR1PEPF00000667"}}
WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with
result: InteractionRequired and code: LocationConditionEvaluationSatisfied", error="insufficient_claims",
claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJCOTY0ODgwQkQxNDJBNjJCRjQ5NzI4MEI3NkFGREM1QjUxNjlENUMifQ.eyJ0cyI6MTc0NjcyNTgyMH0.elc4_PChd4yb5GBLU1YMIgaGkFWb0Wr8wf7GJAi0-uQknGVfi6ixhJk1CSdKq1BVLsdYc
VEHCodj0TolZg0IB-vxjCvlfVAN51tTD9Gbi0GAejjofO4poM2OpRRzLjy3HD2MP4y5EhxMGXyvsaKKfg6AkNlxjavMp6Et9NXC2q9a1J7cr5doO5_krwSZTUiGsQwF4-5q4tM1J1t81n-xCGkMGuq_rYga_cSlK1wAFVi5RtCibqF6dEzHqqJ9JygaQ2-0e315O-esTXhZx7l_icSt7woWGeEHU1MEgu7Vf-09QkdBI8UrVo5IA24S1ZgVQU
EVM1RyT2WkK1agPyCwrg"
Date : Thu, 08 May 2025 17:37:00 GMT
At C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Users\2.25.0\exports\ProxyCmdletDefinitions.ps1:22009 char:23
+     $scriptCmd = {& $wrappedCmd @PSBoundParameters}
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ ConsistencyLe... , Headers = }:<>f__AnonymousType41`9) [Get-MgUser_List], Exception
    + FullyQualifiedErrorId : InvalidAuthenticationToken,Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List
[CmdletEndProcessing]: - Get-MgUser end processing.
```
Configuration
```
Name                           Value
----                           -----
PSVersion                      5.1.14393.7870
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.7870
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
OS: Windows Server 2016 Datacenter (14393.7876) x64
Other information
No response
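
The 401 in the debug output above carries a claims challenge (`error="insufficient_claims"` plus a base64 `claims` parameter) in its `WWW-Authenticate` header. The following is an added example, not part of the original issue or of the Graph SDK, that parses such a header and decodes the challenge so it can be logged or compared against Conditional Access policy; the function name `ConvertFrom-CaeChallenge` is hypothetical.

```powershell
# Added example. Header value copied from the debug output in this issue,
# with the PoP challenge and its nonce left out.
$wwwAuthenticate = 'Bearer realm="", ' +
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", ' +
    'client_id="00000003-0000-0000-c000-000000000000", ' +
    'error_description="Continuous access evaluation resulted in challenge with ' +
    'result: InteractionRequired and code: LocationConditionEvaluationSatisfied", ' +
    'error="insufficient_claims", ' +
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19"'

# ConvertFrom-CaeChallenge is a hypothetical helper name, not an SDK cmdlet.
function ConvertFrom-CaeChallenge {
    param([Parameter(Mandatory = $true)][string]$HeaderValue)

    # Keep only the Bearer challenge; a PoP challenge may follow in the same header.
    $bearer = @($HeaderValue -split ',\s*PoP\s')[0]

    # Collect the key="value" parameters of the challenge.
    $p = @{}
    foreach ($m in [regex]::Matches($bearer, '(\w+)="([^"]*)"')) {
        $p[$m.Groups[1].Value] = $m.Groups[2].Value
    }

    # Only error="insufficient_claims" with a claims parameter is a claims challenge.
    if ($p['error'] -ne 'insufficient_claims' -or -not $p['claims']) { return $null }

    # The claims value is base64-encoded JSON; accept base64url and missing padding.
    $b64 = $p['claims'].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $claims = $json | ConvertFrom-Json

    # nbf, when present in the challenge, is a Unix timestamp; show it as UTC.
    $nbf = $null
    if ($claims.access_token.nbf) {
        $nbf = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.access_token.nbf.value).UtcDateTime
    }

    [pscustomobject]@{
        Error           = $p['error']
        Description     = $p['error_description']
        RequestedClaims = $json
        NotBeforeUtc    = $nbf
    }
}

ConvertFrom-CaeChallenge -HeaderValue $wwwAuthenticate | Format-List
```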