Connect-MgGraph failing consistently with TypeInitializationException exception thrown for Azure.Identity.AuthenticationRecord #2284

@TrondHaugmo

We are trying to start using the Microsoft.Graph PS modules for our Azure AD scripting needs, but even after installing the very latest versions of the modules (now also having tried the latest beta versions) on my system, I still get an error stating "The type initializer for 'Azure.Identity.AuthenticationRecord' threw an exception" (TypeInitializationException) when running "Connect-MgGraph".

We have opened a support call through our Unified Support Agreement (Case tracking ID: 2307070050003124), but after working with the support technician for a while (who has had us report on what the currently installed Microsoft.Graph modules are and requested us to fully remove them and then install the very latest versions including the most recent beta version in several "rounds") we are still consistently getting the same error every time we try to run Connect-MgGraph, and the support technician has thus recommended us to also register this as an issue here on GitHub.

This is the command we try to run, which obviously brings up a prompt to perform authentication: Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

I authenticate with my Azure AD admin account which has the following AD roles activated (through PIM) in advance of running the command:

  • Global Reader
  • Cloud Application Administrator
  • User Administrator

The authentication is successful it seems, and the very first time we tried this we also had to go through an admin-consent process, but that now seems properly registered in our Azure AD tenant as that does not show up after that first attempt. Now we just go through MFA and then the authentication dialog briefly states that authentication was successful before it closes. However, immediately after we get the mentioned error as you can see in the example screenshot below:

The machine where I'm encountering the issue is running Windows Server 2016 with PowerShell 5.1 (see version details below). The support technician has recommended us to try using PowerShell 7.x, but for various reasons we cannot introduce that version of PowerShell on the system in question, and the Microsoft.Graph modules are officially supported also on PowerShell 5.1 so we need to figure out why it does not work in our case. The output from $PSVersionTable on the system looks like this:

Name                       Value
PSVersion                  5.1.14393.5582
PSEdition                  Desktop
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0...}
BuildVersion               10.0.14393.5582
CLRVersion                 4.0.30319.42000
WSManStackVersion          3.0
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1

Reproducing the issue
Full set of steps that reproduce the behavior:

  1. Log on to the system and immediately start "Windows PowerShell ISE" on it
  2. Once ISE is successfully fully started, I just execute Get-Module to show what modules are automatically loaded:
  3. Shows that the 2.4.0 (latest) version of Microsoft.Graph.Authentication is loaded by default.
  4. Next, I also run Get-Module -FullyQualifiedName Microsoft.Graph* -ListAvailable to verify that I only have one set of Microsoft.Graph modules installed, and as you can see from the screenshot below it is now the beta-edition of the most recent version (2.4.0) that is installed on the system:
  5. After successful PIM activation of the mentioned Azure AD roles for my admin-account, I run the command to connect to Azure AD through Microsoft.Graph: Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All" and after completing the authentication including MFA through the pop-up dialog, then the error is immediately encountered:

Expected behavior
The expected behavior is that executing Connect-MgGraph would complete successfully without returning an error.

Debug Output
I have also tried running the Connect-MgGraph cmdlet with the same parameters, but also adding -Debug, and the full output of that looks like this (requestID's/correlationId's anonymized):

DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ User.Read.All, Group.ReadWrite.All ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:52Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId( x1111111-xxxx-11xx-8f64-71f2f9addfaf)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read.All Group.ReadWrite.All
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - x1111111-xxxx-11xx-8f64-71f2f9addfaf
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] === Token Acquisition (InteractiveRequest) started:
Scopes: User.Read.All Group.ReadWrite.All
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Fetching instance discovery from the network from host login.microsoftonline.com.
DEBUG: Request [xxx1111x-1xx1-111x-99c3-58188404c787] GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:xxx1111x-1xx1-111x-99c3-58188404c787
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.9.0 (.NET Framework 4.8.4645.0; Microsoft Windows 10.0.14393 )
client assembly: Azure.Identity
DEBUG: Response [xxx1111x-1xx1-111x-99c3-58188404c787] 200 OK (00.1s)
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
client-request-id:REDACTED
x-ms-request-id:111111xx-1111-1xx1-84b9-cf2e18138a00
x-ms-ests-server:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:max-age=86400, private
Content-Type:application/json; charset=utf-8
P3P:REDACTED
Set-Cookie:REDACTED
Date:Mon, 04 Sep 2023 07:37:56 GMT
Content-Length:950

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Authority validation enabled? True.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Authority validation - is known env? True.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:37:57Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Using legacy embedded browser.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [Legacy WebView] Redirect URI was reached. Stopping WebView navigation...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] An authorization code was retrieved from the /authorize endpoint.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Exchanging the auth code for tokens.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

DEBUG: Request [1111x11x-1111-1111-9096-cf017e3724e1] POST https://login.microsoftonline.com/common/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-anchormailbox:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-PKeyAuth:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:1111x11x-1111-1111-9096-cf017e3724e1
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.9.0 (.NET Framework 4.8.4645.0; Microsoft Windows 10.0.14393 )
client assembly: Azure.Identity
DEBUG: Response [1111x11x-1111-1111-9096-cf017e3724e1] 200 OK (00.3s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:11xxx1xx-1111-111x-b139-4628de696700
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:no-store, no-cache
Content-Type:application/json; charset=utf-8
Expires:-1
P3P:REDACTED
Set-Cookie:REDACTED
Date:Mon, 04 Sep 2023 07:38:19 GMT
Content-Length:5460

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Checking client info returned from the server..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Saving token response to cache..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Looking for scopes for the authority in the cache which intersect with User.Read.All Group.ReadWrite.All
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Intersecting scope entries count - 1
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Matching entries after filtering by user - 1
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [SaveTokenResponseAsync] Saving Id Token and Account in cache ...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [SaveTokenResponseAsync] Saving RT in cache...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] [AdalCacheOperations] Serializing token cache with 1 items.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] AT expiration time: 9/5/2023 7:38:19 AM +00:00, scopes: Application.Read.All AuditLog.Read.All CrossTenantInformation.ReadBasic.All Group.Read.All Group.ReadWrite.All openid Policy.Read.All profile RoleAssignmentSchedule.Read.Directory RoleEligibilitySchedule.Read.Directory RoleManagement.Read.Directory User.Read User.Read.All email. source: IdentityProvider
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2016 Standard [2023-09-04 07:38:20Z - x1111111-xxxx-11xx-8f64-71f2f9addfaf] Fetched access token from host login.microsoftonline.com.
DEBUG: InteractiveBrowserCredential.Authenticate succeeded. Scopes: [ User.Read.All, Group.ReadWrite.All ] ParentRequestId:
ExpiresOn: 2023-09-05T07:38:19.8408559+00:00
Connect-MgGraph : The type initializer for 'Azure.Identity.AuthenticationRecord' threw an exception.
At line:1 char:1
+ Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All" -Debug
    + CategoryInfo          : NotSpecified: (:) [Connect-MgGraph], TypeInitializationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

Module Version

The modules returned by Get-Module while running it after the error has occurred are the same as those shown before running the Connect-MgGraph cmdlet that produces the error.
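
Added example, not part of the original issue: a TypeInitializationException only reports that a static initializer failed, and the underlying error sits in its InnerException chain. This Windows PowerShell 5.1 sketch re-runs the command from the report, prints that chain, and lists the identity-related assemblies loaded in the session with their versions and paths. The function name Get-ExceptionChain and the assembly-name filter are assumptions chosen for illustration.

```powershell
# Added diagnostic sketch (not from the issue author or the Microsoft.Graph project).
# Run it in the same session in which Connect-MgGraph fails.

function Get-ExceptionChain {
    # Hypothetical helper: flattens an exception and all of its inner exceptions.
    param([Parameter(Mandatory = $true)][System.Exception]$Exception)

    $depth = 0
    while ($null -ne $Exception) {
        [pscustomobject]@{
            Depth   = $depth
            Type    = $Exception.GetType().FullName
            Message = $Exception.Message
            Source  = $Exception.Source
        }
        $Exception = $Exception.InnerException
        $depth++
    }
}

try {
    # Same command as in the report; -ErrorAction Stop makes the failure catchable.
    Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All" -ErrorAction Stop
}
catch {
    # The deepest entry is the exception thrown inside the type initializer.
    Get-ExceptionChain -Exception $_.Exception | Format-List
}

# Assemblies loaded in this process. The name pattern is an assumption; widen it as needed.
# Dynamic assemblies are skipped because they have no file location.
[AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { -not $_.IsDynamic } |
    Where-Object { $_.GetName().Name -match '^(Azure\.|Microsoft\.Identity|Microsoft\.Graph)' } |
    ForEach-Object {
        $name = $_.GetName()
        [pscustomobject]@{
            Name     = $name.Name
            Version  = $name.Version
            Location = $_.Location
        }
    } |
    Sort-Object Name, Version |
    Format-Table -AutoSize -Wrap
```

The access token is not printed by this script; only exception text and assembly metadata are shown, so the output can be attached to a support case after a quick review.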
