Status: Closed (mabster closed this issue 2 years ago)
@mabster, it is by design. Azure PowerShell relies on MSAL to do authentication. It has a cache mechanism and returns a new access token only when the cached one is close to expiration. Please `Disconnect-AzAccount` and `Connect-AzAccount` again.
I've tried disconnecting and reconnecting many times. The token remains the same every time. Even restarting the app service doesn't work. That's why I logged this issue. Sorry if that wasn't clear.
As an example: I just called `Disconnect-AzAccount` (and then `Clear-AzContext -Force` just in case) and then reconnected with `Connect-AzAccount -Id -Scope CurrentUser`, then fetched a Graph token. Here's what the token looks like:
It's currently 8:35am on the 18th of May here, and that token was issued at 8:44am on the 17th.
It does not contain the Graph permissions I added late yesterday morning (after the iat time).
I just need a "fresh" token with the newly-added permissions, but I have no idea how to get one!
... and now, having done exactly the same thing at 8:46am, I got a token with the permissions I added yesterday.
So it seems that once the token expires, as long as you don't do anything within a few minutes of it expiring (which would presumably refresh it and extend its lifetime) you get a new token with updated permissions. But I can't go 24 hours without requesting an access token every time I need to modify permissions. :(
Gah, and now I realise I need another permission added, so I have to wait another 24 hours before I can test with it, because the token I get from `Get-AzAccessToken` now is still the one that I was issued at 8:42 this morning and won't expire until tomorrow. Even after `Disconnect-AzAccount`.
@mabster, `Disconnect-AzAccount` doesn't delete the token cache. Hope your issue was resolved. Closing this issue now. Let us know if you need further help.
Reopening this to see if I can get an actual answer or resolution.
How do I clear the underlying MSAL token cache so that `Get-AzAccessToken` is guaranteed to get me a fresh token with the scopes I've just added to my Graph identity? Can we get a `-Force` parameter or something?
Oh, does leaving a comment not reopen the issue? Can we reopen it? Pretty please?
`Get-AzAccessToken` employs MSAL to do AuthN and manage tokens. The token cache is obligatory. MSAL doesn't expose an API to allow the client to get a totally fresh token.
Description
We are running PowerShell Universal in an Azure App Service, and that app service has its own system managed identity. When the app launches, it calls `Connect-AzAccount -Id -Scope CurrentUser` to connect to Azure as itself with a persistent connection. I have added several Graph permissions to the identity, and when I call `Get-AzAccessToken -ResourceTypeName MSGraph` from a PSU script, the token contains those permissions. Great! Now I discover a new permission that I need. So I add it to the system managed identity.
When I call `Get-AzAccessToken -ResourceTypeName MSGraph` again, the original access token, with the same "iat" (issued at) attribute and the same "roles" (Graph permissions), is returned. It seems that `Get-AzAccessToken` is caching the last-generated token. Restarting the app service doesn't even fix it. The only way I was able to make it get a new token was to shut everything down over a whole weekend, so none of the scheduled scripts had a chance to request a token (which I think is keeping the existing token current with a refresh token).
How do I clear the token cache so that `Get-AzAccessToken` returns a new Graph access token with my newly-added permission(s)? I don't want to have to forcibly shut down the app for several days every time I modify its permissions.
Script or Debug output
No response
Environment data
Module versions
Error output
No response
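Since the Az module gives no way to bypass the MSAL cache, the practical mitigation is to inspect the token you were actually handed before using it. The following is an added example (not code from the issue or from the Az module) that decodes the `iat`, `exp` and `roles` claims of the token returned by `Get-AzAccessToken -ResourceTypeName MSGraph` and fails fast when a newly-granted role is missing; the role name `User.Read.All` is a placeholder, and `Test-GraphTokenRoles` / `ConvertFrom-JwtPayload` are hypothetical helper names.

```powershell
# Added example: inspect the claims of the token Get-AzAccessToken hands back.
# Decoding the payload does NOT validate the signature; this is only for
# diagnosing which cached token the process is using, never for authorization.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    # Base64url -> Base64: restore the standard alphabet and padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphTokenRoles {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$RequiredRoles
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat)
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    # App-only (managed identity) Graph tokens carry permissions in the "roles" claim
    $missing = @($RequiredRoles | Where-Object { $_ -notin @($claims.roles) })
    [pscustomobject]@{
        IssuedAt     = $issued.ToLocalTime()
        ExpiresAt    = $expires.ToLocalTime()
        Roles        = @($claims.roles)
        MissingRoles = $missing
        HasAllRoles  = ($missing.Count -eq 0)
    }
}

# Usage inside the app: refuse to call Graph with a stale cached token.
# In newer Az.Accounts releases .Token is a SecureString; convert it with
# ConvertFrom-SecureString -AsPlainText before passing it here.
$token  = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
$report = Test-GraphTokenRoles -Token $token -RequiredRoles 'User.Read.All'   # placeholder role
if (-not $report.HasAllRoles) {
    Write-Warning ("Cached token issued {0}, expires {1}; missing roles: {2}" -f
        $report.IssuedAt, $report.ExpiresAt, ($report.MissingRoles -join ', '))
}
```

Logging `IssuedAt`/`ExpiresAt` alongside the missing roles makes the situation described above visible immediately (the cached token predates the permission grant), rather than surfacing later as a Graph 403.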