Open ToeKneeFan opened 1 week ago
This issue is perhaps most similar to #3942 (reporting a similar failure to refresh) but, based on the timeline, is unlikely to be rooted in the same problem (given v7.0.0 was published on npm on Oct 2, 2023 and #3942 was reported well before that on Oct 27, 2022).
After further investigation, it appears this issue can be isolated to a change that occurred between v7.4.0 and v7.5.0. Refreshing access tokens (in the scenario described above with a personal account, custom app registration, etc.) works on v7.0.0–v7.4.0 and then begins to fail on v7.5.0.
Based on the release notes, I would tentatively speculate that this is related to "added support for signing in with multiple identities #3587," since other changes were generally related to more specific commands/subcommands, whereas #3587 was associated with more fundamental changes in the way logins and connections are handled.
Hi @ToeKneeFan, sorry to hear CLI is malfunctioning for you. I love to see the amount of context you are giving. This will help us a lot.
In v7.5.0 we did introduce multiple connections indeed. However, I can't really see why this would cause issues. What strikes me the most is the fact that when you run m365 cli doctor
, your scopes are completely empty. Have you checked the connection files on your user home directory?
Thank you very much for following up, @milanholemans!
Both ".cli-m365-all-connections.json" and ".cli-m365-connection.json" have the following contents after a recent login:
{"active":true,"authType":0,"certificateType":0,"cloudType":0,"accessTokens":{"https://graph.microsoft.com":{"expiresOn":"2024-06-29T00:53:50.000Z","accessToken":"<redacted>","tenant":"common","name":"","identityName":"","identityId":"","identityTenantId":""}
So, when you log in and run m365 cli doctor
, there are scopes displayed, but when you let the token expire and run it again, the scopes are gone?
Thank you again. No, the scopes never show in the result of m365 cli doctor
, but the requested scopes work properly during the initial access-token lifetime and associated commands work. They also show properly in the permissions webpage in the DeviceCode workflow.
Notably, in v7.4.0 (where the token refreshing works properly), m365 cli doctor
likewise does not show any scopes. I think m365 cli doctor
is just an "unreliable narrator" in my situation. I wonder if this is a result of using the common tenant with a custom app registration (perhaps a unique situation, hence why it has not been reported).
Just to confirm @ToeKneeFan, your custom Entra app, that you're using with CLI, is a multitenant app, correct?
@waldekmastykarz Thank you for your help! Yes, it is configured for any tenant or a personal account ("Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)").
Thank you for confirming, @ToeKneeFan. It'll help us repro and fix the issue
This is probably unnecessary, but for sake of completeness, I also reproduced this issue on Windows 11 as well (to verify reproducibility and ensure it is not isolated to just Linux). (Windows 11 Pro 10.0.22631 Build 22631, npm v10.8.1, m365 v7.9.0 and v7.10.0)
Something what you said grabbed my attention:
I may be in a somewhat rare situation, since I am using a personal account without a dedicated tenant ("common") and with a custom app registration; I suspect that most people are using the m365 CLI within a corporate tenant, which may affect reproducibility of this bug.
With personal account do you mean personal as in private/not a service account, or a personal account like Microsoft personal account aka. Live account aka. Hotmail?
I'm trying to reproduce your setup. I've just created a new multitenant app with custom permissions and m365 status
shows just fine. Also m365 cli doctor
shows the connection details as expected. Let's see if we can figure out what's wrong exactly.
With personal account do you mean personal as in private/not a service account, or a personal account like Microsoft personal account aka. Live account aka. Hotmail?
@waldekmastykarz It sounds like the latter; it is a Microsoft 365 Personal account, as described on this page. Yes, the email is associated with Outlook.com, which replaced Hotmail.
Microsoft 365 Personal is a SKU rather than an account type. I don't think we've ever tested using personal accounts with CLI. There are a lot of restrictions and not all APIs work with personal accounts. I can see if we can fix the login, but can't guarantee that the whole CLI will work as intended.
Out of curiosity, why are you using this setup rather than a work account?
I can replicate the issue that you're seeing when I use a personal account to sign it to CLI for M365:
That said, I'm not quite sure if this is a setup that we should support. Could you please help us understand why you're using a personal account to manage your M365 tenant, rather than using a work account?
Ah, thank you, I was unsure if it was necessarily an account type, though I imagine it would introduce differences in API use.
In my use case, I am primarily using it as an interface for emails from the command line. It seemed to be the most convenient way for OAuth2-based access to Outlook email.
Completely understand if it would not be feasible to continue supporting this use case. If so, it may make sense to formally deprecate it within the documentation.
Priority
(Urgent) I can't use the CLI
Description
After a recent update to v7.9.0, my instance of the m365 CLI fails to refresh access tokens. The API is accessed not through the standard PnP app but through a personal app registration in the Azure portal. This app registration requests the following scopes: email, Mail.Read, Mail.Read.Shared, Mail.ReadBasic, Mail.ReadBasic.Shared, Mail.ReadWrite, Mail.ReadWrite.Shared, Mail.Send, Mail.Send.Shared, offline_access, openid, profile, and User.Read.
After logging in with
m365 login
, the CLI (specifically, mail commands, likem365 outlook mail send
) works for about an hour (the lifetime of the access token) and then fails to refresh the access token (attempting to use the CLI results in a request to log in:🌶️ To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code <redacted> to authenticate
).Downgrading to v7.0.0 fixes this issue. To check for reproducibility, I upgraded and downgraded at least three times, testing whether the token refreshes, and v7.9.0 consistently fails to refresh the token, whereas v7.0.0 works well and a refreshed access token is still intact hours later.
Based on this, I speculate that the issue can be isolated to a change in the versions between v7.1.0 to v7.9.0 (inclusive), perhaps something related to the way that tokens are refreshed or the way the offline_access scope is handled.
I may be in a somewhat rare situation, since I am using a personal account without a dedicated tenant ("common") and with a custom app registration; I suspect that most people are using the m365 CLI within a corporate tenant, which may affect reproducibility of this bug.
Steps to reproduce
m365 login
with a specified app ID from an app registration (with scopes email, Mail.Read, Mail.Read.Shared, Mail.ReadBasic, Mail.ReadBasic.Shared, Mail.ReadWrite, Mail.ReadWrite.Shared, Mail.Send, Mail.Send.Shared, offline_access, openid, profile, and User.Read) and the default DeviceCode flow (if applicable, using a personal account without a specified tenant). Specify--debug
here or runm365 status --debug
to get the expiration time afterward.m365 outlook mail send
).Expected results
I would expect the command to work (namely,
m365 outlook mail send
should send an email)Actual results
The m365 authentication is expired and requests another login.
🌶️ To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code <redacted> to authenticate
Diagnostics
Result of
m365 login
:Result of
m365 outlook mail send -s 'test' -t <redacted email> --bodyContents 'test' --debug
CLI for Microsoft 365 version
v7.9.0
nodejs version
v20.14.0
Operating system (environment)
Linux
Shell
bash
cli doctor
Additional Info
No response