Closed
Closed
"The access token is invalid" error when trying to use Azure REST APIs using version 13.3.0 and 14.0.0#27882
@theheatDK

Description

Description

Hi,

When I try to access Azure resources via the REST API it works fine in 13.1.0. When I try using 13.3.0 and 14.0.0 it fails. I have verified this on two devices.

A simple example:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resources-rest?tabs=azure-powershell#list-resources

$Token          = (Get-AzAccessToken -AsSecureString).Token
$SubscriptionId = 'XXXXXXXXXXXXXX
$Headers        = @{Authorization="Bearer $Token"}
Invoke-WebRequest -Method GET -Headers $Headers -Uri "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/rg-pelo-test/resources?api-version=2021-04-01"

Error:

Invoke-WebRequest:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "The access token is invalid."
  }
}

Issue script & Debug output

PS C:\Users\pelo> $DebugPreference='Continue'
PS C:\Users\pelo> $Token          = (Get-AzAccessToken -AsSecureString).Token
DEBUG: Initializing ConditionalAssemblyContext. PSEdition is [Core]. PSVersion is [7.5.1].
DEBUG: Initializing ConditionalAssemblyProvider. AssemblyRootPath is [C:\Users\pelo\OneDrive - DHI\Documents\PowerShell\Modules\Az.Accounts\5.0.1\StartupScripts\..\lib].
DEBUG: Registering Az shared AssemblyLoadContext.
DEBUG: AssemblyLoadContext registered.
DEBUG: Initializing PSStyle.
DEBUG: Got version 0 of Az
DEBUG: Got version 0 of Az.Accounts
DEBUG: 21:34:28 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:34:28 - GetAzureRmAccessTokenCommand begin processing with ParameterSet 'KnownResourceTypeName'.
DEBUG: 21:34:28 - using account id '[email protected]'...
DEBUG: 21:34:28 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [Az.Accounts], Cmdlet = [Get-AzAccessToken].
DEBUG: 21:34:28 - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 21:34:28 - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 21:34:28 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'XXXXXXXXX', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z] [Internal cache] Clearing user token cache accessor.
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - b946d4af-1c4d-42a7-b8b3-9956f928d249] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - b946d4af-1c4d-42a7-b8b3-9956f928d249] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - b946d4af-1c4d-42a7-b8b3-9956f928d249] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - b946d4af-1c4d-42a7-b8b3-9956f928d249] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - b946d4af-1c4d-42a7-b8b3-9956f928d249] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z] Returning 1 accounts
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] MSAL MSAL.CoreCLR with assembly version '4.65.0.0'. CorrelationId(23c1d29f-794a-40bd-9ce9-35e14ab2b372)
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] LoginHint provided: False
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] Account provided: True
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] ForceRefresh: False
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 23c1d29f-794a-40bd-9ce9-35e14ab2b372
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z] [Internal cache] Clearing user token cache accessor.
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] [Internal cache] Total number of cache partitions found while getting access tokens: 1
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] [FindAccessTokenAsync] Discovered 9 access tokens in cache using partition key: 226d6897-e20e-44a4-84b5-9f5bcc04caed.XXXXXXXXX
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] Access token is not expired. Returning the found cache entry. [Current time (06/02/2025 19:34:28) - Expiration Time (06/02/2025 19:59:55 +00:00) - Extended Expiration Time (06/02/2025 19:59:55 +00:00)]
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372]  AT expiration time: 02-06-2025 19:59:55 +00:00, scopes: https://management.core.windows.net//.default https://management.core.windows.net//user_impersonation. source: Cache
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372]
[LogMetricsFromAuthResult] Cache Refresh Reason: NotApplicable
[LogMetricsFromAuthResult] DurationInCacheInMs: 0
[LogMetricsFromAuthResult] DurationTotalInMs: 41
[LogMetricsFromAuthResult] DurationInHttpInMs: 0
DEBUG: False MSAL 4.65.0.0 MSAL.CoreCLR .NET 9.0.4 Microsoft Windows 10.0.22631 [2025-06-02 19:34:28Z - 23c1d29f-794a-40bd-9ce9-35e14ab2b372] TokenEndpoint: ****
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2025-06-02T19:59:55.0000000+00:00
DEBUG: 21:34:28 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:34:28 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:34:28 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:5.0.1; CommandName: Get-AzAccessToken; PSVersion: 7.5.1; IsSuccess: True; Duration: 00:00:00.5863833; SanitizeDuration: 00:00:00.0015690
DEBUG: 21:34:28 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:34:28 - GetAzureRmAccessTokenCommand end processing.
PS C:\Users\pelo> $SubscriptionId = 'XXXXXXXXX'
PS C:\Users\pelo> $Headers        = @{Authorization="Bearer $Token"}
PS C:\Users\pelo> Invoke-WebRequest -Method GET -Headers $Headers -Uri "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/rg-pelo-test/resources?api-version=2021-04-01"
Invoke-WebRequest:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "The access token is invalid."
  }
}

Environment data

PS C:\Users\pelo> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.5.1
PSEdition                      Core
GitCommitId                    7.5.1
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

PS C:\Users\pelo> Get-Module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.0.1                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}

Error output

PS C:\Users\pelo> Resolve-AzError
DEBUG: 21:36:51 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:36:51 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 21:36:51 - using account id '[email protected]'...
DEBUG: 21:36:51 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [Az.Accounts], Cmdlet = [Resolve-AzError].
DEBUG: 21:36:51 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].

   HistoryId: 11

Message        : Response status code does not indicate success: 401 (Unauthorized).
StackTrace     :    at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
Exception      : Microsoft.PowerShell.Commands.HttpResponseException
InvocationInfo : {Invoke-WebRequest}
Line           : Invoke-WebRequest -Method GET -Headers $Headers -Uri "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/rg-pelo-test/resources?api-version=2021-04-01"
Position       : At line:1 char:1
                 + Invoke-WebRequest -Method GET -Headers $Headers -Uri "https://managem …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 11

DEBUG: 21:36:52 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].

   HistoryId: 5

Message        : Response status code does not indicate success: 401 (Unauthorized).
StackTrace     :    at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
Exception      : Microsoft.PowerShell.Commands.HttpResponseException
InvocationInfo : {Invoke-WebRequest}
Line           : Invoke-WebRequest -Method GET -Headers $Headers -Uri "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/rg-pelo-test/resources?api-version=2021-04-01"
Position       : At line:1 char:1
                 + Invoke-WebRequest -Method GET -Headers $Headers -Uri "https://managem …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 5



DEBUG: 21:36:52 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:36:52 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:36:52 - No authentication telemetry is found for the current cmdlet with Id fca95629-f02c-490d-b075-9c02a447d2da.
DEBUG: AzureQoSEvent:  Module: Az.Accounts:5.0.1; CommandName: Resolve-AzError; PSVersion: 7.5.1; IsSuccess: True; Duration: 00:00:00.1681679; SanitizeDuration: 00:00:00.0004959
DEBUG: 21:36:52 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 21:36:52 - ResolveError end processing.