Azure function (PowerShell) - IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

Question

Azure function (PowerShell) - IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

Khalid Hajjouji 50

I am using an Azure function with the PowerShell language. I would like to get a specific M365 group from entra Id. I am using the pnp PowerShell module. I got the error:

IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

This is my PowerShell command:

Connect-PnPOnline -Url "someSpUrl" -ManagedIdentity $site = Get-PnPTenantSite -Identity someSpUrl" $m365Group = Get-PnPMicrosoft365Group -Identity [System.Guid]$site.GroupId

Why do I get this error? How can I fix this?

Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-04-01T15:04:29.6233333+00:00

@Khalid Hajjouji ,

Thanks for reaching out.
Could you let us know the managed identity is enabled and has the correct permissions (Group.Read.All for Graph, Sites.Read.All or higher for SharePoint).
Khalid Hajjouji 50 Reputation points

2025-04-01T19:54:37.4266667+00:00

@Khadeer Ali yes the managed identity is enabled. See below the API permissions from the managed identity:
RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator

2025-04-23T17:33:59.32+00:00

Hi @Khalid Hajjouji ,I wanted to follow up and see if the given answer was helpful. If this resolves your issue, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
Khalid Hajjouji 50 Reputation points

2025-04-23T18:46:11.9066667+00:00

Why do I got this error? How to resolve?
RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator

2025-04-24T01:40:32.29+00:00

The error says that invalid JWT token is being parsed, its header cannot be decoded properly because it’s not valid Base64Url format. I have provided an answer below with complete steps, did you check that. I am able to get the desired results using those steps.

1 answer

Your answer

Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-04-01T15:04:29.6233333+00:00

@Khalid Hajjouji ,

Thanks for reaching out.
Could you let us know the managed identity is enabled and has the correct permissions (Group.Read.All for Graph, Sites.Read.All or higher for SharePoint).
Khalid Hajjouji 50 Reputation points

2025-04-01T19:54:37.4266667+00:00

@Khadeer Ali yes the managed identity is enabled. See below the API permissions from the managed identity:
RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator

2025-04-23T17:33:59.32+00:00

Hi @Khalid Hajjouji ,I wanted to follow up and see if the given answer was helpful. If this resolves your issue, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
Khalid Hajjouji 50 Reputation points

2025-04-23T18:46:11.9066667+00:00

Why do I got this error? How to resolve?
RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator

2025-04-24T01:40:32.29+00:00

The error says that invalid JWT token is being parsed, its header cannot be decoded properly because it’s not valid Base64Url format. I have provided an answer below with complete steps, did you check that. I am able to get the desired results using those steps.

Answer 1

Hi @Khalid Hajjouji,

Below approach worked for me to retrieve Microsoft 365 Group :

Firstly, created a function app in Azure. Later Enabled Managed identity as below:

enter image description here

Below is my function app code:

run.ps1:


using namespace System.Net

param($Request, $TriggerMetadata)

Connect-PnPOnline "m3542.sharepoint.com" -ManagedIdentity

$site = Get-PnPTenantSite -Identity "https://m3542.sharepoint.com/sites/DemoSite" 

$m365Group = Get-PnPMicrosoft365Group -Identity $site.GroupId

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

    StatusCode = [HttpStatusCode]::OK

    Body = $m365Group

})

requirements.psd1:


@{

'PnP.PowerShell' = '2.0.45-nightly'

}

The profile.ps1 should be empty:

enter image description here

Then deployed to Azure.

Now, Given Share Point Admin Role for the function app:

enter image description here

Also have below permissions:

enter image description here

Output:

enter image description here

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator

2025-04-04T04:44:09.2533333+00:00

Hi @Khalid Hajjouji ,I wanted to follow up and see if the given answer was helpful. If this resolves your issue, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

Share via

Azure function (PowerShell) - IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

1 answer

Your answer