Invalid JWT access token

Question

Invalid JWT access token

Lewis Venables 0

Hi,

Im trying to setup azure automation to disable and enable a conditional access policy via a runbook, ive installed the two specific modules from powershell gallery, Microsoft.Graph.Authentication & Microsoft.Graph.Identity.SignIns both version 2.30.0, ive read online that I will get the access token error with this version so downgrade to 2.25.0 by manually uploading the modules. I have done this and then i get the error that Update-MgIdentityConditionalAccessPolicy cmdlet isnt a recognised cmdlet, is there a correct way of uploading the modules from a zip.

Please see below script i am trying

#Load required modules

Import-Module Microsoft.Graph.Authentication

Import-Module Microsoft.Graph.Identity.SignIns

Connect to Graph with Managed Identity

Connect-MgGraph -Identity -NoWelcome

Use the policy ID (replace with yours from Get-MgConditionalAccessPolicy)

$policyId = "my policy id number is in there just removed it"

Enable the policy

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter @{ state = "disabled" }

Write-Output "Policy has been DISABLED."

I dont think its loading the modules correctly from the zip

Any help would be amazing

Thanks

Lewis

Lewis Venables 0 Reputation points

2025-09-11T15:47:50.8833333+00:00
I've done everything set out and even using the command it outlines to connect in https://thesysadminchannel.com/graph-api-using-a-managed-identity-in-an-automation-runbook/#Get the token using a managed identity and connect to graph using that token

    Connect-AzAccount -Identity -ErrorAction Stop | Out-Null

    $AccessToken = Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop | select -ExpandProperty Token

    Connect-MgGraph -AccessToken $AccessToken -ErrorAction Stop | Out-Null

I just get the following error, I've also tried Connect-Graph but get the same error, I've just tried running the above command on its own and i get the error, I've tried running the whole cript together and it mentions the modules arent loaded again which simply isnt true

System.Management.Automation.CommandNotFoundException: The term 'Connect-MgGraph' is not recognized as a name of a cmdlet, function, script file, or executable program.
Lewis Venables 0 Reputation points

2025-09-11T15:49:37.9166667+00:00

I did this Install Microsoft Graph Module for Azure Automation using PowerShell & this with no issues https://thesysadminchannel.com/graph-api-using-a-managed-identity-in-an-automation-runbook/
Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator

2025-09-12T11:43:54.04+00:00
Hello Lewis Venables,

Can you confirm which PowerShell runtime your runbook is using: PowerShell 5.1 or PowerShell 7.2?

Did you install the Microsoft.Graph modules specifically for the same runtime version that your runbook is configured to use?

When you go to the Modules section in your Automation Account, do you see "Microsoft.Graph.Authentication"listed under the correct runtime version?

Did you install the modules using PowerShell Gallery or manually upload them as ZIP files? If manually, did you extract and structure them correctly before uploading?

Are you explicitly importing the modules in your runbook using "Import-Module Microsoft.Graph.Authentication -Global"?

Have you tried running a test script with "Get-Command Connect-MgGraph" to check if the cmdlet is available in the runbook session?

Has your Automation Account’s Managed Identity been granted the necessary Microsoft Graph application permissions with admin consent?

Is the error occurring during module import, during the "Connect-MgGraph" call, or later in the script execution?

Thanks,

Suchitra.

1 answer

Your answer

Lewis Venables 0 Reputation points

2025-09-11T15:47:50.8833333+00:00

I've done everything set out and even using the command it outlines to connect in https://thesysadminchannel.com/graph-api-using-a-managed-identity-in-an-automation-runbook/#Get the token using a managed identity and connect to graph using that token

Connect-AzAccount -Identity -ErrorAction Stop | Out-Null

$AccessToken = Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop | select -ExpandProperty Token

Connect-MgGraph -AccessToken $AccessToken -ErrorAction Stop | Out-Null

I just get the following error, I've also tried Connect-Graph but get the same error, I've just tried running the above command on its own and i get the error, I've tried running the whole cript together and it mentions the modules arent loaded again which simply isnt true

System.Management.Automation.CommandNotFoundException: The term 'Connect-MgGraph' is not recognized as a name of a cmdlet, function, script file, or executable program.
Lewis Venables 0 Reputation points

2025-09-11T15:49:37.9166667+00:00

I did this Install Microsoft Graph Module for Azure Automation using PowerShell & this with no issues https://thesysadminchannel.com/graph-api-using-a-managed-identity-in-an-automation-runbook/
Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator

2025-09-12T11:43:54.04+00:00

Hello Lewis Venables,

Can you confirm which PowerShell runtime your runbook is using: PowerShell 5.1 or PowerShell 7.2?

Did you install the Microsoft.Graph modules specifically for the same runtime version that your runbook is configured to use?

When you go to the Modules section in your Automation Account, do you see "Microsoft.Graph.Authentication"listed under the correct runtime version?

Did you install the modules using PowerShell Gallery or manually upload them as ZIP files? If manually, did you extract and structure them correctly before uploading?

Are you explicitly importing the modules in your runbook using "Import-Module Microsoft.Graph.Authentication -Global"?

Have you tried running a test script with "Get-Command Connect-MgGraph" to check if the cmdlet is available in the runbook session?

Has your Automation Account’s Managed Identity been granted the necessary Microsoft Graph application permissions with admin consent?

Is the error occurring during module import, during the "Connect-MgGraph" call, or later in the script execution?

Thanks,

Suchitra.

Answer 1

Hello Lewis Venables

Thank you for posting your query on Microsoft Q&A platform.

You are trying to automate enabling or disabling a Conditional Access Policy in Azure using a PowerShell runbook and Microsoft Graph SDK, but you are facing two common issues that is

Invalid JWT Access Token might be due to using managed identity without assigning the correct Microsoft Graph API application permissions.

The Graph SDK version you are using expects delegated permissions, which are not supported in Azure Automation with managed identity.

Cmdlet Not Recognized (Update-MgIdentityConditionalAccessPolicy): This happens when the required module (Microsoft.Graph.Identity.SignIns) is either not installed properly or missing dependencies. You manually uploaded a ZIP file that did not include all required submodules.

To avoid these, Instead of uploading ZIP modules manually try to use PowerShell to install modules directly from the PowerShell Gallery so that all dependencies are handled in a proper way. Reference: Install Microsoft Graph Module for Azure Automation using PowerShell
Assign Graph API Permissions to Managed Identity: You must assign application level permissions (not delegated) to your Automation Account’s managed identity
Reference: https://thesysadminchannel.com/graph-api-using-a-managed-identity-in-an-automation-runbook/
Once you have installed the Microsoft Graph modules correctly and assigned the necessary permissions to your Azure Automation account's Managed Identity, you can use the Update-MgIdentityConditionalAccessPolicy cmdlet in your runbook script. 1.Imports the required modules. 2.Authenticates using the managed identity. 3.Calls the correct Microsoft Graph cmdlet to update the Conditional Access Policy. Reference: https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0 Hope it helps.

Thanks,

Suchitra.

Share via

Invalid JWT access token

Connect to Graph with Managed Identity

Use the policy ID (replace with yours from Get-MgConditionalAccessPolicy)

Enable the policy

1 answer

Your answer