New-MgBetaSecurityAuditLogQuery seems to drop authentication

[12Knocksinna]

Describe the bug

I am running an audit job to retrieve audit events. I create the hash table containing the audit query and attempt to submit it with the New-MgBetaSecurityAuditLogQuery cmdlet, but the cmdlet fails.

$AuditJob = New-MgBetaSecurityAuditLogQuery -BodyParameter $AuditQueryParameters
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Invalid URI: The format of the URI could not be determined.

If the session is disconnected and reconnected with Disconnect-MgGraph and Connect-MgGraph, the cmdlet runs as expected. This makes me think that the automatic access token refresh is being ignored by the cmdlet, which then thinks that it is not authorized to submit the job and therefore fails. The error message is very misleading...

Expected behavior

I expect to be able to submit audit jobs...

How to reproduce

Here's the code I used:

$AuditQueryName = ("Copilot Interactions audit job created at {0}" -f (Get-Date -format 'dd-MMM-yyyy HH:mm'))
$StartDate = (Get-Date).AddDays(-30)
$EndDate = (Get-Date).AddDays(1)
$AuditQueryStart = (Get-Date $StartDate -format s)
$AuditQueryEnd = (Get-Date $EndDate -format s)
[array]$AuditQueryOperations = "CopilotInteraction"
$AuditQueryParameters = @{}
#$AuditQueryParameters.Add("@odata.type","#microsoft.graph.security.auditLogQuery")
$AuditQueryParameters.Add("displayName", $AuditQueryName)
$AuditQueryParameters.Add("OperationFilters", $AuditQueryOperations)
$AuditQueryParameters.Add("filterStartDateTime", $AuditQueryStart)
$AuditQueryParameters.Add("filterEndDateTime", $AuditQueryEnd)

Submit the audit query

$AuditJob = New-MgBetaSecurityAuditLogQuery -BodyParameter $AuditQueryParameters

To reproduce, submit a job and let it run. Wait an hour to make sure that the existing access token has expired. Try and submit an audit job again. It fails...

I suspect that the same problem exists with the other cmdlets that interact with the AuditLogQuery API like Get-MgBetaSecurityAuditLogQueryRecord and Get-MgBetaSecurityAuditLogQuery

SDK Version

V2.26.1

Latest version known to work for scenario above?

I noticed this in previous versions but didn't report it

Known Workarounds

run Disconnect-MgGraph, then Connect-MgGraph, and the cmdlet will work.

Debug output

Are you sure you want to perform this action?
Performing the operation "New-MgBetaSecurityAuditLogQuery_Create" on target "Call remote 'POST /security/auditLog/queries' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
DEBUG: [CmdletException]: Received exception with message 'UriFormatException - Invalid URI: The format of the URI could not be determined. : at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
at System.Uri..ctor(String uriString)
at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.GetInteractiveBrowserCredentialAsync(IAuthContext authContext, CancellationToken cancellationToken)
at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.GetTokenCredentialAsync(IAuthContext authContext, CancellationToken cancellationToken)
at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.GetAuthenticationProviderAsync(IAuthContext authContext)
at Microsoft.Graph.PowerShell.Authentication.Helpers.HttpHelpers.GetGraphHttpClient()
at Microsoft.Graph.Beta.PowerShell.Module.BeforeCreatePipeline(InvocationInfo invocationInfo, HttpPipeline& pipeline)
at Microsoft.Graph.Beta.PowerShell.Module.CreatePipeline(InvocationInfo invocationInfo, String parameterSetName)
at Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaSecurityAuditLogQuery_Create.ProcessRecordAsync()'
New-MgBetaSecurityAuditLogQuery_Create: Invalid URI: The format of the URI could not be determined.
DEBUG: [CmdletEndProcessing]: - New-MgBetaSecurityAuditLogQuery end processing.

Configuration

Name Value

---

PSVersion 7.5.0
PSEdition Core
GitCommitId 7.5.0
OS Microsoft Windows 10.0.26100
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Other information

No response

[12Knocksinna]

To be specific, Connect-MgGraph must go through the authentication process (sign in) before the cmdlet is happy. If Disconnect-MgGraph/Connect-MgGraph run without authenticating, the cmdlet fails.

[timayabi2020]

@12Knocksinna sorry for the experience, this issue has already been reported here #3197. I will therefore close this as a duplicate, kindly let us track it from there.

[12Knocksinna]

It's a different bug that is specific to the cmdlets for the AuditQueryLog API that existed prior to V2.26 (I just didn't get around to reporting it). Other cmdlets work fine. Please don't close this bug. From: Tim ***@***.***> Sent: Monday, March 3, 2025 10:08 AM To: microsoftgraph/msgraph-sdk-powershell ***@***.***> Cc: 12 Knocksinna (Gmail) ***@***.***>; Mention ***@***.***> Subject: Re: [microsoftgraph/msgraph-sdk-powershell] New-MgBetaSecurityAuditLogQuery seems to drop authentication (Issue #3199) @12Knocksinna<https://github.com/12Knocksinna> sorry for the experience, this issue has already been reported here #3197<#3197>. I will therefore close this as a duplicate, kindly let us track it from there. - Reply to this email directly, view it on GitHub<#3199 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AK45CIXJFCLOU5V3XZ3IW2T2SQSWLAVCNFSM6AAAAABYC2Q4CCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMOJTHA2TSMZSGI>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> [timayabi2020]timayabi2020 left a comment (microsoftgraph/msgraph-sdk-powershell#3199)<#3199 (comment)> @12Knocksinna<https://github.com/12Knocksinna> sorry for the experience, this issue has already been reported here #3197<#3197>. I will therefore close this as a duplicate, kindly let us track it from there. - Reply to this email directly, view it on GitHub<#3199 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AK45CIXJFCLOU5V3XZ3IW2T2SQSWLAVCNFSM6AAAAABYC2Q4CCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMOJTHA2TSMZSGI>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[12Knocksinna]

I've confirmed that the problem is with the underying Graph APIs as well. Using Invoke-MgGraphRequest doesn't work if the access token needs to be renewed. For instance, this will fail:

$Uri = $Uri = "https://graph.microsoft.com/beta/security/auditLog/queries"
$AuditJob = Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $AuditQueryParameters

Errors like Invalid URI: The format of the URI could not be determined. or The pipeline has been stopped. aren't very helpful.

The problem is a horrible one because everything seems to be working as normal and then it suddenly fails.

[myfope]

@timayabi2020 any update here?