Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied #3322

Open
dominicbuehrer opened this issue May 14, 2025 · 0 comments
Labels: status:waiting-for-triage (An issue that is yet to be reviewed or assigned), type:bug (A broken experience)

Describe the bug

Since module version 2.26.0, I have been experiencing an issue with Continuous Access Evaluation in MgGraph. I authenticate using app registration and a certificate. This works without any problems, but after some time, my script returns the following error message.

Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied

Since I have scripts that run for a longer time, I keep encountering this problem repeatedly. Additionally, we use the Microsoft365DSC module, and I receive the error when reading the AAD settings right from the start.

Expected behavior

The script should not need to re-authenticate, and when reading the M365DSC configuration, the error should not occur from the beginning and should be able to authenticate.

How to reproduce

Connect-MgGraph -ClientID $ClientID -TenantId $Tenant_ID -CertificateThumbprint $CertificateThumbprint
Get-MgUser
Wait some time and rerun the Get-MgUser command.

SDK Version

2.26.0 and 2.27.0

Latest version known to work for scenario above?

2.25.0

Known Workarounds

No response

Debug output

Get-MgUser -Debug
[CmdletBeginProcessing]: - Get-MgUser begin processing with parameterSet 'List'.
[Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: '*****'.
[Authentication]: - Scopes: [DeviceManagementManagedDevices.Read.All, ChannelSettings.Read.All, RoleManagement.Read.Directory, Channel.ReadBasic.All, Group.Read.All, DeviceManagementServiceConfig.Read.All, Directory.Read.All, User.Read.All,
Tasks.Read.All, GroupMember.Read.All, DeviceManagementConfiguration.Read.All, Organization.Read.All, Policy.Read.All, Application.Read.All, DeviceManagementApps.Read.All, OrgSettings-Todo.Read.All, Policy.Read.ConditionalAccess, AppCatalog.Read.All,
RoleEligibilitySchedule.Read.Directory, CustomSecAttributeDefinition.Read.All, Policy.Read.DeviceConfiguration, ExternalConnection.Read.All, Policy.ReadWrite.AuthenticationMethod, Sites.Selected, UserAuthenticationMethod.Read.All,
RoleEligibilitySchedule.ReadWrite.Directory, SharePointTenantSettings.ReadWrite.All, Channel.Delete.All, SharePointTenantSettings.Read.All, AdministrativeUnit.Read.All, OrgSettings-Forms.Read.All, LifecycleWorkflows.Read.All, Sites.Read.All,
EntitlementManagement.Read.All, IdentityUserFlow.Read.All, RoleManagement.Read.All, Domain.Read.All, Agreement.Read.All, ChannelMember.Read.All, RoleManagementPolicy.Read.Directory, DeviceManagementRBAC.Read.All, EntitlementManagement.ReadWrite.All,
APIConnectors.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-Microsoft365Install.Read.All, IdentityProvider.Read.All, TeamSettings.Read.All, NetworkAccessPolicy.Read.All, AccessReview.Read.All, Mail.Send,
PrivilegedEligibilitySchedule.Read.AzureADGroup, OrgSettings-DynamicsVoice.Read.All, ProgramControl.Read.All, NetworkAccess.Read.All, Sites.FullControl.All, RoleAssignmentSchedule.Read.Directory, Policy.Read.IdentityProtection].
============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.20348; de-CH),PowerShell/5.1.20348.2849
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.25.0
client-request-id : 71ae034a-b311-4128-99f9-bf5f8b60fec2

Body:

============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 7c1ded63-8eae-4083-9d9e-ebad27ef76dd
client-request-id : 25e4806a-d2bc-43a9-8ec6-5c98275fa7d5
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ZR1PEPF00000667"}}
WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with
result: InteractionRequired and code: LocationConditionEvaluationSatisfied", error="insufficient_claims",
claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJCOTY0ODgwQkQxNDJBNjJCRjQ5NzI4MEI3NkFGREM1QjUxNjlENUMifQ.eyJ0cyI6MTc0NjcyNTgyMH0.elc4_PChd4yb5GBLU1YMIgaGkFWb0Wr8wf7GJAi0-uQknGVfi6ixhJk1CSdKq1BVLsdYc
VEHCodj0TolZg0IB-vxjCvlfVAN51tTD9Gbi0GAejjofO4poM2OpRRzLjy3HD2MP4y5EhxMGXyvsaKKfg6AkNlxjavMp6Et9NXC2q9a1J7cr5doO5_krwSZTUiGsQwF4-5q4tM1J1t81n-xCGkMGuq_rYga_cSlK1wAFVi5RtCibqF6dEzHqqJ9JygaQ2-0e315O-esTXhZx7l_icSt7woWGeEHU1MEgu7Vf-09QkdBI8UrVo5IA24S1ZgVQU
EVM1RyT2WkK1agPyCwrg"
Date : Thu, 08 May 2025 17:37:00 GMT

Body:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied",
"innerError": {
"date": "2025-05-08T17:37:00",
"request-id": "7c1ded63-8eae-4083-9d9e-ebad27ef76dd",
"client-request-id": "25e4806a-d2bc-43a9-8ec6-5c98275fa7d5"
}
}
}

Get-MgUser_List : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied

Status: 401 (Unauthorized)
ErrorCode: InvalidAuthenticationToken
Date: 2025-05-08T17:37:00

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 7c1ded63-8eae-4083-9d9e-ebad27ef76dd
client-request-id : 25e4806a-d2bc-43a9-8ec6-5c98275fa7d5
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ZR1PEPF00000667"}}
WWW-Authenticate : Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with
result: InteractionRequired and code: LocationConditionEvaluationSatisfied", error="insufficient_claims",
claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19",PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJCOTY0ODgwQkQxNDJBNjJCRjQ5NzI4MEI3NkFGREM1QjUxNjlENUMifQ.eyJ0cyI6MTc0NjcyNTgyMH0.elc4_PChd4yb5GBLU1YMIgaGkFWb0Wr8wf7GJAi0-uQknGVfi6ixhJk1CSdKq1BVLsdYc
VEHCodj0TolZg0IB-vxjCvlfVAN51tTD9Gbi0GAejjofO4poM2OpRRzLjy3HD2MP4y5EhxMGXyvsaKKfg6AkNlxjavMp6Et9NXC2q9a1J7cr5doO5_krwSZTUiGsQwF4-5q4tM1J1t81n-xCGkMGuq_rYga_cSlK1wAFVi5RtCibqF6dEzHqqJ9JygaQ2-0e315O-esTXhZx7l_icSt7woWGeEHU1MEgu7Vf-09QkdBI8UrVo5IA24S1ZgVQU
EVM1RyT2WkK1agPyCwrg"
Date : Thu, 08 May 2025 17:37:00 GMT

At C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Users\2.25.0\exports\ProxyCmdletDefinitions.ps1:22009 char:23
+     $scriptCmd = {& $wrappedCmd @PSBoundParameters}
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ ConsistencyLe... , Headers = }:<>f__AnonymousType41`9) [Get-MgUser_List], Exception
    + FullyQualifiedErrorId : InvalidAuthenticationToken,Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List
[CmdletEndProcessing]: - Get-MgUser end processing.

Configuration

Name                           Value
----                           -----
PSVersion                      5.1.14393.7870
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.7870
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

OS: Windows Server 2016 Datacenter (14393.7876) x64

Other information

No response
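
Added example (not part of the original issue or of the Microsoft Graph PowerShell SDK): the `claims` parameter in the `WWW-Authenticate` header of the debug output above is base64-encoded JSON, and decoding it shows what the continuous access evaluation challenge carries (here an `nbf` claim and an `xms_rp_ipaddr` claim). `ConvertFrom-CaeChallenge` is a hypothetical helper name; the sample header is the Bearer challenge from the log written on one line, with the PoP challenge and its nonce left out.

```powershell
# Added example: decode the claims challenge in a 401 WWW-Authenticate header.
# ConvertFrom-CaeChallenge is a hypothetical helper, not a Microsoft.Graph cmdlet.
function ConvertFrom-CaeChallenge {
    param([Parameter(Mandatory)][string]$WwwAuthenticate)

    # Collect key="value" parameters; the first occurrence wins (Bearer precedes PoP).
    $params = @{}
    foreach ($m in [regex]::Matches($WwwAuthenticate, '(\w+)="([^"]*)"')) {
        $name = $m.Groups[1].Value
        if (-not $params.ContainsKey($name)) { $params[$name] = $m.Groups[2].Value }
    }

    # Only error="insufficient_claims" together with a claims value is a claims challenge.
    if ($params['error'] -ne 'insufficient_claims' -or -not $params['claims']) {
        return $null
    }

    # Accept base64 or base64url and restore any stripped padding before decoding.
    $b64 = $params['claims'].Replace('-', '+').Replace('_', '/')
    $b64 = $b64.PadRight($b64.Length + (4 - $b64.Length % 4) % 4, '=')
    $json  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $token = ($json | ConvertFrom-Json).access_token

    # nbf is a Unix timestamp; convert it only when the challenge contains one.
    $notBefore = $null
    if ($token.nbf) {
        $notBefore = [DateTimeOffset]::FromUnixTimeSeconds([long]$token.nbf.value).UtcDateTime
    }

    [pscustomobject]@{
        Error        = $params['error']
        Description  = $params['error_description']
        ClaimsJson   = $json
        NotBeforeUtc = $notBefore
        RpIpAddress  = $token.xms_rp_ipaddr.value
    }
}

# Bearer challenge from the debug output above (PoP challenge and nonce omitted).
$header = 'Bearer realm="", ' +
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", ' +
    'client_id="00000003-0000-0000-c000-000000000000", ' +
    'error_description="Continuous access evaluation resulted in challenge with ' +
    'result: InteractionRequired and code: LocationConditionEvaluationSatisfied", ' +
    'error="insufficient_claims", ' +
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzQ2NzI1ODIwIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiI4MC4yNTUuOTcuMzYifX19"'

ConvertFrom-CaeChallenge -WwwAuthenticate $header | Format-List
```

Comparing `RpIpAddress` with the egress address the script host is expected to use, and with the named locations in the tenant's Conditional Access policies, helps narrow down why a location condition produced the challenge.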

dominicbuehrer added the status:waiting-for-triage and type:bug labels May 14, 2025