Connect-AzAccount does not get fresh token correctly, and misses PIM elevated group memberships #28306

@RichardJBlack

Description

Sequence:

  1. Connect-AzAccount
  2. Get a permission denied on a resource in a subscription, where the resource is protected by a PIM group (this is correct).
  3. Activate/Elevate the account for the PIM group using the Azure Portal web site.
  4. Disconnect-AzAccount
  5. Clear-AzContext
  6. Wait 5 minutes
  7. Connect-AzAccount
  8. The token obtained is still stale and does not have the group permission in it.
  9. Need to wait over one hour, almost two hours in fact.
  10. Repeat the Disconnect-AzAccount, Clear-AzContext, Connect-AzAccount
  11. Works this time.

Expect: should not need to wait nearly two hours to get a correct / fresh token. The Clear-AzContext should clear the context, so the next Connect-AzAccount should get a fresh and correct token.
Actual: Disconnect-AzAccount and Clear-AzContext do not clear the state correctly and leave some kind of state somewhere and pick it up again instead of getting a fresh token.

Note: the AZ CLI does not have the same bug. This bug is only in the PowerShell Az.Accounts module.

Issue script & Debug output

Exception calling "SendMessage" with "1" argument(s): "This request is not authorized to perform this operation using this
permission.
RequestId:14f7e2c3-2003-0079-3a3d-017bdb000000
Time:2025-07-30T10:30:42.1626648Z
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch
Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not
authorized to perform this operation using this permission.
RequestId:14f7e2c3-2003-0079-3a3d-017bdb000000
Time:2025-07-30T10:30:42.1626648Z</Message></Error>
Headers:
x-ms-request-id: 14f7e2c3-2003-0079-3a3d-017bdb000000
x-ms-client-request-id: a3cebfdb-aada-49f3-b7d5-6fa3762ae63e
x-ms-version: 2025-05-05
x-ms-error-code: AuthorizationPermissionMismatch
Date: Wed, 30 Jul 2025 10:30:42 GMT
Server: Windows-Azure-Queue/1.0,Microsoft-HTTPAPI/2.0
Content-Length: 279
Content-Type: application/xml
"

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.26100.5722
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.5722
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     5.1.1      Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDef...
Script     9.1.0      Az.Storage                          {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManageme...
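A check that can be run right after step 7 instead of waiting for a 403 from the resource, added here as an example and not code from the issue author or the Az module: it decodes the access token Get-AzAccessToken returns and reports its issue time and whether the expected group object ID is in the groups claim. The storage audience URL and $ExpectedGroupId are assumptions (placeholder values).

```powershell
# Added example: decode the token Az.Accounts hands back and show when it was
# issued and which group object IDs it carries, so a cached/stale token is
# recognisable immediately rather than by a 403 AuthorizationPermissionMismatch.
# Assumes Az.Accounts is loaded and Connect-AzAccount has already run.
param(
    [string]$ExpectedGroupId = '00000000-0000-0000-0000-000000000000', # placeholder: PIM group object ID
    [string]$ResourceUrl     = 'https://storage.azure.com/'            # audience of the failing Storage call
)

function ConvertFrom-JwtPayload {
    # Base64url-decode the middle (payload) segment of a JWT into an object.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Value is not a JWT' }
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$tokenInfo = Get-AzAccessToken -ResourceUrl $ResourceUrl
# Az.Accounts 5.x returns the token as a SecureString; older versions return plain text.
$raw = if ($tokenInfo.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new('', $tokenInfo.Token).Password
} else { $tokenInfo.Token }

$claims  = ConvertFrom-JwtPayload -Jwt $raw
$issued  = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat).UtcDateTime
$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
Write-Host "Token issued : $issued UTC"   # an iat earlier than the PIM activation means a reused token
Write-Host "Token expires: $expires UTC"

$names = $claims.PSObject.Properties.Name
if ($names -contains 'groups') {
    if ($claims.groups -contains $ExpectedGroupId) {
        Write-Host "Group $ExpectedGroupId present: token reflects the PIM activation."
    } else {
        Write-Warning "Group $ExpectedGroupId missing: token predates activation or came from a cache."
    }
} elseif ($names -contains '_claim_names') {
    # Groups overage: too many memberships to embed, token carries a Graph reference instead.
    Write-Warning 'groups claim omitted (overage); membership must be checked via Microsoft Graph.'
} else {
    Write-Warning 'Token carries no groups claim at all.'
}
```

Comparing the reported issue time with the moment of PIM activation distinguishes a genuinely new token without the group from a cached one that was never refreshed.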

Labels: Authentication, Azure PS Team, bug, customer-reported, needs-author-feedback