
Connect-MgGraph -AccessToken fails with ClientAssertionCredential on Linux when token is a SecureString (regression in 2.35.1) #3533

@trentsteenholdt-synergyau

Description

Describe the bug

I am trying to authenticate to Microsoft Graph using an access token obtained from Get-AzAccessToken (Az.Accounts 5.x), but Connect-MgGraph -AccessToken silently ignores the token and falls back to ClientAssertionCredential which then fails.

ClientAssertionCredential authentication failed: 

This worked correctly in 2.35.0. Pinning back to 2.35.0 immediately resolves the issue, confirming a regression was introduced in 2.35.1.

Expected behavior

Connect-MgGraph -AccessToken should authenticate using the supplied access token without falling back to any credential discovery mechanism.

How to reproduce


  1. On a Linux GitHub Actions runner (ubuntu-latest), authenticate via azure/login@v2 using OIDC workload identity federation
  2. Run the following via azure/powershell@v2:

     Import-Module Az.Accounts
     $azToken = Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop
     # In Az.Accounts 5.x (Az 14+), $azToken.Token is a SecureString
     Connect-MgGraph -AccessToken $azToken.Token -NoWelcome -ErrorAction Stop

  3. See error: ClientAssertionCredential authentication failed:

SDK Version

2.35.1

Latest version known to work for scenario above?

2.35.0

Known Workarounds

Option 1: Explicitly convert the SecureString to plain text before passing (PowerShell 7.0+ required):

$azToken = Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop
$plainToken = ConvertFrom-SecureString -SecureString $azToken.Token -AsPlainText
Connect-MgGraph -AccessToken $plainToken -NoWelcome -ErrorAction Stop

Option 2: Pin the module to 2.35.0:

Install-Module Microsoft.Graph -Scope CurrentUser -Force -RequiredVersion '2.35.0'

Debug output

⚠️ Managed Identity authentication failed, trying with current Azure context...
❌ Failed to authenticate with Microsoft Graph: ClientAssertionCredential authentication failed: 
Exception: /home/runner/work/ot-pki/ot-pki/scripts/Set-EJBCAEntraConfiguration.ps1:187
Line |
 187 |    throw "Microsoft Graph authentication failed"
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     |    Microsoft Graph authentication failed
##[error]Error: The process '/usr/bin/pwsh' failed with exit code 1

Configuration

  • OS: Ubuntu 24.04 (ubuntu-latest GitHub Actions runner)
  • Architecture: x64
  • PowerShell: 7.x (GitHub Actions hosted runner default)
  • Az module: 14.6.0
  • Az.Accounts: 5.3.2
  • Auth method: OIDC workload identity federation via azure/login@v2
  • Issue is specific to Linux — WAM is unavailable on this platform
$PSVersionTable output (approximate - GitHub Actions runner):
Name                           Value
----                           -----
PSVersion                      7.4.x
PSEdition                      Core
OS                             Linux 6.x Ubuntu 24.04
Platform                       Unix

Other information

The suspected cause is PR #3521 ("Fix Bug for Disable WAM Auth Flow") which consolidated two code paths in AuthenticationHelpers.cs — one calling Authenticate() and one calling AuthenticateAsync() depending on WAM state. On Linux, WAM is always disabled (ShouldUseWam() returns false), so the consolidation may have changed the code path taken when -AccessToken is passed, causing the module to discard the provided token and attempt its own credential discovery via ClientAssertionCredential, which fails in a GitHub Actions OIDC environment.

The connection to Az.Accounts 5.x: Get-AzAccessToken now returns Token as a SecureString (breaking change in Az 14.0). If the -AccessToken parameter type expectation changed in 2.35.1, PowerShell silently coerces the SecureString to the string literal "System.Security.SecureString" — an invalid JWT — explaining why the SDK falls back to credential discovery.
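
As an added example (not part of the original issue, nor code from Microsoft.Graph or Az), here is a pre-flight check for the failure mode described above: it unwraps the token whether Get-AzAccessToken returns a SecureString or a string, and rejects anything that is not a JWT-shaped, unexpired token before Connect-MgGraph sees it. The function name ConvertTo-ValidatedGraphToken is hypothetical; the final three lines follow workaround Option 1.

```powershell
# Added example: hypothetical helper, not part of Microsoft.Graph or Az.
function ConvertTo-ValidatedGraphToken {
    [CmdletBinding()]
    param(
        # Accepts SecureString (Az.Accounts 5.x) or string (older Az.Accounts).
        [Parameter(Mandatory)] [object] $Token
    )

    $plain = if ($Token -is [securestring]) {
        # Works on Windows PowerShell 5.1 and PowerShell 7.x, including Linux.
        [System.Net.NetworkCredential]::new('', $Token).Password
    } else {
        [string]$Token
    }

    # The failure mode from the issue: a SecureString stringified to its type name.
    if ($plain -eq 'System.Security.SecureString') {
        throw 'Token is a type name, not a token: a SecureString was coerced to string.'
    }

    # A JWT is three non-empty base64url segments separated by dots.
    $parts = $plain -split '\.'
    if ($parts.Count -ne 3 -or @($parts -notmatch '^[A-Za-z0-9_-]+$').Count -gt 0) {
        throw 'Token is not JWT-shaped (expected header.payload.signature).'
    }

    # Decode the payload (base64url -> padded base64) to read the exp claim.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    $b64 = $b64.PadRight($b64.Length + (4 - $b64.Length % 4) % 4, '=')
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) |
        ConvertFrom-Json

    if ($claims.exp -le [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()) {
        throw 'Token has already expired (exp claim is in the past).'
    }
    return $plain   # Never write this value to logs or job output.
}

# Usage, following workaround Option 1 from the issue:
$azToken = Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop
$plainToken = ConvertTo-ValidatedGraphToken -Token $azToken.Token
Connect-MgGraph -AccessToken $plainToken -NoWelcome -ErrorAction Stop
```

Failing here with an explicit message separates a malformed or coerced token from a genuine credential problem, instead of surfacing both as the ClientAssertionCredential error.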


Labels: status:waiting-for-triage (an issue that is yet to be reviewed or assigned), type:bug (a broken experience)
