App authentication expires after 60 minutes in Az Automation, further calls fail

[RTTrickster]

When connecting to msgraph via app registration in Azure Automation, the authentication seems to expire after 60 minutes and all further calls fall. Suspect there is potentially an issue relating to token refresh or something along those lines.

Connection is successfully established via:

Write-Output 'Connecting to MS Graph for Intune'
$MyAppCredential = Get-AutomationPSCredential -Name 'RegisteredAppSecret'
$authority = “https://login.windows.net/$tenant”
$clientId = $runAsConnection.ApplicationId
$clientSecret = $MyAppCredential.GetNetworkCredential().Password
Update-MSGraphEnvironment -AppId $clientId -Quiet
Update-MSGraphEnvironment -AuthUrl $authority -Quiet
Connect-MSGraph -ClientSecret $ClientSecret -Quiet

This works perfectly as expected, but when running from Azure Automation fails after 60 minutes. The error details are:
Error: Failed to acquire token silently as no token was found in the cache. Call method AcquireToken
Error exception type: Microsoft.Intune.PowerShellGraphSDK.AdalAuthException

If I execute the process again immediately from scratch, including a new instance of connect-msgraph, it works again straight away till the next 60 minute timeout. In my particular use case, I am executing on a Hybrid Runbook Worker.

I can execute this same process interactively from my local PC (using standard user auth obviously: Connect-MSGraph -PSCredential $creds) and the process successfully runs to full completion with no 60 minute timeout.

[RTTrickster]

For anyone interested - I had to raise a support case with MS to investigate this. End result, this is by design. When you use App Authentication, there is no concept of a Refresh Token like there is with normal user authentication. The max lifetime of an app auth token is 60 minutes, then you must re-authenticate again.

You can extend the auth token lifetime beyond 60 minutes, but that change is tenant wide and can't be isolated to a single principle. I opted against this is it theoretically increases attacker dwell time in your network if an account is compromised.

The workaround was to build a retry process into the Powershell to catch the timeout error and re-initiate the authentication process again from scratch.

`$Date = get-date
Write-Output "Connecting to MS Graph for Intune at $Date"
$MyAppCredential = Get-AutomationPSCredential -Name 'RegisteredAppSecret'
$authority = “https://login.windows.net/$tenant”
$clientId = $runAsConnection.ApplicationId
$clientSecret = $MyAppCredential.GetNetworkCredential().Password
Update-MSGraphEnvironment -AppId $clientId -Quiet
Update-MSGraphEnvironment -AuthUrl $authority -Quiet
Connect-MSGraph -ClientSecret $ClientSecret -Quiet

Function Upload-AADComputerInfo {

		$Completed = $false
		$count = 0
		do {
			try {
        
				'Do things here'

				$Completed = $true
				} 
				
				catch {
					## an exception was thrown before we got to $true
					write-output 'An error of some kind was thrown. If it was an OAUTH token timeout, we will reconnect and retry now.'
                    # When using App Authentication, the maximum token lifetime is 60 minutes, and does not renew. We must catch the timeout and manually reconnect. 
					write-output $Error[0].Exception.GetType().FullName
                    #write-output $Error[0] #Enable this line if you need the full error for further troubleshooting. 

                    $errorFullName = $Error[0].Exception.GetType().FullName
                    if($errorFullName -eq "Microsoft.Intune.PowerShellGraphSDK.AdalAuthException"){

                        write-output 'Reconnecting to MS Graph so we can retry'
						$Date = get-date
						Write-Output "Connecting to MS Graph for Intune at $Date"
						$MyAppCredential = Get-AutomationPSCredential -Name 'RegisteredAppSecret' 
						$authority = “https://login.windows.net/$tenant”
						$clientId = $runAsConnection.ApplicationId
						$clientSecret = $MyAppCredential.GetNetworkCredential().Password
						Update-MSGraphEnvironment -AppId $clientId -Quiet
						Update-MSGraphEnvironment -AuthUrl $authority -Quiet
						Connect-MSGraph -ClientSecret $ClientSecret -Quiet
                    }
				}

				$Count++
				Start-Sleep -Seconds 1
			} Until ($Completed -eq $true -or $Count -eq 3)
		} 
`