Connect-MgGraph 'InteractiveBrowserCredential authentication failed' Elevated PowerShell Window

[Subzero5401]

Describe the bug

So, I'm trying to run the command Connect-Mggraph under a different user for example my admin account. My company security policy requires that we run our PowerShell script under our admin, and we can't be log into our admin account under a desktop session directly. The powershell 7 instance just freezes requiring me to force close the application.

Expected behavior

When your run under the logged in account there a prompt that pops up to have you sign in. Never receive the prompt

How to reproduce

1. Run pwsh 7 as a "Run as different user" or Run as Adminstrator"
2. Run Connect-MGGraph then the pwsh session just freezes forcing you to force close the application.

SDK Version

2.35.1 Microsoft.Graph PSGallery Microsoft Graph PowerShell module

Latest version known to work for scenario above?

2.33

Known Workarounds

Running PWSH under the context of the signed in user. We aren't supposed to do this as it conflicts with our Security policies.

Debug output

Click to expand log

<PS C:\Windows\System32> connect-mggraph -debug
WARNING: Note: Sign in by Web Account Manager (WAM) is enabled by default on Windows. If using an embedded terminal, the interactive browser window may be hidden behind other windows.
Confirm
Continue with this operation?
&Yes Yes to &All &Halt Command &Suspend
A
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ User.Read ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] MSAL MSAL.CoreCLR with assembly version '4.78.0.0'. CorrelationId(4aa37d43-cd5d-441e-b507-90a5202d7127)
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 4aa37d43-cd5d-441e-b507-90a5202d7127
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
FMI Path:
Credential FMI Path:
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] === Token Acquisition (InteractiveRequest) started:
Scopes: User.Read
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] Fetching instance discovery from the network from host login.microsoftonline.com.
DEBUG: Request [eca31f3a-2df7-4452-af45-e7837c9d0d65] GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-ms-client-request-id:eca31f3a-2df7-4452-af45-e7837c9d0d65
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity.Broker/1.3.1 (.NET 9.0.10; Microsoft Windows 10.0.26200)
client assembly: Azure.Identity.Broker
DEBUG: Response [eca31f3a-2df7-4452-af45-e7837c9d0d65] 200 OK (00.1s)
Cache-Control:max-age=86400, private
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:6164bc85-0088-4bd1-a5f4-7c1524a42400
x-ms-ests-server:REDACTED
x-ms-srs:REDACTED
Content-Security-Policy-Report-Only:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Fri, 20 Feb 2026 17:04:39 GMT
Content-Type:application/json; charset=utf-8
Content-Length:950
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] Broker is configured. Starting broker flow without knowing the broker installation app link.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [Runtime] Broker supported OS.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [RuntimeBroker] Calling SignInInteractivelyAsync this will show the account picker.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0001] INFO SetAuthorityUri:78 Initializing authority from URI 'https://login.microsoftonline.com/common/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] INFO SetCorrelationId:259 Set correlation ID: 4aa37d43-cd5d-441e-b507-90a5202d7127
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] INFO ExecuteInteractiveRequest:1191 The original authority is 'https://login.microsoftonline.com/common'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] WARNING TryNormalizeRealm:2471 No HomeAccountId provided to normalize the realm
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] INFO ExecuteInteractiveRequest:1202 The normalized realm is ''
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] INFO ModifyAndValidateAuthParameters:200 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] INFO ModifyAndValidateAuthParameters:200 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] INFO ModifyAndValidateAuthParameters:223 Authority Realm: common
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0002] WARNING TryEnqueueMsaDeviceCredentialAcquisitionAndContinue:1084 MsaDeviceOperationProvider is not available. Not attempting to register the device.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:716 Attempted to read cache with a non-normalized realm, access token and ID token reads will fail
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:742 Missing Required parameters, but found no account to return.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0003] WARNING ReadAccountById:273 Account id is empty - account not found
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0003] INFO GetCurrentWindowHandleForUIFlow:495 Specified brokerWindowHandle is valid.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] ERROR ErrorInternalImpl:134 Created an error: 55xnl, StatusInternal::Unexpected, InternalEvent::None, Error Code -2147023584, Context 'Unexpected exception while waiting for accounts control to finish: '(pii)''
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:456 Printing Telemetry for Correlation ID: 4aa37d43-cd5d-441e-b507-90a5202d7127
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: start_time, Value: 2026-02-20T17:04:39.000Z
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: api_name, Value: SignInInteractively
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: api_status_code, Value: StatusInternal::Unexpected
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: client_id, Value: 14d82eec-204b-4c2f-b7e8-296a70dab67e
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: correlation_id, Value: 4aa37d43-cd5d-441e-b507-90a5202d7127
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: broker_app_used, Value: true
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: stop_time, Value: 2026-02-20T17:04:39.000Z
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: all_error_tags, Value: 55xnl
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: msalruntime_version, Value: 0.19.4
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: original_authority, Value: https://login.microsoftonline.com/common
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: additional_query_parameters_count, Value: 2
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: read_token_last_error, Value: missing required parameter
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: request_eligible_for_broker, Value: true
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: auth_flow, Value: Broker
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: ui_event_count, Value: 1
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: authorization_type, Value: Interactive
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: api_error_code, Value: -2147023584
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: api_error_tag, Value: 55xnl
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: api_error_context, Value: Unexpected exception while waiting for accounts control to finish: '(pii)'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: is_successful, Value: false
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:464 Key: request_duration, Value: 78
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:469 Printing Execution Flow:
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [MSAL:0004] INFO LogTelemetryData:477 {"t":"646u1","tid":2,"ts":0,"l":2},{"t":"4s7ub","tid":2,"ts":1,"l":2},{"t":"4sufd","tid":2,"ts":1,"s":2,"l":2},{"t":"4swgg","tid":2,"ts":1,"s":1,"l":2},{"t":"4swgf","tid":2,"ts":1,"s":1,"l":2},{"t":"4swgi","tid":3,"ts":1,"s":1,"l":2},{"t":"8dqim","tid":3,"ts":1,"l":2},{"t":"8dqkl","tid":3,"ts":2,"l":2,"a":9,"ie":0},{"t":"4ly8o","tid":3,"ts":2,"l":2},{"t":"54uxd","tid":2,"ts":2,"l":2},{"t":"8dqkn","tid":4,"ts":70,"l":2,"a":5,"ie":1},{"t":"8dqko","tid":4,"ts":70,"l":2,"a":9,"ie":1},{"t":"646u1","tid":4,"ts":70,"l":2}
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [RuntimeBroker] Could not sign in interactively. Status: Unexpected
Error: 0xffffffff80070520
Context: Unexpected exception while waiting for accounts control to finish: '(pii)'
Tag: 0x1f7d734b
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z] [RuntimeBroker] Processing WAM exception
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.26200 [2026-02-20 17:04:39Z - 4aa37d43-cd5d-441e-b507-90a5202d7127] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: unknown_broker_error
HTTP StatusCode 0
CorrelationId 4aa37d43-cd5d-441e-b507-90a5202d7127
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.WamAdapters.HandleResponse(AuthResult authResult, AuthenticationRequestParameters authenticationRequestParameters, ILoggerAdapter logger, String errorMessage)
at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.SignInInteractivelyAsync(AuthenticationRequestParameters authenticationRequestParameters)
at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.AcquireTokenInteractiveAsync(AuthenticationRequestParameters authenticationRequestParameters, AcquireTokenInteractiveParameters acquireTokenInteractiveParameters)
at Microsoft.Identity.Client.Internal.Broker.BrokerInteractiveRequestComponent.FetchTokensAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.FetchTokensFromBrokerAsync(String brokerInstallUrl, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.GetTokenResponseAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ User.Read ] ParentRequestId: Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed:
---> Microsoft.Identity.Client.MsalServiceException (0x80131500): Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: Unexpected exception while waiting for accounts control to finish: '(pii)'
Tag: 0x1f7d734b (error code -2147023584) (internal error code 528315211)
Connect-MgGraph: InteractiveBrowserCredential authentication failed:
Connect-MgGraph: InteractiveBrowserCredential authentication failed:

Configuration

OS : Version Windows 1110.0.26100.7840
Architecture : X64
PSVersionTable:
PSVersion 7.5.4
PSEdition Core
GitCommitId 7.5.4
OS Microsoft Windows 10.0.26200
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Other information

No response

[ramsessanchez]

Hi @Subzero5401, we do not support this specific scenario any longer as WAM is now necessary on Windows devices to prevent security vulnerabilities. In order to disable WAM you must use the Set-MgGraphOption -DisableLoginByWAM $true and use a custom Client-Id.