Skip to content

Unable to Connect to USGov #3498

New issue
New issue
Open
Open
Unable to Connect to USGov#3498
Labels
type:bugA broken experience
@SOM-Scott

Description

@SOM-Scott
SOM-Scott
opened on Jan 9, 2026

Describe the bug

When using Connect-MgGraph -Environment USGov you recive the following error upon authentication.

Request Id: 4aa32935-41e4-477e-9fee-520f21830300
Correlation Id: 63fb12fa-e41b-49bd-b573-f381a5d3f172
Timestamp: 2026-01-09T17:31:13Z
Message: AADSTS50011: The redirect URI 'ms-appx-web://Microsoft.AAD.BrokerPlugin/14d82eec-204b-4c2f-b7e8-296a70dab67e' specified in the request does not match the redirect URIs configured for the application '14d82eec-204b-4c2f-b7e8-296a70dab67e'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

Expected behavior

Expected behavior is to be able to authenticate.

How to reproduce

1, Connect-MgGraph -Environment USGov
2, Authenticate

SDK Version

2.34.0

Latest version known to work for scenario above?

2.33.0

Known Workarounds

I have read that -UseDeviceCode or -UseDeviceAuthentication but those are also broken #3495 in this version with the error

Get-MgUser_List: DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.

Debug output

Click to expand log 
PS C:\> Connect-MgGraph -Environment USGov -Debug
WARNING: Note: Sign in by Web Account Manager (WAM) is enabled by default on Windows. If using an embedded terminal, the interactive browser window may be hidden behind other windows.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ User.Read ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] MSAL MSAL.CoreCLR with assembly version '4.78.0.0'. CorrelationId(63fb12fa-e41b-49bd-b573-f381a5d3f172)
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 63fb12fa-e41b-49bd-b573-f381a5d3f172
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
FMI Path:
Credential FMI Path:

DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] === Token Acquisition (InteractiveRequest) started:
         Scopes: User.Read
        Authority Host: login.microsoftonline.us
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] Broker is configured. Starting broker flow without knowing the broker installation app link.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [Runtime] Broker supported OS.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [RuntimeBroker] Calling SignInInteractivelyAsync this will show the account picker.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0013]    INFO     SetAuthorityUri:78      Initializing authority from URI 'https://login.microsoftonline.us/common/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    INFO     SetCorrelationId:259    Set correlation ID: 63fb12fa-e41b-49bd-b573-f381a5d3f172
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    INFO     ExecuteInteractiveRequest:1191  The original authority is 'https://login.microsoftonline.us/common'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    WARNING  TryNormalizeRealm:2471  No HomeAccountId provided to normalize the realm
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    INFO     ExecuteInteractiveRequest:1202  The normalized realm is ''
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    INFO     ModifyAndValidateAuthParameters:200     Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    INFO     ModifyAndValidateAuthParameters:200     Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    INFO     ModifyAndValidateAuthParameters:223     Authority Realm: common
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0014]    WARNING  TryEnqueueMsaDeviceCredentialAcquisitionAndContinue:1084        MsaDeviceOperationProvider is not available. Not attempting to register the device.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0003]    WARNING  ReturnResponseDueToMissingParameter:716 Attempted to read cache with a non-normalized realm, access token and ID token reads will fail
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0003]    WARNING  ReturnResponseDueToMissingParameter:742 Missing Required parameters, but found no account to return.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0003]    WARNING  ReadAccountById:273     Account id is empty - account not found
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:37Z] [MSAL:0003]    INFO     GetCurrentWindowHandleForUIFlow:495     Specified brokerWindowHandle is valid.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:44Z] [MSAL:0015]    INFO     CreateRequestForProviderWithProperties:862      Client-xtra-sku: MSAL.CoreCLR|4.78.0.0,|0.19.4,|,|,|1.1.0+local
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:30:44Z] [MSAL:0015]    INFO     AddClientSystemInfoToRequest:1248       Client-xtra-sku: MSAL.CoreCLR|4.78.0.0,|0.19.4,|,|,|1.1.0+local
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     ErrorInternalImpl:116   Created an error: 9zeuv, StatusInternal::UserCanceled, InternalEvent::None, Context 'User canceled the flow'
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:456    Printing Telemetry for Correlation ID: 63fb12fa-e41b-49bd-b573-f381a5d3f172
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: start_time, Value: 2026-01-09T17:30:37.000Z
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: api_name, Value: SignInInteractively
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: api_status_code, Value: StatusInternal::UserCanceled
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: client_id, Value: 14d82eec-204b-4c2f-b7e8-296a70dab67e
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: correlation_id, Value: 63fb12fa-e41b-49bd-b573-f381a5d3f172
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: broker_app_used, Value: true
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: stop_time, Value: 2026-01-09T17:31:57.000Z
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: all_error_tags, Value: 9zeuv
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: msalruntime_version, Value: 0.19.4
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: original_authority, Value: https://login.microsoftonline.us/common
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: additional_query_parameters_count, Value: 2
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: read_token_last_error, Value: missing required parameter
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: request_eligible_for_broker, Value: true
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: auth_flow, Value: Broker
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: ui_event_count, Value: 1
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: authorization_type, Value: Interactive
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: api_error_code, Value: 0
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: api_error_tag, Value: 9zeuv
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: api_error_context, Value: User canceled the flow
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: is_successful, Value: false
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:464    Key: request_duration, Value: 79388
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:469    Printing Execution Flow:
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [MSAL:0015]    INFO     LogTelemetryData:477    {"t":"646u1","tid":14,"ts":0,"l":2},{"t":"4s7ub","tid":14,"ts":0,"l":2},{"t":"4sufd","tid":14,"ts":0,"s":2,"l":2},{"t":"4swgg","tid":14,"ts":0,"s":5,"l":2},{"t":"4swgf","tid":14,"ts":0,"s":1,"l":2},{"t":"4swgi","tid":3,"ts":0,"s":5,"l":2},{"t":"8dqim","tid":3,"ts":0,"l":2},{"t":"8dqkl","tid":3,"ts":1,"l":2,"a":9,"ie":0},{"t":"4ly8o","tid":3,"ts":1,"l":2},{"t":"54uxe","tid":14,"ts":1,"l":2},{"t":"4wqm9","tid":15,"ts":6450,"l":2},{"t":"4o9ak","tid":15,"ts":6452,"l":2},{"t":"4o9ai","tid":15,"ts":6453,"l":2},{"t":"8dqkn","tid":15,"ts":79380,"l":2,"a":5,"ie":1},{"t":"8dqko","tid":15,"ts":79380,"l":2,"a":9,"ie":1},{"t":"646u1","tid":15,"ts":79380,"l":2}
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [RuntimeBroker] Could not sign in interactively. Status: UserCanceled
Context: User canceled the flow
Tag: 0x23644515
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [RuntimeBroker] Processing WAM exception
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z] [RuntimeBroker] authentication_canceled User canceled authentication.
DEBUG: False MSAL 4.78.0.0 MSAL.CoreCLR .NET 9.0.10 Microsoft Windows 10.0.22631 [2026-01-09 17:31:57Z - 63fb12fa-e41b-49bd-b573-f381a5d3f172] Exception type: Microsoft.Identity.Client.MsalClientException
, ErrorCode: authentication_canceled
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.WamAdapters.HandleResponse(AuthResult authResult, AuthenticationRequestParameters authenticationRequestParameters, ILoggerAdapter logger, String errorMessage)
   at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.SignInInteractivelyAsync(AuthenticationRequestParameters authenticationRequestParameters)
   at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.AcquireTokenInteractiveAsync(AuthenticationRequestParameters authenticationRequestParameters, AcquireTokenInteractiveParameters acquireTokenInteractiveParameters)
   at Microsoft.Identity.Client.Internal.Broker.BrokerInteractiveRequestComponent.FetchTokensAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.FetchTokensFromBrokerAsync(String brokerInstallUrl, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.GetTokenResponseAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ User.Read ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed: User canceled authentication.
 ---> Microsoft.Identity.Client.MsalClientException (0x80131500): User canceled authentication.
Connect-MgGraph: InteractiveBrowserCredential authentication failed: User canceled authentication.

Configuration

Name                           Value
----                           -----
PSVersion                      7.5.4
PSEdition                      Core
GitCommitId                    7.5.4
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Other information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    type:bugA broken experience

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions