intune-backup-restore-withgui | Token Expires #47

Open
FerryBodijn opened this issue Oct 16, 2024 · 14 comments

@FerryBodijn
Contributor

Hi,

I like your 'intune-backup-restore-withgui' script and want to use it for our environment.
I have tested the script and now I'm trying to back up everything.
I make use of an app registration with the needed permissions.
Sadly, the backup runs for more than one hour, and after one hour the backup fails because the token has expired.
{"error":{"code":"InvalidAuthenticationToken","message":"Lifetime validation failed, the token is expired.

Is it possible to add some checks to the script so the token gets renewed, let's say 5 minutes before it expires?

@andrew-s-taylor
Owner

Hi,

It might be easier to expand the token expiry time

https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes

@FerryBodijn
Contributor Author

Hi,

That would indeed be the easiest solution.
Sadly, because of our company policy, I'm not allowed to expand the token expiry time. :-(

@andrew-s-taylor
Owner

You could try adding some additional connections in the script, but I don't know how well that would work. Or maybe a disconnect and reconnect?

@FerryBodijn
Contributor Author

FerryBodijn commented Oct 16, 2024

I was thinking of adding some extra code in the function 'Connect-ToGraph', something like:

```powershell
# Keep the token together with its lifetime and the time it was granted
$Tokenresponse = [pscustomobject]@{
    access_token = $Response.access_token
    expires_in   = $Response.expires_in
    granted_on   = [datetime]$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
}
$accessToken = $Tokenresponse.access_token
```

And then at some places (or make an extra function) to check if the token is still valid, something like:

```powershell
try {
    # $Tokenresponse is the object built in Connect-ToGraph; it has to be stored in a
    # scope this check can read. $accessToken is only the token string and has no
    # granted_on or expires_in properties.

    # Calculate token expiry time
    $TokenExpiryTime = $Tokenresponse.granted_on.ToUniversalTime().AddSeconds($Tokenresponse.expires_in)

    # If the token expires within 5 minutes, generate a new token
    If ($TokenExpiryTime.AddMinutes(-5) -lt [DateTime]::UtcNow) {

        # Regenerate token
        Connect-ToGraph -TenantId $tenantID -AppId $app -AppSecret $secret
    }
}
catch {
    $message = "An error has occurred!"
    Write-Output $message
}
```

I will find a solution, because the script is nice! 👍
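
The renewal approach discussed above, as an added example that is not part of this thread and not the code that was merged into the script: a cached client-credentials token that is renewed 5 minutes before expiry, plus one retry when Graph still answers 401. The function names, the `$Auth` hashtable and the retry behaviour are assumptions made for illustration.

```powershell
# Added example (hypothetical helper names, not the project's own functions).
$script:GraphToken = $null   # cached token together with its absolute UTC expiry

function Get-GraphAccessToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$AppSecret,
        [int]$RefreshSkewSeconds = 300   # renew 5 minutes before expiry
    )
    $now = [DateTime]::UtcNow
    if ($script:GraphToken -and
        $script:GraphToken.ExpiresOnUtc.AddSeconds(-$RefreshSkewSeconds) -gt $now) {
        return $script:GraphToken.AccessToken   # still valid, reuse it
    }
    # Client-credentials request to the Microsoft identity platform v2.0 token endpoint
    $body = @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $script:GraphToken = [pscustomobject]@{
        AccessToken  = $resp.access_token
        # Counted from just before the request, so the cached expiry is never too late
        ExpiresOnUtc = $now.AddSeconds([int]$resp.expires_in)
    }
    return $script:GraphToken.AccessToken
}

function Invoke-GraphGet {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][hashtable]$Auth   # TenantId, AppId, AppSecret
    )
    foreach ($attempt in 1..2) {
        $token = Get-GraphAccessToken @Auth
        try {
            return Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ Authorization = "Bearer $token" }
        }
        catch {
            $status = [int]$_.Exception.Response.StatusCode
            if ($status -ne 401 -or $attempt -eq 2) { throw }   # surface real errors instead of swallowing them
            $script:GraphToken = $null   # token rejected early: drop the cache and retry once
        }
    }
}
```

Every Graph call in a long backup loop would go through `Invoke-GraphGet`, so the expiry check runs before each request and the token itself is never written to output.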

@andrew-s-taylor
Owner

That should work ok. If you do get it working, I can add it to the main script

@FerryBodijn
Contributor Author

I'm going to try this tomorrow.
I will keep you posted.

@FerryBodijn
Contributor Author

FerryBodijn commented Oct 17, 2024

I have implemented the code to check the expiration of the token. So far, it works.

I made a pull request. I hope I did it correctly. :-)

@andrew-s-taylor
Owner

That was quick!

I've merged the request, code signed it and updated the PSGallery version as well

@FerryBodijn
Contributor Author

Thank you for merging the code. And great to hear you have also updated the PSGallery version. 👍
I will make use of the script even more, so if I find something, I will let you know.
And especially, thanks for sharing this script!

@FerryBodijn
Contributor Author

I have reorganized the script. I also found a little error in the rename part.
I changed line 251 from this:

```powershell
if ($rename -eq "yes") { $changename -eq "yes" }
```

To this:

```powershell
if ($rename -eq "yes") { $changename = "yes" }
```

But I still cannot get the rename to work. :-) Maybe I'm doing something wrong.

Do you want me to send a pull request?

@andrew-s-taylor
Owner

I can sort that bit without a pull request :)

How are you triggering the rename?

@FerryBodijn
Contributor Author

I trigger it like this:

```powershell
intune-backup-restore-withgui -type "$type" -reponame "$reponame" -ownername "$ownername" -token $token -repotype "github" -tenant "$TenantID" -clientid "$clientid" -clientsecret "$clientsecret" -rename "yes"
```

@andrew-s-taylor
Owner

Is type set to backup? The rename happens when backing up, not when restoring

@FerryBodijn
Contributor Author

I tried both, but it is not a very big deal. :-)
