Fix: Unable to login to GCC High due to Windows WAM not supporting national cloud accounts#1501
…n fallback Co-authored-by: SamErde <20478745+SamErde@users.noreply.github.com> Agent-Logs-Url: https://github.com/maester365/maester/sessions/ba28225e-de5b-446b-894c-8e6d4230ba1a
Deploying maester with

| Latest commit: | 9084258 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ad785159.maester.pages.dev |
| Branch Preview URL: | https://copilot-fix-unable-to-login.maester.pages.dev |
Needs review of facts stated by GitHub Copilot and needs testing in GCCH/non-GCCH environments to validate changes.
Pull request overview
Updates Connect-Maester to better support national cloud (GCC High/DoD/China) sign-in on Windows where WAM-backed interactive auth can’t surface those accounts, and fixes the Security & Compliance fallback connection path to use the correct sovereign endpoints.
Changes:
- Adds a proactive Windows WAM tip (for non-Global environments) recommending `-UseDeviceCode`, plus a follow-up message on failures.
- Fixes the `Connect-IPPSSession` UPN-based fallback to pass the same `-ConnectionUri` and `-AzureADAuthorizationEndpointUri` as the primary path.
| # Build a suggested retry command using only the non-default parameter values provided by the caller. | ||
| $retryCmd = "Connect-Maester -UseDeviceCode -Environment $Environment" | ||
| if ($AzureEnvironment -ne 'AzureCloud') { $retryCmd += " -AzureEnvironment $AzureEnvironment" } | ||
| if ($ExchangeEnvironmentName -ne 'O365Default') { $retryCmd += " -ExchangeEnvironmentName $ExchangeEnvironmentName" } |
The suggested $retryCmd doesn’t currently include several caller-supplied non-default parameters (e.g., -TenantId, -GraphClientId, -Service, -SendMail, -SendTeamsMessage, -Privileged, -TeamsEnvironmentName). This can cause the copy/paste “retry” command to change behavior vs the original invocation. Consider generating the retry command from $PSBoundParameters (adding UseDeviceCode=$true, preserving any explicitly provided params, and optionally omitting values that match defaults) so the guidance is accurate and future-proof.
| # Build a suggested retry command using only the non-default parameter values provided by the caller. | |
| $retryCmd = "Connect-Maester -UseDeviceCode -Environment $Environment" | |
| if ($AzureEnvironment -ne 'AzureCloud') { $retryCmd += " -AzureEnvironment $AzureEnvironment" } | |
| if ($ExchangeEnvironmentName -ne 'O365Default') { $retryCmd += " -ExchangeEnvironmentName $ExchangeEnvironmentName" } | |
| # Build a suggested retry command based on the caller-supplied parameters, forcing UseDeviceCode = $true. | |
| $retryParams = @{} | |
| foreach ($entry in $PSBoundParameters.GetEnumerator()) { | |
| $retryParams[$entry.Key] = $entry.Value | |
| } | |
| $retryParams['UseDeviceCode'] = $true | |
| $retryCmd = 'Connect-Maester' | |
| foreach ($entry in $retryParams.GetEnumerator()) { | |
| $name = $entry.Key | |
| $value = $entry.Value | |
| if ($null -eq $value) { | |
| continue | |
| } | |
| # Handle switch/bool parameters: include only when $true. | |
| if ($value -is [bool]) { | |
| if ($value) { | |
| $retryCmd += " -$name" | |
| } | |
| continue | |
| } | |
| # Handle collections by joining values into a single, quoted string. | |
| if ($value -is [System.Collections.IEnumerable] -and -not ($value -is [string])) { | |
| $joined = ($value | ForEach-Object { $_.ToString() }) -join ',' | |
| $escaped = $joined -replace "'", "''" | |
| $retryCmd += " -$name '$escaped'" | |
| continue | |
| } | |
| # Default: quote string values and escape single quotes. | |
| $stringValue = [string]$value | |
| $escapedValue = $stringValue -replace "'", "''" | |
| $retryCmd += " -$name '$escapedValue'" | |
| } |
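Review bot: in the suggested replacement, the `if ($value -is [bool])` test never matches a [switch] parameter such as -Privileged or -SendMail, because $PSBoundParameters stores those as System.Management.Automation.SwitchParameter; they fall through to the default branch and the retry command ends up as `-Privileged 'True'`, where PowerShell treats 'True' as a separate positional argument. Add a `$value -is [switch]` branch (emit the bare switch when `.IsPresent`) ahead of the string branch. Two smaller points in the same block: joining array values into one quoted string turns a multi-valued -Service into a single element, so emit `'a','b'` instead, and $PSBoundParameters also carries common parameters (-Debug, -Verbose) that should be skipped rather than echoed.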
| } catch { | ||
| # For non-global environments on Windows, WAM (Windows Account Manager) may not support national cloud accounts, | ||
| # causing authentication to fail or be cancelled. Provide actionable guidance to the user. | ||
| if ($Environment -ne 'Global' -and ($IsWindows -or $PSVersionTable.PSEdition -eq 'Desktop') -and -not $UseDeviceCode) { | ||
| $retryCmd = "Connect-Maester -UseDeviceCode -Environment $Environment" | ||
| if ($AzureEnvironment -ne 'AzureCloud') { $retryCmd += " -AzureEnvironment $AzureEnvironment" } | ||
| if ($ExchangeEnvironmentName -ne 'O365Default') { $retryCmd += " -ExchangeEnvironmentName $ExchangeEnvironmentName" } | ||
| Write-Host "`n💡 Authentication failed for the '$Environment' environment on Windows." -ForegroundColor Yellow | ||
| Write-Host " Windows Account Manager (WAM) may not support national cloud accounts in the sign-in prompt." -ForegroundColor Yellow | ||
| Write-Host " Run Connect-Maester with -UseDeviceCode to authenticate via browser instead of WAM:`n" -ForegroundColor Yellow | ||
| Write-Host " $retryCmd`n" -ForegroundColor Cyan | ||
| } |
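Review bot: the three $retryCmd lines here duplicate the proactive-tip block above verbatim, so the two messages will drift the first time one is extended; factor them into a single private helper and have that helper cover the other bound parameters (-TenantId, -GraphClientId, -Service, ...) that the current version omits. The visible hunk also ends at the closing brace of the if block without a rethrow; confirm the original exception is rethrown after the guidance so callers still observe the failure and $? is not left true.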
The generic catch {} will run for any failure in Connect-MgGraph, but the message printed is always “Authentication failed… WAM may not support…”. For non-authentication failures (invalid tenant, network/DNS issues, module bugs), this guidance is misleading. Consider narrowing this guidance to known auth-cancellation / broker-related exceptions (or checking the error record/exception message) so the message is only shown when it’s likely relevant.
On Windows, the Microsoft Graph SDK uses Windows Account Manager (WAM) as the authentication broker by default. WAM's account picker does not surface national cloud accounts (GCC High, DoD, China) registered at `login.microsoftonline.us`, causing users to cancel the prompt and receive `InteractiveBrowserCredential authentication failed: User canceled authentication.`

Changes

`powershell/public/Connect-Maester.ps1`

- Proactive WAM warning: Before calling `Connect-MgGraph`, display a tip when connecting to a non-`Global` environment on Windows without `-UseDeviceCode`. Shows the exact retry command with only non-default parameters.
- Auth failure handler: Added a general `catch` block (after `CommandNotFoundException`) that repeats the same actionable guidance when authentication actually fails for non-Global + Windows scenarios, then re-throws the original exception.
- `Connect-IPPSSession` fallback fix: The UPN-based fallback retry for Security & Compliance was calling `Connect-IPPSSession` without `-ConnectionUri` and `-AzureADAuthorizationEndpointUri`, causing GCC High/DoD compliance connections to silently target commercial endpoints in the fallback path.

Contribution Checklist
Before submitting this PR, please confirm you have completed the following:
- /powershell/tests/pester.ps1 on your local system.

Join us at the Maester repository discussions 💬 or Entra Discord 🧑💻 for more help and conversations!
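As an added example, not code from the PR or from the Maester project, here is one way to meet the two review points on the retry command and the catch-block guidance: Test-WamCancellation gates the guidance on the cancellation message quoted in the description, and New-DeviceCodeRetryCommand rebuilds the retry command from $PSBoundParameters while treating switch and array parameters correctly. Both function names and the defaults table are assumptions.

```powershell
function Test-WamCancellation {
    # True only for the interactive-cancel failure quoted in the issue, so
    # unrelated errors (DNS, bad tenant id) do not receive the WAM guidance.
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$ErrorRecord)
    $msg = [string]$ErrorRecord.Exception.Message
    return ($msg -match 'User canceled authentication' -or
            $msg -match 'InteractiveBrowserCredential authentication failed')
}

function New-DeviceCodeRetryCommand {
    # Rebuild the caller's invocation from its bound parameters, force
    # -UseDeviceCode, and drop values equal to the documented defaults.
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$BoundParameters,
        [hashtable]$Defaults = @{ Environment = 'Global'; AzureEnvironment = 'AzureCloud'
                                  ExchangeEnvironmentName = 'O365Default' }
    )
    $params = @{}
    foreach ($kv in $BoundParameters.GetEnumerator()) { $params[$kv.Key] = $kv.Value }
    $params['UseDeviceCode'] = $true
    # $PSBoundParameters also carries common parameters (-Debug, -Verbose); skip them.
    $common = [System.Management.Automation.PSCmdlet]::CommonParameters
    $cmd = 'Connect-Maester'
    foreach ($name in ($params.Keys | Sort-Object)) {
        $value = $params[$name]
        if ($null -eq $value -or $common -contains $name) { continue }
        if ($Defaults.ContainsKey($name) -and "$value" -eq $Defaults[$name]) { continue }
        # Switches arrive as SwitchParameter, not [bool]; emit a bare -Name when present.
        if ($value -is [switch]) { if ($value.IsPresent) { $cmd += " -$name" }; continue }
        if ($value -is [bool])   { if ($value) { $cmd += " -$name" }; continue }
        if ($value -is [System.Collections.IEnumerable] -and $value -isnot [string]) {
            # Keep arrays as arrays ('a','b'), not one comma-joined string.
            $items = @($value) | ForEach-Object { "'" + ([string]$_ -replace "'", "''") + "'" }
            $cmd += " -$name " + ($items -join ',')
            continue
        }
        $cmd += " -$name '" + ([string]$value -replace "'", "''") + "'"
    }
    return $cmd
}

# Constructed sample mirroring the issue's invocation plus a switch and an array.
$sample = [ordered]@{
    Environment = 'USGov'; AzureEnvironment = 'AzureUSGovernment'
    ExchangeEnvironmentName = 'O365USGovGCCHigh'
    Service = @('Graph', 'SecurityCompliance'); Privileged = [switch]$true; Debug = [switch]$true
}
New-DeviceCodeRetryCommand -BoundParameters $sample
```

Inside Connect-Maester the call would be `New-DeviceCodeRetryCommand -BoundParameters $PSBoundParameters`, guarded by `Test-WamCancellation $_` in the catch block.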
Warning
Firewall rules blocked me from connecting to one or more addresses.
I tried to connect to the following addresses, but was blocked by firewall rules:
- management.azure.com (dns block), while running ./powershell/tests/pester.ps1 and Invoke-ScriptAnalyzer on powershell/public/Connect-Maester.ps1
- us.i.posthog.com (dns block), while running ./powershell/tests/pester.ps1
- www.powershellgallery.com (dns block), while running Install-Module for PSFramework and PSModuleDevelopment and ./powershell/tests/pester.ps1
If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
This section details the original issue you should resolve.
<issue_title>🪲 Unable to login to GCC High</issue_title>
<issue_description>Thanks for reporting the bug. Please ensure you've gone through the following checklist before opening an issue:
Describe the bug
When trying to connect to a GCC High tenant, we receive the attached error.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Successful connection
Debug Output
⚠ ATTENTION: Be sure to remove any sensitive information that may be in the logs.
PS: C:\scripts | 03/20/2026 15:05 > Connect-Maester -Environment USGov -AzureEnvironment AzureUSGovernment -ExchangeEnvironmentName O365USGovGCCHigh -Debug
WARNING: Note: Sign in by Web Account Manager (WAM) is enabled by default on Windows. If using an embedded terminal, the interactive browser window may be hidden behind other windows.
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, Directory.Read.All, DirectoryRecommendations.Read.All, IdentityRiskEvent.Read.All, Policy.Read.All, Policy.Read.ConditionalAccess, PrivilegedAccess.Read.AzureAD, Reports.Read.All, ReportSettings.Read.All, RoleManagement.Read.All, SecurityIdentitiesSensors.Read.All, SecurityIdentitiesHealth.Read.All, SharePointTenantSettings.Read.All, ThreatHunting.Read.All, UserAuthenticationMethod.Read.All ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.82.1.0 MSAL.CoreCLR .NET 10.0.5 Microsoft Windows 10.0.26200 [2026-03-20 20:23:20Z - e2c07326-df59-4198-b8d0-dbda1435bcca] MSAL MSAL.CoreCLR with assembly version '4.82.1.0'. CorrelationId(e2c07326-df59-4198-b8d0-dbda1435bcca)
DEBUG: False MSAL 4.82.1.0 MSAL.CoreCLR .NET 10.0.5 Microsoft Windows 10.0.26200 [2026-03-20 20:23:20Z - e2c07326-df59-4198-b8d0-dbda1435bcca] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.82.1.0 MSAL.CoreCLR .NET 10.0.5 Microsoft Windows 10.0.26200 [2026-03-20 20:23:20Z - e2c07326-df59-4198-b8d0-dbda1435bcca]
=== Request Data ===
Authority Provided? - True
Scopes - DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.Read.All DeviceManagementRBAC.Read.All Directory.Read.All DirectoryRecommendations.Read.All IdentityRiskEvent.Read.All Policy.Read.All Policy.Read.ConditionalAccess PrivilegedAccess.Read.AzureAD Reports.Read.All ReportSettings.Read.All RoleManagement.Read.All SecurityIdentitiesSensors.Read.All SecurityIdentitiesHealth.Read.All SharePointTenantSettings.Read.All ThreatHunting.Read.All UserAuthenticationMethod.Read.All
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - e2c07326-df59-4198-b8d0-dbda1435bcca
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
FMI Path:
Credential FMI Path:
DEBUG: False MSAL 4.82.1.0 MSAL.CoreCLR .NET 10.0.5 Microsoft Windows 10.0.26200 [2026-03-20 20:23:20Z - e2c07326-df59-4198-b8d0-dbda1435bcca] === Token Acquisition (InteractiveRequest) started:
Scopes: DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.Read.All DeviceManagementRBAC.Read.All Directory.Read.All DirectoryRecommendations.Read.All IdentityRiskEvent.Read.All Policy.Read.All Policy.Read.ConditionalAccess PrivilegedAccess.Read.AzureAD Reports.Read.All ReportSettings.Read.All RoleManagement.Read.All SecurityIdentitiesSensors.Read.All SecurityIdentitiesHealth.Read.All SharePointTenantSettings.Read.All ThreatHunting.Read.All UserAuthenticationMethod.Read.All
Authority Host: login.microsoftonline.us
DEBUG: False MSAL 4.82.1.0 MSAL.CoreCLR .NET 10.0.5 Microsoft Windows 10.0.26200 [2026-03-20 20:23:20Z - e2c07326-df59-4198-b8d0-dbda1435bcca] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.82.1.0 MSAL.CoreCLR .NET 10.0.5 Microsoft Windows 10.0.26200 [2026-03-20 20:23:20Z - e2c07326-df59-4198-b8d0-dbda1435bcca] [Region discovery] Not using a regional authority.
D...