Get-MgDrive and Get-MgSiteDefaultDrive Don't work with MFA Authentication Context #3060

Open
12Knocksinna opened this issue Dec 23, 2024 · 1 comment
Labels
status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience

Describe the bug

I am trying to get the list of drives in a site that is assigned a sensitivity label that uses an authentication context with MFA to restrict access to the site (see picture). The Graph Explorer is able to return details, but running the cmdlet cannot, probably because the additional authentication requirement cannot be met.

image

Expected behavior

I expect Get-MgSiteDrive and Get-MgSiteDefaultDrive to both work.

```
$Uri = 'https://redmondassociates.sharepoint.com/sites/aircraftwaterchers'
$Global:Site = Get-MgSite -Search $Uri

Get-MgSiteDrive -SiteId $Site.Id
Get-MgSiteDrive_List: Access denied

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-12-23T15:09:39

Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 26b4436a-ed72-42c5-98d1-080fdce6b64f
client-request-id : 71a791a6-f477-45d7-bf1e-6b5541cadc23
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF0000B5DA"}}
Date : Mon, 23 Dec 2024 15:09:39 GMT

Get-MgSiteDefaultDrive -SiteId $Site.id
Get-MgSiteDefaultDrive_Get: Access denied

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-12-23T15:14:05

Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 6612f91c-3871-4240-a77f-caff957b486b
client-request-id : 32e516a7-d391-4420-9a41-44db00081f99
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF000158AA"}}
Date : Mon, 23 Dec 2024 15:14:04 GMT
```

Here's what happens with the Graph Explorer

image

How to reproduce

  1. Create a sensitivity label that requires an MFA authentication context. Publish the label to SharePoint and wait for replication.
  2. Apply the label to a site.
  3. Attempt to use Get-MgSiteDrive and Get-MgSiteDefaultDrive to retrieve drive information. The attempts should fail.
  4. Change the label for the site (or remove it)
  5. Run the cmdlets again. They will work.

SDK Version

2.25

Latest version known to work for scenario above?

None

Known Workarounds

None. The Graph API request fails too.

Debug output

```
Get-MgSiteDefaultDrive -SiteId $Site.id -debug
DEBUG: [CmdletBeginProcessing]: - Get-MgSiteDefaultDrive begin processing with parameterSet 'Get'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, Agreement.Read.All, Analytics.Read, APIConnectors.Read.All, Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, AuditLogsQuery.Read.All, BackupRestore-Control.Read.All, Calendars.Read, Calendars.ReadWrite, Channel.ReadBasic.All, ChannelMessage.Read.All, ChannelMessage.ReadWrite, ChannelMessage.Send, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Chat.Create, Chat.ManageDeletion.All, Chat.ReadWrite, Community.ReadWrite.All, Contacts.ReadWrite, CopilotSettings-LimitedMode.ReadWrite, CrossTenantUserProfileSharing.Read, CrossTenantUserProfileSharing.Read.All, DelegatedPermissionGrant.ReadWrite.All, DeviceManagementManagedDevices.Read.All, Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, DirectoryRecommendations.Read.All, Domain.Read.All, eDiscovery.Read.All, email, EntitlementManagement.Read.All, Files.Read, Files.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All, GroupMember.ReadWrite.All, IdentityProvider.Read.All, IdentityProvider.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All, IdentityRiskyUser.ReadWrite.All, IdentityUserFlow.Read.All, InformationProtectionPolicy.Read, Mail.Read, Mail.ReadWrite, Mail.Send, Mail.Send.Shared, MailboxSettings.ReadWrite, Notes.Create, OnlineMeetingArtifact.Read.All, OnlineMeetings.Read, OnPremDirectorySynchronization.ReadWrite.All, openid, Organization.Read.All, PeopleSettings.Read.All, PeopleSettings.ReadWrite.All, Place.Read.All, Policy.Read.All, Policy.Read.ConditionalAccess, Policy.Read.PermissionGrant, Policy.ReadWrite.ApplicationConfiguration, Policy.ReadWrite.AuthenticationMethod, Policy.ReadWrite.ConditionalAccess, POP.AccessAsUser.All, PrivilegedAccess.Read.AzureAD, PrivilegedAccess.Read.AzureResources, profile, RecordsManagement.Read.All, Reports.Read.All, ReportSettings.ReadWrite.All, RoleAssignmentSchedule.Read.Directory, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.Read.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleEligibilitySchedule.Remove.Directory, RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory, SecurityActions.ReadWrite.All, SecurityEvents.Read.All, SecurityEvents.ReadWrite.All, ServiceHealth.Read.All, ServiceMessage.Read.All, SharePointTenantSettings.ReadWrite.All, Sites.FullControl.All, Sites.Manage.All, Sites.Read.All, Sites.ReadWrite.All, Tasks.Read, Tasks.ReadWrite, Team.ReadBasic.All, TeamMember.Read.All, TeamSettings.Read.All, TeamsTab.Read.All, TeamworkTag.ReadWrite, User.Read, User.Read.All, User.ReadBasic.All, User.ReadWrite, User.ReadWrite.All, UserActivity.ReadWrite.CreatedByApp, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All, User-ConvertToInternal.ReadWrite.All, VirtualEvent.Read, WindowsUpdates.Read.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/sites/redmondassociates.sharepoint.com%2Ca9e1c768-05af-4304-a90b-c1b97cbbecc5%2C914c85be-8f02-4006-a38e-63b89e545165/drive

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-IE),PowerShell/7.4.6
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.25.0
client-request-id : be07a3b6-638c-463f-b3bb-df9fde5120a4

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 28eb1bbc-a01d-4f78-ba39-11427a3fa823
client-request-id : be07a3b6-638c-463f-b3bb-df9fde5120a4
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF000158A7"}}
Date : Mon, 23 Dec 2024 15:17:35 GMT

Body:
{
"error": {
"code": "accessDenied",
"message": "Access denied",
"innerError": {
"date": "2024-12-23T15:17:36",
"request-id": "28eb1bbc-a01d-4f78-ba39-11427a3fa823",
"client-request-id": "be07a3b6-638c-463f-b3bb-df9fde5120a4"
}
}
}

Get-MgSiteDefaultDrive_Get: Access denied

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-12-23T15:17:36

Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 28eb1bbc-a01d-4f78-ba39-11427a3fa823
client-request-id : be07a3b6-638c-463f-b3bb-df9fde5120a4
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF000158A7"}}
Date : Mon, 23 Dec 2024 15:17:35 GMT

DEBUG: [CmdletEndProcessing]: - Get-MgSiteDefaultDrive end processing.
```

Configuration

| Name | Value |
|---|---|
| PSVersion | 7.4.6 |
| PSEdition | Core |
| GitCommitId | 7.4.6 |
| OS | Microsoft Windows 10.0.26100 |
| Platform | Win32NT |
| PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0…} |
| PSRemotingProtocolVersion | 2.3 |
| SerializationVersion | 1.1.0.1 |
| WSManStackVersion | 3.0 |

Other information

No response

@12Knocksinna
Author

Info on MFA authentication context: https://office365itpros.com/2021/06/10/authentication-context-ca/
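
The report above attributes the 403 to an authentication context requirement the cmdlet cannot meet. As an added example (not part of the original issue and not Microsoft Graph PowerShell SDK code), this PowerShell decodes an access token's payload and reports whether its `acrs` claim lists the authentication context a site requires. The function names, the context ID `c1` and the unsigned sample tokens are assumptions constructed for illustration.

```powershell
# Added example (not SDK code). Diagnostic only: the token signature is NOT verified.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# Hypothetical helper: reports whether a token's acrs claim covers the required context.
function Test-TokenAuthContext {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$RequiredContextId  # assumed ID, e.g. 'c1'
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT with three segments.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # acrs can be absent, a single string, or an array; normalise to an array.
    $acrs = @($claims.acrs | Where-Object { $_ })
    [pscustomobject]@{
        Audience        = $claims.aud
        AuthMethods     = @($claims.amr) -join ','
        SatisfiedAcrs   = $acrs -join ','
        RequiredContext = $RequiredContextId
        Satisfied       = $acrs -contains $RequiredContextId
    }
}

# Constructed sample tokens (unsigned, for illustration only).
function New-SampleToken {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $enc = {
        param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.{2}' -f (& $enc @{ alg = 'none' }), (& $enc $Claims), 'constructed'
}
$mfaOnly     = New-SampleToken @{ aud = 'https://graph.microsoft.com'; amr = @('pwd', 'mfa') }
$withContext = New-SampleToken @{ aud = 'https://graph.microsoft.com'; amr = @('pwd', 'mfa'); acrs = @('c1') }
$mfaOnly, $withContext |
    ForEach-Object { Test-TokenAuthContext -AccessToken $_ -RequiredContextId 'c1' } |
    Format-Table
```

The first sample shows that a token carrying `mfa` in `amr` but no matching `acrs` value is reported as not satisfying the context, while the second is reported as satisfying it.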
