1.5 KiB
name, description, metadata
| name | description | metadata | ||
|---|---|---|---|---|
| ps51-invoke-restmethod-headers-variable | PS5.1 via RMM powershell -File - Invoke-RestMethod -Headers $H (script-scope hashtable) sent an EMPTY Authorization header; build headers inline per call instead |
|
On ACG-DWP-X-BB (WS2019, PowerShell 5.1, script executed via GuruRMM agent as
powershell -NoProfile -File script.ps1), passing a script-scope hashtable variable to
Invoke-RestMethod -Headers $H (where $H=@{Authorization="Bearer $tok"}) resulted in
Graph rejecting every call with InvalidAuthenticationToken / "Access token is empty" —
even though the token variable was verifiably populated (fingerprint printed correctly)
and the same token + same URL worked with an inline-built header from the same machine.
Fix that works: build the header at each call site — e.g.
function Hdr { return @{Authorization=("Bearer " + $script:tok)} } then
Invoke-RestMethod -Uri $u -Headers (Hdr). Inline @{Authorization=('Bearer '+$t)} also works.
Diagnosed 2026-07-02 during the BirthBio Datto-vs-SharePoint reconciliation after two full failed runs (masqueraded first as token expiry, then as clock skew — the real tell was the Graph error body "Access token is empty", captured only after adding response-body extraction to the retry helper). Always capture the Graph error BODY, not just the exception message: "(401) Unauthorized" alone cost three debugging cycles.
Related: gururmm-command-timeout-seconds, sharepoint-graph-large-file-upload