Get-MgAuditLogDirectoryAudit : The stream was already consumed. It cannot be read again.

[chris-dnv]

Hi! I'm trying to run your pipeline but get the following error, the pipeline ran for over 8 hours could it be as per this issue that the access token needs refreshed? : https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1911

##[error]Get-MgAuditLogDirectoryAudit : The stream was already consumed. It cannot be read again.
At C:\a\_temp\561e9809-62b8-4fbf-845c-c93ab44c31a1.ps1:171 char:3
+   $modificationEvent = Get-MgAuditLogDirectoryAudit -All -Filter $eve ...
    + CategoryInfo          : NotSpecified: (:) [Get-MgAuditLogDirectoryAudit_List], InvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgAuditLogDirectoryAudit_List
##[debug]Processed: ##vso[task.logissue source=CustomerScript;type=error]Get-MgAuditLogDirectoryAudit : The stream was already consumed. It cannot be read again.
At C:\a\_temp\561e9809-62b8-4fbf-845c-c93ab44c31a1.ps1:171 char:3
+   $modificationEvent = Get-MgAuditLogDirectoryAudit -All -Filter $eve ...
    + CategoryInfo          : NotSpecified: (:) [Get-MgAuditLogDirectoryAudit_List], InvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgAuditLogDirectoryAudit_List
##[error]PowerShell exited with code '1'.

[ztrhgf]

Hi,
this is the initial backup run (a.k.a. the first one)? 8 hours seem like bug, or do you have huge Azure environment?

[chris-dnv]

Yes we have a large environment so the run does take around 8-9 hours (i have another export workflow but I was trying yours for the logging capability)

[ztrhgf]

I see. I haven't seen this error, but google tells me that you are right and it is because token has to be renewed. You are on your own I am afraid. I don't know how to fix this right now.

[chris-dnv]

No problem, thanks for taking a look

[ztrhgf]

I was thinking about it and there is one obvious workaround. Modify the code to split audit log searches by 24 hours and before each search make new authentication. And just join the results afterwards.

[MendelD]

Getting the same error in my environment since september 10th.
Pretty large environment as well, the pipeline runs for maximum of 6 hours (timeoutInMinutes: 360), but seems to fail with this error just around 1 hour and 15 minutes.
Might this be related to token lifetime?
https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes

[ztrhgf]

Just to be sure, what pipeline are we talking about? Azure or Intune? I assume Azure.

In the pipeline output there should be something like:

"`n$(Get-Date -format 'HH:mm') (UTC) Getting Azure Audit events"
"`t- from: '$lastCommitDate' (UTC) to: '$backupStart' (UTC)"
"`t- filter: $eventFilter"

before Get-MgAuditLogDirectoryAudit is being called.

What does it say in your case?

Have you tried to split the searches by 24 hours as I suggested in the previous comment?

[chris-dnv]

Hi, from what I remember using certificate based auth for the service principal used to run the script fixed this issue in my testing (I never tested using a workload identity), hope that helps!