Skip to content

Restore-AzApiManagement fails with token expired for longer operations #29257

New issue
New issue
Open
Open
Restore-AzApiManagement fails with token expired for longer operations#29257
Labels
bugThis issue requires a change to an existing behavior in the product in order to be resolved.customer-reported
@tstoian

Description

@tstoian
tstoian
opened on Mar 10, 2026

Description

I ran the Restore-AzApiManagement but it failed ~55m into the backup with the attached error message. It seems that if the restore operations is taking longer than 1h, the Azure access token used for polling the operation status expires and causes this error.

Issue script & Debug output

An error has occurred that was not properly handled. Additional information is shown below. The PowerShell process will exit.
Unhandled exception. Azure.Identity.AuthenticationFailedException: ClientAssertionCredential authentication failed: 
 ---> MSAL.CoreCLR.4.65.0.0.MsalServiceException:
	ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-02-12T12:27:28.5018238Z, assertion valid from 2026-02-12T11:32:15.0000000Z, expiry time of assertion 2026-02-12T11:42:14.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: ed4179d7-e888-4c64-829f-10e91d489400 Correlation ID: db9212e2-203f-4f3c-a120-7457e95b2a95 Timestamp: 2026-02-12 12:27:28Z
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`2 onBeforePostRequestData)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
   at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, String claims, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, String claims, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
   at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()

##[error]PowerShell exited with code 'null'.

Environment data

PowerShell 7.5.3

Module versions

Az 14.4.0
Az.Resources 8.1.0
Az.Accounts 5.3.0
Az.ApiManagement 4.1.0

Error output

Metadata
Metadata
Assignees
No one assigned
    Labels
    bugThis issue requires a change to an existing behavior in the product in order to be resolved.customer-reported
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions