Isolate Microsoft.Graph.Authentication assembly loading#3632
Merged
ramsessanchez merged 1 commit intoJun 4, 2026
Merged
Conversation
PrzemyslawKlys
force-pushed
the
codex/auth-root-alc
branch
from
0309b97 to
faa068f
Compare
ramsessanchez
changed the base branch from
main
to
fixauth-module-assembly-loading
Contributor
|
merging to different branch to kick off tests in ADO |
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request updates the Microsoft.Graph.Authentication PowerShell module wrapper to load Microsoft.Graph.Authentication.dll into a named, non-default AssemblyLoadContext on PowerShell Core, enabling better dependency isolation (notably for Microsoft 365 module interop scenarios where incompatible auth dependencies may already be loaded in-process).
Changes:
- Added a custom
AssemblyLoadContext-based import path (PowerShell Core only) with a small managed resolving handler for packaged dependencies. - Updated export logic in the script-module wrapper to preserve cmdlet/alias exports without re-importing the binary module by path.
- Removed build-time generation of authentication DLLs as
NestedModulesand added focused import tests for ALC isolation + worker-thread dependency resolution.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Authentication/Authentication/Microsoft.Graph.Authentication.psm1 | Loads the authentication binary module via a named ALC on PowerShell Core and re-exports cmdlets/aliases from the imported binary module. |
| src/Authentication/Authentication/build-module.ps1 | Stops adding authentication assemblies as NestedModules to prevent premature default-context loading. |
| src/Authentication/Authentication/test/Microsoft.Graph.Authentication.Tests.ps1 | Adds Pester coverage to validate non-default ALC loading and worker-thread dependency resolution behavior on PowerShell Core. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+118
to
+122
| $dependencyAssembly.GetName().Name | Should -Be 'Azure.Core' | ||
| $dependencyContext.Name | Should -Be $loadContext.Name | ||
| [System.Runtime.Loader.AssemblyLoadContext]::Default.Assemblies | | ||
| Where-Object { $_.GetName().Name -eq 'Azure.Core' } | | ||
| Should -BeNullOrEmpty |
ramsessanchez
merged commit 3a55148
into
microsoftgraph:fixauth-module-assembly-loading
2 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes proposed in this pull request
Microsoft.Graph.Authentication.dllthrough a namedAssemblyLoadContexton PowerShell Core before importing it as a binary module.AssemblyLoadContextis unavailable.NestedModules, because that causes PowerShell to load the DLLs before the script module can choose the load context.AssemblyLoadContext.Defaulton PowerShell Core.Why
This is intended as a narrow assembly-isolation improvement for Microsoft 365 module interop scenarios where another module has already loaded incompatible authentication dependencies in the same PowerShell process. The existing module initializer resolver can help with dependency resolution after the root binary is loaded, but it cannot prevent the root authentication assembly itself from being loaded into the default context when the manifest/import path loads the DLL first.
By letting the script module load the root binary into a custom context first, the authentication module has a chance to keep its dependency graph isolated while preserving the existing exported cmdlet surface.
Validation
pwsh -NoProfile -File .\src\Authentication\Authentication\build-module.ps1 -Releasepwsh -NoProfile -Command 'Invoke-Pester .\src\Authentication\Authentication\test\Microsoft.Graph.Authentication.Tests.ps1 -Output Detailed'Microsoft.Graph.Authenticationwas not present inAssemblyLoadContext.DefaultMicrosoft.Graph.Authentication.<hash>Connect-MgGraphexported successfullyConnect-GraphandInvoke-MgRestMethodaliases resolved correctlyConnect-MgGraph -Scopes User.Read -NoWelcomesucceededAzure.Identity,Azure.Identity.Broker,Microsoft.Identity.Client,Microsoft.Identity.Client.Broker, andMicrosoft.Identity.Client.Extensions.Msalloaded in the Graph authentication ALC rather than default context.Import-Module ExchangeOnlineManagement; Connect-ExchangeOnlineloaded Exchange MSAL/Broker assemblies in default context.Microsoft.Graph.Authenticationartifact and runningConnect-MgGraph -Scopes User.Read -NoWelcomethen succeeded.git diff --checkOther links
vscode-powershell#2978