Disconnecting from Graph or Exchange in one script, also disconnects other scripts / Memory leak debugging

Question

Hi,

I am wondering how cloud connections should be handled across scripts for things to run as smooth as possible. For example, if I disconnect from Graph in one script in a scheduled task, and another script in a different schedule task is using Graph, I either get Authentication needed. Please call Connect-MgGraph. or Object reference not set to an instance of an object.. While for Exchange I get Exception calling "GetCurrentConnectionContext" with "1" argument(s): "You must call Connect-ExchangeOnline before calling any other cmdlet.".

If I stop disconnecting at the end of the scripts, I don't get such errors. The solution is of course apparently quite simple; don't disconnect, and that's exactly how I have done it for a long time. However, I am struggling with a memory leak in the Adaxes Service, which I cannot seem to find the root cause for. I have tried to find out if a single script is the culprit or if it is a more widespread problem, by correlating the memory consumption increase with when the various scripts are running. But there is not any clear jumps in memory consumption, but a steady creep, sort of. Here is a plot of how the number of threads and memory consumption (MB) is growing throughout the lifetime of the Adaxes Service (at about 8GB, all of the servers memory (14GB) is consumed): Here is for a singe day (14. February): The growth is most rapid in the morning, which makes sense, since there is definitely most activity then.

To give a sense of the scope, we have about 30 scheduled tasks and about 2500 users. With automated onboarding and offboarding, group related events, property and group member synchronizations, integrations between AD/Adaxes and different systems.

To wrap it up:

1. What is the recommended way to handle Graph/Exchange/Teams connections across scripts?
2. ExchangeOnline keeps filling the servers temp folder with tmpEXO folders, probably due to not closing connections. Do you know how this can be prevented?
3. What resources/modules/connections are shared between scripts? Should I import modules in each script?
4. Do you have any tips for troubleshooting memory leaks?

For reference, this is how I am connecting to the various cloud services:

function Connect-MgGraphAdaxes
{
  Param (
    [Parameter()]
    [int]
    $RetryCount = 1
  )
  try
  {
    $token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
    $tokenSecure = ConvertTo-SecureString -String $token -AsPlainText -Force
    $null = Connect-MgGraph -AccessToken $tokenSecure
  }
  catch
  {
    if ($RetryCount -gt 0)
    {
      Connect-MgGraphAdaxes -RetryCount ($RetryCount - 1)
    }
    else
    {
      throw
    }
  }
}

function Connect-ExchangeOnlineAdaxes
{
  Connect-ExchangeOnline `
    -Organization '<domain>.onmicrosoft.com' `
    -AppId '<app ID>' `
    -CertificateThumbprint '<certificate thumbprint>'
  #Gives "The token has expired" error:
  #[void]$Context.CloudServices.ConnectExchangeOnline()
}

function Connect-MicrosoftTeamsAdaxes
{
  $graphToken = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
  $teamsToken = $Context.CloudServices.GetAzureAuthAccessToken("48ac35b8-9aa8-4d74-927d-1f4a14a0b239")
  $null = Connect-MicrosoftTeams -AccessTokens @($graphToken, $teamsToken)
}

Best regards, Martin

Answer 1

Hello Martin,

What is the recommended way to handle Graph/Exchange/Teams connections across scripts?

For examples of the scripts that connect to the Microsoft services, have a look at the following repository articles:

• Microsoft Graph: https://www.adaxes.com/script-repository/sign-out-from-all-microsoft-365-services-s597.htm.
• Exchange Online: https://www.adaxes.com/script-repository/connect-to-exchange-with-powershell-s506.htm.
• Microsoft Teams: https://www.adaxes.com/script-repository/connect-to-microsoft-teams-s615.htm.

The connection to the required service must be established separately in each script executed in Adaxes.

ExchangeOnline keeps filling the servers temp folder with tmpEXO folders, probably due to not closing connections. Do you know how this can be prevented?

First of all, you need to remove the Connect-ExchangeOnline and Disconnect-ExchangeOnline cmdlets from all the scripts executed in Adaxes. Starting with Adaxes 2023.2, the cmdlets are prohibited. To connect to Exchange Online, you need to use the ConnectExchangeOnline method of the CloudServicesScriptContext class. There is no need to make a disconnect at all. Once you update the scripts, do the following on each computer where the Adaxes service runs:

1. Stop the Softerra Adaxes Service Windows service.
2. Delete all subfolders whose name starts with tmpEXO from the following folder: C:\Users<Adaxesserviceaccount>\AppData\Local\Temp, where <Adaxes_service_account> is the username of the Adaxes service account.
3. Start the Adaxes service.

What resources/modules/connections are shared between scripts? Should I import modules in each script?

No resources or connections are shared among scripts executed in Adaxes. You need to get the required values and establish a connection to the required services in each script separately. PowerShell modules installed on the computer where the Adaxes service runs are loaded automatically, there is no need to import them explicitly.

Do you have any tips for troubleshooting memory leaks?

There is no general troubleshooting guide. However, there were known issues related to memory leaks in Adaxes 2023.2 that were addressed in Update 2. For details, have a look at the following What’s New article: https://www.adaxes.com/info_whats-new_2023.2.htm#update2.

Comments

Thank you for the quick response. We are on 2023.3 (3.16.21906.0), so the memory leak patched in 2023.2 should not be the culprit.

I have done what you have suggested regarding Exchange, and I'll keep an eye on the memory consumption development the next week to see if it helps. Previously this method of connecting to Exchange did not work, but it seems to have been fixed in some of your updates.

However, the link you sent about how to handle Graph connections was about something else (signing users out of their Entra sessions). On saturday I got this error for a script that had run for 13 minutes [Authentication_ExpiredToken] : Your access token has expired. Please renew it before submitting the request.. Do you know how I can prevent these?

---

Hello Martin,

Thank you for specifying. The repository article we referenced is an example of a script that connects to Microsoft Graph. You can use the same approach in your scripts. To troubleshoot the issue with the error you are facing, please, post here or send us (support@adaxes.com) the following:

• The script you are executing in TXT format
• A screenshot of the error you are facing.