12Knocksinna / Office365itpros

Office 365 for IT Pros PowerShell examples
MIT License

GetAzureADAccessReviewDetailsGraph.PS1 needed permissions? #28

Closed saempyla closed 3 years ago

saempyla commented 3 years ago

I have defined the required delegated permissions and try to run the script, but am getting errors:

Get-GraphData : System.Net.WebException: The remote server returned an error: (403) Forbidden.
Get-GraphData : System.Net.WebException: The remote server returned an error: (400) Bad Request.

It seems that the permissions are not enough to read the API. I can access Groups through the API, but not Access Reviews. I have tried giving Application Permissions, but also tried with Delegated (AccessReview.ReadWrite.All and Group.Read.All).

If I understood correctly, if I use Application Permissions, I do not need to give User Administrator to the app? And with Delegated it should also have that role?

12Knocksinna commented 3 years ago

An administrator will have to grant consent to allow the app to read access review information. Can you ask an admin to do so?

saempyla commented 3 years ago

I have done it and access is granted.

12Knocksinna commented 3 years ago

Looking at the app I used, I see AccessReview.ReadWrite.All, AccessReview.ReadWrite.Members, Group.Read.All, Reports.Read.All, and User.Read.All.

All are application permissions with consent.

saempyla commented 3 years ago

Thanks, let me try with those.

saempyla commented 3 years ago

Still the same error. Your app does not have any directory roles, right?

I tried to access the Groups API, and that was successful (like before), but the issue is when accessing the Access Review API.

12Knocksinna commented 3 years ago

It has User.Read.All.

It also has Reports.Read.All which I used for another test, but I don't think that this is relevant.
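
A quick way to confirm what the app has actually been granted is to look inside the access token the script sends rather than at the portal. The following PowerShell is an added example and is not code from the Office365itpros repository: it decodes the JWT payload and reports which of the permissions named in this thread are missing. The function names (`ConvertFrom-JwtPayload`, `Test-GraphPermissions`, `New-UnsignedJwt`) and the sample token are assumptions made for the example; the token is constructed and unsigned so the snippet runs offline.

```powershell
# Added example, not part of the Office365itpros repository.
# Decodes a Graph access token and reports which of the permissions named in
# this thread are present. Application permissions appear in the "roles"
# claim; delegated permissions appear as a space-separated string in "scp".

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # Base64url -> Base64: swap the URL-safe alphabet back and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-GraphPermissions {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Permissions the repository author reports on the working app
        [string[]]$Required = @('AccessReview.ReadWrite.All', 'Group.Read.All', 'User.Read.All')
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    $granted = @()
    if ($claims.roles) { $granted += @($claims.roles) }          # application permissions
    if ($claims.scp)   { $granted += ($claims.scp -split ' ') }  # delegated permissions
    $missing = @($Required | Where-Object { $_ -notin $granted })
    [pscustomobject]@{
        Audience = $claims.aud
        AppId    = $claims.appid
        Granted  = $granted
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

# Constructed, unsigned token for offline use only (assumption for this example);
# in practice pass the bearer token the script obtained from Azure AD.
function New-UnsignedJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $enc = {
        param([string]$s)
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $enc '{"alg":"none","typ":"JWT"}'
    $payload = & $enc ($Claims | ConvertTo-Json -Compress)
    return "$header.$payload."
}

$SampleToken = New-UnsignedJwt -Claims @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'   # placeholder value, constructed
    roles = @('Group.Read.All', 'User.Read.All')      # AccessReview.* deliberately absent
}
Test-GraphPermissions -Token $SampleToken | Format-List
```

With the constructed token, `Missing` contains `AccessReview.ReadWrite.All`, which is the pattern behind a 403 on the access review endpoints while `/groups` calls succeed. A token whose `roles` claim lacks a permission after consent was supposedly granted usually means the script is still holding a token issued before consent; request a new one.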

saempyla commented 3 years ago

Actually, the Forbidden error is now solved, so it seems that the permissions are correct now, but I am still getting Bad Request errors:

Get-GraphData : System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()

Is the code still working for you? Just wondering whether this uses beta APIs and something has changed.

saempyla commented 3 years ago

Found the issue: the URL is not forming correctly, because this line returns an empty value:

$Id = $Accessdata | ?{$_.displayname -eq "Review guest access across Microsoft 365 Groups"} | Select -ExpandProperty Id

12Knocksinna commented 3 years ago

That line depends on the name of the access review you've chosen to use. There were other issues caused by changes in the API last month. The code runs properly on my tenant after I made some adjustments. Try the new version.

saempyla commented 3 years ago

Great! Thank you, it seems to be almost working. This line causes errors:

$GroupId = $Instance.scope.query.substring($Start + 2,$End - 13)

Exception calling "Substring" with "2" argument(s): "Length cannot be less than zero.
Parameter name: length"
At AccessReviewGraphV2.ps1:114 char:5
+     $GroupId = $Instance.scope.query.substring($Start + 2,$End - 13)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

12Knocksinna commented 3 years ago

The code works fine on my tenant... I can't see what's happening on yours. This line is to extract a group object identifier from the access review data. The first thing to look at is what's in $Instance.scope.query. It should be something like:

/v1.0/groups/72ee570e-3dd8-41d2-bc84-7c9eb8024dd4/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')

The code extracts the identifier to create $GroupId. It is 72ee570e-3dd8-41d2-bc84-7c9eb8024dd4 in this example. If you're not seeing the kind of information shown above in $Instance.scope.query, it indicates that the information is not being read from the access review.

Remember that this is demo code written to illustrate a principle and help people understand what's happening. It is not warranted to be bulletproof.

saempyla commented 3 years ago

Thanks, it is now working. My $Instance.scope.query was something like this: /v1.0/groups/1234567-1234-1234-1234-123456789/transitiveMembers, so I changed line 113 to:

$End = $Instance.scope.query.IndexOf("/transitiveMembers")

And now it works like a charm! Thank you so much for your help!
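
The substring arithmetic fails because it assumes one fixed scope shape, and this thread shows two (`.../members/microsoft.graph.user/?...` and `.../transitiveMembers`). The following PowerShell is an added example, not code from the Office365itpros repository: it pulls the group object identifier out of `scope.query` by matching the Graph path segment after `/groups/` and rejects anything that is not a GUID. The function name `Get-AccessReviewGroupId` is an assumption; of the three sample queries, the first is the one the repository author quoted above, the second uses a made-up GUID to cover the transitiveMembers form, and the third is the redacted value posted in this thread.

```powershell
# Added example, not part of the Office365itpros repository.
# Extracts the group object id from an access review's scope.query by matching
# the Graph path rather than by fixed character offsets, so it works for both
# scope shapes seen in this thread.

function Get-AccessReviewGroupId {
    param([Parameter(Mandatory)][string]$ScopeQuery)
    # The group id is the path segment that follows "/groups/"
    $m = [regex]::Match($ScopeQuery, '/groups/(?<id>[^/?]+)')
    if (-not $m.Success) { return $null }
    # Only accept a real GUID, so a redacted or malformed scope cannot end up
    # in the Graph URL the script builds later
    $guid = [guid]::Empty
    if ([guid]::TryParse($m.Groups['id'].Value, [ref]$guid)) { return $guid.ToString() }
    return $null
}

# Sample scope queries (constructed for this example, see the lead-in above)
$Samples = @(
    '/v1.0/groups/72ee570e-3dd8-41d2-bc84-7c9eb8024dd4/members/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')',
    '/v1.0/groups/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b/transitiveMembers',
    '/v1.0/groups/1234567-1234-1234-1234-123456789/transitiveMembers'
)
foreach ($q in $Samples) {
    $id = Get-AccessReviewGroupId -ScopeQuery $q
    if ($id) { "Group id: $id" } else { "No valid group id in: $q" }
}
```

The first two samples yield their GUIDs; the third, whose segment is not a well-formed GUID, yields `$null`, so a caller can skip that review instead of issuing a request that Graph answers with 400 Bad Request.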