12Knocksinna / Office365itpros

Office 365 for IT Pros PowerShell examples
MIT License

403 Forbidden when making Graph calls in TeamsGroupActivityReport, but admin Graph permissions in Azure app #29

Closed heimdal-31 closed 3 years ago

heimdal-31 commented 3 years ago

I'm sure I'm missing something obvious, because I've not used MS Graph in PowerShell before, and instructions for doing that with TeamsGroupsActivityReportV5.PS1 are light.

I'm getting a permissions error starting at line 164, which is the Invoke-RestMethod for the 90 day SharePoint site usage detail as well as for all the other calls after that.

I've created the Azure app. I've given it Group.Read.All, Reports.Read.All, User.Read.All, and GroupMember.Read.All, as well as admin consent for those in the tenant. I'm assuming there is some other obvious step in the app setup that I have missed.

I've updated lines 133 - 134 with the appropriate AppID, TenantID and AppSecret. If I change the app secret to be invalid, I get an error on line 147 which is the grabbing of the token.

First error with the correct data in lines 133 - 134:

    Checking Microsoft 365 Groups and Teams in the tenant: contoso.onmicrosoft.com
    Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
    At C:\changed\TeamsGroupsActivityReportV5.PS1:164 char:17
    + ... SPOUsage = (Invoke-RestMethod -Uri $SPOUsageReportsURI -Headers $Head ...
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

First error if the AppSecret is wrong:

    Checking Microsoft 365 Groups and Teams in the tenant: contoso.onmicrosoft.com
    Invoke-WebRequest : {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 7e4df9ab-aad3-4239-b36a-d64aad72f900\r\nCorrelation ID: e388d8ed-e34f-480a-a8f5-8085b82c65da\r\nTimestamp: 2021-05-11 18:46:33Z","error_codes":[7000215],"timestamp":"2021-05-11 18:46:33Z","trace_id":"7e4df9ab-aad3-4239-b36a-d64aad72f900","correlation_id":"e388d8ed-e34f-480a-a8f5-8085b82c65da","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
    At C:\changed\TeamsGroupsActivityReportV5.PS1:147 char:17
    + ... enRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType "ap ...
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

heimdal-31 commented 3 years ago

I did read the closed issue 28 and added AccessReview.ReadWrite.All and AccessReview.ReadWrite.Membership. I'm still seeing a 403 forbidden error on line 164, which is

    $SPOUsage = (Invoke-RestMethod -Uri $SPOUsageReportsURI -Headers $Headers -Method Get -ContentType "application/json") -Replace "...Report Refresh Date", "Report Refresh Date" | ConvertFrom-Csv

So, my complete list of permissions is:

12Knocksinna commented 3 years ago

By any chance is this a test tenant? If it is, there might not be any report data to fetch. I've met that issue before.

heimdal-31 commented 3 years ago

5 year old tenant with 1200 users. I was trying to run the script because I'd stumbled across a Team with three users, two of whom no longer work for the company, with last activity in 2018. I'm trying to figure out how many dead Teams we have out there.

12Knocksinna commented 3 years ago

The error looks as if the Reports.Read.All permission isn't assigned. It's the Reports API which is used to grab the SPO usage data for the tenant and if you don't have access to it...

heimdal-31 commented 3 years ago

I agree. That does seem to be the issue. That permission is granted and administratively approved.

Can you point me at any further steps on the Azure side to figure out what is going on? My successful grabbing of the token and then the 403 does not show up in the Azure logs for the application.

Unfortunately, your response confirms what I expect. I've done something non-obvious with the Azure app setup that is causing an issue.


12Knocksinna commented 3 years ago

You're using delegated permissions. I use application permissions. Try using an application consent for Reports.Read.All
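A way to confirm which kind of permission an app token actually carries, added here as an example (not code from the repository script): it acquires a client-credentials token the way the script does, decodes the JWT payload, and reports whether the required application roles are present or only delegated scopes. The tenant ID, app ID, secret and the v2.0 token endpoint with the `.default` scope are assumptions you fill in from your own app registration.

```powershell
# Added diagnostic (not part of TeamsGroupsActivityReportV5.PS1).
# Placeholders: replace with the values from your Azure app registration.
$TenantId  = '<tenant-id>'
$AppId     = '<app-id>'
$AppSecret = '<app-secret>'

# Client-credentials request: the token can only carry application permissions ("roles").
# If the app was consented with delegated permissions, the token is issued but has no
# "roles" claim, and Graph answers 403 Forbidden exactly as described in this issue.
$Body = @{
    grant_type    = 'client_credentials'
    client_id     = $AppId
    client_secret = $AppSecret
    scope         = 'https://graph.microsoft.com/.default'
}
$TokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$Token = (Invoke-RestMethod -Method Post -Uri $TokenUri -Body $Body -ContentType 'application/x-www-form-urlencoded').access_token

function Get-JwtPayload {
    # Decode the base64url-encoded middle segment of the JWT without validating the signature;
    # this is for local inspection only, not for trusting the token.
    param([Parameter(Mandatory)][string]$Jwt)
    $Part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($Part.Length % 4) { 2 { $Part += '==' } 3 { $Part += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Part)) | ConvertFrom-Json
}

$Claims   = Get-JwtPayload -Jwt $Token
$Required = 'Reports.Read.All', 'Group.Read.All', 'User.Read.All', 'GroupMember.Read.All'

if ($Claims.scp) {
    # "scp" only appears on delegated (user) tokens; the report endpoints need "roles".
    Write-Warning "Token carries delegated scopes ($($Claims.scp)); application permissions are required."
}
$Missing = $Required | Where-Object { $_ -notin @($Claims.roles) }
if ($Missing) {
    Write-Warning "Application roles missing from the token (check admin consent): $($Missing -join ', ')"
} else {
    "All required application roles present: $($Claims.roles -join ', ')"
}
```

An empty or absent `roles` claim with the right permissions listed in the portal usually means they were added as Delegated rather than Application, or admin consent was not granted after the change.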

heimdal-31 commented 3 years ago

Thank you! As I wrote at the beginning, this is the first time I've used MS Graph in PowerShell.

Changing those grants to Application permissions was the answer. I have results now.

Thanks for your response and for the incredibly useful tool.

12Knocksinna commented 3 years ago

The code posted here is to help people develop their own solutions. To do that, you've got to get past my horrible code. But I am glad that it worked out in the end.