briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) enables easy-to-create incident triage automation in Microsoft Sentinel
MIT License

[BUG] Deploy - Deploy/GrantPermissions.ps1 does not work #437

Closed fujiant closed 7 months ago

fujiant commented 1 year ago

Describe the bug

Running GrantPermissions.ps1 yields an error. I have tried updating all of Az module and all of Graph and .NET frameworks on my workstation and nothing seems to resolve this. Could be related to this https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2148

The precise errors I am getting are:

[+] Connect to the Azure AD tenant: <REDACTED>
Connect-MgGraph : The type initializer for 'Azure.Identity.AuthenticationRecord' threw an exception.
At C:\Users\<REDACTED>\Downloads\<REDACTED>.ps1:49 char:1
+ Connect-MgGraph -TenantId $TenantId -Scopes AppRoleAssignment.ReadWri ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-MgGraph], TypeInitializationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

[+] Connecting to  to the Azure subscription: <REDACTED>
[-] Login to Azure Management failed. Method not found: 'System.Threading.Tasks.Task`1<Azure.Identity.AuthenticationRecord> Azure.Identity.InteractiveBrowserCredential.AuthenticateAsync(Azure.Core.TokenRequestContext, System.Threading.CancellationToken)'.
Could not find tenant id for provided tenant domain '<REDACTED>'. Please ensure that the provided user is found in the provided tenant domain.
[+] Setting permission Data.Read on Get-UEBAInsights
Get-MgServicePrincipal : Authentication needed. Please call Connect-MgGraph.
At C:\Users\<REDACTED>\Downloads\<REDACTED>.ps1:92 char:5
+     Get-MgServicePrincipal -Filter "displayName eq '$AppName'"
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgServicePrincipal_List], AuthenticationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgServicePrincipal_List

[-] Principal not found.
[+] Adding Microsoft Sentinel Responder to Get-UEBAInsights
Get-MgServicePrincipal : Authentication needed. Please call Connect-MgGraph.
At C:\Users\<REDACTED>\Downloads\<REDACTED>.ps1:92 char:5
+     Get-MgServicePrincipal -Filter "displayName eq '$AppName'"
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgServicePrincipal_List], AuthenticationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgServicePrincipal_List
[-] Principal not found.

...

[+] End of the script. Please review the output and check for potential failures as they might not be terminating errors.

I have used Update-Module to update Az and Graph to latest. Here's what my Get-InstalledModule outputs:

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
10.4.1               Az                                  PSGallery            Microsoft Azure PowerShell - Cmdlets t...
2.13.1               Az.Accounts                         PSGallery            Microsoft Azure PowerShell - Accounts ...
2.0.0                Az.Advisor                          PSGallery            Microsoft Azure PowerShell: Advisor cm...
5.5.1                Az.Aks                              PSGallery            Microsoft Azure PowerShell - Azure man...
1.1.4                Az.AnalysisServices                 PSGallery            Microsoft Azure PowerShell - Analysis ...
4.0.2                Az.ApiManagement                    PSGallery            Microsoft Azure PowerShell - Api Manag...
1.3.0                Az.AppConfiguration                 PSGallery            Microsoft Azure PowerShell: AppConfigu...
2.2.2                Az.ApplicationInsights              PSGallery            Microsoft Azure PowerShell: Applicatio...
1.0.0                Az.ArcResourceBridge                PSGallery            Microsoft Azure PowerShell: ArcResourc...
2.0.0                Az.Attestation                      PSGallery            Microsoft Azure PowerShell - Attestati...
1.0.0                Az.Automanage                       PSGallery            Microsoft Azure PowerShell: Automanage...
1.9.1                Az.Automation                       PSGallery            Microsoft Azure PowerShell - Automatio...
3.5.0                Az.Batch                            PSGallery            Microsoft Azure PowerShell - Batch ser...
2.0.3                Az.Billing                          PSGallery            Microsoft Azure PowerShell - Billing s...
3.1.1                Az.Cdn                              PSGallery            Microsoft Azure PowerShell: Cdn cmdlets
1.2.0                Az.CloudService                     PSGallery            Microsoft Azure PowerShell: CloudServi...
1.14.0               Az.CognitiveServices                PSGallery            Microsoft Azure PowerShell - Cognitive...
6.3.0                Az.Compute                          PSGallery            Microsoft Azure PowerShell - Compute s...
1.0.0                Az.ConfidentialLedger               PSGallery            Microsoft Azure PowerShell: Confidenti...
3.2.2                Az.ContainerInstance                PSGallery            Microsoft Azure PowerShell: ContainerI...
4.1.1                Az.ContainerRegistry                PSGallery            Microsoft Azure PowerShell - Container...
1.12.0               Az.CosmosDB                         PSGallery            Microsoft Azure PowerShell - CosmosDB ...
1.1.0                Az.DataBoxEdge                      PSGallery            Microsoft Azure PowerShell - DataBoxEd...
1.7.0                Az.Databricks                       PSGallery            Microsoft Azure PowerShell: Databricks...
1.17.0               Az.DataFactory                      PSGallery            Microsoft Azure PowerShell - Data Fact...
1.0.3                Az.DataLakeAnalytics                PSGallery            Microsoft Azure PowerShell - Data Lake...
1.3.0                Az.DataLakeStore                    PSGallery            Microsoft Azure PowerShell - Azure Dat...
2.1.0                Az.DataProtection                   PSGallery            Microsoft Azure PowerShell: DataProtec...
1.0.1                Az.DataShare                        PSGallery            Microsoft Azure PowerShell - DataShare...
1.1.0                Az.DeploymentManager                PSGallery            PowerShell .Net Core Microsoft Azure P...
4.0.0                Az.DesktopVirtualization            PSGallery            Microsoft Azure PowerShell: DesktopVir...
1.0.2                Az.DevTestLabs                      PSGallery            Microsoft Azure PowerShell - DevTest L...
1.1.3                Az.Dns                              PSGallery            Microsoft Azure PowerShell - DNS servi...
1.6.0                Az.EventGrid                        PSGallery            Microsoft Azure PowerShell - Event Gri...
4.1.0                Az.EventHub                         PSGallery            Microsoft Azure PowerShell - Event Hub...
1.10.0               Az.FrontDoor                        PSGallery            Microsoft Azure PowerShell - Front Doo...
4.0.6                Az.Functions                        PSGallery            Microsoft Azure PowerShell - Azure Fun...
6.0.1                Az.HDInsight                        PSGallery            Microsoft Azure PowerShell - HDInsight...
2.0.0                Az.HealthcareApis                   PSGallery            Microsoft Azure PowerShell: Healthcare...
2.7.5                Az.IotHub                           PSGallery            Microsoft Azure PowerShell - IoT Hub s...
4.12.0               Az.KeyVault                         PSGallery            Microsoft Azure PowerShell - Key Vault...
2.2.0                Az.Kusto                            PSGallery            Microsoft Azure PowerShell: Kusto cmdlets
1.0.0                Az.LoadTesting                      PSGallery            Microsoft Azure PowerShell: LoadTestin...
1.5.0                Az.LogicApp                         PSGallery            Microsoft Azure PowerShell - Logic App...
1.1.3                Az.MachineLearning                  PSGallery            Microsoft Azure PowerShell - Machine L...
1.0.0                Az.MachineLearningServices          PSGallery            Microsoft Azure PowerShell: MachineLea...
1.3.1                Az.Maintenance                      PSGallery            Microsoft Azure PowerShell - Maintenan...
1.1.1                Az.ManagedServiceIdentity           PSGallery            Microsoft Azure PowerShell: ManagedSer...
3.0.0                Az.ManagedServices                  PSGallery            Microsoft Azure PowerShell: ManagedSer...
2.0.0                Az.MarketplaceOrdering              PSGallery            Microsoft Azure PowerShell: Marketplac...
1.1.2                Az.Media                            PSGallery            Microsoft Azure PowerShell - Media ser...
2.2.0                Az.Migrate                          PSGallery            Microsoft Azure PowerShell: Migrate cm...
4.6.0                Az.Monitor                          PSGallery            Microsoft Azure PowerShell - Monitor s...
1.1.1                Az.MySql                            PSGallery            Microsoft Azure PowerShell: MySql cmdlets
6.2.0                Az.Network                          PSGallery            Microsoft Azure PowerShell - Networkin...
1.1.2                Az.NotificationHubs                 PSGallery            Microsoft Azure PowerShell - Notificat...
3.2.0                Az.OperationalInsights              PSGallery            Microsoft Azure PowerShell - Operation...
1.6.3                Az.PolicyInsights                   PSGallery            Microsoft Azure PowerShell - Azure Pol...
1.1.0                Az.PostgreSql                       PSGallery            Microsoft Azure PowerShell: PostgreSql...
1.2.1                Az.PowerBIEmbedded                  PSGallery            Microsoft Azure PowerShell - Power BI ...
1.0.4                Az.PrivateDns                       PSGallery            Microsoft Azure PowerShell - Private D...
6.6.0                Az.RecoveryServices                 PSGallery            Microsoft Azure PowerShell - Recovery ...
1.8.0                Az.RedisCache                       PSGallery            Microsoft Azure PowerShell - Redis Cac...
1.2.0                Az.RedisEnterpriseCache             PSGallery            Microsoft Azure PowerShell: RedisEnter...
2.0.0                Az.Relay                            PSGallery            Microsoft Azure PowerShell: Relay cmdlets
1.2.0                Az.ResourceMover                    PSGallery            Microsoft Azure PowerShell: ResourceMo...
6.11.1               Az.Resources                        PSGallery            Microsoft Azure PowerShell - Azure Res...
1.4.0                Az.Security                         PSGallery            Microsoft Azure PowerShell - Azure Sec...
3.1.0                Az.SecurityInsights                 PSGallery            Microsoft Azure PowerShell: SecurityIn...
3.0.0                Az.ServiceBus                       PSGallery            Microsoft Azure PowerShell - Service B...
3.2.0                Az.ServiceFabric                    PSGallery            Microsoft Azure PowerShell - Service F...
2.0.0                Az.SignalR                          PSGallery            Microsoft Azure PowerShell - Azure Sig...
4.10.0               Az.Sql                              PSGallery            Microsoft Azure PowerShell - SQL servi...
2.1.0                Az.SqlVirtualMachine                PSGallery            Microsoft Azure PowerShell: SqlVirtual...
2.2.0                Az.StackHCI                         PSGallery            Microsoft Azure PowerShell: StackHci c...
5.10.1               Az.Storage                          PSGallery            Microsoft Azure PowerShell - Storage s...
1.0.1                Az.StorageMover                     PSGallery            Microsoft Azure PowerShell: StorageMov...
2.0.0                Az.StorageSync                      PSGallery            Microsoft Azure PowerShell - Storage S...
2.0.0                Az.StreamAnalytics                  PSGallery            Microsoft Azure PowerShell: StreamAnal...
1.0.0                Az.Support                          PSGallery            Microsoft Azure PowerShell - Azure Sup...
3.0.3                Az.Synapse                          PSGallery            Microsoft Azure PowerShell - Azure Syn...
1.2.1                Az.TrafficManager                   PSGallery            Microsoft Azure PowerShell - Traffic M...
3.1.1                Az.Websites                         PSGallery            Microsoft Azure PowerShell - App Servi...
2.0.2.182            AzureAD                             PSGallery            Azure Active Directory V2 General Avai...
2.6.1                Microsoft.Graph.Authentication      PSGallery            Microsoft Graph PowerShell Authenticat...
2.6.1                Microsoft.Graph.Identity.Directo... PSGallery            Microsoft Graph PowerShell Cmdlets
1.1.183.66           MSOnline                            PSGallery            Microsoft Azure Active Directory Modul...
1.4.8.1              PackageManagement                   PSGallery            PackageManagement (a.k.a. OneGet) is a...
2.2.5                PowerShellGet                       PSGallery            PowerShell module with commands for di...
2.6.1                Microsoft.Graph                     PSGallery            Microsoft Graph PowerShell module
2.6.1                Microsoft.Graph.Applications        PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Bookings            PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Calendar            PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.ChangeNotifications PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.CloudCommunications PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Compliance          PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.CrossDeviceExper... PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.DeviceManagement    PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.DeviceManagement... PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.DeviceManagement... PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.DeviceManagement... PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.DeviceManagement... PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Devices.CloudPrint  PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Devices.Corporat... PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Devices.ServiceA... PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.DirectoryObjects    PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Education           PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Files               PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Groups              PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Identity.Governance PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Identity.Partner    PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Identity.SignIns    PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Mail                PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Notes               PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.People              PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.PersonalContacts    PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Planner             PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Reports             PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.SchemaExtensions    PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Search              PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Security            PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Sites               PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Teams               PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Users               PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Users.Actions       PSGallery            Microsoft Graph PowerShell Cmdlets
2.6.1                Microsoft.Graph.Users.Functions     PSGallery            Microsoft Graph PowerShell Cmdlets

Module Name

Deploy

To Reproduce

Steps to reproduce the behavior:

  1. Fill the script with your tenant id, subscription id, and Sentinel resource group name
  2. Unblock the script with Unblock-File
  3. Try to run the script .\GrantPermissions.ps1
  4. Be prompted for credentials, login successfully
  5. See error

Expected behavior

No errors, script runs as supposed to

Additional context

I am running Windows PowerShell 5.1 that comes with Windows 10.

briandelmsft commented 1 year ago

If this is an issue with some inter-module dependency the script could be split out into 2 as the use of each module is independent.

All the Set-APIPermissions lines and function could be one script with only the MsGraph module needed. All the Set-RBACPermissions lines and function could be another with only the Az module needed.

@piaudonn thoughts? Looks like this may be more of a module issue than an issue with the script.
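
A diagnostic for the inter-module dependency discussed in this thread, added here as an example and not part of GrantPermissions.ps1 or the STAT repository. It assumes the errors come from Az.Accounts and Microsoft.Graph.Authentication each carrying their own copy of the identity assemblies named in the error messages; the function names are hypothetical.

```powershell
# Added example, not code from the STAT project.
# Assumption: Az.Accounts and Microsoft.Graph.Authentication each ship their own
# copies of the identity assemblies named in the errors reported in this issue.
$SharedAssemblies = 'Azure.Identity', 'Azure.Core', 'Microsoft.Identity.Client',
                    'Microsoft.Identity.Client.Extensions.Msal'

function Get-ShippedIdentityAssembly {
    # For every installed version of each module, report the version of each
    # shared assembly found on disk under the module's folder.
    param([string[]]$ModuleName = @('Az.Accounts', 'Microsoft.Graph.Authentication'))

    foreach ($module in Get-Module -ListAvailable -Name $ModuleName) {
        foreach ($name in $SharedAssemblies) {
            Get-ChildItem -Path $module.ModuleBase -Recurse -Filter "$name.dll" -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Module          = $module.Name
                        ModuleVersion   = $module.Version
                        Assembly        = $name
                        AssemblyVersion = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version
                        Path            = $_.FullName
                    }
                }
        }
    }
}

function Get-LoadedIdentityAssembly {
    # Report which copies of the shared assemblies are loaded in this session.
    [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $SharedAssemblies -contains $_.GetName().Name } |
        ForEach-Object {
            [pscustomobject]@{
                Assembly = $_.GetName().Name
                Version  = $_.GetName().Version
                Location = $_.Location
            }
        }
}

$shipped = Get-ShippedIdentityAssembly
$shipped | Sort-Object Assembly, Module |
    Format-Table Module, ModuleVersion, Assembly, AssemblyVersion -AutoSize

# An assembly present at more than one version is a candidate for the conflict.
$shipped | Group-Object Assembly | ForEach-Object {
    $versions = @($_.Group.AssemblyVersion | Sort-Object -Unique)
    if ($versions.Count -gt 1) {
        Write-Warning "$($_.Name) is shipped at versions: $($versions -join ', ')"
    }
}

# Run this again after the script fails to see which copies were loaded.
Get-LoadedIdentityAssembly | Format-Table -AutoSize
```

If an assembly is reported at different versions, running the Graph half and the Az half as separate scripts in separate PowerShell processes gives each module its own copy.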

fujiant commented 1 year ago

Thank you for fast response! Meanwhile I've tried removing all of Az and Microsoft.Graph and reinstalling the modules. It has not made a difference. My colleagues could also reproduce the issue on their Windows workstations with latest module versions and Windows PowerShell 5.1.

I also tested on Ubuntu Linux with PowerShell 7 and could not reproduce the issue, the script seemed to work there. So I did test with PowerShell 7 and latest modules on my Windows 10 workstation, but the issue still remains. The first error message however is a bit different.

[+] Connect to the Azure AD tenant: <REDACTED>
Connect-MgGraph: C:\Users\<REDACTED>\Downloads\<REDACTED>.ps1:49
Line |
  49 |  Connect-MgGraph -TenantId $TenantId -Scopes AppRoleAssignment.ReadWri …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Could not load file or assembly 'Microsoft.Identity.Client.Extensions.Msal, Version=2.25.3.0, Culture=neutral,
     | PublicKeyToken=<REDACTED>'. Could not find or load a specific file. (0x80131621)
[+] Connecting to  to the Azure subscription: <REDACTED>
[+] Setting permission Data.Read on Get-UEBAInsights
Get-MgServicePrincipal_List: C:\Users\<REDACTED>\Downloads\<REDACTED>.ps1:92

piaudonn commented 1 year ago

@briandelmsft indeed, that's a PowerShell/module issue that you would get regardless of what is using those cmdlets.

The first error looks a lot like what is described here: https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2284 and fixed by updating the Az module.

I can't repro on my side. I'll try later on a lab to see if I can repro. In the meantime, I would encourage you to keep those GitHub issues in the microsoftgraph org going. I know that's not great of an answer, but that's where the SMEs for those problems are.

fujiant commented 1 year ago

Yes, as mentioned, module updates do not seem to have an effect on this. I have the latest. I have also tried to remove everything and old versions and then reinstall from scratch. Still getting the errors when Az and Graph are both used in the same file.

AxelBornauw commented 1 year ago

@fujiant I had the same exact issue, but downgrading Microsoft.Graph.Applications/Authentication & Az.Accounts/Resources did the trick for me. I used:

piaudonn commented 1 year ago

> Yes, as mentioned, module updates do not seem to have an effect on this. I have the latest. I have also tried to remove everything and old versions and then reinstall from scratch. Still getting the errors when Az and Graph are both used in the same file.

But I am not sure if there is anything we, as STAT owners, can do about it; it seems that the root cause of the problem is outside of the solution. @fujiant I don't want to look like I am trying to punt here, but I am unsure of how we can help here. Perhaps we can provide a "manual" way to grant the permissions in the documentation. Would that help?

fujiant commented 1 year ago

> > Yes, as mentioned, module updates do not seem to have an effect on this. I have the latest. I have also tried to remove everything and old versions and then reinstall from scratch. Still getting the errors when Az and Graph are both used in the same file.
>
> But I am not sure if there is anything we, as STAT owners, can do about it; it seems that the root cause of the problem is outside of the solution. @fujiant I don't want to look like I am trying to punt here, but I am unsure of how we can help here. Perhaps we can provide a "manual" way to grant the permissions in the documentation. Would that help?

Thanks, this would be helpful! I am keeping the issue up in the Graph side, still no solution on their end.

piaudonn commented 7 months ago

The issue seems to be related to one's system configuration and not the script per se. I will archive this issue. It will remain searchable, but it will not show as open anymore.