jhoneill / MsftGraph

A PowerShell module for interacting with the Microsoft Graph API for Directory, OneNote, OneDrive, Outlook, Planner, Teams and Sharepoint in Office 365 or consumer versions
MIT License
93 stars 12 forks

contexthas issue? #11

Open i-windows opened 2 years ago

i-windows commented 2 years ago

steps to produce error : ggu -userid user@somwhere -teams ggg somegroup

error reported (user) WARNING: Only the -Drive, -Calendars and -Notebooks options work when you are logged in with this kind of account.

error reported (groups) WARNING: This requires a work or school account.

running environment install on windows 11 version 1.5.3 graph version : latest auth: app auth via cert.

Comments ggu -userid user@somwhere -groups will work and return groups as expected,

I'm guessing ContextHas isn't working as expected.

jhoneill commented 2 years ago

Thanks I'll investigate.

jhoneill commented 2 years ago

OK. It seems to ignore what ContextHas says if you specify -groups but not -teams. I need to check if Groups work with a non-work-or-school account - possibly it just returns an empty set.

The ContextHas function checks

[Microsoft.Graph.PowerShell.Authentication.GraphSession]::instance.AuthContext

and in this case it is only told to look at .WorkOrSchool

My AuthContext looks like this

TenantName            : Mobula Consulting
WorkOrSchool          : True
UserDisplayName       : James O'Neill (ADMIN)
UserID                : blah-blah-blah-blah-blah
RefreshTokenPresent   : False
TokenAutoRefresh      : False
ClientId              : 14d82eec-204b-4c2f-b7e8-296a70dab67e
TenantId              : blah-blah-blah-blah-blah
CertificateThumbprint :
Scopes                : {AppCatalog.Read.All, AuditLog.Read.All, Calendars.ReadWrite, Calendars.ReadWrite.Shared…}
AuthType              : Delegated
AuthProviderType      : InteractiveAuthenticationProvider
CertificateName       :
Account               : James@blahblahblah.com
AppName               : Microsoft Graph PowerShell
ContextScope          : CurrentUser
Certificate           :
PSHostVersion         : 2022.6.1
ClientTimeout         : 00:05:00

Are you using an Azure AD account? What does ...AuthContext show ?

i-windows commented 2 years ago

so we only use AppOnly authentication and not delegated which I don't think will return either work or school, you can see the auth context below.

ClientId              : xxxxxx-x
TenantId              : xxxxxx-x
CertificateThumbprint : xxxx
Scopes                : {DeviceManagementManagedDevices.Read.All, Device.Read.All, UserAuthenticationMethod.Read.All, AuthenticationContext.Read.All…}
AuthType              : AppOnly
AuthProviderType      : ClientCredentialProvider
CertificateName       :
Account               :
AppName               : ESO-MSGraphPowershell
ContextScope          : Process
Certificate           :
PSHostVersion         : 2022.6.1
ClientTimeout         : 00:05:00

If we bypass the ContextHas then we have no issues returning the data we are interested in.

jhoneill commented 2 years ago

I have just checked some code into the repo which should set WorkOrSchool correctly, would you like to try it before I push it to the gallery?

i-windows commented 2 years ago

sure I can try it out if it helps you - prob have some time tomorrow.

RyanVanCleave commented 2 years ago

I can confirm that I am having the same issue, using Azure AD accounts, in both my lab tenant and production tenants.

Trying:

Get-GraphUser polly -MemberOf
WARNING: Only the -Drive, -Calendars and -Notebooks options work when you are logged in with this kind of account.

My AuthContext:

ClientId              : gibber-jabber
TenantId              : gibber-jabber
CertificateThumbprint : 
Scopes                : {AppCatalog.Read.All, AuditLog.Read.All, Calendars.ReadWrite, Calendars.ReadWrite.Shared…}
AuthType              : Delegated
AuthProviderType      : InteractiveAuthenticationProvider
CertificateName       :
Account               : someadmin@sometenant.onmicrosoft.com
AppName               : Microsoft Graph PowerShell
ContextScope          : CurrentUser
Certificate           :
PSHostVersion         : 7.2.5
ClientTimeout         : 00:05:00

jhoneill commented 2 years ago

@gingerXpat How are you logging on? If you use the connect-graph which is part of PlusPlus, it adds a bunch of properties to the auth context object. If you don't have any of

TenantName            :
WorkOrSchool          :
UserDisplayName       :
UserID                :
RefreshTokenPresent   :
TokenAutoRefresh      :

I'm guessing you're logging on and then loading plusplus ? You should also get a greeting of

Welcome To Microsoft Graph++, name@domain .

When you connect
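
A three-state version of the account check discussed in this thread, as an added example (not code from the module or from anyone in the thread). `Get-AccountKind` and the sample objects are hypothetical; it assumes app-only sign-in implies a directory tenant and that a missing `WorkOrSchool` property means "not determined" rather than "consumer account".

```powershell
# Added illustration: Get-AccountKind is a hypothetical helper, not part of Microsoft.Graph.PlusPlus.
function Get-AccountKind {
    [CmdletBinding()]
    param(
        # e.g. [Microsoft.Graph.PowerShell.Authentication.GraphSession]::Instance.AuthContext
        [Parameter(Mandatory)]
        [AllowNull()]
        $AuthContext
    )
    if ($null -eq $AuthContext) { return 'NotConnected' }

    # WorkOrSchool is an extra property; per the thread it is absent after a plain Connect-MgGraph.
    $flag = $AuthContext.PSObject.Properties['WorkOrSchool']
    if ($flag -and $null -ne $flag.Value) {
        if ($flag.Value) { return 'WorkOrSchool' } else { return 'Consumer' }
    }

    # Assumption: client-credential (app-only) sessions only exist inside a directory tenant.
    $authType = $AuthContext.PSObject.Properties['AuthType']
    if ($authType -and "$($authType.Value)" -eq 'AppOnly') { return 'WorkOrSchool' }

    # Property missing and not app-only: the gate cannot tell, so say so instead of guessing.
    return 'Unknown'
}

# Constructed sample contexts mirroring the three outputs pasted in this issue.
$samples = [ordered]@{
    'Connect-Graph, delegated'   = [pscustomobject]@{ WorkOrSchool = $true; AuthType = 'Delegated' }
    'App-only via certificate'   = [pscustomobject]@{ AuthType = 'AppOnly'; AuthProviderType = 'ClientCredentialProvider' }
    'Connect-MgGraph, delegated' = [pscustomobject]@{ AuthType = 'Delegated'; Account = 'someadmin@sometenant.onmicrosoft.com' }
}

foreach ($name in $samples.Keys) {
    $kind = Get-AccountKind -AuthContext $samples[$name]
    switch ($kind) {
        'WorkOrSchool' { "$name : directory-only options allowed" }
        'Consumer'     { "$name : only -Drive, -Calendars and -Notebooks apply" }
        'Unknown'      { "$name : account kind not determined; reconnect with the module's Connect-Graph" }
        default        { "$name : not connected" }
    }
}
```

Reporting `Unknown` separately keeps the warning accurate: the session is not treated as a consumer account just because the property was never populated.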

RyanVanCleave commented 2 years ago

You are correct. I have been using Connect-MgGraph. I'm on the road now, but will try this and get back to you by tomorrow morning. Thanks for the quick response.

RyanVanCleave commented 2 years ago

Okay, I did try this and ran into the following problem, which reminds me why I was using Connect-MgGraph instead of Connect-Graph.

Connect-Graph
Get-Command: C:\myfolder\Documents\PowerShell\Modules\Microsoft.Graph.PlusPlus\1.5.3\Authentication.ps1:298
Line |
 298 |          if (Get-Command az) {
     |              ~~~~~~~~~~~~~~
     | The term 'az' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
     | again.

I am still able to authenticate and connect to the Graph. However, the additional properties are still not present when I check my AuthContext with the following: [Microsoft.Graph.PowerShell.Authentication.GraphSession]::instance.AuthContext

In the case there is a dependency on the Az module:

Get-InstalledModule az

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
8.1.0                Az                                  PSGallery

I hope this helps. Perhaps I'm overlooking something on my end.

jhoneill commented 2 years ago

That's a problem which I thought I had fixed - basically I added something to allow people with the Az cli to get an access token with that if it was present, and I missed an -ErrorAction SilentlyContinue. I thought that was in the version on the gallery but your error says you're running the newest version so I will investigate and ensure the fix is in place.

https://github.com/jhoneill/MsftGraph/blob/PlusPlus/Authentication.ps1 shows the line has moved down the file and does have the silently continue in it so I need to figure out why that isn't in the gallery.

jhoneill commented 2 years ago

Loud "Doh" noises and face-palm sounds - it looks like I had V1.5.4 all set to go to the gallery but never hit publish.

RyanVanCleave commented 2 years ago

Ok, just updated to 1.5.4. Much better!

 Get-Module Microsoft.Graph.PlusPlus

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     1.5.4                 Microsoft.Graph.PlusPlus
