Open i-windows opened 2 years ago
Thanks I'll investigate.
OK. It seems to ignore what ContextHas says if you specify -groups but not -teams. I need to check if Groups work with a non-work-or-school account - possibly it just returns an empty set.
The ContextHas function checks [Microsoft.Graph.PowerShell.Authentication.GraphSession]::instance.AuthContext and in this case it is only told to look at .WorkOrSchool
My AuthContext looks like this
TenantName : Mobula Consulting
WorkOrSchool : True
UserDisplayName : James O'Neill (ADMIN)
UserID : blah-blah-blah-blah-blah
RefreshTokenPresent : False
TokenAutoRefresh : False
ClientId : 14d82eec-204b-4c2f-b7e8-296a70dab67e
TenantId : blah-blah-blah-blah-blah
CertificateThumbprint :
Scopes : {AppCatalog.Read.All, AuditLog.Read.All, Calendars.ReadWrite, Calendars.ReadWrite.Shared…}
AuthType : Delegated
AuthProviderType : InteractiveAuthenticationProvider
CertificateName :
Account : James@blahblahblah.com
AppName : Microsoft Graph PowerShell
ContextScope : CurrentUser
Certificate :
PSHostVersion : 2022.6.1
ClientTimeout : 00:05:00
Are you using an Azure AD account? What does ...AuthContext show?
so we only use AppOnly authentication and not delegated which I don't think will return either work or school, you can see the auth context below.
ClientId : xxxxxx-x
TenantId : xxxxxx-x
CertificateThumbprint : xxxx
Scopes : {DeviceManagementManagedDevices.Read.All, Device.Read.All, UserAuthenticationMethod.Read.All, AuthenticationContext.Read.All…}
AuthType : AppOnly
AuthProviderType : ClientCredentialProvider
CertificateName :
Account :
AppName : ESO-MSGraphPowershell
ContextScope : Process
Certificate :
PSHostVersion : 2022.6.1
ClientTimeout : 00:05:00
If we bypass the ContextHas then we have no issues returning the data we are interested in.
I have just checked some code into the repo which should set WorkOrSchool correctly, would you like to try it before I push it to the gallery?
sure I can try it out if it helps you - prob have some time tomorrow.
I can confirm that I am having the same issue, using Azure AD accounts, in both my lab tenant and production tenants.
Trying:
Get-GraphUser polly -MemberOf
WARNING: Only the -Drive, -Calendars and -Notebooks options work when you are logged in with this kind of account.
My AuthContext:
ClientId : gibber-jabber
TenantId : gibber-jabber
CertificateThumbprint :
Scopes : {AppCatalog.Read.All, AuditLog.Read.All, Calendars.ReadWrite, Calendars.ReadWrite.Shared…}
AuthType : Delegated
AuthProviderType : InteractiveAuthenticationProvider
CertificateName :
Account : someadmin@sometenant.onmicrosoft.com
AppName : Microsoft Graph PowerShell
ContextScope : CurrentUser
Certificate :
PSHostVersion : 7.2.5
ClientTimeout : 00:05:00
@gingerXpat How are you logging on ?
If you use the connect-graph which is part of PlusPlus it adds a bunch of properties to the auth context object
If you don't have any of
TenantName :
WorkOrSchool :
UserDisplayName :
UserID :
RefreshTokenPresent :
TokenAutoRefresh :
I'm guessing you're logging on and then loading plusplus? You should also get a greeting of Welcome To Microsoft Graph++, name@domain. When you connect
You are correct. I have been using Connect-MgGraph. I'm on the road now, but will try this and get back to you by tomorrow morning. Thanks for the quick response.
Okay, I did try this and ran into the following problem, which reminds me why I was using Connect-MgGraph instead of Connect-Graph.
Connect-Graph
Get-Command: C:\myfolder\Documents\PowerShell\Modules\Microsoft.Graph.PlusPlus\1.5.3\Authentication.ps1:298
Line |
298 | if (Get-Command az) {
| ~~~~~~~~~~~~~~
| The term 'az' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
| again.
I am still able to authenticate and connect to the Graph. However, the additional properties are still not present when I check my AuthContext with the following:
[Microsoft.Graph.PowerShell.Authentication.GraphSession]::instance.AuthContext
In case there is a dependency on the Az module:
Get-InstalledModule az
Version Name Repository Description
------- ---- ---------- -----------
8.1.0 Az PSGallery
I hope this helps. Perhaps I'm overlooking something on my end.
That's a problem which I thought I had fixed - basically I added something to allow people with the Az cli to get an access token with that if it was present, and I missed an -ErrorAction SilentlyContinue. I thought that was in the version on the gallery but your error says you're running the newest version so I will investigate and ensure the fix is in place.
https://github.com/jhoneill/MsftGraph/blob/PlusPlus/Authentication.ps1 shows the line has moved down the file and does have the silently continue in it so I need to figure out why that isn't in the gallery.
Loud "Doh" noises and face-palm sounds - it looks like I had V1.5.4 all set to go to the gallery but never hit publish.
Ok, just updated to 1.5.4. Much better!
Get-Module Microsoft.Graph.PlusPlus
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 1.5.4 Microsoft.Graph.PlusPlus
steps to produce error : ggu -userid user@somwhere -teams ggg somegroup
error reported (user) WARNING: Only the -Drive, -Calendars and -Notebooks options work when you are logged in with this kind of account.
error reported (groups) WARNING: This requires a work or school account.
running environment install on windows 11 version 1.5.3 graph version : latest auth: app auth via cert.
Comments ggu -userid user@somwhere -groups will work and return groups as expected,
I'm guessing ContextHas isn't working as expected.
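
The three sign-in situations reported in this thread (Connect-Graph with a delegated work account, app-only authentication with a certificate, and Connect-MgGraph without the extra PlusPlus properties) can be told apart from the AuthContext alone. The following is an added example, not code from the PlusPlus module or from any participant: Get-ContextAccountKind is a hypothetical helper, the sample objects are constructed from the property names shown in the dumps above, and treating AppOnly as an organizational context is an assumption.

```powershell
# Added example. Get-ContextAccountKind is hypothetical and is not a PlusPlus function.
function Get-ContextAccountKind {
    param(
        # In real use, pass:
        # [Microsoft.Graph.PowerShell.Authentication.GraphSession]::Instance.AuthContext
        [Parameter(Mandatory)]
        [psobject]$AuthContext
    )

    # WorkOrSchool is one of the properties Connect-Graph adds to the context;
    # a context created by Connect-MgGraph alone does not carry it.
    $hasFlag = $AuthContext.PSObject.Properties.Name -contains 'WorkOrSchool'

    # Assumption: app-only sign-in (client credentials / certificate) always runs
    # against an organizational tenant, so it is not gated on WorkOrSchool.
    if ("$($AuthContext.AuthType)" -eq 'AppOnly') { return 'Organization' }

    # Delegated sign-in without the flag: the account kind cannot be decided here.
    if (-not $hasFlag) { return 'Unknown' }

    if ($AuthContext.WorkOrSchool) { return 'Organization' }
    return 'Personal'
}

# Constructed samples mirroring the three AuthContext shapes posted in the thread.
$samples = @(
    [pscustomobject]@{ Label = 'Connect-Graph, delegated';   AuthType = 'Delegated'; WorkOrSchool = $true }
    [pscustomobject]@{ Label = 'App-only via certificate';   AuthType = 'AppOnly' }
    [pscustomobject]@{ Label = 'Connect-MgGraph, delegated'; AuthType = 'Delegated' }
)

foreach ($s in $samples) {
    '{0,-28} -> {1}' -f $s.Label, (Get-ContextAccountKind -AuthContext $s)
}
```

Returning a distinct 'Unknown' for a delegated context without the flag keeps a missing property from being read as "not a work or school account", which is the warning both reporters saw.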