microsoft / EntraExporter

PowerShell module to export a local copy of an Entra (Azure AD) tenant configuration.
https://aka.ms/EntraExporter
MIT License

DuplicateKey: There is already a duplicated entity #27

Closed aaronparker closed 1 year ago

aaronparker commented 2 years ago

The following error is encountered recently - this wasn't occurring a couple of weeks ago, so permissions should be OK (I think). The target environment is my lab, so not many Azure AD configuration changes.

The export is running on PowerShell Core on Windows or macOS with AzureADExporter 1.0.957478.

```
IdentityGovernance/EntitlementManagement/Settings
Export-AzureAD: /Users/aaron/projects/azuread-export/scripts/Export-AzureAD.ps1:16
Line |
  16 |  Export-AzureAD -Path "/Users/aaron/projects/azuread-export/azuread"
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/settings HTTP/1.1 409 Conflict
     | Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id:
     | 56214806-d0a8-4d7b-99f8-9b407f71d4df client-request-id: 56214806-d0a8-4d7b-99f8-9b407f71d4df x-ms-ags-diagnostic:
     | {"ServerInfo":{"DataCenter":"Australia
     | Southeast","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"ML1PEPF000058C8"}} Date: Mon, 01 Aug 2022 10:52:23 GMT
     | Content-Type: application/json Content-Encoding: gzip  {"error":{"code":"DuplicateKey","message":"There is already a
     | duplicated
     | entity.","innerError":{"date":"2022-08-01T10:52:24","request-id":"56214806-d0a8-4d7b-99f8-9b407f71d4df","client-request-id":"56214806-d0a8-4d7b-99f8-9b407f71d4df"}}}
```

This is the currently exported data at `IdentityGovernance/EntitlementManagement/Settings/singleton/singleton.json`. Note that the result of this error is that this file is not exported:

```json
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/settings/$entity",
  "daysUntilExternalUserDeletedAfterBlocked": 30,
  "externalUserLifecycleAction": "BlockSignInAndDelete",
  "id": "singleton"
}
```

Authn to Azure AD is via an app registration with the following permissions:

| API / Permissions name | Type | Description |
|---|---|---|
| AccessReview.Read.All | Application | Read all access reviews |
| AdministrativeUnit.Read.All | Application | Read all administrative units |
| Agreement.Read.All | Application | Read all terms of use agreements |
| APIConnectors.Read.All | Application | Read API connectors for authentication flows |
| Directory.Read.All | Application | Read directory data |
| EntitlementManagement.Read.All | Application | Read all entitlement management resources |
| Group.Read.All | Application | Read all groups |
| GroupMember.Read.All | Application | Read all group memberships |
| IdentityProvider.Read.All | Application | Read identity providers |
| IdentityUserFlow.Read.All | Application | Read all identity user flows |
| Organization.Read.All | Application | Read organization information |
| Policy.Read.All | Application | Read your organization's policies |
| Policy.Read.PermissionGrant | Application | Read consent and permission grant policies |
| PrivilegedAccess.Read.AzureAD | Application | Read privileged access to Azure AD roles |
| PrivilegedAccess.Read.AzureResources | Application | Read privileged access to Azure resources |
| RoleManagement.Read.Directory | Application | Read all directory RBAC settings |
| User.Read | Delegated | Sign in and read user profile |
| User.Read.All | Application | Read all users' full profiles |
| UserAuthenticationMethod.Read.All | Application | Read all users' authentication methods |

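The two checks a practitioner would run when the export stops on the `entitlementManagement/settings` singleton, as an added PowerShell example (not code from EntraExporter/AzureADExporter or from the issue's author): first, compare the application permissions actually consented to on the exporter's service principal against the list above (it goes beyond the issue by reporting both missing and surplus grants); second, fetch the singleton with `Invoke-MgGraphRequest` so that a 409 returns its error body instead of throwing, keep any previously exported `singleton.json` in place rather than dropping it, and surface the `request-id` from the `DuplicateKey` payload. It assumes the `Microsoft.Graph.Authentication` and `Microsoft.Graph.Applications` modules with an existing `Connect-MgGraph` session; the function names, `$AppId`, `$OutDir` and `$RequiredAppRoles` are this example's own.

```powershell
# Added example, not part of EntraExporter or the original issue. Assumes an existing
# Connect-MgGraph session and the Microsoft.Graph.Applications module; function and
# parameter names below are this example's own choices.

# Application-type permissions listed in the issue (User.Read is delegated and is omitted).
$RequiredAppRoles = @(
    'AccessReview.Read.All', 'AdministrativeUnit.Read.All', 'Agreement.Read.All',
    'APIConnectors.Read.All', 'Directory.Read.All', 'EntitlementManagement.Read.All',
    'Group.Read.All', 'GroupMember.Read.All', 'IdentityProvider.Read.All',
    'IdentityUserFlow.Read.All', 'Organization.Read.All', 'Policy.Read.All',
    'Policy.Read.PermissionGrant', 'PrivilegedAccess.Read.AzureAD',
    'PrivilegedAccess.Read.AzureResources', 'RoleManagement.Read.Directory',
    'User.Read.All', 'UserAuthenticationMethod.Read.All'
)

function Test-ExporterAppRoles {
    param(
        [Parameter(Mandatory)][string]$AppId,     # appId of the exporter's app registration
        [string[]]$Required = $RequiredAppRoles
    )

    # The Microsoft Graph service principal (well-known appId) carries the catalogue of
    # app roles, which maps each appRoleId GUID back to a value such as Directory.Read.All.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $roleValueById = @{}
    foreach ($role in $graphSp.AppRoles) { $roleValueById[$role.Id] = $role.Value }

    # App role assignments are the grants an admin has actually consented to; what the
    # portal shows as "configured" on the app registration is not the same thing.
    $appSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id |
        Where-Object ResourceId -eq $graphSp.Id |
        ForEach-Object { $roleValueById[$_.AppRoleId] })

    [pscustomobject]@{
        Missing = @($Required | Where-Object { $_ -notin $granted })   # needed but not consented
        Extra   = @($granted  | Where-Object { $_ -notin $Required })  # consented but not needed
    }
}

function Export-EntitlementSettings {
    param([Parameter(Mandatory)][string]$OutDir)   # root of the export tree

    $uri  = 'https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/settings'
    $file = Join-Path $OutDir 'IdentityGovernance/EntitlementManagement/Settings/singleton/singleton.json'

    # -SkipHttpErrorCheck returns the error body instead of throwing, and -StatusCodeVariable
    # captures the HTTP status, so a 409 can be inspected rather than aborting the whole run.
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject `
        -SkipHttpErrorCheck -StatusCodeVariable status

    if ($status -eq 200) {
        New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
        $resp | ConvertTo-Json -Depth 10 | Set-Content -Path $file -Encoding utf8
        return [pscustomobject]@{ Status = $status; Written = $true; RequestId = $null }
    }

    # On any non-200 (the issue's 409 DuplicateKey included) leave the previous copy on disk
    # untouched and report the request-id from the error body, which is what a support case needs.
    $reqId = $resp.error.innerError.'request-id'
    Write-Warning ('GET {0} returned {1} {2}: {3} (request-id {4}); existing file kept: {5}' -f
        $uri, $status, $resp.error.code, $resp.error.message, $reqId, (Test-Path $file))
    return [pscustomobject]@{ Status = $status; Written = $false; RequestId = $reqId }
}

# Usage:
#   Test-ExporterAppRoles -AppId '<app registration appId>'
#   Export-EntitlementSettings -OutDir '/Users/aaron/projects/azuread-export/azuread'
```

`Test-ExporterAppRoles` reads the grants from the service principal's app role assignments rather than from the app registration's `requiredResourceAccess`, because only the former reflects admin consent. `Export-EntitlementSettings` deliberately does not delete or overwrite `singleton.json` on failure, so a transient server-side error leaves the last known-good configuration in the export instead of silently removing it.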
merill commented 1 year ago

Can you please try the new EntraExporter module and re-open this issue if it is still occurring? Tx.