microsoft / EntraExporter

PowerShell module to export a local copy of an Entra (Azure AD) tenant configuration.
https://aka.ms/EntraExporter
MIT License

Authentication via Application-Permission #52

Open aexlz opened 1 year ago

aexlz commented 1 year ago

Hello everyone, I set up the pipeline with a service principal, for which all the relevant API permissions have been consented.

Additionally I use `Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $clientSecretCredential` to be able to authenticate properly with client ID and client secret. I made sure that the app has sufficient privileges by running `Get-MgContext | Select-Object -ExpandProperty Scopes`.

After that I run `Export-Entra $path -All`, but receive the following output:

```text
Starting backup...
 Organization/Organization.json
 Organization/Settings.json
Response status code does not indicate success: Forbidden (Forbidden)
```

Long story short: Is it possible to use this script with application-based permissions?

aexlz commented 1 year ago

By playing around with the type parameter, I was able to export a few entities. So it seems that not every type is supported by an application-based permission.

I do like the idea of this script a lot. It would be great to have those enhancements in the future, or at least some kind of table in the readme.md which illustrates something like this:

| Type | Permission |
| --- | --- |
| User | Application & Delegated |
| ConditionalAccess | Application & Delegated |
| ... | ... |

An additional suggestion would be to give the user a better hint through proper error handling. My pipeline just stopped with e.g.:

```text
Response status code does not indicate success: InternalServerError (Internal Server Error).
Response status code does not indicate success: Forbidden (Forbidden).
Response status code does not indicate success: BadRequest (Bad Request).
```
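Added example (not code from EntraExporter or from anyone in this thread): a wrapper that runs the export one type at a time under the same app-only session, so a Forbidden on one type does not stop the whole pipeline, and that records per type whether the call succeeded or which HTTP status came back; that is roughly the support table and the error hint asked for above. Assumptions: `Export-Entra` accepts `-Path` and `-Type`, the type names listed are illustrative (check `Get-Help Export-Entra -Parameter Type` for the real list on your version), failures surface as terminating errors when `-ErrorAction Stop` is set, and the tenant ID, client ID, secret and `$path` are placeholders.

```powershell
# Added example, not part of EntraExporter. Placeholders below are assumptions.
$tenantId = '<tenant-id>'
$clientId = '<client-id>'
$path     = 'C:\EntraBackup'

# Same app-only sign-in as in the issue: client ID + secret as a PSCredential.
$clientSecret = Read-Host -Prompt 'Client secret' -AsSecureString
$clientSecretCredential = [pscredential]::new($clientId, $clientSecret)
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $clientSecretCredential

# Assumed type names; replace with the values Export-Entra actually accepts.
$types = @('Config', 'ConditionalAccess', 'Users', 'Groups', 'Applications', 'ServicePrincipals')

$results = foreach ($type in $types) {
    $status = 'OK'
    $detail = ''
    try {
        # One subfolder per type, so the types that work are kept even if others fail.
        Export-Entra -Path (Join-Path $path $type) -Type $type -ErrorAction Stop
    }
    catch {
        # Graph SDK errors read like:
        # "Response status code does not indicate success: Forbidden (Forbidden)."
        $detail = $_.Exception.Message
        $status = switch -Regex ($detail) {
            'Forbidden'           { 'Forbidden (app role not granted, or type not supported app-only)'; break }
            'BadRequest'          { 'BadRequest (endpoint rejected the app-only request)'; break }
            'InternalServerError' { 'InternalServerError (transient, retry)'; break }
            default               { 'Error'; break }
        }
    }
    [pscustomobject]@{ Type = $type; Status = $status; Detail = $detail }
}

# Type/Status table for a README-style overview, plus a CSV for the pipeline log.
$results | Format-Table Type, Status -AutoSize
$results | Export-Csv -Path (Join-Path $path 'export-support.csv') -NoTypeInformation

# Fail the pipeline only after every type has been attempted.
if ($results.Status -ne 'OK') { exit 1 }
```

The Status column distinguishes a permission problem (Forbidden, fix the app roles or run that type with delegated permissions) from a transient server error (retry) and from an endpoint that does not accept app-only calls at all (BadRequest), which is the information the "pipeline just stopped" message hides.
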
Outlawpete285 commented 1 year ago

Hello, in case it helps you: I gave the enterprise application the "Global Reader" role and was then able to export all the elements. Of course, that's far too many permissions, but it is read-only, and you can secure the enterprise application accordingly. This works fine for my automated backup.

Best Regards

israem commented 11 months ago

I've been using this module with application permissions and it works flawlessly. Here is a screenshot of the needed permissions: [image]

Here is a snippet to configure the permissions:

```powershell
# Requires an existing Connect-MgGraph session with Application.ReadWrite.All.
# Use the application's ObjectId rather than its client (app) ID.
$applicationObjectId = '....'
$requiredPermissionsNames = @(
    'AccessReview.Read.All',
    'Agreement.Read.All',
    'APIConnectors.Read.All',
    'Application.Read.All',
    'Directory.Read.All',
    'EntitlementManagement.Read.All',
    'IdentityProvider.Read.All',
    'IdentityUserFlow.Read.All',
    'Organization.Read.All',
    'Policy.Read.All',
    'Policy.Read.PermissionGrant',
    'PrivilegedAccess.Read.AzureAD',
    'PrivilegedAccess.Read.AzureResources',
    'User.Read.All',
    'UserAuthenticationMethod.Read.All'
)

# Service principal of Microsoft Graph in this tenant; its AppRoles are the application permissions.
$graphSp = Get-MgServicePrincipalByAppId -AppId '00000003-0000-0000-c000-000000000000'

# Resolve the permission names to their app role IDs.
$requiredAppRoles = $graphSp.AppRoles | Where-Object { $_.Value -in $requiredPermissionsNames }

# Update the registered application. Type='Role' means application permission
# (Type='Scope' would be delegated). This replaces the app's existing
# RequiredResourceAccess list and only declares the permissions; an admin
# still has to grant consent before they take effect.
Update-MgApplication -ApplicationId $applicationObjectId -RequiredResourceAccess @(
    @{
        ResourceAppId  = '00000003-0000-0000-c000-000000000000'
        ResourceAccess = @($requiredAppRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)
```
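Added example (not from EntraExporter or from this thread): the snippet above only declares application permissions on the app registration; they take effect once an admin grants them to the app's service principal (the "Grant admin consent" step). The check below compares the app roles actually granted on Microsoft Graph with the required list, reports what is missing and what is granted beyond it, and can grant the missing ones, which is the least-privilege alternative to handing the app a blanket directory role. Assumptions: it is run in an interactive admin session, `$appClientId` is a placeholder for the export app's client ID, and the permission names are the same list as above.

```powershell
# Added example, not part of EntraExporter. $appClientId is a placeholder.
Import-Module Microsoft.Graph.Applications

$graphAppId   = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
$appClientId  = '<client-id-of-the-export-app>'
$grantMissing = $false    # set to $true to grant the missing roles (needs admin rights)

$requiredPermissionNames = @(
    'AccessReview.Read.All', 'Agreement.Read.All', 'APIConnectors.Read.All',
    'Application.Read.All', 'Directory.Read.All', 'EntitlementManagement.Read.All',
    'IdentityProvider.Read.All', 'IdentityUserFlow.Read.All', 'Organization.Read.All',
    'Policy.Read.All', 'Policy.Read.PermissionGrant', 'PrivilegedAccess.Read.AzureAD',
    'PrivilegedAccess.Read.AzureResources', 'User.Read.All', 'UserAuthenticationMethod.Read.All'
)

# Interactive (delegated) admin session: reading assignments needs Application.Read.All,
# granting them needs AppRoleAssignment.ReadWrite.All.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

$graphSp = Get-MgServicePrincipalByAppId -AppId $graphAppId
$appSp   = Get-MgServicePrincipalByAppId -AppId $appClientId

# Only roles that Graph allows for applications (not delegated scopes).
$requiredRoles = @($graphSp.AppRoles | Where-Object {
    $_.Value -in $requiredPermissionNames -and $_.AllowedMemberTypes -contains 'Application'
})

# App role assignments on the export app's service principal = what admin consent granted.
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id })

$missing = @($requiredRoles | Where-Object { $_.Id -notin $granted.AppRoleId })
$extra   = @($graphSp.AppRoles | Where-Object {
    $_.Id -in $granted.AppRoleId -and $_.Id -notin $requiredRoles.Id
})

"Required: $($requiredRoles.Count)  granted on Graph: $($granted.Count)"
"Missing : $($missing.Value -join ', ')"
"Extra   : $($extra.Value -join ', ')"

if ($grantMissing -and $missing.Count -gt 0) {
    foreach ($role in $missing) {
        # PrincipalId = the service principal receiving the role; ResourceId = Graph's SP in this tenant.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id `
            -PrincipalId $appSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
        "Granted $($role.Value)"
    }
}
```

Run it read-only first; a non-empty Missing line explains a Forbidden from the pipeline even when `Get-MgContext` shows the scopes as declared. Directory roles such as Global Reader are assigned separately and are not app role assignments, so they do not show up here; the Extra line only reveals Graph permissions granted beyond the list.
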
tld6764 commented 11 months ago

@israem what version of powershell are you running this in?

israem commented 11 months ago

I ran the module in both PS7 (up to 7.2.14) and PS5 successfully. I ran the snippet of code I shared in PS7, but there is no reason it wouldn't work in PS5 if you have all the modules installed.

tld6764 commented 11 months ago

I see. I've been messing with it all week. Finally figured out that it gives me errors (same as in original post on this issue) in 7.X, but works fine in 5.1.

ztrhgf commented 11 months ago

Seems like the same issue I encountered too: https://github.com/microsoft/EntraExporter/issues/57