microsoft / EntraExporter

PowerShell module to export a local copy of an Entra (Azure AD) tenant configuration.
https://aka.ms/EntraExporter
MIT License

Export of 'privilegedAccess/azureResources/resources' fails: 400 Bad Request #62

Open nextxpert opened 8 months ago

nextxpert commented 8 months ago

When running -All -CloudOnly, we see the following error occur:

[debug] GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=fIO1247ezEmz1lviT8FLJQ

HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 7c5e8fb4-6e4d-43e5-9819-448fd17aee46
client-request-id: 1e4a4c8c-93bf-4607-8fa4-832c89993e18
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0001E78A"}}
Date: Wed, 03 Jan 2024 13:27:11 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-01-03T13:27:11","request-id":"7c5e8fb4-6e4d-43e5-9819-448fd17aee46","client-request-id":"1e4a4c8c-93bf-4607-8fa4-832c89993e18"}}}

richardgarciajr commented 8 months ago

I'm also getting the same error in PowerShell 7 and Azure DevOps Pipeline. PowerShell 7.4.0, EntraExporter 2.0.7, Microsoft.Graph.Authentication 2.9.1

Command: Export-Entra "$root\$BACKUP_FOLDER" -All -CloudUsersAndGroupsOnly

Output:

PrivilegedAccess/AzureResources/Resources
Export-Entra: GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=<REMOVED>
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: <REMOVED>
client-request-id: <REMOVED>
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"<REMOVED>","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"<REMOVED>"}}
Date: Thu, 04 Jan 2024 22:11:48 GMT
Content-Type: application/json
Content-Encoding: gzip

{"error":{"code":"InvalidFilter","message":"The  filter is invalid.","innerError":{"date":"2024-01-04T22:11:49","request-id":"<REMOVED>","client-request-id":"<REMOVED>"}}}

mrusso-virtos commented 6 months ago

I'm afraid I'm getting a very similar error. PowerShell 5, EntraExporter 2.0.7, Microsoft.Graph.Authentication 2.15.0

I have successfully run the following as an interactive user with Global Admin privilege:

Export-Entra -Path $outFile -All

But my Jenkins-powered Azure Application (without any assigned Azure Roles, mind you) is getting the following fail when it tries to export at or after "PrivilegedAccess/AzureResources/Resources":

Export-Entra : GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: cdc3f015-61e0-4e50-9107-18dddb23b797
client-request-id: 7643a684-89fd-45cc-83df-6e320f608936
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Australia East","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SY3PEPF00009BFC"}}
Cache-Control: private
Date: Wed, 06 Mar 2024 07:36:44 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license.","innerError":{"date":"2024-03-06T07:36:45","request-id":"cdc3f015-61e0-4e50-9107-18dddb23b797","client-request-id":"7643a684-89fd-45cc-83df-6e320f608936"}}}

I'm hesitant to allocate a Global Admin role to the application... but not sure how to proceed. Suggestions would be very welcome!

tld6764 commented 6 months ago

Hello, I think your issue is buried in your error message? "error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license." It looks like the account doing the data retrieval will need an Entra P2 license to get said data.


mrusso-virtos commented 6 months ago

Hello tld6764,

The "account" is an App Registration. I'm connecting to MgGraph via a clientID and certificate. Are you saying I have to assign a license to an App Registration?! I'm not even sure how to look that up, and there doesn't appear to be anything in the Entra Licenses page that suggests that an App can have a license assigned. Hence my confusion about the error message.

tld6764 commented 6 months ago

Well, not the application specifically. However, I think at least one user will need to have a P2. It's failing on Privileged Identity Management, which requires a P2 license to use. That, or just omit that part from the script.

mrusso-virtos commented 6 months ago

OK - I'll see about getting a P2 license - the part about the tenant having a license makes sense. What is odd is that my other Global Admin account, in the same tenant, without a P2 license, can run the entire (-All) export without a problem, albeit interactively.

SamErde commented 3 months ago

> When running -All -CloudOnly, we see the following error occur:

Are you using the -CloudUsersAndGroupsOnly parameter? I don't believe there is a -CloudOnly one.

SamErde commented 3 months ago

> Well not the application specifically. However I think at least one user will need to have a P2. Its failing on Privileged Identity Management which requires a P2 license to use. That or just omit that part from the script.

This sounds like a good idea for a PR to check for P2 license and provide error handling for this case. See also #61.
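One way to do the pre-flight check suggested above, as an added example that is not part of the EntraExporter module: it looks for the Entra ID P2 service plan in the tenant's subscribed SKUs (the thread shows tenant-level presence is enough, with no assignment to the app or a service account) and otherwise skips the PIM collection instead of letting the 400 AadPremiumLicenseRequired abort the run. It assumes an existing Connect-MgGraph session with Organization.Read.All, that AAD_PREMIUM_P2 is the service plan name to look for, and that the Graph error body appears in the exception message as shown in the output above.

```powershell
# Added example, not EntraExporter code. Requires Microsoft.Graph.Authentication.
function Test-EntraP2License {
    [CmdletBinding()]
    param(
        # AAD_PREMIUM_P2 is the service plan name carried by Entra ID P2 SKUs.
        # Add the plan name of an Entra ID Governance SKU here if that is what licenses PIM in your tenant.
        [string[]]$PlanNames = @('AAD_PREMIUM_P2')
    )
    $uri  = 'https://graph.microsoft.com/v1.0/subscribedSkus'
    $skus = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject -ErrorAction Stop).value
    foreach ($sku in $skus) {
        # Only an enabled SKU with at least one prepaid unit counts; a suspended or empty SKU does not license PIM.
        if ($sku.capabilityStatus -ne 'Enabled' -or $sku.prepaidUnits.enabled -lt 1) { continue }
        foreach ($plan in $sku.servicePlans) {
            if (($PlanNames -contains $plan.servicePlanName) -and $plan.provisioningStatus -eq 'Success') {
                return $true
            }
        }
    }
    return $false
}

# Gate the PIM-backed collection on the check, and translate the licence error if Graph still returns it.
function Export-PimAzureResources {
    param([Parameter(Mandatory)][string]$OutputPath)
    if (-not (Test-EntraP2License)) {
        Write-Warning 'No Entra ID P2 service plan found in this tenant; skipping privilegedAccess/azureResources/resources.'
        return
    }
    $uri = 'https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources'
    try {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject -ErrorAction Stop
        $page.value | ConvertTo-Json -Depth 10 | Set-Content -Path $OutputPath
    }
    catch {
        # Assumption: the JSON error body (as printed in this thread) is part of the exception message.
        if ($_.Exception.Message -match 'AadPremiumLicenseRequired') {
            Write-Warning 'Graph reports the tenant lacks an Entra ID P2 or Governance license; PIM export skipped.'
            return
        }
        throw
    }
}
```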

milapointe commented 2 months ago

In my case, the error received is :

{"error":{"code":"InvalidFilter","message":"The filter is invalid."}}

mrusso-virtos commented 2 months ago

I'm using: Export-Entra -Path $ExportLocation -All

My problem was resolved the moment I added a P2 license to my tenant. I did not need to adjust permissions or assign the P2 license to either the application or a service account.

Thank you.

milapointe commented 2 months ago

> I'm using: Export-Entra -Path $ExportLocation -All
>
> My problem was resolved the moment I added a P2 license to my tenant. I did not need to adjust permissions or assign the P2 license to either the application or a service account.
>
> Thank you.

Yeah I understood afterward that it was not the same mistake as me. We do have P2 licence in the tenant.

My problem is the same as OP.

milapointe commented 2 months ago

@nextxpert did you resolve it on your part?

Thanks

milapointe commented 2 months ago

I was able to reproduce it manually.


The first Invoke-MgGraphRequest is working great,

but as soon as it gets inside the loop, it fails with a 400 Bad Request error.

I continue to search why...

milapointe commented 2 months ago

I think I got it. $skiptoken is not handled by the endpoint.

When you see my first example that was working,

> The first Invoke-MgGraphRequest is working great

it was stripping this:

https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=vY7z1EU*[ABC]*mQ

to this:

https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?=vY7z1EU*[ABC]*mQ&$skiptoken=*[REMOVED]*

When I tried again with only the request, using single quotes instead of double quotes, I get the same 400 error. So, the endpoint doesn't support $skiptoken and takes it as a filter (which it is not!).

I will see where to open an issue on this...
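The "stripping" in the working example is PowerShell string interpolation: inside double quotes `$skiptoken` is read as a variable (undefined, hence empty), so the query parameter name disappears and the request never actually carries a skip token. The block below is an added example, not EntraExporter's own code: it puts the two quotings side by side and shows a paging loop that follows the server's @odata.nextLink verbatim but, when the endpoint rejects its own token with 400 InvalidFilter, keeps the pages already fetched and records the failure instead of aborting the whole export. It assumes an existing Connect-MgGraph session, that Invoke-MgGraphRequest raises an exception on a 400 whose message contains the JSON error body (as printed in this thread), and a constructed placeholder token.

```powershell
# Added example, not EntraExporter code. Requires Microsoft.Graph.Authentication.

# (1) The quoting pitfall. $skiptoken is not a defined variable, so the double-quoted
#     form expands it to nothing and the URL ends in "?=<token>", as seen in the thread.
$token = 'vY7z1EU_CONSTRUCTED_PLACEHOLDER_mQ'   # constructed placeholder, not a real token
$bad   = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=$token"
$good  = 'https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=' + $token
# $bad  ends in  ...resources?=vY7z1EU_CONSTRUCTED_PLACEHOLDER_mQ
# $good ends in  ...resources?$skiptoken=vY7z1EU_CONSTRUCTED_PLACEHOLDER_mQ

# (2) Paging that survives an endpoint whose nextLink is rejected on the second request.
function Get-GraphPagesTolerant {
    param([Parameter(Mandatory)][string]$Uri)
    $items = [System.Collections.Generic.List[object]]::new()
    $pages = 0
    $next  = $Uri
    $failedLink = $null
    while ($next) {
        try {
            $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject -ErrorAction Stop
        }
        catch {
            # Assumption: the Graph JSON error body is included in the exception message.
            $isSkipTokenReject = ($next -ne $Uri) -and ($_.Exception.Message -match '"code"\s*:\s*"InvalidFilter"')
            if (-not $isSkipTokenReject) { throw }   # anything else is a real failure
            $failedLink = $next
            Write-Warning "Endpoint rejected its own nextLink after $pages page(s); keeping $($items.Count) item(s)."
            break
        }
        $pages++
        foreach ($v in $page.value) { $items.Add($v) }
        # Follow the server-provided link as-is; never rebuild it from a $skiptoken string.
        $next = $page.'@odata.nextLink'
    }
    # Return the data plus enough context for the export log to show the collection is partial.
    [pscustomobject]@{ Items = $items; Pages = $pages; Partial = [bool]$failedLink; FailedLink = $failedLink }
}

$result = Get-GraphPagesTolerant -Uri 'https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources'
if ($result.Partial) { Write-Warning "Partial export: $($result.FailedLink)" }
```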

nixtaz commented 1 month ago

Do we have any updates on this issue?

milapointe commented 1 month ago

> Do we have any updates on this issue?

nope