microsoft / EntraExporter

PowerShell module to export a local copy of an Entra (Azure AD) tenant configuration.
https://aka.ms/EntraExporter
MIT License

Write-Error contains bearer access token and is written in the console log #74

Open milapointe opened 2 months ago

milapointe commented 2 months ago

Using EntraExporter and not having sufficient rights, it gives an error. This error is not handled by the module and is passed through to the console log, and we can clearly see the bearer access token (stripped from this capture).

image

Any way to hide this part of the request? I don't mind having the error, but having the access token all over the logs... even if it's valid only for 1 hour and has limited access, I prefer not having it :)

Thanks!

ptmetcalf commented 1 month ago

The skiptoken field wouldn't be an access token; it's just used for pagination in the Graph API to handle large datasets. If you wanted to redact that or something else from the output, you could always wrap the command in a try/catch and use regex to redact any output that you don't want to see.

milapointe commented 1 month ago

See below, I mask the authorization header bearer... it's weird on a dark-mode browser 😅

Plus, I run this inside an Azure Function, so maybe it's more verbose than usual.
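
The try/catch-and-regex redaction suggested in the thread, as an added example that is not part of any comment above and is not code from the EntraExporter project. `Protect-LogText` and `Invoke-WithRedactedErrors` are hypothetical helper names, the sample error text and its token are constructed, and the regexes assume the secret appears after `Bearer` or as a bare JWT.

```powershell
# Hypothetical helper (not part of EntraExporter): masks bearer tokens, bare JWTs
# and Graph $skiptoken values in text before it reaches a log.
function Protect-LogText {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string] $Text
    )
    process {
        # "Bearer <token>", as found in an Authorization header
        $Text = $Text -replace '(?i)(\bBearer\s+)[A-Za-z0-9._~+/=-]+', '${1}[REDACTED]'
        # Bare JWT: three base64url segments, the first starting with "eyJ"
        $Text = $Text -replace '\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*', '[REDACTED-JWT]'
        # Paging cursor: not a credential, masked only to keep logs short
        $Text = $Text -replace '(?i)(\$skiptoken=)[^&\s''"]+', '${1}[REDACTED]'
        $Text
    }
}

# Hypothetical wrapper: runs a script block and re-emits its errors scrubbed.
function Invoke-WithRedactedErrors {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [scriptblock] $ScriptBlock)
    try {
        # 2>&1 merges non-terminating errors (Write-Error) into the pipeline
        & $ScriptBlock 2>&1 | ForEach-Object {
            if ($_ -is [System.Management.Automation.ErrorRecord]) {
                # Log the scrubbed string only, never the original record
                Write-Warning ($_.ToString() | Protect-LogText)
            }
            else { $_ }
        }
    }
    catch {
        # Terminating errors arrive here instead
        Write-Warning ($_.ToString() | Protect-LogText)
    }
}

# Constructed sample error text (the token is made up) to show the masking
$sample = 'GET https://graph.microsoft.com/v1.0/users?$skiptoken=abc123 ' +
          'Authorization: Bearer eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl failed: 403'
Invoke-WithRedactedErrors { Write-Error $sample }

# Real use (Export-Entra is the module's export cmdlet; the path is a placeholder):
# Invoke-WithRedactedErrors { Export-Entra -Path 'C:\EntraBackup\' }
```

The original error records remain in the session's `$Error` variable, so that variable should not be dumped to a log either.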