Open ahmadnshehadeh opened 1 week ago
@ahmadnshehadeh Thanks for raising the issue, we are looking into it.
@ahmadnshehadeh can you provide other details like which roles/groups/permissions are assigned to your user?
@v-uansari
The reason why OP is getting the missing permission error is that Get-EntraUser returns the SignInActivity property by default. The SignInActivity property requires the AuditLog.Read.All permission.
By comparison, Get-MgUser doesn't return the SignInActivity property as one of the default properties, and the User.Read.All permission is enough. As soon as you add -Select SignInActivity, you will need AuditLog.Read.All as well.
So, at this time, it appears to be a documentation issue. It does not sound like a bug so much as knowing you need to either get specific properties or grant AuditLog.Read.All.
Also, I don't see a -select, but if I do this the command works: Get-EntraUser -ObjectId xxx -Property userprincipalname. But with this I get the failure: Get-EntraUser -ObjectId xxx -Property userprincipalname, signinactivity
Anyone feel like the default should be to not return sign-in activity?
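An added example (not from this thread or the Entra PowerShell module) of the least-privilege pattern the comments above describe: name the properties explicitly so the default set (which includes SignInActivity) is not requested, and ask for AuditLog.Read.All only when sign-in activity is actually wanted. The function name, the switch parameter, the assumption that -Scopes accepts an array, and the matching on the Graph error codes quoted in the thread are assumptions.

```powershell
# Added example (not from the thread or the Entra PowerShell module): connect with
# the narrowest scope set the query needs and opt into SignInActivity explicitly.
# Function name, parameter names and the error-text matching are assumptions.
function Get-EntraUserLeastPrivilege {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [switch] $IncludeSignInActivity
    )

    # User.Read.All is enough for ordinary directory attributes.
    $scopes     = @('User.Read.All')
    $properties = @('Id', 'DisplayName', 'UserPrincipalName', 'AccountEnabled')

    if ($IncludeSignInActivity) {
        # SignInActivity is an audit-log property, so it needs this extra scope
        # (and, per the thread, a tenant with a premium license).
        $scopes     += 'AuditLog.Read.All'
        $properties += 'SignInActivity'
    }

    Connect-Entra -Scopes $scopes

    try {
        # Always name the properties; the cmdlet's default set includes SignInActivity.
        Get-EntraUser -ObjectId $ObjectId -Property $properties -ErrorAction Stop
    }
    catch {
        $text = $_.Exception.Message   # assumed to carry the Graph error JSON body
        if ($text -match 'Authentication_MSGraphPermissionMissing') {
            Write-Warning "A requested property needs a scope the token lacks; requested scopes: $($scopes -join ', ')"
        }
        elseif ($text -match 'Authentication_RequestFromNonPremiumTenantOrB2CTenant') {
            Write-Warning 'SignInActivity requires a premium license in this tenant.'
        }
        throw
    }
}

# Directory attributes only; no audit-log scope is requested:
# Get-EntraUserLeastPrivilege -ObjectId 'user@contoso.example'
# Include last sign-in; this also requests AuditLog.Read.All:
# Get-EntraUserLeastPrivilege -ObjectId 'user@contoso.example' -IncludeSignInActivity
```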
Just installed the module and ran into this exact problem in my test tenant using a Global Administrator account with the basic 'Get-EntraUser' command - because it's the example given here https://learn.microsoft.com/en-gb/powershell/entra-powershell/quickstart-entra-powershell?view=entra-powershell#get-user-information after it instructs you to connect with Connect-Entra -Scopes 'User.Read.All'
I also don't quite get why I can just use 'Connect-Entra' without defining the scopes which is in this documentation https://learn.microsoft.com/en-gb/powershell/entra-powershell/installation?view=entra-powershell&tabs=powershell&pivots=windows#sign-in as it's not explained in either.
Finally, I tried Connect-Entra -Scopes 'Auditlog.Read.All' to give myself access but got this error: {"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license","innerError":{"date":"2024-07-04T02:22:49","request-id":"9779c94c-2d6c-40c9-b03d-5ab3c6d3a52b","client-request-id":"54855775-7114-44a5-9fa3-52114e6b8cae"}}}
Which makes sense as I don't have a premium license in this tenant :) So the Get-EntraUser command is also expecting a high-tier license by default.
Edit: Bought a higher license and it works.
Thanks for reporting the bug. Please ensure you've gone through the following checklist before opening an issue:
Microsoft.Graph.Entra or Microsoft.Graph.Entra.Beta.
Describe the bug
To Reproduce
Steps to reproduce the behavior:
Connect-Entra -Scopes User.ReadWrite.All
Get-EntraUser without any arguments
{"error":{"code":"Authentication_MSGraphPermissionMissing","message":"Calling principal does not have required MSGraph permissions AuditLog.Read.All"}}
Environment Data
PSVersion 7.4.3
PSEdition Core
GitCommitId 7.4.3
OS Microsoft Windows 10.0.22631
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Additional context
DEBUG: GET https://graph.microsoft.com/v1.0/users/?$select=Id,AccountEnabled,AgeGroup,OfficeLocation,AssignedLicenses,AssignedPlans,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DisplayName,GivenName,OnPremisesImmutableId,JobTitle,LegalAgeGroupClassification,Mail,MailNickName,MobilePhone,OnPremisesSecurityIdentifier,OtherMails,PasswordPolicies,PasswordProfile,PostalCode,PreferredLanguage,ProvisionedPlans,OnPremisesProvisioningErrors,ProxyAddresses,RefreshTokensValidFromDateTime,ShowInAddressList,State,StreetAddress,Surname,BusinessPhones,UsageLocation,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime,UserType,OnPremisesLastSyncDateTime,ImAddresses,SecurityIdentifier,OnPremisesUserPrincipalName,ServiceProvisioningErrors,IsResourceAccount,OnPremisesExtensionAttributes,DeletedDateTime,OnPremisesSyncEnabled,EmployeeType,EmployeeHireDate,CreatedDateTime,EmployeeOrgData,preferredDataLocation,Identities,onPremisesSamAccountName,EmployeeId,EmployeeLeaveDateTime,AuthorizationInfo,FaxNumber,OnPremisesDistinguishedName,OnPremisesDomainName,IsLicenseReconciliationNeeded,signInSessionsValidFromDateTime,SignInActivity HTTP/2.0 200 OK