microsoftgraph / entra-powershell

Microsoft Entra PowerShell
https://aka.ms/entraps
MIT License

Get-EntraUser Requires AuditLog.Read.All Permission #858

Open ahmadnshehadeh opened 1 week ago

ahmadnshehadeh commented 1 week ago

Thanks for reporting the bug. Please ensure you've gone through the following checklist before opening an issue:

  - Using the latest released versions of Microsoft.Graph.Entra and Microsoft.Graph.Entra.Beta v0.9.0
  - Searched existing issues, didn't find a similar issue that talks about this.

Describe the bug

Running the function Get-EntraUser results in an error message: {"error":{"code":"Authentication_MSGraphPermissionMissing","message":"Calling principal does not have required MSGraph permissions AuditLog.Read.All"}}

To Reproduce

Steps to reproduce the behavior:

  1. Run Connect-Entra -Scopes User.ReadWrite.All
  2. Execute Get-EntraUser without any arguments
  3. Receive the following error: {"error":{"code":"Authentication_MSGraphPermissionMissing","message":"Calling principal does not have required MSGraph permissions AuditLog.Read.All"}}

Expected behavior

Running Get-EntraUser with scope User.ReadWrite.All should output the list of all users.

Debug Output

Run the problematic command with -Debug and paste the resulting debug stream below.

Get-EntraUser -Debug 
DEBUG: ============================ TRANSFORMATIONS ============================
DEBUG: Uri : https://graph.microsoft.com/v1.0/users/?$select=Id,AccountEnabled,AgeGroup,OfficeLocation,AssignedLicenses,AssignedPlans,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DisplayName,GivenName,OnPremisesImmutableId,JobTitle,LegalAgeGroupClassification,Mail,MailNickName,MobilePhone,OnPremisesSecurityIdentifier,OtherMails,PasswordPolicies,PasswordProfile,PostalCode,PreferredLanguage,ProvisionedPlans,OnPremisesProvisioningErrors,ProxyAddresses,RefreshTokensValidFromDateTime,ShowInAddressList,State,StreetAddress,Surname,BusinessPhones,UsageLocation,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime,UserType,OnPremisesLastSyncDateTime,ImAddresses,SecurityIdentifier,OnPremisesUserPrincipalName,ServiceProvisioningErrors,IsResourceAccount,OnPremisesExtensionAttributes,DeletedDateTime,OnPremisesSyncEnabled,EmployeeType,EmployeeHireDate,CreatedDateTime,EmployeeOrgData,preferredDataLocation,Identities,onPremisesSamAccountName,EmployeeId,EmployeeLeaveDateTime,AuthorizationInfo,FaxNumber,OnPremisesDistinguishedName,OnPremisesDomainName,IsLicenseReconciliationNeeded,signInSessionsValidFromDateTime,SignInActivity
DEBUG: Method : GET
DEBUG: =========================================================================
DEBUG: GET /v1.0/users/?$select=Id,AccountEnabled,AgeGroup,OfficeLocation,AssignedLicenses,AssignedPlans,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DisplayName,GivenName,OnPremisesImmutableId,JobTitle,LegalAgeGroupClassification,Mail,MailNickName,MobilePhone,OnPremisesSecurityIdentifier,OtherMails,PasswordPolicies,PasswordProfile,PostalCode,PreferredLanguage,ProvisionedPlans,OnPremisesProvisioningErrors,ProxyAddresses,RefreshTokensValidFromDateTime,ShowInAddressList,State,StreetAddress,Surname,BusinessPhones,UsageLocation,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime,UserType,OnPremisesLastSyncDateTime,ImAddresses,SecurityIdentifier,OnPremisesUserPrincipalName,ServiceProvisioningErrors,IsResourceAccount,OnPremisesExtensionAttributes,DeletedDateTime,OnPremisesSyncEnabled,EmployeeType,EmployeeHireDate,CreatedDateTime,EmployeeOrgData,preferredDataLocation,Identities,onPremisesSamAccountName,EmployeeId,EmployeeLeaveDateTime,AuthorizationInfo,FaxNumber,OnPremisesDistinguishedName,OnPremisesDomainName,IsLicenseReconciliationNeeded,signInSessionsValidFromDateTime,SignInActivity HTTP/1.1
HTTP: graph.microsoft.com
User-Agent: PowerShell/7.4.3 EntraPowershell/0.9.0 Get-EntraUser
DEBUG: GET https://graph.microsoft.com/v1.0/users/?$select=Id,AccountEnabled,AgeGroup,OfficeLocation,AssignedLicenses,AssignedPlans,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DisplayName,GivenName,OnPremisesImmutableId,JobTitle,LegalAgeGroupClassification,Mail,MailNickName,MobilePhone,OnPremisesSecurityIdentifier,OtherMails,PasswordPolicies,PasswordProfile,PostalCode,PreferredLanguage,ProvisionedPlans,OnPremisesProvisioningErrors,ProxyAddresses,RefreshTokensValidFromDateTime,ShowInAddressList,State,StreetAddress,Surname,BusinessPhones,UsageLocation,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime,UserType,OnPremisesLastSyncDateTime,ImAddresses,SecurityIdentifier,OnPremisesUserPrincipalName,ServiceProvisioningErrors,IsResourceAccount,OnPremisesExtensionAttributes,DeletedDateTime,OnPremisesSyncEnabled,EmployeeType,EmployeeHireDate,CreatedDateTime,EmployeeOrgData,preferredDataLocation,Identities,onPremisesSamAccountName,EmployeeId,EmployeeLeaveDateTime,AuthorizationInfo,FaxNumber,OnPremisesDistinguishedName,OnPremisesDomainName,IsLicenseReconciliationNeeded,signInSessionsValidFromDateTime,SignInActivity
HTTP/2.0 403 Forbidden
<removed>
{"error":{"code":"Authentication_MSGraphPermissionMissing","message":"Calling principal does not have required MSGraph permissions AuditLog.Read.All"<removed>}}}

Module Version

0.9.0

Environment Data

Name                       Value
PSVersion                  7.4.3
PSEdition                  Core
GitCommitId                7.4.3
OS                         Microsoft Windows 10.0.22631
Platform                   Win32NT
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1
WSManStackVersion          3.0

Screenshots

n/a

Additional context

After running Connect-Entra -Scopes User.ReadWrite.All, Directory.ReadWrite.All, AuditLog.Read.All I was able to run the command successfully.


Get-EntraUser -Debug
DEBUG: ============================ TRANSFORMATIONS ============================
DEBUG: Uri : https://graph.microsoft.com/v1.0/users/?$select=Id,AccountEnabled,AgeGroup,OfficeLocation,AssignedLicenses,AssignedPlans,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DisplayName,GivenName,OnPremisesImmutableId,JobTitle,LegalAgeGroupClassification,Mail,MailNickName,MobilePhone,OnPremisesSecurityIdentifier,OtherMails,PasswordPolicies,PasswordProfile,PostalCode,PreferredLanguage,ProvisionedPlans,OnPremisesProvisioningErrors,ProxyAddresses,RefreshTokensValidFromDateTime,ShowInAddressList,State,StreetAddress,Surname,BusinessPhones,UsageLocation,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime,UserType,OnPremisesLastSyncDateTime,ImAddresses,SecurityIdentifier,OnPremisesUserPrincipalName,ServiceProvisioningErrors,IsResourceAccount,OnPremisesExtensionAttributes,DeletedDateTime,OnPremisesSyncEnabled,EmployeeType,EmployeeHireDate,CreatedDateTime,EmployeeOrgData,preferredDataLocation,Identities,onPremisesSamAccountName,EmployeeId,EmployeeLeaveDateTime,AuthorizationInfo,FaxNumber,OnPremisesDistinguishedName,OnPremisesDomainName,IsLicenseReconciliationNeeded,signInSessionsValidFromDateTime,SignInActivity
DEBUG: Method : GET
DEBUG: =========================================================================
DEBUG: GET /v1.0/users/?$select=Id,AccountEnabled,AgeGroup,OfficeLocation,AssignedLicenses,AssignedPlans,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DisplayName,GivenName,OnPremisesImmutableId,JobTitle,LegalAgeGroupClassification,Mail,MailNickName,MobilePhone,OnPremisesSecurityIdentifier,OtherMails,PasswordPolicies,PasswordProfile,PostalCode,PreferredLanguage,ProvisionedPlans,OnPremisesProvisioningErrors,ProxyAddresses,RefreshTokensValidFromDateTime,ShowInAddressList,State,StreetAddress,Surname,BusinessPhones,UsageLocation,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime,UserType,OnPremisesLastSyncDateTime,ImAddresses,SecurityIdentifier,OnPremisesUserPrincipalName,ServiceProvisioningErrors,IsResourceAccount,OnPremisesExtensionAttributes,DeletedDateTime,OnPremisesSyncEnabled,EmployeeType,EmployeeHireDate,CreatedDateTime,EmployeeOrgData,preferredDataLocation,Identities,onPremisesSamAccountName,EmployeeId,EmployeeLeaveDateTime,AuthorizationInfo,FaxNumber,OnPremisesDistinguishedName,OnPremisesDomainName,IsLicenseReconciliationNeeded,signInSessionsValidFromDateTime,SignInActivity HTTP/1.1
HTTP: graph.microsoft.com
User-Agent: PowerShell/7.4.3 EntraPowershell/0.9.0 Get-EntraUser

DEBUG: GET https://graph.microsoft.com/v1.0/users/?$select=Id,AccountEnabled,AgeGroup,OfficeLocation,AssignedLicenses,AssignedPlans,City,CompanyName,ConsentProvidedForMinor,Country,CreationType,Department,DisplayName,GivenName,OnPremisesImmutableId,JobTitle,LegalAgeGroupClassification,Mail,MailNickName,MobilePhone,OnPremisesSecurityIdentifier,OtherMails,PasswordPolicies,PasswordProfile,PostalCode,PreferredLanguage,ProvisionedPlans,OnPremisesProvisioningErrors,ProxyAddresses,RefreshTokensValidFromDateTime,ShowInAddressList,State,StreetAddress,Surname,BusinessPhones,UsageLocation,UserPrincipalName,ExternalUserState,ExternalUserStateChangeDateTime,UserType,OnPremisesLastSyncDateTime,ImAddresses,SecurityIdentifier,OnPremisesUserPrincipalName,ServiceProvisioningErrors,IsResourceAccount,OnPremisesExtensionAttributes,DeletedDateTime,OnPremisesSyncEnabled,EmployeeType,EmployeeHireDate,CreatedDateTime,EmployeeOrgData,preferredDataLocation,Identities,onPremisesSamAccountName,EmployeeId,EmployeeLeaveDateTime,AuthorizationInfo,FaxNumber,OnPremisesDistinguishedName,OnPremisesDomainName,IsLicenseReconciliationNeeded,signInSessionsValidFromDateTime,SignInActivity HTTP/2.0 200 OK

> Beta module experience is slightly different. I was able to run the command `get-entrabetauser` but I had to use `connect-mggraph` since `connect-entra` is not available in the beta module.
snehalkotwal commented 1 week ago

@ahmadnshehadeh Thanks for raising the issue, we are looking into it.

v-uansari commented 6 days ago

@ahmadnshehadeh can you provide other details like which roles/groups/permissions are assigned to your user?

alexandair commented 6 days ago

@v-uansari The reason why OP is getting the missing permission error is that Get-EntraUser returns the SignInActivity property by default. The SignInActivity property requires the AuditLog.Read.All permission.

Comparing to Get-MgUser, Get-MgUser doesn't return the SignInActivity property as one of the default properties, and User.Read.All permission is enough. As soon as you add -Select SignInActivity, you will need the AuditLog.Read.All as well.

cking22001 commented 5 days ago

So, at this time, it appears to be a documentation issue. It does not sound like a bug so much as knowing you need to either get specific properties or grant AuditLog.Read.All.

Also, I don't see a -Select, but if I do this the command works:

Get-EntraUser -ObjectId xxx -Property userprincipalname

But with this I get the failure:

Get-EntraUser -ObjectId xxx -Property userprincipalname, signinactivity

Anyone feel like the default be to not return sign in activity?

adamfowlerit commented 5 days ago

Just installed the module and ran into this exact problem in my test tenant using a Global Administrator account with the basic 'Get-EntraUser' command - because it's the example given here https://learn.microsoft.com/en-gb/powershell/entra-powershell/quickstart-entra-powershell?view=entra-powershell#get-user-information after it instructs you to connect with Connect-Entra -Scopes 'User.Read.All'

I also don't quite get why I can just use 'Connect-Entra' without defining the scopes which is in this documentation https://learn.microsoft.com/en-gb/powershell/entra-powershell/installation?view=entra-powershell&tabs=powershell&pivots=windows#sign-in as it's not explained in either.

Finally, I tried Connect-Entra -Scopes 'AuditLog.Read.All' to give myself access but got this error: {"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license","innerError":{"date":"2024-07-04T02:22:49","request-id":"9779c94c-2d6c-40c9-b03d-5ab3c6d3a52b","client-request-id":"54855775-7114-44a5-9fa3-52114e6b8cae"}}}

Which makes sense as I don't have a premium license in this tenant :) So the Get-EntraUser command is also expecting a high tier license by default.

Edit: Bought a higher license and it works.
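The following is an added example, not code from the entra-powershell project or from any commenter in this thread. It puts together the two findings above: alexandair's point that the default property set of Get-EntraUser includes SignInActivity (which needs AuditLog.Read.All), and adamfowlerit's finding that SignInActivity additionally needs an Entra ID P1/P2 license in the tenant. The wrapper asks for an explicit property list so a session granted only User.Read.All works, checks the scopes of the current session locally before calling Graph, and maps the two error codes seen in this thread to actionable messages. The function name Get-UserDirectoryInfo, the property list, and the use of Get-MgContext (from the Microsoft.Graph.Authentication module that Microsoft.Graph.Entra depends on) are this example's own choices; -Property and -ObjectId on Get-EntraUser are used as shown by cking22001 above.

```powershell
#Requires -Modules Microsoft.Graph.Entra

function Get-UserDirectoryInfo {
    <#
    .SYNOPSIS
    Added example (not project code): read users with the least Graph permission needed.
    Only include SignInActivity when the session holds AuditLog.Read.All and the tenant
    is licensed for it; otherwise Graph answers 403.
    #>
    [CmdletBinding()]
    param(
        # Opt in to SignInActivity explicitly instead of getting it by default.
        [switch]$IncludeSignInActivity,
        # Optional object ID; when omitted the whole directory is listed.
        [string]$ObjectId
    )

    # Attributes readable with User.Read.All alone (example's own selection).
    $properties = @('Id', 'UserPrincipalName', 'DisplayName', 'AccountEnabled', 'UserType', 'CreatedDateTime')
    if ($IncludeSignInActivity) {
        $properties += 'SignInActivity'
    }

    # Inspect what the current session was actually granted, so a missing scope is
    # reported locally rather than as a 403 from the service.
    $context = Get-MgContext
    if (-not $context) { throw 'Not connected. Run Connect-Entra first.' }
    if ($IncludeSignInActivity -and ($context.Scopes -notcontains 'AuditLog.Read.All')) {
        throw "SignInActivity requested but the session lacks AuditLog.Read.All (granted: $($context.Scopes -join ', '))."
    }

    try {
        if ($ObjectId) {
            Get-EntraUser -ObjectId $ObjectId -Property $properties
        }
        else {
            Get-EntraUser -Property $properties
        }
    }
    catch {
        # Graph returns its JSON error body in ErrorDetails; fall back to the exception text.
        $message = $_.ErrorDetails.Message
        if (-not $message) { $message = $_.Exception.Message }

        switch -Regex ($message) {
            'Authentication_MSGraphPermissionMissing' {
                throw "Graph rejected the call for a missing permission. Reconnect with the scope named in the error, or drop the property that needs it. Service response: $message"
            }
            'Authentication_RequestFromNonPremiumTenantOrB2CTenant' {
                throw "SignInActivity requires an Entra ID P1/P2 license in this tenant; call again without -IncludeSignInActivity. Service response: $message"
            }
            default { throw }
        }
    }
}

# Usage (interactive):
# Connect-Entra -Scopes 'User.Read.All'
# Get-UserDirectoryInfo                           # succeeds: SignInActivity is not requested
# Get-UserDirectoryInfo -IncludeSignInActivity    # fails locally: AuditLog.Read.All not granted
# Connect-Entra -Scopes 'User.Read.All', 'AuditLog.Read.All'
# Get-UserDirectoryInfo -IncludeSignInActivity    # succeeds on a P1/P2 tenant; license error otherwise
```

Selecting properties explicitly is the least-privilege option in both directions: the session needs only User.Read.All, and the sign-in data (which is audit-grade information) is only fetched when a caller asks for it and already holds the scope and license that Graph enforces for it.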