microsoftgraph / msgraph-sdk-powershell

PowerShell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph
Other
691 stars 165 forks

Review Get-MgDeviceManagementReportFilter permissions #2928

Closed i5513 closed 1 month ago

i5513 commented 1 month ago

Describe the bug

I'm trying:

$appid = (Get-MgDeviceAppManagementMobileApp -Filter "DisplayName eq 'XXXXX'" ).id
Get-MgDeviceManagementReportFilter -OutFile prueba.csv -BodyParameter @{ name = "DeviceInstallStatusFilter" ; filter = "(ApplicationId eq '$appid')" }

I have all needed permissions:

C:\> Find-MgGraphCommand Get-MgDeviceManagementReportFilter | select -ExpandProperty permissions | select name

Name
----
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementManagedDevices.Read.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementApps.ReadWrite.All
DeviceManagementApps.Read.All

But the result is unexpected:

Get-MgDeviceManagementReportFilter : {
  "_version": 3,
  "Message": "User is not authorized to perform this operation - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 83c3aed8-faa3-4e83-b426-152a4153738a - Url:
https://fef.msub06.manage.microsoft.com/ReportingService/StatelessReportingFEService/deviceManagement/reports/microsoft.management.services.api.getReportFilters?api-version=2021-04-21",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
Status: 403 (Forbidden)
ErrorCode: Forbidden
Date: 2024-08-27T07:49:51
Headers:
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 156b932f-ba6d-4b92-b0f0-c621343385fc
client-request-id             : 83c3aed8-faa3-4e83-b426-152a4153738a
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"France Central","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"PA3PEPF0000B95A"}}
Date                          : Tue, 27 Aug 2024 07:49:51 GMT
En línea: 1 Carácter: 1
+ Get-MgDeviceManagementReportFilter -OutFile prueba.csv -BodyParameter ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ Headers = , b...ionJsonSchema }:<>f__AnonymousType1`2) [Get-MgDeviceManagementReportFilter_Get], Exception
    + FullyQualifiedErrorId : Forbidden,Microsoft.Graph.PowerShell.Cmdlets.GetMgDeviceManagementReportFilter_Get

Expected behavior

Get-MgDeviceManagementReportFilter works as expected, like a GUI query

How to reproduce

See the bug description

SDK Version

2.22.0

Latest version known to work for scenario above?

No response

Known Workarounds

None, but do it through the GUI (not good)

Debug output


Configuration

Other information

No response

timayabi2020 commented 1 month ago

@i5513 thank you for reporting this issue. However, based on the API reference documentation here https://learn.microsoft.com/graph/api/intune-reporting-devicemanagementreports-getreportfilters?view=graph-rest-1.0, the permissions seem to coincide with what Find-MgGraphCommand is returning. We unfortunately don't have complete visibility on service issues, so I would advise that you open an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.

i5513 commented 1 month ago

Thank you, I opened an SR (2408271410000952) for this issue
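
A triage check for this kind of 403, added here as an example and not part of the original thread or the SDK's own code: it compares the permissions Find-MgGraphCommand lists for a cmdlet with the scopes the current session actually holds according to Get-MgContext. It assumes Connect-MgGraph has already been run; the helper name Test-MgCommandScope is hypothetical.

```powershell
# Added example (not from the thread). Test-MgCommandScope is a hypothetical helper name.
# Assumes the Microsoft.Graph module is installed and Connect-MgGraph has been run.
function Test-MgCommandScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Command
    )

    # Get-MgContext returns nothing when there is no active Graph session.
    $context = Get-MgContext
    if (-not $context) {
        throw "No Graph session found. Run Connect-MgGraph first."
    }

    # Find-MgGraphCommand can return one entry per API version (v1.0 and beta),
    # so flatten the permission lists and de-duplicate by name.
    $documented = Find-MgGraphCommand -Command $Command |
        Select-Object -ExpandProperty Permissions |
        Sort-Object -Property Name -Unique

    # Scopes consented for this session (delegated scopes or app roles).
    $granted = @($context.Scopes)

    foreach ($permission in $documented) {
        [pscustomobject]@{
            Permission = $permission.Name
            IsAdmin    = $permission.IsAdmin
            # -contains is case-insensitive for strings in PowerShell.
            InSession  = $granted -contains $permission.Name
            AuthType   = $context.AuthType
        }
    }
}

# The cmdlet from the report above.
Test-MgCommandScope -Command 'Get-MgDeviceManagementReportFilter' |
    Format-Table -AutoSize
```

The Find-MgGraphCommand list describes what the cmdlet's API documents; only the Get-MgContext output shows what the signed-in session was granted.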