HttpClient.Timeout error when using a filter on Get-MGAuditLogSignIn

CloudVikingr commented 1 month ago

Describe the bug

I am trying to run Get-MGAuditLogSignIn with a filter to retrieve the signin attempts from a specific application (Azure Portal). When I run the command I get this result:

> $AppId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
> get-mgauditlogsignin -all -filter "(AppId eq '$AppId')"
Get-MgAuditLogSignIn_List: The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing.

If I don't supply the filter the command runs successfully. It returns the results in a paginated manner and does not encounter the HttpClient.Timeout of 300 seconds:

PS C:\temp> Measure-Command { $events = Get-MgAuditLogSIgnin -all }

**TotalSeconds      : 817.4071132**

I can't find any option to override the default timeout using the specified command.

Expected behavior

I would expect that supplying a filter to the request would result in the specified results returning. If there are a lot of logs, this can take longer than the default timeout of 300s.

How to reproduce

Execute

$AppId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
get-mgauditlogsignin -all -filter "(AppId eq '$AppId')"

SDK Version

2.22.0

Latest version known to work for scenario above?

No response

Known Workarounds

Retrieve the entire dataset and filter on the client side.

$AppId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
$events = Get-MgAuditLogSIgnin -all
$events | where {$_.AppId -eq $AppId}

Debug output

Click to expand log

``` PS C:\temp> get-mgauditlogsignin -all -filter "(AppId eq '$AppId')" -debug DEBUG: [CmdletBeginProcessing]: - Get-MgAuditLogSignIn begin processing with parameterSet 'List'. DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'. DEBUG: [Authentication]: - Scopes: [AuditLog.Read.All, Device.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, Directory.Read.All, Directory.ReadWrite.All, Files.Read.All, Group.Read.All, Group.ReadWrite.All, OnPremDirectorySynchronization.ReadWrite.All, openid, Organization.Read.All, Policy.Read.All, Policy.Read.ConditionalAccess, Policy.ReadWrite.ConditionalAccess, profile, RoleManagement.ReadWrite.Directory, SecurityIncident.Read.All, Sites.Read.All, ThreatIntelligence.Read.All, User.Read, User.Read.All, UserAuthenticationMethod.Read.All, email]. DEBUG: [CmdletException]: Received exception with message 'TaskCanceledException - The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing. : at System.Net.Http.HttpClient.HandleFailure(Exception e, Boolean telemetryStarted, HttpResponseMessage response, CancellationTokenSource cts, CancellationToken cancellationToken, CancellationTokenSource pendingRequestsCts) at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken) at Microsoft.Graph.PowerShell.Reports.AuditLogListSignIn_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender) at Microsoft.Graph.PowerShell.Reports.AuditLogListSignIn_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender) at Microsoft.Graph.PowerShell.Reports.AuditLogListSignIn(Nullable`1 Top, Nullable`1 Skip, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, IDictionary headers, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender) at Microsoft.Graph.PowerShell.Cmdlets.GetMgAuditLogSignIn_List.ProcessRecordAsync()' Get-MgAuditLogSignIn_List: The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing. DEBUG: [CmdletEndProcessing]: - Get-MgAuditLogSignIn end processing. ```

Configuration

OS: Windows 11

Name                           Value
----                           -----
PSVersion                      7.4.4
PSEdition                      Core
GitCommitId                    7.4.4
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Other information

No response

timayabi2020 commented 1 month ago

@CloudVikingr Thank you for raising this issue, however, I couldn't reproduce your issue. How often does this happen?

rdfrocha commented 1 month ago

Can confirm this timeout when running Get-MgAuditLogSignIn -Filter "userId eq '$userId' and createdDateTime ge $startDate and createdDateTime le $endDate" -All

Running Get-MGAuditLogSignIn -All went on for 96 minutes with no time out, returning close to 600k records.

CloudVikingr commented 1 month ago

@timayabi2020 This happens for me every time. It only happens when I try and filter the dataset on the server side. If the results take longer than some built-in timeout, it fails. If I don't supply a filter, it returns paginated results which don't seem to trigger the timeout.

neilfairall commented 3 weeks ago

Same behavior for me. Running without filters will take as long at it likes. Using any kind of filter times out after five minutes.

timayabi2020 commented 2 weeks ago

@CloudVikingr please let me know if you are still getting the same experience when using this tool. https://developer.microsoft.com/en-us/graph/graph-explorer

CloudVikingr commented 2 weeks ago

@CloudVikingr please let me know if you are still getting the same experience when using this tool. https://developer.microsoft.com/en-us/graph/graph-explorer

The tool is not working for me at the moment. I am unable to delegate permissions and it's saying there's network connectivity issues.

I generated the REST call in PowerShell and it returns the first paginated result:

PS C:\src> $url = "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=AppId eq 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'"  
PS C:\src> $response = Invoke-RestMethod -Method GET -headers $header -Uri $url
PS C:\src\CheckPointFirewall> $response | fl

@odata.context  : https://graph.microsoft.com/v1.0/$metadata#auditLogs/signIns
@odata.nextLink : https://graph.microsoft.com/v1.0/auditLogs/signIns?%5C=AppId+eq+%27c44b4083-3bb0-49c1-b47d-974e53cbdf3c%27&$skiptoken=
value           :  <redacted>

I am getting a slightly different error now when I try and use Get-MgAuditLogSignIn. Instead of the error The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing. I am now getting an error A task was canceled but it still fails. No filter returns.

PS C:\src> Get-MgAuditLogSignIn -Filter "(AppId eq '$AppId')"
Get-MgAuditLogSignIn : A task was canceled.
At line:1 char:1
+ Get-MgAuditLogSignIn -Filter "(AppId eq '$AppId')"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgAuditLogSignIn_List], TaskCanceledException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgAuditLogSignIn_List

PS C:\src> Get-MgAuditLogSignIn -all

Id                                   AppDisplayName                                     AppId
--                                   --------------                                     -----
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b1 Office365 Shell WCSS-Client                        89bee1f7-5e6e-4d8a-9f3d-ecd6...
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b10 Microsoft Teams Web Client                         5e3ce6c0-2b1f-4285-8d4b-75ee...
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b1 Microsoft Teams Web Client                         5e3ce6c0-2b1f-4285-8d4b-75ee...
...

Filtering after retrieving all of the logs still works. It took about 15m to return all of the result set.

PS C:\src> Get-MgAuditLogSignIn -all | where {$_.AppId -eq $AppId}
Id                                   AppDisplayName AppId                                ClientAppUsed ConditionalAcces
                                                                                                       sStatus
--                                   -------------- -----                                ------------- ----------------
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b1 Azure Portal   c44b4083-3bb0-49c1-b47d-974e53cbdf3c Browser       success
...

gordonthree commented 1 week ago

Seeing the same timeout error as the original poster, trying to request a filtered log by UPN. This request also times out using the Entra ID web portal.

Get-MgAuditLogSignIn_List: C:\Temp\get-sign-in-logs.ps1:11
Line |
  11 |  $signInLogs = Get-MgAuditLogSignin -Filter "userPrincipalName eq '$us …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing.

microsoftgraph / msgraph-sdk-powershell