microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

Get-MgUserMailboxSetting Access Denied with Delegated Scopes #2966

Open ross-r opened 1 month ago

ross-r commented 1 month ago

Describe the bug

I'm trying to use the PowerShell cmdlets Get-MgUserMailboxSetting and Update-MgUserMailboxSetting to automate a workflow in my organization; however, I'm receiving access denied errors despite granting the correct permissions and consenting on behalf of my organization.

I've attempted to use Graph Explorer and unfortunately the same issue occurs there too.

Upon checking the permission details for Get-MgUserMailboxSetting, I'm led to believe this is unintended behavior: [image]

The permission descriptions for MailboxSettings.Read and MailboxSettings.ReadWrite explicitly state access to all users; however, it's only working on the user who authenticated the application to begin with.

Reading around, I've come across multiple others experiencing this issue, including other GitHub issues within this repo. The general consensus is that you need to register an application and authenticate with application permissions as opposed to delegated permissions, but again, the permission descriptions imply otherwise.

- https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
- https://stackoverflow.com/questions/54767695/error-access-denied-on-mailboxsettings-for-users
- https://github.com/MartinM85/graph-mailbox-user-purpose/issues/1
- https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2120

Here's an example of the PowerShell code I am running:

```powershell
# Delegated scopes requested at sign-in (array elements separated consistently by newlines)
$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All"
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "djones@company.onmicrosoft.com"
Get-MgUserMailboxSetting -UserId $UserId
```

The sign-in / authentication process: [image]

I am authenticating with a Global Administrator account and attempting to access the mailbox settings of a regular licensed user.

Error:

```
Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 00c23911-9b70-4660-a58e-dcd1600c71d3
client-request-id             : 57dbe463-3d02-448d-9cce-446e76efb0af
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"ML1PEPF00004AFC"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 12:19:54 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get
```

As I mentioned earlier, I've done the exact same process using Graph Explorer, even consenting to the application on behalf of my organization within Entra.

Expected behavior

I should, according to the permission descriptions for MailboxSettings.ReadWrite, be able to read and write mailbox settings for all users within an organization with delegated scopes.

How to reproduce

Execute:

```powershell
$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All"
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "djones@company.onmicrosoft.com"
Get-MgUserMailboxSetting -UserId $UserId
```

Authenticate with a Global Administrator account and select "Consent on behalf of your organization".

SDK Version

2.23.0

Latest version known to work for scenario above?

Unknown; it appears to be a long-term issue with many reports and no official solution besides application permissions, which, again, the permission description implies are not needed.

Known Workarounds

Unconfirmed, however, other users have reported this working with application permissions as opposed to delegated scope permissions.

Debug output

```
DEBUG: [CmdletBeginProcessing]: - Get-MgUserMailboxSetting begin processing with parameterSet 'Get'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - Scopes: [Chat.ReadWrite.All, Directory.Read.All, Group.Read.All, Mail.ReadWrite, MailboxSettings.ReadWrite, openid, People.Read.All, profile, Sites.Manage.All, User.Read.All, User.ReadWrite.All, email].

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users/[redacted]@[redacted].onmicrosoft.com/mailboxSettings

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-AU),PowerShell/2024.2.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.23.0
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4

Body:

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT

Body:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A

Confirm
Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A

SkuId                                Name
-----                                ----
3b555118-da6a-4418-894f-7df1e2096870 Microsoft 365 Business Basic

Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId -Debug
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get
DEBUG: [CmdletEndProcessing]: - Get-MgUserMailboxSetting end processing.
```

Configuration

```
PSVersion                      5.1.22621.963
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.963
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Other information

No response
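An added example (not from the issue author or the SDK project) that contrasts the two connection modes the issue discusses: a delegated sign-in, where the token carries the signed-in user's own rights, and the app-only (application permission) sign-in that other reports point to as the workaround. It assumes an app registration with MailboxSettings.Read granted as an application permission and admin-consented; the tenant ID, client ID and certificate thumbprint are placeholders.

```powershell
# Added example: inspect the Graph context before calling the mailbox-settings API,
# so a 403 in delegated mode is recognised rather than debugged as a consent problem.
# Tenant/client/thumbprint values are placeholders (assumptions), not values from the issue.
$TenantId   = "<tenant-id>"
$ClientId   = "<app-registration-client-id>"
$Thumbprint = "<certificate-thumbprint>"
$UserId     = "djones@company.onmicrosoft.com"   # target mailbox, as in the issue

function Get-MailboxSettingsWithContextCheck {
    param([Parameter(Mandatory)][string]$UserId)

    $ctx = Get-MgContext
    if (-not $ctx) { throw "Not connected. Run Connect-MgGraph first." }

    # Get-MgContext exposes AuthType ('Delegated' or 'AppOnly'), the granted Scopes
    # and, for delegated sign-ins, the Account (UPN) the token was issued to.
    Write-Verbose ("AuthType={0}; Scopes={1}" -f $ctx.AuthType, ($ctx.Scopes -join ', '))

    # Per the reports in this thread, delegated tokens only reach the signed-in
    # user's own mailboxSettings; flag the mismatch before the call is made.
    if ($ctx.AuthType -eq 'Delegated' -and $UserId -ne $ctx.Account) {
        Write-Warning "Delegated context for $($ctx.Account): reading $UserId may return 403 ErrorAccessDenied."
    }

    try {
        Get-MgUserMailboxSetting -UserId $UserId -ErrorAction Stop
    }
    catch {
        # Log the Graph error message, then re-throw so the caller still sees the failure.
        Write-Warning ("Graph call failed: {0}" -f $_.Exception.Message)
        throw
    }
}

# 1) Delegated sign-in with the narrowest scope for a read-only check (least privilege).
Connect-MgGraph -Scopes "MailboxSettings.Read" -NoWelcome
Get-MailboxSettingsWithContextCheck -UserId $UserId   # warns; 403 expected for another user's mailbox

# 2) App-only sign-in with a certificate (the workaround the thread reports as working).
Disconnect-MgGraph
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome
(Get-MgContext).AuthType   # AppOnly
Get-MailboxSettingsWithContextCheck -UserId $UserId | Select-Object TimeZone, Language
```

The app registration should carry only MailboxSettings.Read (or ReadWrite if updates are needed), not the broad delegated scope list from the repro, since an app-only token is not bounded by any signed-in user.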

supajo commented 1 month ago

I can confirm the exact same issue on my side. Also, I cannot run this under an Azure Automation Runbook with a System Assigned Managed Identity.

ross-r commented 1 month ago

> I can confirm the exact same issue on my side. Also, I cannot run this under an Azure Automation Runbook with a System Assigned Managed Identity.

Yep, this seems to be a long-running issue since MailSettings was added to Microsoft Graph, which is disappointing. I'd love to spend the time transitioning to Graph, but until these issues are fixed, or better yet, even acknowledged seriously, I don't see a point.

Creating an application within Entra for this specific thing is not a solution, as delegation for the same tasks has worked fine in past APIs from Microsoft; nor is it a solution at an enterprise level for MSPs supporting many organizations.