microsoftgraph / msgraph-sdk-serviceissues

Tracks service issues for follow up.

Graph beta retrieve auditlogs, sign-ins or user lastlogin fails with error need premium license #95

Open agonzalezm opened 3 years ago

agonzalezm commented 3 years ago

I am using Graph SDK 4.0-preview4 to get the last user logon or to list the sign-ins report, but all of these operations:

```csharp
graphClient.Users.Request().Select(s => new { s.DisplayName, s.SignInActivity })
graphClient.AuditLogs.SignIns
```

fail with the error:

```
Microsoft.Graph.ServiceException: 'Code: Authentication_RequestFromNonPremiumTenantOrB2CTenant Message: Neither tenant is B2C or tenant doesn't have premium license
```

If I log in to the Azure portal I can see the sign-ins report, and I can get the auth token for the portal user from the browser tools and use it from Postman to run these REST API requests, and they work successfully:

```
https://graph.microsoft.com/beta/users?$select=displayName,signInActivity
https://graph.microsoft.com/beta/auditLogs/signIns?api-version=beta
```

But if I use the token returned from the Microsoft.Graph API SDK in C# and put it in Postman, it doesn't work.

Why do the portal and the API have different functionality, tokens and errors?

How can I work around this and get audit logs and last sign-ins from the Microsoft Graph REST API or the C# SDK?
AB#9500

andrueastman commented 3 years ago

Hey @agonzalezm, Thanks for raising this issue. Are you able to provide more details on how you are setting up the AuthProvider/TokenCredentials to access the token in the app you are building?

agonzalezm commented 3 years ago

We are using client secret auth and the beta SDK, and most things work, like listing AD users, but last sign-in for users doesn't work.

```csharp
// Packages used: Microsoft.Identity.Client (MSAL) and Microsoft.Graph.Auth (preview).
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

var clientId = "xxx";
var tenantID = "xxxxxx";
var clientSecret = "xxxxx";

// Confidential client for the app-only (client credentials) flow: no signed-in user.
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantID)
    .WithClientSecret(clientSecret)
    .Build();

// Auth provider handed to GraphServiceClient; it acquires app-only tokens via MSAL.
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
```

andrueastman commented 3 years ago

Is the tenantID the same tenant that the users are part of?

This is the same error documented here. https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api#error-tenant-is-not-b2c-or-tenant-doesnt-have-premium-license

agonzalezm commented 3 years ago

Yes, the tenantID is the tenant from which I am listing Azure AD users and trying to get the last sign-in time.

Yes, that is the error, but getting the last sign-in doesn't require an Azure AD P1 license anymore; I think that document is outdated.

We have Azure AD for Office 365, and I can list the last sign-in reports in the Azure portal with my global admin user. I gave the application API permissions and the Global Administrator role too. I am using application permissions for a background service to collect this, not delegated.

I can get the last activity sign-ins using the REST API https://graph.microsoft.com/beta/auditLogs/signIns?api-version=beta, so this proves that a P1 license is not needed for the REST API.

I think the problem is the Graph C# SDK beta.

Also, I tried a trial upgrade of the Azure AD license to P1 and got the same error from the Graph C# SDK, so I think it is a generic error for another issue.

andrueastman commented 3 years ago

Thanks for the info about trying it out with the P1 licence enabled. For some reason, then, the issue must be with the token you are acquiring via the SDK.

> I can get the last activity sign-ins using the REST API https://graph.microsoft.com/beta/auditLogs/signIns?api-version=beta, so this proves that a P1 license is not needed for the REST API.

Did you acquire the token for this call via the SDK? Also, have you added these graph permissions to your app registration?

agonzalezm commented 3 years ago

Yes my registered application has permissions.

Application | AuditLog.Read.All, Directory.Read.All


I also tried adding Delegated, but it doesn't work. We do not add delegated permissions because it is a service; it does not run on behalf of a user and doesn't require user sign-on.

For the REST API I acquired the token from the browser (F12) once I logged in to the Azure portal as global admin, so probably yes, it is related to the Graph token.

If I use the REST API with the token from the sdk I get same error:

```json
{
  "error": {
    "code": "Authentication_RequestFromNonPremiumTenantOrB2CTenant",
    "message": "Neither tenant is B2C or tenant doesn't have premium license",
    "innerError": {
      "date": "2021-05-26T16:47:20",
      "request-id": "xx6",
      "client-request-id": "xxx"
    }
  }
}
```

So yes, it is an application token issue, but I have all those permissions. What can be missing?
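The thread compares a token copied from the portal session with the token the SDK acquires, but only by observing which one Graph accepts. A faster way to see what actually differs is to decode both tokens (they are JWTs; the payload is base64url-encoded JSON) and compare the claims that govern authorization: `aud` and `tid` (which resource and which tenant), `roles` (application permissions on an app-only token), `scp` (delegated permissions on a user token) and `idtyp`. The following is an added diagnostic example, not code from this thread or from the Graph SDK. Both tokens are constructed locally with assumed claim values and a dummy signature so it runs offline; never paste real tokens into untrusted tools, since a Graph access token is a bearer credential.

```python
import base64
import json

# Microsoft Graph's well-known application ID; `aud` is either this GUID or the URL.
GRAPH_AUDIENCES = {"00000003-0000-0000-c000-000000000000", "https://graph.microsoft.com"}

# Claims worth comparing when one token works against an endpoint and another does not.
DIAGNOSTIC_CLAIMS = ("aud", "tid", "appid", "idtyp", "roles", "scp", "wids")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(payload: dict) -> str:
    """Build a structurally valid but UNSIGNED JWT for offline testing (constructed data)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode()), "sig"])


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. Diagnostic use only:
    this tells you what the token says, not whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_graph_permission(claims: dict, permission: str) -> bool:
    """App-only tokens carry permissions in `roles` (a list); delegated tokens carry
    them in `scp` (a space-separated string). A permission granted in the portal but
    absent from both is the first thing to check."""
    if permission in claims.get("roles", []):
        return True
    return permission in claims.get("scp", "").split()


def compare_tokens(working: str, failing: str) -> dict:
    """Return the diagnostic claims whose values differ between the two tokens."""
    w, f = decode_claims(working), decode_claims(failing)
    if not (GRAPH_AUDIENCES & {w.get("aud")}) or not (GRAPH_AUDIENCES & {f.get("aud")}):
        raise ValueError("at least one token is not issued for Microsoft Graph")
    return {
        claim: {"working": w.get(claim), "failing": f.get(claim)}
        for claim in DIAGNOSTIC_CLAIMS
        if w.get(claim) != f.get(claim)
    }


# Constructed sample tokens (assumed values, not real tenants or apps).
TENANT = "11111111-2222-3333-4444-555555555555"

# Token as a browser session would hold it: delegated, on behalf of a signed-in admin.
PORTAL_TOKEN = make_token({
    "aud": "https://graph.microsoft.com",
    "tid": TENANT,
    "appid": "portal-app-id-placeholder",
    "idtyp": "user",
    "scp": "AuditLog.Read.All Directory.Read.All User.Read",
    "wids": ["62e90394-69f5-4237-9190-012177145e10"],  # assumed: Global Administrator role id
})

# Token as a client-credentials flow would produce: app-only, permissions in `roles`.
SDK_TOKEN = make_token({
    "aud": "https://graph.microsoft.com",
    "tid": TENANT,
    "appid": "background-service-app-id-placeholder",
    "idtyp": "app",
    "roles": ["AuditLog.Read.All", "Directory.Read.All"],
})

if __name__ == "__main__":
    for claim, values in compare_tokens(PORTAL_TOKEN, SDK_TOKEN).items():
        print(f"{claim}: portal={values['working']!r} sdk={values['failing']!r}")
```

Running it shows the two tokens agree on `aud` and `tid` and differ only in identity type and where the permissions live (`scp` versus `roles`), which is exactly the situation described in the thread: the permission set is right, so the rejection comes from how the service treats app-only callers, not from a missing grant.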

agonzalezm commented 3 years ago

Any update on this, on how to fix or work around it?

andrueastman commented 3 years ago

Hey @agonzalezm, Apologies for the delayed response. I was running into similar issues as you.

When you go to the following link on azure what do you see as the tenant type of your tenant? https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/DirectorySwitchBlade/subtitle/

Is it Azure Active Directory B2C or just Azure Active Directory?

If it is not Azure Active Directory B2C, I had to upgrade (or trial) a premium license to access the reports programmatically via Graph (despite the fact that I could view the logs in the portal). This is documented here too.

agonzalezm commented 3 years ago

I see Azure Active Directory

Is this a bug, and will it be fixed? Why do you need to upgrade to premium if the sign-ins feature is included in my subscription too?

It doesn't make sense that I can see sign-ins in the portal but not through the API; it is not consistent. All features should be available in both the portal and the API.

Microsoft announced that sign-in reports are available in all AD subscriptions, so it should be both the portal and the APIs.

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282

And the problem is really not the API, it is the Graph client SDK token, because if I use the portal token I can do the REST request and retrieve sign-ins.

andrueastman commented 3 years ago

Hey @agonzalezm,

Apologies for any frustrations caused. The SDK simply does the job of making the requests to the various APIs and acquires the token from the token endpoint. The SDK will not acquire the token in a separate/unique way based on your subscription info. Therefore, the SDK isn't the cause since changing the subscription causes the same call to work.

I'm not sure if this a bug/feature on the reports API. I have however raised your questions at the link below. Let's follow it up with them there and see what feedback they will provide.

https://docs.microsoft.com/en-us/answers/questions/427209/retrieve-auditlogs-sign-ins-or-user-lastlogin-fail.html

petrhollayms commented 5 months ago

Thank you for reporting this issue. This appears to be an issue or limitation with the service APIs. Unfortunately, as the Microsoft Graph SDK team, we do not have ownership of the APIs that are causing you issues. We invite you to create a question about the service API on Microsoft Q&A and tag it with one of the [microsoft-graph-*] tags; that way it will get routed to the appropriate team for them to triage:

https://aka.ms/msgraphsupport or directly https://aka.ms/askgraph

For now, we will close the issue on our side but feel free to open it in the relevant repository if you think the issue is specific to SDK. Please let us know if this helps!

Note: We will close this repository on April 19, 2024.