Enhancement: Show user friendly message when running `external connection get` without required permissions

[MartinM85]

When running the command external connection get --id <connection_name> the output was

Error: [object Object]

It was not clear what's the issue until I run external connection get --id <connection_name> --debug

Executing command external connection get with options {"options":{"id":"contosohr","debug":true,"output":"json"}}
Existing access token xxx still valid. Returning...
Request:
{
  "url": "https://graph.microsoft.com/v1.0/external/connections/contosohr",
  "method": "get",
  "headers": {
    "Accept": "application/json;odata.metadata=none",
    "user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/7.5.0",
    "accept-encoding": "gzip, deflate",
    "X-ClientService-ClientTag": "M365CLI:7.5.0",
    "authorization": "Bearer xxx"
  },
  "responseType": "json",
  "decompress": true
}
Request error:
{
  "url": "https://graph.microsoft.com/v1.0/external/connections/contosohr",
  "status": 401,
  "statusText": "Unauthorized",
  "headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "79fa98d1-e457-42ff-bf4d-b949a1ce2f16",
    "client-request-id": "79fa98d1-e457-42ff-bf4d-b949a1ce2f16",
    "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Germany West Central\",\"Slice\":\"E\",\"Ring\":\"5\",\"ScaleUnit\":\"005\",\"RoleInstance\":\"FR3PEPF0000045F\"}}",
    "x-backendhttpstatus": "401,401",
    "x-calculatedfetarget": "GV3P280CU003.internal.outlook.com",
    "x-calculatedbetarget": "GV2P250MB0976.EURP250.PROD.OUTLOOK.COM",
    "x-feserver": "FR0P281CA0170",
    "x-beserver": "GV2P250MB0976",
    "date": "Thu, 08 Feb 2024 07:38:08 GMT"
  },
  "error": {
    "error": {
      "code": "UnknownError",
      "message": "",
      "innerError": {
        "date": "2024-02-08T07:38:08",
        "request-id": "79fa98d1-e457-42ff-bf4d-b949a1ce2f16",
        "client-request-id": "79fa98d1-e457-42ff-bf4d-b949a1ce2f16"
      }
    }
  }
}

Timings:
api: 686.3315ms
core: 7.3379ms
command: 709.9964ms
options: 0.1148ms
total: 719.53ms
validation: 0.2701ms
Error: [object Object]

Maybe it's general issue for all commands without appropriate permission.

[milanholemans]

That's indeed something we've been looking into, to throw a clear message when you lack the permissions. However if I remember it correctly that wasn't so easy. Anyone knows on which issue we had this discussion @pnp/cli-for-microsoft-365-maintainers ?

[waldekmastykarz]

Do you mean this one @milanholemans https://github.com/pnp/cli-microsoft365/issues/5642?

The problem here is that the message property is empty so we default to trying to print the error object, which in this case is useless. We could extend the error printing logic so that when can't show a human-friendly message, we try to deduct what's wrong based on the status code and the API used in the request.

[Adam-it]

Exactly, even in this case we may see that the error is

error": {
      "code": "UnknownError",
      "message": "",
      "innerError": {
        "date": "2024-02-08T07:38:08",
        "request-id": "79fa98d1-e457-42ff-bf4d-b949a1ce2f16",
        "client-request-id": "79fa98d1-e457-42ff-bf4d-b949a1ce2f16"
      }

So actually the API that we use under the hood is not really helping us to say with 100% confidence to the user what happened and what is the reason. We may only provide some guesses. It would be best if the MS Graph API could provide the error message. 🙂

[waldekmastykarz]

It would be best if the MS Graph API could provide the error message. 🙂

Ideally, yes, and we should definitely bring it up with the Graph team. Until then, let's see if we can add a reasonable workaround to the CLI to make it a bit more user-friendly.