Export of 'privilegedAccess/azureResources/resources' fails: 400 Bad Request #62
I'm also getting the same error in powershell 7 and Azure DevOps Pipeline. Command: Output:
|
I'm afraid I'm getting a very similar error. I have successfully run the following as an interactive user with Global Admin privilege:
But my Jenkins-powered Azure Application (without any assigned Azure Roles mind you) is getting the following fail when it tries to export at or after "PrivilegedAccess/AzureResources/Resources"
I'm hesitant to allocate a Global Admin role to the application...... but not sure how to proceed. Suggestions would be very welcome! |
Hello,
I think your issue is buried in your error message?
"error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license."
It looks like the account doing the data retrieval will need an Entra P2
license to get said data.
…On Wed, Mar 6, 2024 at 1:50 AM mrusso-virtos ***@***.***> wrote:
I'm afraid I'm getting a very similar error.
PowerShell 5
EntraExporter 2.0.7
Microsoft.Graph.Authentication 2.15.0
I have successfully run the following as an interactive user with Global
Admin privilege:
Export-Entra -Path $outFile -All
But my Jenkins-powered Azure Application (without any assigned Azure Roles
mind you) is getting the following fail when it tries to export at or after
"PrivilegedAccess/AzureResources/Resources"
Export-Entra : GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: cdc3f015-61e0-4e50-9107-18dddb23b797
client-request-id: 7643a684-89fd-45cc-83df-6e320f608936
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Australia East","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SY3PEPF00009BFC"}}
Cache-Control: private
Date: Wed, 06 Mar 2024 07:36:44 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license.","innerError":{"date":"2024-03-06T07:36:45","request-id":"cdc3f015-61e0-4e50-9107-18dddb23b797","client-request-id":"7643a684-89fd-45cc-83df-6e320f608936"}}}
I'm hesitant to allocate a Global Admin role to the application...... but
not sure how to proceed. Suggestions would be very welcome!
|
Hello tld6764, The "account" is an App Registration. I'm connecting to MgGraph via a clientID and certificate. Are you saying I have to assign a license to an App Registration?! I'm not even sure how to look that up, and there doesn't appear to be anything in the Entra Licenses page that suggests that an App can have a license assigned. Hence my confusion about the error message. |
Well not the application specifically. However I think at least one user will need to have a P2. It's failing on Privileged Identity Management which requires a P2 license to use. That or just omit that part from the script. |
OK - I'll see about getting a P2 license - the part about the tenant having a license makes sense. |
Are you using the |
This sounds like a good idea for a PR to check for P2 license and provide error handling for this case. See also #61. |
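One way the error handling suggested above could look, as an added example that is not EntraExporter code: it pulls the Graph error code and request-id out of the error text that `Export-Entra` surfaces and maps the two codes reported in this thread to an action. The function name `Resolve-GraphExportError` and the action labels are assumptions made for illustration.

```powershell
# Added example. Function name and action labels are hypothetical,
# not part of EntraExporter or the Microsoft Graph SDK.
function Resolve-GraphExportError {
    param([Parameter(Mandatory)][string]$ErrorText)

    # The text is "GET <url> HTTP/1.1 400 ...headers... {json}". The
    # x-ms-ags-diagnostic header is JSON too, so match the error object itself.
    $code = $null
    if ($ErrorText -match '"error"\s*:\s*\{\s*"code"\s*:\s*"(?<code>[^"]+)"') {
        $code = $Matches['code']
    }
    # Lookbehind keeps "client-request-id" from matching; \s* tolerates wrapped lines.
    $requestId = $null
    if ($ErrorText -match '(?<![\w-])request-id:\s*(?<id>[0-9a-f-]{36})') {
        $requestId = $Matches['id']
    }

    if ($code -eq 'AadPremiumLicenseRequired') {
        $action = 'SkipPrivilegedAccess'
        $reason = 'Graph reports the tenant lacks Entra ID P2 / ID Governance.'
    } elseif ($code -eq 'InvalidFilter') {
        $action = 'ReportUpstream'
        $reason = 'Unresolved in this thread; quote the request-id when reporting.'
    } else {
        $action = 'Rethrow'
        $reason = 'No handled Graph error code found.'
    }
    [pscustomobject]@{ Code = $code; RequestId = $requestId; Action = $action; Reason = $reason }
}

# Constructed samples, abridged from the two responses quoted in this thread
# (request-id replaced with a placeholder).
$licenseError = @'
GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 400 Bad Request
request-id: 00000000-0000-0000-0000-000000000000
x-ms-ags-diagnostic: {"ServerInfo":{"Ring":"5"}}
{"error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license."}}
'@
$filterError = @'
GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 400 Bad Request
client-request-id: 00000000-0000-0000-0000-000000000000
{"error":{"code":"InvalidFilter","message":"The filter is invalid."}}
'@

$licenseError, $filterError, 'HTTP/1.1 404 Not Found' |
    ForEach-Object { Resolve-GraphExportError -ErrorText $_ } |
    Format-Table Code, Action, RequestId
```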
In my case, the error received is : {"error":{"code":"InvalidFilter","message":"The filter is invalid."}} |
@nextxpert did you resolve it on your part? Thanks |
Do we have any updates on this issue? |
nope |
I'm seeing something similar with a service principal, however I'm getting a 404 resource not found error. However, it's going to the same endpoint. Anybody figure anything else out around this error? |
Any update on this? |
maybe you could push here : microsoftgraph/msgraph-beta-sdk-dotnet#859 |
I tried to open up a ticket here, no answer... https://learn.microsoft.com/en-us/answers/questions/1757083/graph-microsoft-com-beta-privilegedaccess-azureres |
When running -All -CloudOnly, we see the following error occur:
##[debug] GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=fIO1247ezEmz1lviT8FLJQ
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 7c5e8fb4-6e4d-43e5-9819-448fd17aee46
client-request-id: 1e4a4c8c-93bf-4607-8fa4-832c89993e18
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0001E78A"}}
Date: Wed, 03 Jan 2024 13:27:11 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-01-03T13:27:11","request-id":"7c5e8fb4-6e4d-43e5-9819-448fd17aee46","client-request-id":"1e4a4c8c-93bf-4607-8fa4-832c89993e18"}}}