EntraExporter

Export of 'privilegedAccess/azureResources/resources' fails: 400 Bad Request

Open nextxpert opened this issue 1 year ago • 16 comments

When running -All -CloudOnly, we see the following error occur:

##[debug] GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=fIO1247ezEmz1lviT8FLJQ
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 7c5e8fb4-6e4d-43e5-9819-448fd17aee46
client-request-id: 1e4a4c8c-93bf-4607-8fa4-832c89993e18
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0001E78A"}}
Date: Wed, 03 Jan 2024 13:27:11 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-01-03T13:27:11","request-id":"7c5e8fb4-6e4d-43e5-9819-448fd17aee46","client-request-id":"1e4a4c8c-93bf-4607-8fa4-832c89993e18"}}}

nextxpert avatar Jan 03 '24 13:01 nextxpert

I'm also getting the same error in powershell 7 and Azure DevOps Pipeline. PowerShell 7.4.0 EntraExporter 2.0.7 Microsoft.Graph.Authentication 2.9.1

Command: Export-Entra "$root\$BACKUP_FOLDER" -All -CloudUsersAndGroupsOnly

Output:

PrivilegedAccess/AzureResources/Resources
Export-Entra: GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=<REMOVED>
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: <REMOVED>
client-request-id: <REMOVED>
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"<REMOVED>","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"<REMOVED>"}}
Date: Thu, 04 Jan 2024 22:11:48 GMT
Content-Type: application/json
Content-Encoding: gzip

{"error":{"code":"InvalidFilter","message":"The  filter is invalid.","innerError":{"date":"2024-01-04T22:11:49","request-id":"<REMOVED>","client-request-id":"<REMOVED>"}}}

richardgarciajr avatar Jan 04 '24 22:01 richardgarciajr

I'm afraid I'm getting a very similar error. PowerShell 5 EntraExporter 2.0.7 Microsoft.Graph.Authentication 2.15.0

I have successfully run the following as an interactive user with Global Admin privilege:

Export-Entra -Path $outFile -All

But my Jenkins-powered Azure Application (without any assigned Azure Roles mind you) is getting the following fail when it tries to export at or after "PrivilegedAccess/AzureResources/Resources"

Export-Entra : GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: cdc3f015-61e0-4e50-9107-18dddb23b797
client-request-id: 7643a684-89fd-45cc-83df-6e320f608936
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Australia East","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SY3PEPF00009BFC"}}
Cache-Control: private
Date: Wed, 06 Mar 2024 07:36:44 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license.","innerError":{"date":"2024-03-06T07:36:45","request-id":"cdc3f015-61e0-4e50-9107-18dddb23b797","client-request-id":"7643a684-89fd-45cc-83df-6e320f608936"}}}

I'm hesitant to allocate a Global Admin role to the application...... but not sure how to proceed. Suggestions would be very welcome!

mrusso-virtos avatar Mar 06 '24 07:03 mrusso-virtos

Hello, I think your issue is buried in your error message? "error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license." It looks like the account doing the data retrieval will need an Entra P2 license to get said data.


tld6764 avatar Mar 06 '24 13:03 tld6764

Hello tld6764,

The "account" is an App Registration. I'm connecting to MgGraph via a clientID and certificate. Are you saying I have to assign a license to an App Registration?! I'm not even sure how to look that up, and there doesn't appear to be anything in the Entra Licenses page that suggests that an App can have a license assigned. Hence my confusion about the error message.

mrusso-virtos avatar Mar 06 '24 23:03 mrusso-virtos

Well, not the application specifically. However, I think at least one user will need to have a P2. It's failing on Privileged Identity Management, which requires a P2 license to use. That, or just omit that part from the script.

tld6764 avatar Mar 07 '24 02:03 tld6764

OK - I'll see about getting a P2 license - the part about the tenant having a license makes sense. What is odd is that my other Global Admin account, in the same tenant, without a P2 license, can run the entire (-All) export without a problem, albeit interactively.

mrusso-virtos avatar Mar 07 '24 02:03 mrusso-virtos

When running -All -CloudOnly, we see the following error occur:

Are you using the -CloudUsersAndGroupsOnly parameter? I don't believe there is a -CloudOnly one.

SamErde avatar May 31 '24 13:05 SamErde

Well not the application specifically. However I think at least one user will need to have a P2. Its failing on Privileged Identity Management which requires a P2 license to use. That or just omit that part from the script.

This sounds like a good idea for a PR to check for P2 license and provide error handling for this case. See also #61.

SamErde avatar May 31 '24 13:05 SamErde

In my case, the error received is :

{"error":{"code":"InvalidFilter","message":"The filter is invalid."}}

milapointe avatar Jun 20 '24 18:06 milapointe

I'm using: Export-Entra -Path $ExportLocation -All

My problem was resolved the moment I added a P2 license to my tenant. I did not need to adjust permissions or assign the P2 license to either the application or a service account.

Thank you.

mrusso-virtos avatar Jun 20 '24 23:06 mrusso-virtos


Yeah I understood afterward that it was not the same mistake as me. We do have P2 licence in the tenant.

My problem is the same as OP.

milapointe avatar Jun 21 '24 00:06 milapointe

@nextxpert did you resolve it on your part?

Thanks

milapointe avatar Jun 21 '24 11:06 milapointe

I was able to reproduce it manually.

The first Invoke-MgGraphRequest is working great, but as soon as it gets inside the loop, it fails with a 400 Bad Request error.

I continue to search why...

milapointe avatar Jun 25 '24 19:06 milapointe

I think I got it. $skiptoken is not handled by the endpoint.

When you see my first example that was working (the first Invoke-MgGraphRequest is working great), it was stripping this:

https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=vY7z1EU*[ABC]*mQ

to this:

https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?=vY7z1EU*[ABC]mQ&$skiptoken=[REMOVED]*

When I tried again only the request with single quotes instead of double quotes, I get the same 400 error. So, the endpoint doesn't support $skiptoken and takes it as a filter (which it is not!)

I will see where to open an issue on this...

milapointe avatar Jun 25 '24 20:06 milapointe
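
The two failure modes discussed in this thread (the 400 AadPremiumLicenseRequired on tenants without P2, and the 400 InvalidFilter that appears once the paging loop builds its own $skiptoken URL) can both be handled defensively. The following is an added example written for this page; it is not EntraExporter's own code and does not reproduce the project's loop. It assumes Microsoft.Graph.Authentication is installed and a Connect-MgGraph session with suitable read permissions is already open. Invoke-MgGraphRequest, its -OutputType PSObject switch, the v1.0 subscribedSkus endpoint, the AAD_PREMIUM_P2 service plan name and the @odata.nextLink paging property are real; the function names are this example's own. The license check only recognises the P2 service plan, so a tenant licensed purely through Entra ID Governance is not detected by it (that case is left as a known gap rather than guessed at).

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not EntraExporter's code). Pages a Graph beta collection by
# following the server-issued @odata.nextLink verbatim, checks for the P2
# service plan up front (SamErde's PR idea), and turns the two 400 responses
# seen in this issue into a logged skip instead of an aborted export.

function Test-EntraP2ServicePlan {
    # $true when any subscribed SKU carries the AAD_PREMIUM_P2 service plan
    # (standalone P2 or a bundle that includes it). Governance-only tenants
    # are NOT detected by this check (assumption / known gap).
    $skus = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/subscribedSkus' -OutputType PSObject
    foreach ($sku in $skus.value) {
        foreach ($plan in $sku.servicePlans) {
            if ($plan.servicePlanName -eq 'AAD_PREMIUM_P2' -and
                $plan.provisioningStatus -eq 'Success') {
                return $true
            }
        }
    }
    return $false
}

function Get-GraphCollection {
    param(
        # Pass the URI in SINGLE quotes so PowerShell never expands "$skiptoken".
        [Parameter(Mandatory)] [string] $Uri,
        [int] $MaxPages = 100   # guard against a nextLink chain that never ends
    )
    $items = [System.Collections.Generic.List[object]]::new()
    $next  = $Uri
    $page  = 0
    while ($next -and $page -lt $MaxPages) {
        $page++
        $resp = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject
        if ($resp.value) { $items.AddRange([object[]]$resp.value) }
        # Follow the link the service handed back, unchanged: it already carries
        # whatever paging parameter this endpoint accepts. Building the URL by
        # hand is what produced the mangled "?=...&$skiptoken=" request above.
        $next = $resp.'@odata.nextLink'
    }
    return $items
}

function Export-GraphCollectionSafely {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $OutputDirectory
    )
    try {
        $items = Get-GraphCollection -Uri $Uri
        $file  = Join-Path $OutputDirectory "$Name.json"
        ConvertTo-Json -InputObject $items.ToArray() -Depth 20 |
            Set-Content -Path $file -Encoding utf8
        Write-Host "$Name : exported $($items.Count) item(s) to $file"
    }
    catch {
        # Invoke-MgGraphRequest puts the status line and JSON body in the
        # exception message (as the Export-Entra output above shows), so the
        # Graph error code can be matched on directly.
        $msg = $_.Exception.Message
        switch -Regex ($msg) {
            'AadPremiumLicenseRequired' {
                Write-Warning "$Name : skipped, tenant lacks Entra ID P2 / Governance (PIM endpoint)"
            }
            'InvalidFilter' {
                Write-Warning "$Name : skipped, endpoint rejected the paging query (400 InvalidFilter)"
            }
            default { throw }   # anything unexpected still fails the export
        }
    }
}

# Usage (after Connect-MgGraph, e.g. with -ClientId/-TenantId/-CertificateThumbprint):
if (-not (Test-EntraP2ServicePlan)) {
    Write-Warning 'No AAD_PREMIUM_P2 service plan found; PIM collections will likely be skipped'
}
Export-GraphCollectionSafely -Name 'PrivilegedAccess_AzureResources_Resources' `
    -Uri 'https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources' `
    -OutputDirectory '.\export'
```

The design choice worth copying into a backup or audit pipeline is the separation of "this collection is unavailable for a known, benign reason" (no license, unsupported paging) from "something unexpected went wrong": the former is logged and the run continues, the latter still fails loudly so a partial export is never mistaken for a complete one.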

Do we have any updates on this issue?

nixtaz avatar Aug 05 '24 23:08 nixtaz

Do we have any updates on this issue?

nope

milapointe avatar Aug 05 '24 23:08 milapointe