
Permissions for Azure Service Principal vs. Workload Federation Identity

Open bendingunit opened this issue 1 year ago • 2 comments

Hi, unfortunately, I'm having issues running the Entra-Export with a Workload Federation Identity instead of an Azure Service Principal, which I used before, but recently tried to replace. The API permissions for the corresponding app registration have been set up exactly the same way as previously for the Service Principal, but it seems that there is a slight difference. The job always stops at a certain point:

```
14:09 (UTC) Creating Azure config backup
Organization/Organization.json
Organization/Branding/Localizations.json
Organization/CertificateBasedAuthConfiguration.json
Directory/OnPremisesSynchronization.json
Export-Entra: /home/vsts/work/_temp/ea701ba8-b502-46bd-98bb-3c04bb0ca7ea.ps1:36
Line |
  36 |  Export-Entra "$root\prod-backup" -All -CloudUsersAndGroupsOnly
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/***
     | HTTP/2.0 403 Forbidden
     | Cache-Control: no-cache
     | Vary: Accept-Encoding
     | Strict-Transport-Security: max-age=31536000
     | request-id: 160fe4ea-30e4-4f4f-9232-97b5200d358e
     | client-request-id: ff85ec41-26c0-4bf5-a309-9e25a5e9c4b5
     | x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"France Central","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"PA2PEPF00012B92"}}
     | x-ms-resource-unit: 1
     | Date: Tue, 22 Oct 2024 14:09:54 GMT
     | Content-Type: application/json
     | Content-Encoding: gzip
     | {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-10-22T14:09:54","request-id":"160fe4ea-30e4-4f4f-9232-97b5200d358e","client-request-id":"ff85ec41-26c0-4bf5-a309-9e25a5e9c4b5"}}}

##[error]PowerShell exited with code '1'.
##[error]PowerShell wrote one or more lines to the standard error stream.
##[error]Export-Entra: /home/vsts/work/_temp/ea701ba8-b502-46bd-98bb-3c04bb0ca7ea.ps1:36 Line | 36 | Export-Entra "$root\prod-backup" -All -CloudUsersAndGroupsOnly | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | GET | https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/*** HTTP/2.0 403 Forbidden Cache-Control: no-cache Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id: 160fe4ea-30e4-4f4f-9232-97b5200d358e client-request-id: ff85ec41-26c0-4bf5-a309-9e25a5e9c4b5 x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"France Central","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"PA2PEPF00012B92"}} x-ms-resource-unit: 1 Date: Tue, 22 Oct 2024 14:09:54 GMT Content-Type: application/json Content-Encoding: gzip {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-10-22T14:09:54","request-id":"160fe4ea-30e4-4f4f-9232-97b5200d358e","client-request-id":"ff85ec41-26c0-4bf5-a309-9e25a5e9c4b5"}}}
```

The next entry to be backed up, which I looked up from a previously successful EntraExporter run, would be "Domains". However, the application is already permitted to read all Domains:

Image

What could be the cause of this?

EDIT: using Graph Explorer, I found that the request for graph.microsoft.com/v1.0/directory/onPremis.. also requires the permission "OnPremDirectorySynchronization.Read.All".

However, after granting that API permission it still spits out exactly the same error :-/

bendingunit, Oct 22 '24 14:10

Does your export take more than one hour to run? There is a limitation with Workload Identity Federation where it can renew the access token after the initial one hour.

If you still need it to run with WIF, then you might want to split out the calls to the different components and run them separately.

merill, Oct 29 '24 18:10
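The two diagnostics raised in this thread (the 403 `Authorization_RequestDenied` despite `OnPremDirectorySynchronization.Read.All` being granted, and the one-hour WIF token lifetime) can both be checked by inspecting the access token the pipeline actually obtained. Entra issues application permissions in the token's `roles` claim and delegated permissions in `scp`, so a token that carries `scp` instead of `roles`, or whose `appid` is not the app registration the permissions were granted on, explains a 403 even when the portal shows the grant. The following is an added example, not code from EntraExporter or from anyone in the thread; the token, client id and expiry are constructed placeholders, and the decoder deliberately does not verify the signature because it is meant for local inspection of a token you already hold, not for authorization decisions.

```python
import base64
import json
import time

# Application permissions the thread identifies as needed for the failing
# Graph call and the next export step (Domains).
REQUIRED_ROLES = {"OnPremDirectorySynchronization.Read.All", "Domain.Read.All"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # Payload only; the signature is NOT verified (inspection, not authorization).
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_graph_token(token: str, required=REQUIRED_ROLES, now=None) -> dict:
    # Summarise what Graph will see: which app the token is for, whether it is an
    # app-only token (roles) or delegated (scp), which required roles are absent,
    # and how much lifetime remains (WIF tokens are typically valid for one hour).
    claims = decode_claims(token)
    now = time.time() if now is None else now
    granted = set(claims.get("roles", []))
    return {
        "appid": claims.get("appid"),
        "audience": claims.get("aud"),
        "app_only": "roles" in claims and "scp" not in claims,
        "missing_roles": sorted(required - granted),
        "seconds_left": int(claims.get("exp", 0) - now),
    }

def _make_token(claims: dict) -> str:
    # Constructed, unsigned sample token for demonstration (not a real Entra token).
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed sample: an app-only token that has Domain.Read.All but not the
# OnPremDirectorySynchronization.Read.All role the failing request needs.
SAMPLE_TOKEN = _make_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    "roles": ["Domain.Read.All", "Organization.Read.All"],
    "exp": 1729605600,  # constructed expiry, one hour after the sample "now"
})

if __name__ == "__main__":
    print(json.dumps(check_graph_token(SAMPLE_TOKEN, now=1729602000), indent=2))
```

Run it against the real token by pasting the value the pipeline's service connection hands to the script; an empty `missing_roles` list together with `app_only` being true means the 403 is not a consent problem on that app registration.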

The export stops after less than a minute, so a timeout is probably not the culprit. For the time being, I've switched back to using a Service Principal with an application secret. Funny thing is that I recycled the Entra app registration for that purpose, which was previously created for the WIF. I didn't change any of the assigned API permissions given to the app, and it completes flawlessly.

PTippner, Oct 29 '24 19:10