
Get-MgBetaSecurityAuditLogQueryRecord

Open Maxiz80 opened this issue 1 year ago • 10 comments

It seems to be a string formatting error, since it's missing the } that closes the object

Following the script that I use:

$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AppID, (ConvertTo-SecureString -String $AppSecret -AsPlainText -Force)
Connect-MgGraph -ClientSecretCredential $ClientSecretCredential -TenantId $TID -ErrorAction Stop

New-MgBetaSecurityAuditLogQuery -FilterStartDateTime "2024-03-25 00:00" -FilterEndDateTime "2024-03-29 23:59" -DisplayName "activities"

PS C:\Users\Skype4bsched> Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId QueryID -All -Debug
DEBUG: [CmdletBeginProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientSecret', ContextScope: 'Process', AppName: 'GOSP-UCC-Reporting'.
DEBUG: [Authentication]: - Scopes: [...AuditLogsQuery.Read.All, AuditLog.Read.All, ...].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.17.0
client-request-id             : ClientID

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 49dd6246-10aa-4a4f-ba47-e2820c958696
client-request-id             : ClientID
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Fri, 12 Apr 2024 08:34:30 GMT

Body: { "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('QueryID')/records", "@odata.count": 150, "@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAwOGE5ZTQtYTgzOC00NjcxLTI3OTgtMDhkYzRkOGNiYTY1", "value": [...] }

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAwOGE5ZTQtYTgzOC00NjcxLTI3OTgtMDhkYzRkOGNiYTY1

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.17.0,
client-request-id             : 25806d5f-7bdd-4a3d-ac0b-c0496b2cd5e5
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 95a34a58-4332-493c-820d-0692c61ce6b6
client-request-id             : 25806d5f-7bdd-4a3d-ac0b-c0496b2cd5e5
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Fri, 12 Apr 2024 08:34:32 GMT

Body: { "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('QueryID')/records", "@odata.count": 150, "@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAxMGYwNDAtYmM5Mi00YzZmLTZlZTYtMDhkYzRjYTE3ODA2", "value": [...] }

Id AdministrativeUnits AuditLogRecordType ClientIP CreatedDateTime ObjectId


DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAxMGYwNDAtYmM5Mi00YzZmLTZlZTYtMDhkYzRjYTE3ODA2

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.17.0,
client-request-id             : 0ed353da-584c-4760-b8be-d5aa082b1c47
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : edb7916f-f77e-451b-b610-bf02b4851563
client-request-id             : 0ed353da-584c-4760-b8be-d5aa082b1c47
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Fri, 12 Apr 2024 08:34:34 GMT

Body: { "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('QueryID')/records", "@odata.count": 150, "@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAxOTcwNzEtMWMxYy00NWNkLWQzZjktMDhkYzRlMzkyMGRi", "value": [...] }

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAxOTcwNzEtMWMxYy00NWNkLWQzZjktMDhkYzRlMzkyMGRi

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.17.0,
client-request-id             : 5e3b79cc-e9de-4de9-8676-0f7ddca8f5e2
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 8ba8f3e4-9459-4777-b506-5d1152fceeca
client-request-id             : 5e3b79cc-e9de-4de9-8676-0f7ddca8f5e2
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Fri, 12 Apr 2024 08:34:35 GMT

Body: { "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('QueryID')/records", "@odata.count": 150, "@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAyMWRkNzgtN2ZiYi00ZWI2LWYxZTYtMDhkYzRlNTBiZjVh", "value": [...] }

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=1!4!MA--%2f1!48!MDAyMWRkNzgtN2ZiYi00ZWI2LWYxZTYtMDhkYzRlNTBiZjVh

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.17.0,
client-request-id             : 917fecde-2343-4130-add3-db179e2392fd
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; it-IT),PowerShell/5.1.17763.5696

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : a91c3698-df25-4b46-a0e9-2e3aa996b628
client-request-id             : 917fecde-2343-4130-add3-db179e2392fd
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"MI2PEPF000002CD"}}
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Fri, 12 Apr 2024 08:34:37 GMT

Body:
{...,
{"id":"002aae90-f402-c84e-6212-2a14a29e4f36",
"createdDateTime":"2024-03-27T13:04:31Z",
"auditLogRecordType":"Yammer",
"operation":"FileVisited",
"organizationId":"",
"userType":"Regular",
"userId":"",
"service":"Yammer",
"objectId":".jpg",
"userPrincipalName":"",
"clientIp":null,
"administrativeUnits":[""]
{"error": {"code":"UnknownError", "message":"Unexpected Jsontoken. Check response for property value[141].auditData.ActorYammerUserId", "innerError":{"date":"2024-04-12T08:44:40", "request-id":"e6e1bd2f-3476-453d-903f-945dda906c28", "client-request-id":"3d8b7b60-2d19-416e-9e0e-0d973fea9101" } } }

}

DEBUG: [CmdletException]: Received exception with message 'ParserException - Expected String while reading Expected field name). Was LeftBrace: {. :
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.TokenReader.Ensure(TokenKind kind, String readerName)
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadArray()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadFieldValue()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadField()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadNode()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode.Parse(SourceReader sourceReader)
   at Microsoft.Graph.Beta.PowerShell.Security.<>c.<SecurityAuditLogQueryListRecord_Call>b__375_0(Task`1 body)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.<on2Xx>d__94.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.<on2Xx>d__94.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord_Call>d__375.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.Beta.PowerShell.Security.<SecurityAuditLogQueryListRecord>d__373.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.<ProcessRecordAsync>d__92.MoveNext()'
Get-MgBetaSecurityAuditLogQueryRecord : Expected String while reading Expected field name). Was LeftBrace: {.
At line:1 char:1
+ Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId ****- ...
    + CategoryInfo          : NotSpecified: (:) [Get-MgBetaSecur...ueryRecord_List], ParserException
    + FullyQualifiedErrorId : Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List

DEBUG: [CmdletEndProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord end processing.

Module Version

Get-Module Microsoft.Graph*

ModuleType Version Name                           ExportedCommands
---------- ------- ----                           ----------------
Script     2.17.0  Microsoft.Graph.Authentication {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext...}
Script     2.17.0  Microsoft.Graph.Beta.Security  {Add-MgBetaSecurityCaseEdiscoveryCaseCustodianHold, Add-MgBetaSecurityCaseEdiscoveryCaseNoncustodialDataSourceHold, Add-MgBetaSecurityCaseEdiscoveryCaseReviewSetQueryTag, Add-MgBetaSecurityCaseEdi...
Script     2.17.0  Microsoft.Graph.Users          {Get-MgUser, Get-MgUserCount, Get-MgUserCreatedObject, Get-MgUserCreatedObjectAsServicePrincipal...}

Environment Data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17763.5696
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.5696
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Maxiz80 avatar Apr 12 '24 08:04 Maxiz80

Hi,

For your information, I'm getting the exact same error.

@timayabi2020 did you have any time to investigate ?

Thanks a lot in advance :)

EmilienCourt avatar Jun 14 '24 08:06 EmilienCourt

@Maxiz80 @EmilienCourt I couldn't replicate the issue because I get a success whenever I try out the command.

Maybe you can share an audit log query payload which you suspect is causing the issue so that I create it on my end, retrieve its record and see whether I'll get the error.

timayabi2020 avatar Jul 01 '24 09:07 timayabi2020

@timayabi2020 Thanks for trying it out ! As it turns out, the issue only appears with some specific events (it is difficult to find which one, as the -Skip option of the cmdlet does not work).

I tested it again on a production tenant (~30k users), without any filter (except for startDate (-> 2 days ago) and endDate (-> today)), and here is the log:

The status of the request is succeeded

$(Get-MgBetaSecurityAuditLogQuery -AuditLogQueryId $auditLogQueryId).status 
succeeded

But when I try to get the results ...

Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $auditLogQueryId -Debug -Verbose
DEBUG: [CmdletBeginProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: '<REDACTED>'.
DEBUG: [Authentication]: - Scopes: [AuditLogsQuery.Read.All, AuditLog.Read.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Linux; Ubuntu 22.04.4 LTS; en-US),PowerShell/7.4.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.19.0
client-request-id             : <REDACTED>

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : <REDACTED>
client-request-id             : <REDACTED>
x-ms-ags-diagnostic           : <REDACTED>
odata-version                 : 4.0
Date                          : Mon, 01 Jul 2024 12:18:27 GM

Body:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('<REDACTED>')/records",
  "@odata.count": 150,
  "@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records?$skiptoken=<REDACTED>",
  "value": [
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {
      "id": "<REDACTED>",
      "createdDateTime": "2024-07-01T11:47:43Z",
      "auditLogRecordType": "Yammer",
      "operation": "FileVisited",
      "organizationId": "<REDACTED>",
      "userType": "Regular",
      "userId": "<REDACTED>",
      "service": "Yammer",
      "objectId": "<REDACTED>",
      "userPrincipalName": "<REDACTED>",
      "clientIp": null,
      "administrativeUnits":[""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[12].auditData.FileId","innerError":{"date":"2024-07-01T12:18:28","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}


DEBUG: [CmdletException]: Received exception with message 'ParserException - Expected String while reading Expected field name). Was LeftBrace: {. :    at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadArray()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode.Parse(SourceReader sourceReader)
   at Microsoft.Graph.Beta.PowerShell.Security.<>c.<SecurityAuditLogQueryListRecord_Call>b__375_0(Task`1 body)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.on2Xx(HttpResponseMessage responseMessage, Task`1 response)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord(String auditLogQueryId, Nullable`1 Top, Nullable`1 Skip, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, IDictionary headers, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.ProcessRecordAsync()'
Get-MgBetaSecurityAuditLogQueryRecord_List: Expected String while reading Expected field name). Was LeftBrace: {.
DEBUG: [CmdletEndProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord end processing.

(I have beautified the JSON and <REDACTED> the first events, which are fine).

I went ahead and got the specific event which was crashing the Purview API, using Search-UnifiedAuditLog :

{
  "UserId": "<REDACTED>",
  "ActorYammerUserId": <REDACTED>,
  "ActorUserId": "<REDACTED>",
  "YammerNetworkId": <REDACTED>,
  "Version": 1,
  "Id": "<REDACTED>",
  "RecordType": 22,
  "CreationTime": "2024-07-01T11:47:43",
  "Operation": "FileVisited",
  "OrganizationId": "<REDACTED>",
  "UserType": 0,
  "UserKey": "<REDACTED>",
  "Workload": "Yammer",
  "ResultStatus": "TRUE",
  "ObjectId": "<REDACTED>",
  "ClientIP": "<REDACTED>",
  "Details": "",
  "FileId": 2121248555008,
  "FileName": "<REDACTED>",
  "VersionId": 2145063878656
}

So my guess is that the Purview backend did not like that event :)

EmilienCourt avatar Jul 01 '24 12:07 EmilienCourt

@EmilienCourt this was a strange one. If that is the case, then I would suggest that you also open an issue here so that the API owner can investigate further.

timayabi2020 avatar Jul 01 '24 16:07 timayabi2020

@timayabi2020 I'm in the process of opening a support ticket for that API, if that's what you meant by "open an issue". Please note that this API issue is reproducible in every production tenant and totally breaks (unfiltered) log collection using Purview.

In the meantime, would it be possible to fix the -Skip parameter of the Get-MgBetaSecurityAuditLogQueryRecord cmdlet ? This could be a way of manually "skipping" the problematic events.

Regards,

EmilienCourt avatar Jul 01 '24 16:07 EmilienCourt

@timayabi2020 another example :

{
  "id": "<REDACTED>",
  "createdDateTime": "2024-06-24T18:19:56Z",
  "auditLogRecordType": "SharePointFileOperation",
  "operation": "FileDownloaded",
  "organizationId": "<REDACTED>",
  "userType": "Regular",
  "userId": "<REDACTED>",
  "service": "OneDrive",
  "objectId": "<REDACTED>",
  "userPrincipalName": "<REDACTED>",
  "clientIp": null,
  "administrativeUnits": [""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[19].auditData.FileSizeBytes","innerError":{"date":"2024-07-04T08:47:09","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}

EmilienCourt avatar Jul 04 '24 08:07 EmilienCourt

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

I have the same problem, which appears randomly. In the meantime I manage to skip the error page by writing data to a file. The command gives malformed data in the file but I can extract the next URL.

# -OutputFilePath writes the raw (possibly malformed) body to disk instead of parsing it
Invoke-MgGraphRequest -Method Get -Uri $apiUrl -OutputFilePath $file
# Pull the next page URL out of the raw text; a regex behaves the same on Windows PowerShell 5.1 and PowerShell 7
$apiUrl = if ((Get-Content -Raw $file) -match '"@odata\.nextLink"\s*:\s*"([^"]+)"') { $Matches[1] }

So I lose data, but less than if I interrupt the whole process. The smaller the page size, the smaller the data lost. I also have to put "Start-Sleep 1" between downloads. Without sleep, sometimes Invoke-MgGraphRequest just hangs. So reducing the page size too much is also a problem because it creates very long download times.

The problem seems to be linked to big SharePoint file events, with this error message in the downloaded corrupted data: "Unexpected Jsontoken. Check response for property value[0].auditData.FileSizeBytes"

N1ckelange avatar Aug 10 '24 06:08 N1ckelange
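
Added example, not part of any comment above and not SDK code: one way to handle a page that the API cut off with the embedded `UnknownError` object shown in the logs, keeping the records that arrived complete and recording which `value[n]` entry was lost so the gap in the audit trail is known. It assumes the raw body was saved as in the workaround above; the function name `Repair-AuditLogPage`, its output properties and the sample body are hypothetical.

```powershell
# Added example; function, property names and sample data are hypothetical.
function Repair-AuditLogPage {
    param([Parameter(Mandatory)][string]$RawBody)

    $page = [ordered]@{ Truncated = $false; FailedIndex = $null; FailedProperty = $null; NextLink = $null; Records = @() }

    # In the bodies quoted in the thread, @odata.nextLink precedes "value", so it survives the cut.
    if ($RawBody -match '"@odata\.nextLink"\s*:\s*"([^"]+)"') { $page.NextLink = $Matches[1] }

    # A failed page has an error object appended directly after the unfinished record.
    # Assumption: this marker never occurs inside a legitimate record.
    $err = [regex]::Match($RawBody, '\{\s*"error"\s*:\s*\{\s*"code"')
    if (-not $err.Success) {
        $page.Records = @((ConvertFrom-Json -InputObject $RawBody).value)
        return [pscustomobject]$page
    }
    $page.Truncated = $true
    if ($RawBody -match 'property value\[(\d+)\]\.([\w.]+)') {
        $page.FailedIndex = [int]$Matches[1]
        $page.FailedProperty = $Matches[2]
    }

    # Walk the "value" array up to the error marker and keep only objects whose braces
    # balance. The cut-off record never closes, so it is left out.
    $start = [regex]::Match($RawBody, '"value"\s*:\s*\[')
    if (-not $start.Success) { return [pscustomobject]$page }
    $depth = 0; $inString = $false; $escaped = $false; $objStart = -1
    $records = New-Object System.Collections.Generic.List[object]
    for ($i = $start.Index + $start.Length; $i -lt $err.Index; $i++) {
        $c = $RawBody[$i]
        if ($inString) {
            # Braces inside string values (file names, URLs) must not change the depth.
            if ($escaped) { $escaped = $false }
            elseif ($c -eq '\') { $escaped = $true }
            elseif ($c -eq '"') { $inString = $false }
            continue
        }
        if ($c -eq '"') { $inString = $true }
        elseif ($c -eq '{') {
            if ($depth -eq 0) { $objStart = $i }
            $depth++
        }
        elseif ($c -eq '}') {
            $depth--
            if ($depth -eq 0) {
                $json = $RawBody.Substring($objStart, $i - $objStart + 1)
                $records.Add((ConvertFrom-Json -InputObject $json))
            }
        }
    }
    $page.Records = $records.ToArray()
    return [pscustomobject]$page
}

# Constructed sample modelled on the bodies quoted in the thread; every value is a placeholder.
$sample = '{"@odata.count":150,' +
    '"@odata.nextLink":"https://graph.microsoft.com/beta/security/auditLog/queries/QueryID/records?$skiptoken=PLACEHOLDER",' +
    '"value":[{"id":"a","operation":"FileVisited","auditData":{"FileName":"x{1}.jpg"}},' +
    '{"id":"b","operation":"FileVisited","clientIp":null,"administrativeUnits":[""]' +
    '{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[1].auditData.FileId"}}}'

$r = Repair-AuditLogPage -RawBody $sample
'{0} record(s) kept; value[{1}].{2} lost; resume at {3}' -f $r.Records.Count, $r.FailedIndex, $r.FailedProperty, $r.NextLink
```

Logging `FailedIndex` and `FailedProperty` for each truncated page gives a list of the events that still have to be retrieved another way, for example with `Search-UnifiedAuditLog` as done earlier in the thread.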