msgraph-sdk-powershell
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest Not returning correct results
### Describe the bug
I used to have a script that would search for eligibility requests using Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest. Today it stopped working, and it has some odd results. I suspect it's on the API side.
Some results aren't returned. For instance, I know I have eligible assignments for a particular group, since I see them in the Azure Portal, but filtering by groupId returns nothing. Filtering only on status eq 'Provisioned', I can see some results there, but not all records that should be there are returned.
Filtering by only principalId throws an error for some reason, so I can't check that way.
Since my script assumes that the policy assignment doesn't exist, it attempts to create it, and the request returns with "Role assignment already exists."
These groups and policies have been around for months at this point, so I'm not sure what changed to cause this behavior, but it's critical for our release process and we don't have a solution that would be reliable.
Verification that eligibility request exists:
```powershell
$filter = "groupId eq 'ece6de44-7ed6-4358-a67f-661c46e6ed88'"
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -Filter $filter
# Returns no results, but from the above picture, you can see there should be results
# Pick another group in the list
$filter2 = "groupId eq '584ad8b1-335a-4b5b-8cd1-06799460c920'"
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -Filter $filter2
# This one returns results for some reason
```
Results:
Version info:
```text
ModuleType Version Name ExportedCommands
Script 2.12.0 Microsoft.Graph.Authentication {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext...}
Script 2.12.0 Microsoft.Graph.Groups {Add-MgGroupDriveListContentTypeCopy, Add-MgGroupDriveListContentTypeCopyFromContentTypeHub, Add-MgGroupFavorite, Add-M...
Script 2.12.0 Microsoft.Graph.Identity.Governance {Add-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision, Get-MgAgreement, Get-MgAgreementAcceptance, Get-MgAgre...
Script 2.12.0 Microsoft.Graph.Identity.SignIns {Confirm-MgRiskyServicePrincipalCompromised, Confirm-MgRiskyUserCompromised, Get-MgDataPolicyOperation, Get-MgDataPolic...
```
### Expected behavior
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest should return the correct results.
### How to reproduce
I'm not exactly sure how to reproduce it. I can see the policy assignment in the portal along with the other policy assignments, but some are not returned by the cmdlet and throw an error when trying to create them.
### SDK Version
2.12.0
### Latest version known to work for scenario above?
No response
### Known Workarounds
No response
### Debug output
```text
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -Filter $filter -Debug
DEBUG: [CmdletBeginProcessing]: - Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest begin processing with parameterSet 'List'.
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): a
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.All, Directory.AccessAsUser.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All,
GroupMember.ReadWrite.All, Mail.Send, Mail.Send.Shared, openid, PrivilegedAccess.Read.AzureADGroup, PrivilegedAccess.ReadWrite.AzureADGroup,
PrivilegedEligibilitySchedule.Read.AzureADGroup, PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup, profile, RoleManagement.ReadWrite.Directory,
RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup, User.Read, User.Read.All, User.ReadWrite.All, email].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests?$filter=principalId eq '408ef5c0-7e92-490b-acfe-06e575177856' and status eq
'Provisioned'
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-US),PowerShell/5.1.22621.2506
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.12.0
client-request-id : 7d3047ed-b236-47a0-a31f-16f3911cbcda
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 41c0b5a5-d7ca-4180-8436-0f78d67aa578
client-request-id : 7d3047ed-b236-47a0-a31f-16f3911cbcda
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL6PEPF0002399A"}}
Date : Wed, 05 Jun 2024 15:29:05 GMT
Body:
{
"error": {
"code": "UnauthorizedAccessException",
"message": "Attempted to perform an unauthorized operation.",
"innerError": {
"date": "2024-06-05T15:29:06",
"request-id": "41c0b5a5-d7ca-4180-8436-0f78d67aa578",
"client-request-id": "7d3047ed-b236-47a0-a31f-16f3911cbcda"
}
}
}
Confirm
Attempted to perform an unauthorized operation.
Status: 403 (Forbidden)
ErrorCode: UnauthorizedAccessException
Date: 2024-06-05T15:29:06
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 41c0b5a5-d7ca-4180-8436-0f78d67aa578
client-request-id : 7d3047ed-b236-47a0-a31f-16f3911cbcda
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL6PEPF0002399A"}}
Date : Wed, 05 Jun 2024 15:29:05 GMT
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): a
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest : Attempted to perform an unauthorized operation.
Status: 403 (Forbidden)
ErrorCode: UnauthorizedAccessException
Date: 2024-06-05T15:29:06
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 41c0b5a5-d7ca-4180-8436-0f78d67aa578
client-request-id : 7d3047ed-b236-47a0-a31f-16f3911cbcda
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL6PEPF0002399A"}}
Date : Wed, 05 Jun 2024 15:29:05 GMT
At line:1 char:1
+ Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleReque ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ Top = , Skip ...ndProperty = }:<>f__AnonymousType24`8) [Get-MgIdentityG...uleRequest_List], Exception
+ FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Graph.PowerShell.Cmdlets.GetMgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest_List
DEBUG: [CmdletEndProcessing]: - Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest end processing.
```
### Configuration
```text
Name Value
---- -----
PSVersion 5.1.22621.2506
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.2506
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
```
### Other information
_No response_
Is there any update with this? Still noticing that it's impossible to get all the results back.
Calling the cmdlet with no arguments returns nothing. The only thing filterable seems to be status eq 'Provisioned'. There's also no way to find out the different status values. I see in the UI it shows 'Eligible', but trying to filter by this throws an error saying it's an invalid status.
Page Sizes and -All do absolutely nothing. -All actually returns fewer results than status eq 'Provisioned'.
Being able to export the PIM eligibility list is important for auditing and compliance.
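An added example, not code from the issue or from the msgraph-sdk-powershell project, showing one way to export a group's eligibility schedule requests for an audit: it checks the session's scopes first, then pages the Graph endpoint from the debug log directly with Invoke-MgGraphRequest, following `@odata.nextLink` itself and filtering on groupId client-side. It assumes an existing Connect-MgGraph session; `$GroupId` is a placeholder, and the property names selected are those of the v1.0 eligibilityScheduleRequest resource.

```powershell
# Export PIM-for-Groups eligibility schedule requests for one group (added example).
# Assumes Connect-MgGraph has already been run; $GroupId is a placeholder value.
param(
    [string]$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your group id
)

# 1. Fail early if the session lacks a scope that can read group eligibility schedules
#    (the 403 in the debug log above is what this check is meant to surface up front).
$ctx = Get-MgContext
$readScopes = 'PrivilegedEligibilitySchedule.Read.AzureADGroup',
              'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'
if (-not ($ctx.Scopes | Where-Object { $readScopes -contains $_ })) {
    throw "Session is missing one of: $($readScopes -join ', '). Re-run Connect-MgGraph -Scopes with one of them."
}

# 2. Page through every eligibility schedule request, following @odata.nextLink ourselves
#    instead of relying on the cmdlet's -All / -PageSize handling.
$uri = 'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests'
$all = [System.Collections.Generic.List[object]]::new()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($item in $page.value) { $all.Add($item) }
    $uri = $page.'@odata.nextLink'
}

# 3. Filter client-side so the export does not depend on server-side $filter support for groupId.
$forGroup = @($all | Where-Object { $_.groupId -eq $GroupId })
$forGroup |
    Select-Object id, principalId, groupId, accessId, action, status, createdDateTime |
    Export-Csv -Path ".\pim-group-eligibility-$GroupId.csv" -NoTypeInformation

"Total requests retrieved: $($all.Count); for group ${GroupId}: $($forGroup.Count)"
```

Because the filter is applied after paging, a group that the server-side `groupId` filter omits still shows up if its requests are present in the unfiltered listing, which makes the two counts a quick consistency check against the portal.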