msgraph-sdk-powershell
When using in AzureChinaCloud environment, Find-MgGraphPermission changes MSGraph API endpoints from China to Global
Describe the bug
When using MSGraph PowerShell to call AzureChinaCloud MSGraph APIs, right after calling Find-MgGraphPermission, the subsequent MSGraph calls will target https://graph.microsoft.com instead of https://microsoftgraph.chinacloudapi.cn.
Expected behavior
After calling Find-MgGraphPermission, the subsequent MSGraph calls still target https://microsoftgraph.chinacloudapi.cn.
How to reproduce
- Connect to tenant in AzureChinaCloud: Connect-MgGraph -scopes ".default" -Environment China -TenantId $TenantID -AppId $ClientID -ContextScope Process
- Try any MSGraph call, it works: Get-MgApplication -Top 1 -Debug
- Run Find-MgGraphPermission "User.Read" -ExactMatch -PermissionType "Delegated" -Debug. In this step, you can see it's targeting https://graph.microsoft.com
- Then run Get-MgApplication -Top 1 -Debug again. It fails with 401 as this time it targets https://graph.microsoft.com.
SDK Version
2.19.0
Latest version known to work for scenario above?
v2.8.0 has the issue as well. Other versions not tested.
Known Workarounds
No workaround as of now.
Debug output
Find-MgGraphPermission "User.Read" -ExactMatch -PermissionType "Delegated" -Debug
DEBUG: GET /v1.0/servicePrincipals?$filter=appId%20eq%20'00000003-0000-0000-c000-000000000000' HTTP/1.1
HTTP: graph.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.2 Invoke-MgGraphRequest
DEBUG: GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId%20eq%20'00000003-0000-0000-c000-000000000000'
HTTP/2.0 401 Unauthorized
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 4d3ffd39-c3f6-480e-9425-3e4a98502772
client-request-id: 5a6d2536-ea72-4866-8f93-a41099b2f592
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF0000B1AB"}}
WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="xxxxxx"
Date: Fri, 14 Jun 2024 05:25:30 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"InvalidAuthenticationToken","message":"Signing key is invalid.","innerError":{"date":"2024-06-14T05:25:31","request-id":"4d3ffd39-c3f6-480e-9425-3e4a98502772","client-request-id":"5a6d2536-ea72-4866-8f93-a41099b2f592"}}}
PermissionType: Delegated
Id Consent Name Description
-- ------- ---- -----------
e1fe6dd8-ba31-4d61-89e7-88639da4683d User User.Read Allows you to sign in to the app with your organizational accou…
Configuration
Name Value
PSVersion 7.4.2
PSEdition Core
GitCommitId 7.4.2
OS Microsoft Windows 10.0.22631
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Other information
No response
@Ysuuuuuuuu thanks for reporting this issue. This is indeed a bug in the SDK, since calling the Find-MgGraphPermission command reinitializes the environment to its default Global environment, which points to https://graph.microsoft.com, instead of picking the environment that was initially set in the context.
As we work to resolve this issue, kindly use the Find-MgGraphCommand -Command <Your cmdlet> | Select-Object Permissions to get the permissions required. See screenshot below.
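The following PowerShell is an added example for this thread; it is not code from the issue reporter, the maintainer, or the SDK. It packages the two points made above: the Find-MgGraphCommand workaround for looking up required permissions, and a guard that compares the Environment reported by Get-MgContext before and after a call so that a session silently moved from China to Global (which the debug log shows ends in a 401 against graph.microsoft.com) is detected and reconnected rather than left pointing at the wrong cloud. Names assumed here: $TenantID and $ClientID are placeholders for your own AzureChinaCloud tenant and app IDs, and the two function names are the author's own.

```powershell
# Added example; not part of the issue or the msgraph-sdk-powershell project.
# Assumes Microsoft.Graph.Authentication is installed and $TenantID / $ClientID
# are placeholders you replace with your AzureChinaCloud tenant and app IDs.

function Get-RequiredGraphPermissions {
    # Workaround suggested in the thread: Find-MgGraphCommand reports the
    # permissions a cmdlet needs without touching the connection environment.
    param([Parameter(Mandatory)][string]$Command)
    Find-MgGraphCommand -Command $Command | Select-Object -ExpandProperty Permissions
}

function Invoke-WithEnvironmentGuard {
    # Runs $ScriptBlock, then checks whether the Graph environment in the
    # current context changed. If it did, the caller-supplied $Reconnect block
    # restores the original session so later calls do not go to the wrong cloud.
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [Parameter(Mandatory)][scriptblock]$Reconnect
    )
    $before = Get-MgContext
    if (-not $before) { throw "Not connected; run Connect-MgGraph first." }
    try {
        & $ScriptBlock
    }
    finally {
        $after = Get-MgContext
        if (-not $after -or $after.Environment -ne $before.Environment) {
            Write-Warning ("Graph environment changed from '{0}' to '{1}'; reconnecting." -f `
                $before.Environment, $after.Environment)
            Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
            & $Reconnect
            $restored = Get-MgContext
            if ($restored.Environment -ne $before.Environment) {
                throw "Failed to restore environment '$($before.Environment)'."
            }
        }
    }
}

# Usage: connect to the China cloud exactly as in the bug report, wrap the
# cmdlet that resets the environment, and supply the same connection as the
# recovery action. Find-MgGraphCommand is used for the permission lookup itself.
$connect = {
    Connect-MgGraph -Scopes ".default" -Environment China -TenantId $TenantID `
        -ClientId $ClientID -ContextScope Process -NoWelcome
}
& $connect

Invoke-WithEnvironmentGuard -Reconnect $connect -ScriptBlock {
    Find-MgGraphPermission "User.Read" -ExactMatch -PermissionType Delegated
}

# After the guard, Get-MgContext still reports Environment = China, so this
# call goes to microsoftgraph.chinacloudapi.cn rather than graph.microsoft.com.
Get-MgApplication -Top 1

# Permission lookup that does not reset the environment at all:
Get-RequiredGraphPermissions -Command 'Get-MgApplication' | Format-Table -AutoSize
```

The guard is a stopgap until the SDK fix lands: it reacts after the environment has already been reset, so the one call inside the script block may still have gone to the Global endpoint (as the 401 in the debug output shows). Preferring Find-MgGraphCommand for permission lookups avoids the reset entirely.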