msgraph-sdk-powershell
Get-MgUserDefaultDrive returns 403 for recently created OneDrive users
Describe the bug
When leveraging the Get-MgUserDefaultDrive -UserId
While doing a tenant migration we wanted to leverage the Get-MgUserDefaultDrive -UserId to see if OneDrive preprovision had succeeded after calling Request-SPOPersonalSite -UserEmails
As a test I've used the API to call longer-lasting accounts with an @company extension as well as a @defaultdomain.onmicrosoft.com and only the recent accounts (provisioned yesterday) throw a 403.
Expected behavior
As a global admin I expect that I am able to leverage Get-MgUserDefaultDrive -UserId
How to reproduce
Recent users
- Execute Get-MgUserDefaultDrive -UserId with a recently provisioned account
- Execute the same user via graph explorer https://graph.microsoft.com/v1.0/users/ /drive
- API returns a 403
Other users
- Execute Get-MgUserDefaultDrive -UserId with an existing account
- Execute the same user via graph explorer https://graph.microsoft.com/v1.0/users/ /drive
- API returns drive values properly
Considering this behavior is both on the SDK as well as the graph API explorer itself, it seems to be on the API side. This test was run by two different global admins. In both cases the
SDK Version
2.4.0
Latest version known to work for scenario above?
No response
Known Workarounds
We can leverage the Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/
Debug output
```
DEBUG: [CmdletBeginProcessing]: - Get-MgUserDefaultDrive begin processing with parameterSet 'Get'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, ChannelMessage.Read.All, ChannelMessage.ReadWrite, ChannelSettings.Read.All, DelegatedPermissionGrant.ReadWrite.All, Device.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, email, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, openid, Organization.Read.All, Policy.Read.All, Policy.ReadWrite.AuthenticationMethod, profile, Reports.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory, Sites.FullControl.All, Sites.Read.All, Team.ReadBasic.All, TeamMember.Read.All, TeamMember.ReadWrite.All, TeamsApp.ReadWrite.All, TeamSettings.Read.All, TeamSettings.ReadWrite.All, TeamworkAppSettings.ReadWrite.All, User.Read, User.Read.All, User.ReadBasic.All, User.ReadWrite.All, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method: GET
Absolute Uri: https://graph.microsoft.com/v1.0/users/recentuser/drive
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Macintosh; Darwin 23.5.0 Darwin Kernel Version 23.5.0: Wed May 1 20:12:58 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6000; en-NL),PowerShell/7.2.5
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.4.0
client-request-id : ce0a2802-6552-4eef-b6ac-fad19d040c9
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code: Forbidden
Headers:
Cache-Control : no-store, no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : e0d086d6-8d89-4cff-8bdf-119a57dcb01a
client-request-id : ce0a2802-6552-4eef-b6ac-fad19d040c96
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"005","RoleInstance":"AM4PEPF00015143"}}
Date : Sat, 29 Jun 2024 11:52:59 GM
Body: { "error": { "code": "accessDenied", "message": "Access denied", "innerError": { "date": "2024-06-29T11:52:59", "request-id": "e0d086d6-8d89-4cff-8bdf-119a57dcb01a", "client-request-id": "ce0a2802-6552-4eef-b6ac-fad19d040c96" } } }
Get-MgUserDefaultDrive_Get: Access denied
Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-06-29T11:52:59
Headers:
Cache-Control : no-store, no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : e0d086d6-8d89-4cff-8bdf-119a57dcb01a
client-request-id : ce0a2802-6552-4eef-b6ac-fad19d040c96
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"005","RoleInstance":"AM4PEPF00015143"}}
Date : Sat, 29 Jun 2024 11:52:59 GM
DEBUG: [CmdletEndProcessing]: - Get-MgUserDefaultDrive end processing.
```
Configuration
Run from PowerShell version 7.2.5 as a global admin on Sonoma 14.5 Mac OSX (ARM)
Other information
No response
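
A triage sketch for the debug output in this report, added here as an example and not part of the original issue or the SDK: it pulls the granted scopes, status and request-id out of a `-Debug` transcript and checks whether a missing delegated scope would explain the 403. The `triage` function, the sample transcript and the accepted-scope set (an assumption taken from the Graph "Get Drive" permissions table) are constructed for illustration.

```python
import re

# Assumption: delegated scopes accepted by GET /users/{id}/drive, per the Graph
# "Get Drive" permissions table; verify against the current documentation.
DRIVE_SCOPES = {"Files.Read", "Files.ReadWrite", "Files.Read.All",
                "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"}

# Constructed sample in the shape of the -Debug output (scope list shortened, ids fake).
SAMPLE = """\
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser'.
DEBUG: [Authentication]: - Scopes: [Directory.Read.All, Sites.FullControl.All, Sites.Read.All, User.Read.All].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method: GET
Absolute Uri: https://graph.microsoft.com/v1.0/users/recentuser/drive
DEBUG: ============================ HTTP RESPONSE ============================
Status Code: Forbidden
Headers: request-id : 00000000-0000-0000-0000-000000000001 client-request-id : 00000000-0000-0000-0000-000000000002
Body: { "error": { "code": "accessDenied", "message": "Access denied" } }
"""

def triage(debug_text, accepted=DRIVE_SCOPES):
    """Summarise one request/response pair from Graph PowerShell -Debug output."""
    def first(pattern):
        m = re.search(pattern, debug_text)
        return m.group(1) if m else None

    scopes_raw = first(r"Scopes: \[([^\]]*)\]")
    scopes = {s.strip() for s in scopes_raw.split(",")} if scopes_raw else set()
    status = first(r"Status Code: (\w+)")
    matching = sorted(scopes & accepted)
    if status != "Forbidden":
        verdict = "not a 403"
    elif not matching:
        verdict = "token lacks a drive scope: reconnect with one and retry"
    else:
        verdict = "drive scope present: not a consent gap, escalate with request-id"
    return {
        "uri": first(r"Absolute Uri: (\S+)"),
        "status": status,
        "error_code": first(r'"code":\s*"([^"]+)"'),
        "request_id": first(r"(?<!client-)request-id : ([0-9a-fA-F-]{36})"),
        "drive_scopes": matching,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The `request_id` value is the server-side correlation id to quote when raising the 403 with support; the lookbehind skips the `client-request-id` header, which the client generates.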