msgraph-sdk-powershell icon indicating copy to clipboard operation
msgraph-sdk-powershell copied to clipboard
verified publisher icon microsoftgraph

HttpClient.Timeout error when using a filter on Get-MGAuditLogSignIn

Open CloudVikingr opened this issue 1 year ago • 6 comments

Describe the bug

I am trying to run Get-MGAuditLogSignIn with a filter to retrieve the signin attempts from a specific application (Azure Portal). When I run the command I get this result:

> $AppId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
> get-mgauditlogsignin -all -filter "(AppId eq '$AppId')"
Get-MgAuditLogSignIn_List: The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing.

If I don't supply the filter the command runs successfully. It returns the results in a paginated manner and does not encounter the HttpClient.Timeout of 300 seconds:

PS C:\temp> Measure-Command { $events = Get-MgAuditLogSIgnin -all }


**TotalSeconds      : 817.4071132**

I can't find any option to override the default timeout using the specified command.

Expected behavior

I would expect that supplying a filter to the request would result in the specified results returning. If there are a lot of logs, this can take longer than the default timeout of 300s.

How to reproduce

  1. Execute
$AppId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
get-mgauditlogsignin -all -filter "(AppId eq '$AppId')"

SDK Version

2.22.0

Latest version known to work for scenario above?

No response

Known Workarounds

Retrieve the entire dataset and filter on the client side.

$AppId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
$events = Get-MgAuditLogSIgnin -all
$events | where {$_.AppId -eq $AppId}

Debug output

Click to expand log ``` PS C:\temp> get-mgauditlogsignin -all -filter "(AppId eq '$AppId')" -debug DEBUG: [CmdletBeginProcessing]: - Get-MgAuditLogSignIn begin processing with parameterSet 'List'. DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'. DEBUG: [Authentication]: - Scopes: [AuditLog.Read.All, Device.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, Directory.Read.All, Directory.ReadWrite.All, Files.Read.All, Group.Read.All, Group.ReadWrite.All, OnPremDirectorySynchronization.ReadWrite.All, openid, Organization.Read.All, Policy.Read.All, Policy.Read.ConditionalAccess, Policy.ReadWrite.ConditionalAccess, profile, RoleManagement.ReadWrite.Directory, SecurityIncident.Read.All, Sites.Read.All, ThreatIntelligence.Read.All, User.Read, User.Read.All, UserAuthenticationMethod.Read.All, email]. DEBUG: [CmdletException]: Received exception with message 'TaskCanceledException - The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing. : at System.Net.Http.HttpClient.HandleFailure(Exception e, Boolean telemetryStarted, HttpResponseMessage response, CancellationTokenSource cts, CancellationToken cancellationToken, CancellationTokenSource pendingRequestsCts) at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken) at Microsoft.Graph.PowerShell.Reports.AuditLogListSignIn_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender) at Microsoft.Graph.PowerShell.Reports.AuditLogListSignIn_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender) at Microsoft.Graph.PowerShell.Reports.AuditLogListSignIn(Nullable`1 Top, Nullable`1 Skip, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, IDictionary headers, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender) at Microsoft.Graph.PowerShell.Cmdlets.GetMgAuditLogSignIn_List.ProcessRecordAsync()' Get-MgAuditLogSignIn_List: The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing. DEBUG: [CmdletEndProcessing]: - Get-MgAuditLogSignIn end processing. 
</details>


### Configuration

- OS: Windows 11

Name Value

PSVersion 7.4.4 PSEdition Core GitCommitId 7.4.4 OS Microsoft Windows 10.0.22631 Platform Win32NT PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…} PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1 WSManStackVersion 3.0


### Other information

_No response_

CloudVikingr avatar Sep 04 '24 18:09 CloudVikingr

@CloudVikingr Thank you for raising this issue, however, I couldn't reproduce your issue. How often does this happen?

timayabi2020 avatar Sep 05 '24 05:09 timayabi2020

Can confirm this timeout when running Get-MgAuditLogSignIn -Filter "userId eq '$userId' and createdDateTime ge $startDate and createdDateTime le $endDate" -All

Running Get-MGAuditLogSignIn -All went on for 96 minutes with no time out, returning close to 600k records.

rdfrocha avatar Sep 09 '24 18:09 rdfrocha

@timayabi2020 This happens for me every time. It only happens when I try and filter the dataset on the server side. If the results take longer than some built-in timeout, it fails. If I don't supply a filter, it returns paginated results which don't seem to trigger the timeout.

CloudVikingr avatar Sep 18 '24 14:09 CloudVikingr

Same behavior for me. Running without filters will take as long at it likes. Using any kind of filter times out after five minutes.

neilfairall avatar Oct 10 '24 18:10 neilfairall

@CloudVikingr please let me know if you are still getting the same experience when using this tool. https://developer.microsoft.com/en-us/graph/graph-explorer

timayabi2020 avatar Oct 17 '24 08:10 timayabi2020

@CloudVikingr please let me know if you are still getting the same experience when using this tool. https://developer.microsoft.com/en-us/graph/graph-explorer

The tool is not working for me at the moment. I am unable to delegate permissions and it's saying there's network connectivity issues.

I generated the REST call in PowerShell and it returns the first paginated result:

PS C:\src> $url = "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=AppId eq 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'"  
PS C:\src> $response = Invoke-RestMethod -Method GET -headers $header -Uri $url
PS C:\src\CheckPointFirewall> $response | fl

@odata.context  : https://graph.microsoft.com/v1.0/$metadata#auditLogs/signIns
@odata.nextLink : https://graph.microsoft.com/v1.0/auditLogs/signIns?%5C=AppId+eq+%27c44b4083-3bb0-49c1-b47d-974e53cbdf3c%27&$skiptoken=
value           :  <redacted>

I am getting a slightly different error now when I try and use Get-MgAuditLogSignIn. Instead of the error The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing. I am now getting an error A task was canceled but it still fails. No filter returns.

PS C:\src> Get-MgAuditLogSignIn -Filter "(AppId eq '$AppId')"
Get-MgAuditLogSignIn : A task was canceled.
At line:1 char:1
+ Get-MgAuditLogSignIn -Filter "(AppId eq '$AppId')"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgAuditLogSignIn_List], TaskCanceledException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgAuditLogSignIn_List

PS C:\src> Get-MgAuditLogSignIn -all

Id                                   AppDisplayName                                     AppId
--                                   --------------                                     -----
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b1 Office365 Shell WCSS-Client                        89bee1f7-5e6e-4d8a-9f3d-ecd6...
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b10 Microsoft Teams Web Client                         5e3ce6c0-2b1f-4285-8d4b-75ee...
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b1 Microsoft Teams Web Client                         5e3ce6c0-2b1f-4285-8d4b-75ee...
...

Filtering after retrieving all of the logs still works. It took about 15m to return all of the result set.

PS C:\src> Get-MgAuditLogSignIn -all | where {$_.AppId -eq $AppId}
Id                                   AppDisplayName AppId                                ClientAppUsed ConditionalAcces
                                                                                                       sStatus
--                                   -------------- -----                                ------------- ----------------
1e3d5c10-9a1e-4a1b-8d2c-3f6e6e59e7b1 Azure Portal   c44b4083-3bb0-49c1-b47d-974e53cbdf3c Browser       success
...

CloudVikingr avatar Oct 17 '24 18:10 CloudVikingr

Seeing the same timeout error as the original poster, trying to request a filtered log by UPN. This request also times out using the Entra ID web portal.

Get-MgAuditLogSignIn_List: C:\Temp\get-sign-in-logs.ps1:11
Line |
  11 |  $signInLogs = Get-MgAuditLogSignin -Filter "userPrincipalName eq '$us …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The request was canceled due to the configured HttpClient.Timeout of 300 seconds elapsing.

gordonthree avatar Oct 22 '24 22:10 gordonthree

@gordonthree @CloudVikingr if the behavior is the same across various tools (Portal and SDKs) then it only means that there is an issue with the service. Unfortunately, we do not have visibility on Api related issues. Please open a ticket here so that the service owner can respond to it.

timayabi2020 avatar Nov 27 '24 09:11 timayabi2020