msgraph-sdk-powershell icon indicating copy to clipboard operation
msgraph-sdk-powershell copied to clipboard

Published 20 hours ago verified publisher icon microsoftgraph

New-MgBetaSecurityAuditLogQuery seems to drop authentication

Open 12Knocksinna opened this issue 9 months ago • 4 comments

Describe the bug

I am running an audit job to retrieve audit events. I create the hash table containing the audit query and attempt to submit it with the New-MgBetaSecurityAuditLogQuery cmdlet, but the cmdlet fails.

$AuditJob = New-MgBetaSecurityAuditLogQuery -BodyParameter $AuditQueryParameters | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Invalid URI: The format of the URI could not be determined.

If the session is disconnected and reconnected with Disconnect-MgGraph and Connect-MgGraph, the cmdlet runs as expected. This makes me think that the automatic access token refresh is being ignored by the cmdlet, which then thinks that it is not authorized to submit the job and therefore fails. The error message is very misleading...

Expected behavior

I expect to be able to submit audit jobs...

How to reproduce

Here's the code I used:

$AuditQueryName = ("Copilot Interactions audit job created at {0}" -f (Get-Date -format 'dd-MMM-yyyy HH:mm')) $StartDate = (Get-Date).AddDays(-30) $EndDate = (Get-Date).AddDays(1) $AuditQueryStart = (Get-Date $StartDate -format s) $AuditQueryEnd = (Get-Date $EndDate -format s) [array]$AuditQueryOperations = "CopilotInteraction" $AuditQueryParameters = @{} #$AuditQueryParameters.Add("@odata.type","#microsoft.graph.security.auditLogQuery") $AuditQueryParameters.Add("displayName", $AuditQueryName) $AuditQueryParameters.Add("OperationFilters", $AuditQueryOperations) $AuditQueryParameters.Add("filterStartDateTime", $AuditQueryStart) $AuditQueryParameters.Add("filterEndDateTime", $AuditQueryEnd)

Submit the audit query

$AuditJob = New-MgBetaSecurityAuditLogQuery -BodyParameter $AuditQueryParameters

To reproduce, submit a job and let it run. Wait an hour to make sure that the existing access token has expired. Try and submit an audit job again. It fails...

I suspect that the same problem exists with the other cmdlets that interact with the AuditLogQuery API like Get-MgBetaSecurityAuditLogQueryRecord and Get-MgBetaSecurityAuditLogQuery

SDK Version

V2.26.1

Latest version known to work for scenario above?

I noticed this in previous versions but didn't report it

Known Workarounds

run Disconnect-MgGraph, then Connect-MgGraph, and the cmdlet will work.

Debug output

Are you sure you want to perform this action? Performing the operation "New-MgBetaSecurityAuditLogQuery_Create" on target "Call remote 'POST /security/auditLog/queries' operation". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y DEBUG: [CmdletException]: Received exception with message 'UriFormatException - Invalid URI: The format of the URI could not be determined. : at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions) at System.Uri..ctor(String uriString) at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.GetInteractiveBrowserCredentialAsync(IAuthContext authContext, CancellationToken cancellationToken) at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.GetTokenCredentialAsync(IAuthContext authContext, CancellationToken cancellationToken) at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.GetAuthenticationProviderAsync(IAuthContext authContext) at Microsoft.Graph.PowerShell.Authentication.Helpers.HttpHelpers.GetGraphHttpClient() at Microsoft.Graph.Beta.PowerShell.Module.BeforeCreatePipeline(InvocationInfo invocationInfo, HttpPipeline& pipeline) at Microsoft.Graph.Beta.PowerShell.Module.CreatePipeline(InvocationInfo invocationInfo, String parameterSetName) at Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaSecurityAuditLogQuery_Create.ProcessRecordAsync()' New-MgBetaSecurityAuditLogQuery_Create: Invalid URI: The format of the URI could not be determined. DEBUG: [CmdletEndProcessing]: - New-MgBetaSecurityAuditLogQuery end processing.

Configuration

Name Value

PSVersion 7.5.0 PSEdition Core GitCommitId 7.5.0 OS Microsoft Windows 10.0.26100 Platform Win32NT PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…} PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1 WSManStackVersion 3.0

Other information

No response

12Knocksinna avatar Feb 28 '25 17:02 12Knocksinna

To be specific, Connect-MgGraph must go through the authentication process (sign in) before the cmdlet is happy. If Disconnect-MgGraph/Connect-MgGraph run without authenticating, the cmdlet fails.

12Knocksinna avatar Mar 01 '25 11:03 12Knocksinna

@12Knocksinna sorry for the experience, this issue has already been reported here #3197. I will therefore close this as a duplicate, kindly let us track it from there.

timayabi2020 avatar Mar 03 '25 10:03 timayabi2020

It's a different bug that is specific to the cmdlets for the AuditQueryLog API that existed prior to V2.26 (I just didn't get around to reporting it). Other cmdlets work fine. Please don't close this bug.

From: Tim @.> Sent: Monday, March 3, 2025 10:08 AM To: microsoftgraph/msgraph-sdk-powershell @.> Cc: 12 Knocksinna (Gmail) @.>; Mention @.> Subject: Re: [microsoftgraph/msgraph-sdk-powershell] New-MgBetaSecurityAuditLogQuery seems to drop authentication (Issue #3199)

@12Knocksinnahttps://github.com/12Knocksinna sorry for the experience, this issue has already been reported here #3197https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3197. I will therefore close this as a duplicate, kindly let us track it from there.

Reply to this email directly, view it on GitHubhttps://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3199#issuecomment-2693859322, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AK45CIXJFCLOU5V3XZ3IW2T2SQSWLAVCNFSM6AAAAABYC2Q4CCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMOJTHA2TSMZSGI. You are receiving this because you were mentioned.Message ID: @.@.>> [timayabi2020]timayabi2020 left a comment (microsoftgraph/msgraph-sdk-powershell#3199)https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3199#issuecomment-2693859322

@12Knocksinnahttps://github.com/12Knocksinna sorry for the experience, this issue has already been reported here #3197https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3197. I will therefore close this as a duplicate, kindly let us track it from there.

Reply to this email directly, view it on GitHubhttps://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3199#issuecomment-2693859322, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AK45CIXJFCLOU5V3XZ3IW2T2SQSWLAVCNFSM6AAAAABYC2Q4CCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMOJTHA2TSMZSGI. You are receiving this because you were mentioned.Message ID: @.@.>>

12Knocksinna avatar Mar 03 '25 10:03 12Knocksinna

I've confirmed that the problem is with the underying Graph APIs as well. Using Invoke-MgGraphRequest doesn't work if the access token needs to be renewed. For instance, this will fail:

$Uri = $Uri = "https://graph.microsoft.com/beta/security/auditLog/queries" $AuditJob = Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $AuditQueryParameters

Errors like Invalid URI: The format of the URI could not be determined. or The pipeline has been stopped. aren't very helpful.

The problem is a horrible one because everything seems to be working as normal and then it suddenly fails.

12Knocksinna avatar Mar 05 '25 16:03 12Knocksinna

@timayabi2020 any update here?

myfope avatar Jun 26 '25 11:06 myfope