msgraph-sdk-powershell

Get-MgBetaNetworkAccessForwardingPolicyRule Returns 200 OK with Empty Value [] for Policies with Existing Rules

Open ggilmoreAtWork opened this issue 6 months ago • 1 comments

Describe the bug

When querying for the rules of a specific, valid forwarding policy ID using Get-MgBetaNetworkAccessForwardingPolicyRule, the Graph API successfully returns a 200 OK status code. However, the body of the response incorrectly contains an empty value array ("value": []), even when the policy has numerous rules (application segments) visible in the Microsoft Entra admin center.

This behavior makes it impossible to automate the enumeration of all FQDNs and IP ranges within Private Access, as the API is not returning the configured data.

Expected behavior

List the rules for the policy? Display the IP and FQDN, possibly the Ports and protocol.

How to reproduce

Connect-MgGraph -Scopes "NetworkAccess.Read.All"
# Get all policies and select one for testing
$policies = Get-MgBetaNetworkAccessForwardingPolicy | Where-Object { $_.TrafficForwardingType -eq 'private' }
$testPolicyId = $policies[0].Id
Get-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $testPolicyId

SDK Version

2.29.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

DEBUG: [CmdletBeginProcessing]: - Get-MgBetaNetworkAccessForwardingPolicyRule begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, Application.Read.All, AuditLog.Read.All, Calendars.Read, Calendars.Read.Shared, Channel.ReadBasic.All, ConsentRequest.Read.All, DelegatedPermissionGrant.Read.All, Device.ReadWrite.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Domain.ReadWrite.All, email, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All, GroupMember.ReadWrite.All, IdentityRiskyUser.ReadWrite.All, Mail.Read, NetworkAccess.Read.All, openid, profile, Team.ReadBasic.All, User.Read, User.Read.All, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/networkAccess/forwardingPolicies/88de4bbf-27fc-46b8-b926-87f7e4e896b7/policyRules

Headers:
FeatureFlag                   : 00000003
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26200; en-US),PowerShell/2025.2.0
SdkVersion                    : graph-powershell-beta/2.29.0
client-request-id             : 99b91890-3907-4b0f-ac87-9a80f4711f25
Accept-Encoding               : gzip,deflate,br

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Date                          : Thu, 10 Jul 2025 05:08:21 GMT
Transfer-Encoding             : chunked
Connection                    : keep-alive
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 972d1873-7839-4cfd-940d-b77f366ffd03
client-request-id             : 99b91890-3907-4b0f-ac87-9a80f4711f25
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"MWH0EPF0009A7D2"}}
OData-Version                 : 4.0
X-Cache                       : CONFIG_NOCACHE

Body:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#networkAccess/forwardingPolicies('88de4bbf-27fc-46b8-b926-87f7e4e896b7')/policyRules",
  "value": []
}


DEBUG: [CmdletEndProcessing]: - Get-MgBetaNetworkAccessForwardingPolicyRule end processing.

Configuration

  • OS: Windows 11 25H2 (OS Build 26200.5670)
  • x64
  • PowerShell 7.5.2 and 5.1

Other information

Get-MgBetaNetworkAccessForwardingPolicy -Filter "TrafficForwardingType eq 'private'" | fl

Also reflects blank PolicyRules:

Description           : This policy represents application segment configuration on appId
                        ed26595d-2982-4862-99da-342c53a26a5e
Id                    : a56c642a-4811-4dda-a4ee-265866c048b8
Name                  : Private Access Policy for App ed26595d-2982-4862-99da-342c53a26a5e
PolicyRules           :
TrafficForwardingType : private
Version               : 1.0.0
AdditionalProperties  : {}

ggilmoreAtWork Jul 10 '25 05:07

@ggilmoreAtWork could you please provide a fresh debug output for this as it looks a lot like an issue with the underlying service. If we have a fresh debug output, then we can pass this along to the team that owns this API.

gavinbarron Jul 10 '25 20:11
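An added example, not part of the issue thread or the SDK project's code: one way to gather fresh evidence of the kind requested above. For every private forwarding policy it calls the same policyRules endpoint directly with Invoke-MgGraphRequest and records the status code, rule counts and correlation headers next to the cmdlet's result. This lets an empty "value" returned by the service be told apart from an SDK-side deserialization problem. The variable names and the CSV file name are assumptions made for illustration.

```powershell
# Added example. Assumes the Microsoft Graph Beta PowerShell modules used in
# the issue are installed and the signed-in account can read Global Secure
# Access configuration.
Connect-MgGraph -Scopes 'NetworkAccess.Read.All'

$policies = Get-MgBetaNetworkAccessForwardingPolicy -All |
    Where-Object { $_.TrafficForwardingType -eq 'private' }

$report = foreach ($p in $policies) {
    $uri = "https://graph.microsoft.com/beta/networkAccess/forwardingPolicies/$($p.Id)/policyRules"

    # Raw call: bypasses the generated cmdlet's model deserialization.
    $raw = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject `
        -StatusCodeVariable status -ResponseHeadersVariable headers

    # Same data through the generated cmdlet, for comparison.
    $sdkRules = @(Get-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $p.Id -All)

    [pscustomobject]@{
        TimestampUtc    = (Get-Date).ToUniversalTime().ToString('o')
        PolicyId        = $p.Id
        PolicyName      = $p.Name
        StatusCode      = $status
        RawRuleCount    = @($raw.value).Count
        SdkRuleCount    = $sdkRules.Count
        # Correlation values the owning service team needs to trace the call.
        RequestId       = @($headers['request-id']) -join ','
        ClientRequestId = @($headers['client-request-id']) -join ','
        AgsDiagnostic   = @($headers['x-ms-ags-diagnostic']) -join ','
    }
}

# Zero rules on both paths points at the service response itself;
# RawRuleCount > 0 with SdkRuleCount = 0 points at the SDK.
$report | Format-Table PolicyId, StatusCode, RawRuleCount, SdkRuleCount, RequestId
$report | Export-Csv -Path .\policyRules-evidence.csv -NoTypeInformation
```

Running the original cmdlet with -Debug for one of the listed policy IDs then yields the full request and response trace in the format shown in the issue.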