AzureAD/AzureADAssessment

Using service principal not working

atiedemann opened this issue · 8 comments

Hello together,
I am trying to run the assessment with a service principal and set up delegated Graph permissions for Directory.Read.All and Policy.Read.All, but I get the errors below.

I think we are missing some permissions in MS Graph.

Catch-MsGraphError : Applications without a signed-in user are not allowed access to this report or data.
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.3.7\internal\Get-MsGraphResults.ps1:372 char:33
+                                 Catch-MsGraphError $_
+                                 ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Write-Error], WebException
    + FullyQualifiedErrorId : AccessDenied,Catch-MsGraphError

If it is not allowed to use service principals, what is the Connect-AADAssessment -Certificate ... option for?

Can someone help me?
Thanks
Arne

Why do you use Delegated and not Application Permissions, as designed?

https://github.com/AzureAD/AzureADAssessment#install-from-the-powershell-gallery

Can you share the full Connect-AADAssessment command you are running?

@atiedemann I suspect you need to add "Directory.Read.All" and "Policy.Read.All" application permissions to your app registration and then do admin consent. Could you validate your app registration looks like this?

I'll try it again tomorrow and give you feedback.
Thanks for your response.

@HWf7iz3HuBNbQ8 This was because I did not find the permission at the application level. :-(

Good morning, so I tested it again with Application permissions and updated the module to the latest version, and now it is working.
Thanks a lot
Arne

What I now get is that the AuditLog.Read.All permission is missing and I get the following error:

Catch-MsGraphError : Calling principal does not have required MSGraph permissions AuditLog.Read.All
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.3.11\internal\Get-MsGraphResults.ps1:372 char:33

So I think that this permission must be added to the application.
After I add the permission, the error is gone.

@atiedemann Thanks for the update. And also, thanks for calling out AuditLog.Read.All.
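The two errors in this thread come from the same cause: an app-only token carries its granted application permissions in the `roles` claim, while a delegated token carries scopes in `scp`, and the Graph report endpoints reject app-only calls that lack the right roles. The following diagnostic, added here as an example and not part of the AzureADAssessment module, decodes an access token (no signature check; inspection only) and reports whether it is delegated or application-mode and which of the three permissions named above are missing. The function name `Test-AssessmentTokenPermissions` and the sample token are assumptions constructed for the demo.

```powershell
# Added example, not AzureADAssessment code: inspect a Graph access token and
# report which of the application permissions this thread needs are missing.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-AssessmentTokenPermissions {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        # Application permissions named in this issue thread
        [string[]]$RequiredRoles = @('Directory.Read.All', 'Policy.Read.All', 'AuditLog.Read.All')
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    if ($claims.PSObject.Properties['scp'] -and -not $claims.PSObject.Properties['roles']) {
        # Delegated token: permissions live in "scp", so none of the app roles are present.
        return [pscustomobject]@{ Mode = 'Delegated'; Missing = $RequiredRoles }
    }
    $granted = @($claims.roles)   # app-only token: granted application permissions
    $missing = @($RequiredRoles | Where-Object { $_ -notin $granted })
    [pscustomobject]@{ Mode = 'Application'; Missing = $missing }
}

# Constructed sample token (unsigned, demo only): app-only token granted two of the three roles.
$header  = '{"alg":"none","typ":"JWT"}'
$payload = '{"aud":"https://graph.microsoft.com","roles":["Directory.Read.All","Policy.Read.All"]}'
$enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+','-').Replace('/','_') }
$sampleToken = "$(& $enc $header).$(& $enc $payload)."

Test-AssessmentTokenPermissions -AccessToken $sampleToken
```

Run it against a real token obtained for the app registration after admin consent; a non-empty Missing list means consent is still outstanding, and Mode = Delegated means the connection was made interactively rather than as the service principal.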