403 on Invoke-WebRequest

Question

403 on Invoke-WebRequest

hyde311 opened this issue 3 years ago · 6 comments

hyde311 commented 3 years ago

Good Evening,

I am getting a 403 on Invoke-WebRequest. I have given the app the following permissions:

sites.readwrite.all
user.read
user.read.all

Any suggestions or assistance would be appreciated.

Thank you,
Hyde

Answer 1 · 2022-02-04T07:10:28.000Z

Which script is that, ODFB shared files one? And which line/function for the error? Line 266 gets a list of all domains, for that you need Directory.Read.All permissions. If you don't want to use that, comment the line and enter the list manually.

Answer 2 · 2022-02-04T14:29:10.000Z

Thank you for the reply! I am using the Graph_ODFB_shared_files.ps1 script. The issue is on line 223:

try { $result = Invoke-WebRequest -Headers $AuthHeader -Uri $uri -Verbose:$VerbosePreference -ErrorAction Stop }

Since my post I have added the following permissions to the app:

Directory.Read.All -Delegated

Files.Read.All-Delegated

Group.Read.All-Delegated

IdentityRiskEvent.Read.All-Delegated

Sites.ReadWrite.All-Delegated

User.Read-Delegated

User.Read.All-Delegated

Thanks again!
Hyde

Answer 3 · 2022-02-05T07:25:09.000Z

That doesn't narrow it down, it's the wrapper "do a Graph request" function. Try running with the -Verbose switch/preference, see what the last request before throwing this error is.

Keep in mind that if you are running the script with Delegate permissions, your user needs to have access to each individual ODFB site, the Graph permissions themselves are not sufficient. Also make sure to replace the corresponding auth block, as the example I'm using is via client secret/application permissions.

Answer 4 · 2022-02-05T14:02:40.000Z

Ahh maybe is is the delegate permissions; though I am running as a GA account. I will try the verbose switch and change the permissions from delegate to app and see what happens. I changed the auth block to my values, but I am also using client secret/app permissions.

UPDATE
Yup, it was the delegated permissions; works fine now. Thank you for your assistance!

Answer 5 · 2022-02-06T08:13:49.000Z

GA doesn't have access to user's ODFB out of the box, so if you want to run with delegate permissions you have to address that. Anyway, glad it works for you now.

Answer 6 · 2022-05-12T12:03:34.000Z

Good day,

I am getting the same error as Hyde but only when i use depth 1/2. running the code blank runs fine however we are not catching lot of data with top level. Can you please assist?
Thank you