Hi, unfortunately, I'm running into a new issue after I've migrated both the Intune- and Entra-Backup from Service Principals to Workload Federating Identities. The Intune-backup works fine, but Entra backup always stops at a certain point:
Removing existing backup directory
04:01 (UTC) Creating Azure config backup
Organization/Organization.json
Organization/Branding/Localizations.json
Organization/CertificateBasedAuthConfiguration.json
Directory/OnPremisesSynchronization.json
Export-Entra: /home/it/myagent/_work/_temp/eeb6d2b1-b111-46fb-a950-1dca2d9b13d4.ps1:36
Line |
  36 | Export-Entra "$root\prod-backup" -CloudUsersAndGroupsOnly
     | ~~~~~~~~~~~~~
     | GET
     | graph.microsoft.com/v1.0/directory/onPremisesSync…redacted
HTTP/2.0 403 Forbidden
Cache-Control: no-cache
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd
client-request-id: ff9e6948-885b-4121-8fbe-82290ca98e3c
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"FR2PEPF00000553"}}
x-ms-resource-unit: 1
Date: Wed, 23 Oct 2024 02:01:26 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-10-23T02:01:26","request-id":"4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd","client-request-id":"ff9e6948-885b-4121-8fbe-82290ca98e3c"}}}
##[error]PowerShell exited with code '1'.
##[error]PowerShell wrote one or more lines to the standard error stream.
##[error]Export-Entra: /home/it/myagent/_work/_temp/eeb6d2b1-b111-46fb-a950-1dca2d9b13d4.ps1:36
Line |
  36 | Export-Entra "$root\prod-backup" -CloudUsersAndGroupsOnly
     | ~~~~~~~~~~~~~
     | GET
     | graph.microsoft.com/v1.0/directory/onPremisesSync…redacted
HTTP/2.0 403 Forbidden
Cache-Control: no-cache
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd
client-request-id: ff9e6948-885b-4121-8fbe-82290ca98e3c
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"FR2PEPF00000553"}}
x-ms-resource-unit: 1
Date: Wed, 23 Oct 2024 02:01:26 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-10-23T02:01:26","request-id":"4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd","client-request-id":"ff9e6948-885b-4121-8fbe-82290ca98e3c"}}}
The API permissions are exactly the same as the ones previously used for the service principal, which were working fine :-( Looking at a previously successful pipeline-run, I can see that it probably fails trying to collect the Domain-infos at that point, although the app has the Domain.read.all API-permissions.
EDIT: using Graph-explorer, I found that the request for graph.microsoft.com/v1.0/directory/onPremisesSync… also requires the permission "OnPremDirectorySynchronization.Read.All".
However, after granting that API-permission it still spits out exactly the same error :-/
Can you please help with this error message? If you want, I will share the full log details.

github.com/ztrhgf/DevOps_Pipelines/blob/main/azur…
I have replaced the following values mentioned in the above YML file based on our requirement.
SERVICE_CONNECTION_NAME USER_EMAIL USER_NAME
2024-07-22T11:27:30.8857016Z PrivilegedAccess/AzureResources/Resources
2024-07-22T11:27:33.0971646Z ##[error]Export-Entra : GET graph.microsoft.com/beta/privilegedAccess/azureRe…
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 1b1bda25-0619-4098-9dd4-77d26bbe46f2
client-request-id: c6876129-2b01-4bb4-9e1a-dd26165addbf
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"DB1PEPF0005EB8C"}}
Date: Mon, 22 Jul 2024 11:27:32 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-07-22T11:27:32","request-id":"1b1bda25-0619-4098-9dd4-77d26bbe46f2","client-request-id":"c6876129-2b01-4bb4-9e1a-dd26165addbf"}}}
At D:\a_temp\f54b1a51-ab43-4728-afd9-654a06a97a24.ps1:37 char:1
I am trying to export users using the pipeline. The pipeline is running fine, but I can't see any files in the output folder. And if I export users locally, it is running fine.
Running this, I get an error. Could you please advise on how to best solve this? It works if I run the Export-command locally on a server towards the same Entra ID, but not through Azure Devops using your code. Thanks.
PrivilegedAccess/AzureResources/Resources
##[error]Export-Entra : GET XXXXgraph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=XXXXX
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: XXXX
client-request-id: XXXX
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"008","RoleInstance":"XXXX"}}
Date: Fri, 05 Apr 2024 07:55:28 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-04-05T07:55:29","request-id":"XXX","client-request-id":"XXX"}}}
At D:\a_temp\32f8a8a7-ae2d-4a87-859d-eafcc7051148.ps1:37 char:1
Thank you for the great article and also for providing the solution to the community - very much appreciated! :-) Unfortunately, I ran into a problem where the process always keeps timing out on the same commit message: "Creating commit '2024.03.08_12.19 ...." (content redacted ;D) The first few pipeline-runs completed without any problems, but it suddenly stopped working one day and will not continue with a certain commit and just seems to time out at a certain point. The commit message subject is always the same, so it's probably something related to the processed data, but I'm currently out of ideas what the underlying issue might be, and I'd be very glad to get some tips on how I might debug that!
Thank you for the great article. Just a small piece of advice: to keep with current terms, please refrain from using the word "Azure" when you actually mean Entra (which includes Entra ID). Azure = IaaS/PaaS cloud computing platform and even has its own RBAC outside of Entra ID, so using the word Azure instead of Entra is quite confusing.
Hello. The whole pipeline and all jobs go well without errors, but I don't see files in Azure Repos like you. In my repo there are only the YAML file and a readme. What am I doing wrong?
Ok, found the culprit in MS Graph PS SDK 2.11.0: Invoke-MgGraphRequest Broken
Thank you for the write-up! Do you have a clue why the pipeline keeps skipping users (and groups) while it has all necessary permissions and the correct parameter? Running it manually using an admin account does retrieve groups and accounts.
cmusselman
Thank you for so quickly fixing the authentication problem. I was troubleshooting and thought I'd check your github to see if you had seen the problem and it was already fixed!