Hi, unfortunately I'm running into a new issue after I've migrated both the Intune and Entra backups from Service Principals to Workload Federating Identities. The Intune backup works fine, but the Entra backup always stops at a certain point:
Removing existing backup directory
04:01 (UTC) Creating Azure config backup
Organization/Organization.json
Organization/Branding/Localizations.json
Organization/CertificateBasedAuthConfiguration.json
Directory/OnPremisesSynchronization.json
Export-Entra: /home/it/myagent/_work/_temp/eeb6d2b1-b111-46fb-a950-1dca2d9b13d4.ps1:36
Line |
  36 | Export-Entra "$root\prod-backup" -CloudUsersAndGroupsOnly
     | ~~~~~~~~~~~~~
     | GET graph.microsoft.com/v1.0/directory/onPremisesSync…redacted
     | HTTP/2.0 403 Forbidden
     | Cache-Control: no-cache
     | Vary: Accept-Encoding
     | Strict-Transport-Security: max-age=31536000
     | request-id: 4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd
     | client-request-id: ff9e6948-885b-4121-8fbe-82290ca98e3c
     | x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"FR2PEPF00000553"}}
     | x-ms-resource-unit: 1
     | Date: Wed, 23 Oct 2024 02:01:26 GMT
     | Content-Type: application/json
     | Content-Encoding: gzip
     | {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-10-23T02:01:26","request-id":"4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd","client-request-id":"ff9e6948-885b-4121-8fbe-82290ca98e3c"}}}
##[error]PowerShell exited with code '1'.
##[error]PowerShell wrote one or more lines to the standard error stream.
##[error]Export-Entra: /home/it/myagent/_work/_temp/eeb6d2b1-b111-46fb-a950-1dca2d9b13d4.ps1:36
Line |
  36 | Export-Entra "$root\prod-backup" -CloudUsersAndGroupsOnly
     | ~~~~~~~~~~~~~
     | GET graph.microsoft.com/v1.0/directory/onPremisesSync…redacted
     | HTTP/2.0 403 Forbidden
     | Cache-Control: no-cache
     | Vary: Accept-Encoding
     | Strict-Transport-Security: max-age=31536000
     | request-id: 4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd
     | client-request-id: ff9e6948-885b-4121-8fbe-82290ca98e3c
     | x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"FR2PEPF00000553"}}
     | x-ms-resource-unit: 1
     | Date: Wed, 23 Oct 2024 02:01:26 GMT
     | Content-Type: application/json
     | Content-Encoding: gzip
     | {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-10-23T02:01:26","request-id":"4e2a5260-a2d9-4e2c-80c4-c6dfe9bc89cd","client-request-id":"ff9e6948-885b-4121-8fbe-82290ca98e3c"}}}
The API permissions are exactly the same as the ones previously used for the service principal, which were working fine :-( Looking at a previously successful pipeline run, I can see that it probably fails trying to collect the domain info at that point, although the app has the Domain.read.all API permission.
EDIT: using Graph Explorer, I found that the request for graph.microsoft.com/v1.0/directory/onPremisesSync… also requires the permission "OnPremDirectorySynchronization.Read.All".
However, after granting that API permission it still spits out exactly the same error :-/
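A quick way to separate "permission not granted" from "permission granted but not in the token the pipeline actually uses" is to decode the app-only Graph token the federated identity obtains and look at its `roles` claim, which is where Graph application permissions appear (delegated scopes would be in `scp`). The snippet below is an added diagnostic, not part of EntraExporter or of the original post; it assumes the pipeline step can obtain a Graph token with `Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com'` from Az.Accounts (newer Az versions return the token as a SecureString, which the helper handles), and the list of required permissions is taken from the post.

```powershell
# Added diagnostic (not from the original post or the EntraExporter project).
# Decodes the Graph access token used by the pipeline and reports whether
# the app roles the failing request needs are actually present in it.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # JWT payload is the second base64url segment; restore padding before decoding.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-GraphAppRoles {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        # Permissions named in the post: the one already on the app and the one
        # Graph Explorer showed the onPremisesSynchronization endpoint needs.
        [string[]]$Required = @('Domain.Read.All', 'OnPremDirectorySynchronization.Read.All')
    )
    $claims  = ConvertFrom-JwtPayload -Jwt $Jwt
    $granted = @($claims.roles)   # app-only tokens carry application permissions here

    [pscustomobject]@{
        Audience   = $claims.aud          # should be the Graph resource
        AppId      = $claims.appid        # confirm it is the federated identity's app
        TenantId   = $claims.tid
        IssuedAt   = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat).UtcDateTime
        Roles      = $granted
        Missing    = @($Required | Where-Object { $granted -notcontains $_ })
    }
}

# --- usage in the pipeline step (assumption: Az.Accounts is available) ---
$raw = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
if ($raw -is [securestring]) {
    # Az 14+ returns a SecureString; PowerShell 7 can unwrap it in place.
    $raw = ConvertFrom-SecureString -SecureString $raw -AsPlainText
}
$report = Test-GraphAppRoles -Jwt $raw
$report | Format-List
if ($report.Missing.Count -gt 0) {
    Write-Warning ("Token lacks: {0}. Check admin consent on the app registration " +
                   "and that the pipeline's federated credential maps to the same app " +
                   "(appid above) that the permissions were granted to.") -f ($report.Missing -join ', ')
}
```

If `Missing` is empty but the 403 persists, the token is not the problem and the request itself (or the caller's directory role) is; if the permission is listed on the app registration but absent from `roles`, the usual causes are consent not yet granted for the tenant, or the federated credential belonging to a different app registration than the one whose permissions were edited. The `appid` and `tid` fields in the report make that second case easy to spot.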