permission issue #8
Comments
Hi @jajapaja, thanks
Hi @0x6f677548, many thanks
This has nothing to do with the role of the identity being used. I recommend reading https://learn.microsoft.com/en-us/graph/auth/ namely https://learn.microsoft.com/en-us/graph/auth/auth-concepts. CA-PowerToys, by default, utilizes "14d82eec-204b-4c2f-b7e8-296a70dab67e" as the client_id, which is "Microsoft Graph Command Line Tools". This is done to circumvent the need to pre-register ca-powertoys in the target tenant, as most of the time this app is registered. MS Graph Command Line Tools normally has all delegated user permissions needed for most operations, but your tenant may have been changed. A scope can be defined using the --scope option in the acquire-token command. You can check which scopes are needed in every API call on the Graph API documentation. Example for policies list: If you use the service principal approach, the following are the permissions that need to be added: Hope it helps
Thank you so much. The scope parameter of ca-pwt was the point. I'm familiar OFC with the OAuth concept, but I missed in your documentation the info about utilizing Graph Command Line Tools. I set all required API permissions and all works as expected. Now I'm getting this for policy 105 How can I please change to the /beta Graph API endpoint in ca-pwt? Many thanks
Sorry for the late reply. Yes, I might need to update the documentation for a new tenant. I will probably invest some time on a wiki moving forward. I am working on the support for other parts of the ZT vision, live Intune device policies, hence some latency updating docs. Feel free to submit a PR for the readme if you have any suggestions, and thanks for using the tool. For the beta API, you found it already, but that's in graph_api.py, in the init method of EntityAPI. You might also need to change the _get_entity_path of some entities - in your case PoliciesAPI (policies.py). Let me know anything that I can help with, and if you like the tool, just spread the word :)
btw, I haven't tested the tool with preview features - not sure about the result.
Hi,
unfortunately I'm still getting error 403
AssertionError: : Request failed with status code 403; {'error': {'code': 'AccessDenied', 'message': 'You cannot perform the requested operation, required scopes are missing in the token.', 'innerError': {'date': '2024-02-06T17:35:05', 'request-id': '35284efd-a0fd-4cf3-9249-0c39313edfe0', 'client-request-id': '35284efd-a0fd-4cf3-9249-0c39313edfe0'}}}
I tried all documented methods of obtaining tokens (inc. service principal assigned in Global Admin role) but the error is still the same
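The 403 in this issue reports that required scopes are missing in the token, and the maintainer's reply distinguishes delegated scopes from service-principal permissions. The following is an added example, not part of the thread or of ca-pwt's code, that decodes an access token's payload and reports which required permissions it lacks. The helper names and the sample token are constructed, and `Policy.Read.All` as the permission needed for listing policies is an assumption to be checked against the Graph API documentation for the call in question.

```python
import base64
import json

# Client id quoted in the thread ("Microsoft Graph Command Line Tools").
GRAPH_CLI_CLIENT_ID = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
# Assumption: permission needed to list conditional access policies.
REQUIRED = {"Policy.Read.All"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified: this is for
    troubleshooting a token you acquired yourself, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token: str, required: set) -> dict:
    """Compare the permissions carried by the token with what a call needs."""
    claims = decode_claims(token)
    delegated = set(claims.get("scp", "").split())  # delegated (user) token
    app_roles = set(claims.get("roles", []))        # service principal token
    granted = delegated | app_roles
    return {
        "client_id": claims.get("appid") or claims.get("azp"),
        "kind": "delegated" if delegated else "application" if app_roles else "none",
        "granted": sorted(granted),
        "missing": sorted(required - granted),
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo; not a real Entra ID token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


if __name__ == "__main__":
    sample = make_sample_token(
        {"appid": GRAPH_CLI_CLIENT_ID, "scp": "openid profile User.Read"})
    print(missing_permissions(sample, REQUIRED))
```

A non-empty `missing` list on a delegated token points at the scopes requested at token acquisition (the `--scope` option mentioned above) or at consent in the tenant; on an application token it points at the permissions granted to the service principal.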