
permission issue #8

Closed
jajapaja opened this issue Feb 6, 2024 · 6 comments
Labels
documentation (Improvements or additions to documentation), question (Further information is requested)

Comments

@jajapaja

jajapaja commented Feb 6, 2024

Hi,
unfortunately I'm still getting error 403:
AssertionError: : Request failed with status code 403; {'error': {'code': 'AccessDenied', 'message': 'You cannot perform the requested operation, required scopes are missing in the token.', 'innerError': {'date': '2024-02-06T17:35:05', 'request-id': '35284efd-a0fd-4cf3-9249-0c39313edfe0', 'client-request-id': '35284efd-a0fd-4cf3-9249-0c39313edfe0'}}}
I tried all documented methods of obtaining tokens (including a service principal assigned the Global Admin role), but the error is still the same.

@0x6f677548
Owner

Hi @jajapaja ,
can you please clarify what action you are trying to perform that raises that error?
This can be an expected error if you are trying to use an action with a token that does not have the necessary scopes. If you tell me what action, I can help you with the instructions to get a token using the --scope option in the acquire-token command.

thanks

@0x6f677548 added the "documentation" and "question" labels Feb 8, 2024
@jajapaja
Author

jajapaja commented Feb 8, 2024

Hi @0x6f677548 ,
I'm getting the error about a missing scope for the export-policies action (as I mentioned, I tried all methods mentioned in your documentation, including authorization with a service principal).
How can I define the token scope in the query? All of the identities were Global Admins.

Many thanks

@0x6f677548
Owner

This has nothing to do with the role of the identity being used. I recommend reading https://learn.microsoft.com/en-us/graph/auth/, namely https://learn.microsoft.com/en-us/graph/auth/auth-concepts

CA-PowerToys, by default, utilizes "14d82eec-204b-4c2f-b7e8-296a70dab67e" as the client_id, which is "Microsoft Graph Command Line Tools". This is done to circumvent the need to pre-register ca-powertoys in the target tenant, as most of the time this app is already registered. MS Graph Command Line Tools normally has all the delegated user permissions needed for most operations, but your tenant may have been changed.

A scope can be defined using the --scope option in the acquire-token command.
As an example:
ca-pwt acquire-token --scope "Policy.Read.All" export-policies --output_file policies.json

You can check which scopes are needed in every api call on graph api documentation. Example for policies list:
https://learn.microsoft.com/en-us/graph/api/conditionalaccessroot-list-policies?view=graph-rest-1.0&tabs=http

If you use the service principal approach, the following are the permissions that need to be added:
(screenshot of the required application permissions; image not included in this text)

hope it helps
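A way to check the token for the scopes discussed above before calling Graph, as an added example (not ca-pwt's own code). It assumes the standard Entra ID token claims `scp` (delegated scopes) and `roles` (application permissions); Policy.ReadWrite.ConditionalAccess as a second acceptable permission is taken from the Graph docs linked above, and `make_sample_token` builds an unsigned, constructed token for offline use.

```python
import base64
import json

# Permissions the Conditional Access policies endpoint accepts. Policy.Read.All is
# the one named in the thread; Policy.ReadWrite.ConditionalAccess is assumed from
# the Graph docs. Delegated grants land in the "scp" claim (space separated),
# application (service-principal) grants in the "roles" claim (a list).
POLICY_PERMISSIONS = ("Policy.Read.All", "Policy.ReadWrite.ConditionalAccess")


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Payload claims of a compact JWT. The signature is deliberately not checked:
    the caller is inspecting its own token, not accepting one from a client."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Union of delegated scopes and app roles carried by the token."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def missing_permissions(jwt: str, accepted=POLICY_PERMISSIONS) -> list:
    """[] when the token carries at least one accepted permission, otherwise the
    list to request via `ca-pwt acquire-token --scope ...` (or to grant to the app)."""
    if granted_permissions(token_claims(jwt)) & set(accepted):
        return []
    return list(accepted)


def is_missing_scope_error(status: int, body: dict) -> bool:
    """Recognise the 403 body quoted in the thread so a caller can hint at --scope."""
    err = body.get("error", {})
    return (status == 403 and err.get("code") == "AccessDenied"
            and "scopes" in err.get("message", ""))


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample JWT for offline demos; not an Entra ID token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```

A token like the one behind the first 403 (only User.Read-style scopes) yields the full list from `missing_permissions`; a token acquired with `--scope "Policy.Read.All"` yields `[]`.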

@jajapaja
Author

jajapaja commented Feb 9, 2024

Thank you so much. The scope parameter of ca-pwt was the point. I'm familiar OFC with the OAuth concept, but I missed the info in your documentation about utilizing Graph Command Line Tools. I set all required API permissions and all works as expected.
btw: a new tenant doesn't have consent for Graph Command Line Tools, so you need to define it in a new scope.

now I'm getting this for policy 105
ERROR:ca_pwt.commands:Error creating policy with display name 'CA105-Admins-AppProtection-MicrosoftIntuneEnrollment-AnyPlatform-MFA': Request failed with status code 400; {'error': {'code': 'BadRequest', 'message': '1038: The policy you are trying to create or update contains preview features. Use the Beta endpoint to create or update this policy.', 'innerError': {'date': '2024-02-09T17:49:57', 'request-id': '

How can I please change to the /beta Graph API endpoint in ca-pwt?
EDIT: I found it. :)

Many thanks

@jajapaja jajapaja closed this as completed Feb 9, 2024
@0x6f677548
Owner

sorry for the late reply

Yes, I might need to update the documentation for a new tenant. I will probably invest some time on a wiki moving forward. I am working on the support for other parts of the ZT vision, like Intune device policies, hence some latency updating docs. Feel free to submit a PR for the readme if you have any suggestion, and thanks for using the tool.

For the beta API, you found it already, but that's in graph_api.py, in the init method of EntityAPI. You might also need to change the _get_entity_path of some entities, in your case PoliciesAPI (policies.py).

let me know if there is anything I can help with, and if you like the tool, just spread the word :)

@0x6f677548
Owner

btw, I haven't tested the tool with preview features, so I'm not sure about the result.
