[QUESTION] STAT V2 AAD Risk Module 403 Forbidden #436

Open
KSJHASJBX opened this issue Sep 30, 2023 · 2 comments
@KSJHASJBX

Hi,

Hope you are doing well. I have deployed STAT V2 according to the docs and ran the grantpermissions.ps1 script. It seems to work, but I keep on receiving a 403 Forbidden error in the AAD risk module. This is the output:

```json
{
  "statusCode": 400,
  "headers": {
    "Transfer-Encoding": "chunked",
    "Date": "Fri, 29 Sep 2023 13:52:50 GMT",
    "Content-Type": "application/json",
    "Content-Length": "1258"
  },
  "body": {
    "Error": "The API call to msgraph with path /v1.0/identityProtection/riskyUsers/21b3b6da-20e4-4751-ba82-7b268d028fb5 failed with status 403",
    "InvocationId": "57658876-e69d-42c7-8bba-aea7185450bd",
    "SourceError": {
      "status_code": 403,
      "reason": "Forbidden"
    },
    "Traceback": [
      "Traceback (most recent call last):\n",
      " File \"/home/site/wwwroot/modules/init.py\", line 19, in main\n return_data = coordinator.initiate_module(module_name=module_name, req_body=req_body)\n",
      " File \"/home/site/wwwroot/shared/coordinator.py\", line 27, in initiate_module\n return_data = aadrisks.execute_aadrisks_module(req_body)\n",
      " File \"/home/site/wwwroot/modules/aadrisks.py\", line 28, in execute_aadrisks_module\n user_risk_level = json.loads(rest.rest_call_get(base_object, api='msgraph', path=path).content)['riskLevel']\n",
      " File \"/home/site/wwwroot/shared/rest.py\", line 109, in rest_call_get\n raise STATError(f'The API call to {api} with path {path} failed with status {response.status_code}', source_error={'status_code': int(response.status_code), 'reason': str(response.reason)})\n",
      "classes.STATError: The API call to msgraph with path /v1.0/identityProtection/riskyUsers/21b3b6da-20e4-4751-ba82-7b268d028fb5 failed with status 403\n"
    ]
  }
}
```

The tenant only has a Microsoft 365 Business Premium license. Does this hinder calling the Graph API for the AAD risks module?

@KSJHASJBX KSJHASJBX added the question Further information is requested label Sep 30, 2023
@briandelmsft briandelmsft self-assigned this Oct 2, 2023
@briandelmsft
Owner

Hi @KSJHASJBX, unfortunately it does appear to be a license issue.

According to the docs for the risky users API, you need an AAD P2 license to call it and from what I see M365 Business Premium comes with P1, not P2.

https://learn.microsoft.com/en-us/graph/api/resources/riskyuser?view=graph-rest-beta

@piaudonn
Collaborator

piaudonn commented Oct 5, 2023

@briandelmsft I will update the doc to make sure it reflects this, just to make sure.

The v-2 version should also make this a non-terminating error. Or at least overwrite the error message when status_code is 403 to mention that it might be a license thing.
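
The handling suggested in the last comment, as an added example that is not part of the thread or of the STAT code base: a 403 on an Identity Protection path becomes a non-terminating result with a license hint, while every other failure still raises. `get_user_risk_level`, `fetch` and the `STATError` stand-in (shaped after the traceback above) are hypothetical names, and the responses are constructed.

```python
"""Added example: treat a Graph 403 on riskyUsers as a non-terminating result."""

class STATError(Exception):
    # Stand-in with the shape visible in the traceback: a message plus a
    # source_error dict. This is not the project's own class.
    def __init__(self, error, source_error=None):
        super().__init__(error)
        self.error = error
        self.source_error = source_error or {}

RISK_PATH_PREFIX = "/v1.0/identityProtection/"
LICENSE_HINT = ("This may be a license issue: per the thread, the risky users "
                "API needs an AAD P2 license.")

def get_user_risk_level(fetch, path):
    """Return (risk_level, warning); warning is None when the call succeeds.

    fetch is a hypothetical callable standing in for the module's Graph GET:
    it takes a path and returns the decoded JSON body as a dict.
    """
    try:
        return fetch(path)["riskLevel"], None
    except STATError as exc:
        status = exc.source_error.get("status_code")
        if status == 403 and path.startswith(RISK_PATH_PREFIX):
            # Non-terminating: no risk level, but an actionable message.
            return None, f"{exc.error}. {LICENSE_HINT}"
        raise  # Any other failure stays a terminating error.

# Constructed stand-ins for Graph responses, so the example runs offline.
def fake_forbidden(path):
    raise STATError(
        f"The API call to msgraph with path {path} failed with status 403",
        source_error={"status_code": 403, "reason": "Forbidden"})

def fake_ok(path):
    return {"riskLevel": "medium"}

if __name__ == "__main__":
    # Placeholder user id, constructed for the example.
    p = RISK_PATH_PREFIX + "riskyUsers/00000000-0000-0000-0000-000000000000"
    print(get_user_risk_level(fake_forbidden, p))
    print(get_user_risk_level(fake_ok, p))
```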
