Get-MgEntitlementManagementCatalog #2230

Closed
SuryenduB opened this issue Aug 8, 2023 · 6 comments

@SuryenduB

Describe the bug

Get-MgEntitlementManagementCatalog with DisplayName gives the error that the user is unauthorized. I have connected to Entra ID as Global Admin.

To Reproduce
Steps to reproduce the behavior:

  1. Get-MgEntitlementManagementCatalog -DisplayNameEQ "'$CatalogName'"
  2. See error at ...

Expected behavior

Get the Entitlement Management Catalog

Debug Output

Run the problematic command with -Debug and paste the resulting debug stream below.
[CmdletBeginProcessing]: - Get-MgEntitlementManagementCatalog begin processing with parameterSet 'List'.
[Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
[Authentication]: - Scopes: [AdministrativeUnit.ReadWrite.All, Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, CrossTenantInformation.ReadBasic.All, CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All, Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, DirectoryRecommendations.Read.All, email, EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All, Group.ReadWrite.All, openid, Organization.Read.All, Policy.Read.All, profile, RoleAssignmentSchedule.Read.Directory, RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory, Synchronization.Read.All, Synchronization.ReadWrite.All, User.Read, User.Read.All, User.ReadWrite.All, UserAuthenticationMethod.Read.All].
============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs?$filter=displayName eq %27%27Tier 0 Azure Role Catalog%27%27

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22000; en-US),PowerShell/2023.6.0
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.2.0
client-request-id : c1915a4e-4f30-41a1-98be-cbd15ec6dcf2

Body:

============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 191b1474-6514-4a51-b1c0-6e7855c9e82f
client-request-id : c1915a4e-4f30-41a1-98be-cbd15ec6dcf2
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"FR1PEPF00000AED"}}
Date : Tue, 08 Aug 2023 17:19:32 GMT

Body:
{
"error": {
"code": "BadRequest",
"message": "Invalid filter clause: Syntax error at position 21 in 'displayName eq ''Tier 0 Azure Role Catalog'''.",
"innerError": {
"date": "2023-08-08T17:19:32",
"request-id": "191b1474-6514-4a51-b1c0-6e7855c9e82f",
"client-request-id": "c1915a4e-4f30-41a1-98be-cbd15ec6dcf2"
}
}
}

Get-MgEntitlementManagementCatalog_List: C:\Program Files\PowerShell\Modules\Microsoft.Graph.Identity.Governance\2.2.0\custom\Get-MgEntitlementManagementCatalog.ps1:158:5
Line |
158 | Microsoft.Graph.Identity.Governance.private\Get-MgEntitlementMana …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Invalid filter clause: Syntax error at position 21 in 'displayName eq ''Tier 0 Azure Role
| Catalog'''. Status: 400 (BadRequest) ErrorCode: BadRequest Date: 2023-08-08T17:19:32
| Headers: Transfer-Encoding : chunked Vary :
| Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id
| : 191b1474-6514-4a51-b1c0-6e7855c9e82f client-request-id :
| c1915a4e-4f30-41a1-98be-cbd15ec6dcf2 x-ms-ags-diagnostic :
| {"ServerInfo":{"DataCenter":"Germany West
| Central","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"FR1PEPF00000AED"}} Date
| : Tue, 08 Aug 2023 17:19:32 GMT

[CmdletEndProcessing]: - Get-MgEntitlementManagementCatalog end processing

Module Version

ModuleType Version PreRelease Name                                PSEdition ExportedCommands
---------- ------- ---------- ----                                --------- ----------------
Script     2.2.0              Microsoft.Graph.Identity.Directory… Core,Desk {Confirm-MgContactMe…
Script     2.2.0              Microsoft.Graph.Identity.Governance Core,Desk {Add-MgIdentityGover…
Script     2.2.0              Microsoft.Graph.Identity.Partner    Core,Desk {Get-MgTenantRelatio…
Script     2.2.0              Microsoft.Graph.Identity.SignIns    Core,Desk {Confirm-MgRiskyServ…

Environment Data
Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Microsoft Windows 10.0.22000
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0


@ghost ghost added the ToTriage label Aug 8, 2023
@SeniorConsulting

Hi SuryenduB,

I was able to replicate your issue by using what you had typed:

$CatalogName = "General" 
Get-MgEntitlementManagementCatalog -DisplayNameEq "'$CatalogName'"

I was also able to replicate it using:
Get-MgEntitlementManagementCatalog -DisplayNameEq "'General'"

It looks like the -DisplayNameEq parameter is a smart parameter which takes some of the pain from the Graph API's filter syntax for you, so I was able to resolve this problem by simply using:

$CatalogName = "General" 
Get-MgEntitlementManagementCatalog -DisplayNameEq $CatalogName

To elaborate, I removed both sets of quotes around the $CatalogName.

I hope this helps.
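
Added example (not part of the thread and not code from the Microsoft Graph PowerShell SDK): the quoting behind the 400 response, with the filter from the debug output above beside a correctly quoted one. The helper names are hypothetical, the sample names are constructed, and the commented call assumes the cmdlet's `-Filter` parameter.

```powershell
# Added example; not code from the Microsoft Graph PowerShell SDK.
# Build an OData string literal: wrap the value once in single quotes and
# double any single quote inside it (OData's escape for ' in a string).
function ConvertTo-ODataStringLiteral {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $Value)
    "'" + $Value.Replace("'", "''") + "'"
}

# Hypothetical helper: the displayName equality filter for a catalog name.
function Get-CatalogNameFilter {
    param([Parameter(Mandatory)] [string] $DisplayName)
    'displayName eq ' + (ConvertTo-ODataStringLiteral $DisplayName)
}

# Constructed sample names.
$raw       = 'Tier 0 Azure Role Catalog'
$preQuoted = "'$raw'"               # the value passed to -DisplayNameEq in the issue
$withQuote = "Contoso's Catalog"    # a name that itself contains a single quote

# The filter seen in the debug output: the pre-quoted value wrapped a second
# time without escaping. The leading '' reads as an empty string literal, so
# the text after it is a syntax error.
$asSent = "displayName eq '$preQuoted'"

[pscustomobject]@{ Case = 'raw name';            Filter = Get-CatalogNameFilter $raw }
[pscustomobject]@{ Case = 'pre-quoted, as sent'; Filter = $asSent }
[pscustomobject]@{ Case = 'embedded apostrophe'; Filter = Get-CatalogNameFilter $withQuote }

# With a live session the escaped filter would be passed explicitly
# (assumes the cmdlet's -Filter parameter):
#   Get-MgEntitlementManagementCatalog -Filter (Get-CatalogNameFilter $raw)
```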

@SuryenduB
Author

This is working.

@SuryenduB
Author

This issue is reappearing.

I have signed in as Global Admin.

Connect-MgGraph .

2023-08-12 14784425548699500622 PS C:\Users\14784425548699500622\Documents\Scripts> $CatalogName = "General"
2023-08-12 14784425548699500622 PS C:\Users\14784425548699500622\Documents\Scripts> Get-MgEntitlementManagementCatalog -DisplayNameEq $CatalogName
Get-MgEntitlementManagementCatalog_List: C:\Program Files\PowerShell\Modules\Microsoft.Graph.Identity.Governance\2.2.0\custom\Get-MgEntitlementManagementCatalog.ps1:158
Line |
158 | Microsoft.Graph.Identity.Governance.private\Get-MgEntitlementMana …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| User is not authorized to perform the operation. Reason: Unauthorized Status: 403 (Forbidden) ErrorCode:
| UnAuthorized Date: 2023-08-12T18:50:15 Headers: Transfer-Encoding : chunked Vary
| : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id :
| 78c8cbbe-8c50-47fc-9162-3572f3cfb1c5 client-request-id : 005996d1-9bb4-46a8-8f6d-0bbc1f163f47
| x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Germany West
| Central","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"FR1PEPF00000AEE"}} Date
| : Sat, 12 Aug 2023 18:50:15 GMT
2023-08-12 14784425548699500622 PS C:\Users\14784425548699500622\Documents\Scripts>

@SuryenduB SuryenduB reopened this Aug 12, 2023
@SeniorConsulting

Hi SuryenduB,

This is a different issue this time. Previously, the message you received was:
"message": "Invalid filter clause: Syntax error at position 21 in 'displayName eq ''Tier 0 Azure Role Catalog'''.",

This time, the message you're getting is:
User is not authorized to perform the operation. Reason: Unauthorized Status: 403 (Forbidden)

Are you using the same administrator account as last time? If you run Get-MgContext after signing in, do you see the following scopes:
EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All

Are you signed into the correct tenant?
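
Added example (not part of the thread and not the SDK's own code): the session, tenant and scope questions from the reply above as one check over the object `Get-MgContext` returns. The function name is hypothetical, and the contexts and tenant id are constructed placeholders so the block runs without a Graph session.

```powershell
# Added example; not code from the thread or the SDK.
# Classifies a Graph context (the object Get-MgContext returns) before an
# entitlement management read, using the two scopes named in the reply.
function Test-CatalogReadContext {
    param(
        [AllowNull()] $Context,
        [string] $ExpectedTenantId,
        [string[]] $AcceptedScopes = @(
            'EntitlementManagement.Read.All',
            'EntitlementManagement.ReadWrite.All')
    )
    if ($null -eq $Context) {
        return [pscustomobject]@{ Ok = $false; Reason = 'No Graph session'; Held = @() }
    }
    if ($ExpectedTenantId -and $Context.TenantId -ne $ExpectedTenantId) {
        return [pscustomobject]@{ Ok = $false; Reason = "Signed in to tenant $($Context.TenantId)"; Held = @() }
    }
    # -in compares strings case-insensitively.
    $held = @($Context.Scopes | Where-Object { $_ -in $AcceptedScopes })
    if ($held.Count -eq 0) {
        return [pscustomobject]@{ Ok = $false; Reason = 'No entitlement management scope in token'; Held = @() }
    }
    [pscustomobject]@{ Ok = $true; Reason = 'Scope present'; Held = $held }
}

# Constructed contexts standing in for Get-MgContext output (placeholder tenant id).
$tenant  = '00000000-0000-0000-0000-000000000000'
$missing = [pscustomobject]@{ TenantId = $tenant; Scopes = @('User.Read', 'Directory.Read.All') }
$granted = [pscustomobject]@{ TenantId = $tenant; Scopes = @('User.Read', 'EntitlementManagement.Read.All') }

Test-CatalogReadContext -Context $null
Test-CatalogReadContext -Context $missing -ExpectedTenantId $tenant
Test-CatalogReadContext -Context $granted -ExpectedTenantId $tenant

# Live use (requires Microsoft.Graph.Authentication):
#   $check = Test-CatalogReadContext -Context (Get-MgContext)
#   if (-not $check.Ok) { Connect-MgGraph -Scopes 'EntitlementManagement.Read.All' }
```

A passing check only rules out a missing session, a tenant mismatch or a missing scope; it does not evaluate the signed-in user's role.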

@SuryenduB
Author

I have seen that you need to sign out with disconnect-graph and then sign in again with connect-graph to work with the entitlement management (identity governance) cmdlets.

This is not the case with other MgGraph commands.

@timayabi2020
Contributor

@SuryenduB I am closing this issue because the original issue was addressed by @SeniorConsulting (Thank you so much 😃). If you are still experiencing the auth problem, please open a new issue for that.
