When using in AzureChinaCloud environment, Find-MgGraphPermission changes MSGraph API endpoints from China to Global #2795

Closed
Ysuuuuuuuu opened this issue Jun 14, 2024 · 1 comment · Fixed by #2842
Assignees
Labels
priority:p1 High priority/Major issue but not blocking or Big percentage of customers affected.Bug SLA <=7days type:bug A broken experience

Comments

@Ysuuuuuuuu

Describe the bug

When using MSGraph PowerShell to call AzureChinaCloud MSGraph APIs, right after calling Find-MgGraphPermission, the subsequent MSGraph calls will target https://graph.microsoft.com instead of https://microsoftgraph.chinacloudapi.cn.

Expected behavior

After calling Find-MgGraphPermission, the subsequent MSGraph calls still target https://microsoftgraph.chinacloudapi.cn.

How to reproduce

  1. Connect to tenant in AzureChinaCloud:
    Connect-MgGraph -scopes ".default" -Environment China -TenantId $TenantID -AppId $ClientID -ContextScope Process

  2. Try any MSGraph call; it works: Get-MgApplication -Top 1 -Debug

  3. Run Find-MgGraphPermission "User.Read" -ExactMatch -PermissionType "Delegated" -Debug
    In this step, you can see it's targeting https://graph.microsoft.com

  4. Then run Get-MgApplication -Top 1 -Debug again. It fails with 401 as this time it targets https://graph.microsoft.com.

SDK Version

2.19.0

Latest version known to work for scenario above?

v2.8.0 has the issue as well. Other versions were not tested.

Known Workarounds

No workaround as of now.

Debug output

Find-MgGraphPermission "User.Read" -ExactMatch -PermissionType "Delegated" -Debug

DEBUG: GET /v1.0/servicePrincipals?$filter=appId%20eq%20'00000003-0000-0000-c000-000000000000' HTTP/1.1
HTTP: graph.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.2 Invoke-MgGraphRequest


DEBUG: GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId%20eq%20'00000003-0000-0000-c000-000000000000'
HTTP/2.0 401 Unauthorized
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 4d3ffd39-c3f6-480e-9425-3e4a98502772
client-request-id: 5a6d2536-ea72-4866-8f93-a41099b2f592
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF0000B1AB"}}
WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="xxxxxx"
Date: Fri, 14 Jun 2024 05:25:30 GMT
Content-Type: application/json
Content-Encoding: gzip

{"error":{"code":"InvalidAuthenticationToken","message":"Signing key is invalid.","innerError":{"date":"2024-06-14T05:25:31","request-id":"4d3ffd39-c3f6-480e-9425-3e4a98502772","client-request-id":"5a6d2536-ea72-4866-8f93-a41099b2f592"}}}

   PermissionType: Delegated

Id                                   Consent Name      Description
--                                   ------- ----      -----------
e1fe6dd8-ba31-4d61-89e7-88639da4683d User    User.Read Allows you to sign in to the app with your organizational accou…

Configuration

Name                      Value
----                      -----
PSVersion                 7.4.2
PSEdition                 Core
GitCommitId               7.4.2
OS                        Microsoft Windows 10.0.22631
Platform                  Win32NT
PSCompatibleVersions      {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion      1.1.0.1
WSManStackVersion         3.0

Other information

No response

@Ysuuuuuuuu Ysuuuuuuuu added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Jun 14, 2024
@timayabi2020
Contributor

@Ysuuuuuuuu thanks for reporting this issue. This is indeed a bug in the SDK, since calling the Find-MgGraphPermission command reinitializes the environment to its default Global environment, which points to https://graph.microsoft.com, instead of picking the environment that was initially set in the context.
As we work to resolve this issue, kindly use the Find-MgGraphCommand -Command <Your cmdlet> | Select-Object Permissions to get the permissions required. See screenshot below.
image

@timayabi2020 timayabi2020 added priority:p2 Medium. For a p2 bug, generally have a work-around. Bug SLA <=30 days priority:p1 High priority/Major issue but not blocking or Big percentage of customers affected.Bug SLA <=7days and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned priority:p2 Medium. For a p2 bug, generally have a work-around. Bug SLA <=30 days labels Jul 1, 2024
@timayabi2020 timayabi2020 self-assigned this Jul 10, 2024
@timayabi2020 timayabi2020 linked a pull request Jul 10, 2024 that will close this issue
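
A check for the endpoint drift described in this issue, as an added example (not code from the SDK or from either participant): it scans saved -Debug output for Graph requests whose host differs from the endpoint of the connected cloud. The function name, the host table and the sample lines are constructed for illustration.

```powershell
# Added example, not SDK code. Hosts are the two Graph endpoints named in this issue.
$GraphHosts = @{
    China  = 'microsoftgraph.chinacloudapi.cn'
    Global = 'graph.microsoft.com'
}

function Find-GraphEndpointDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('China', 'Global')] [string] $Environment,
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $DebugLine
    )
    $expected = $GraphHosts[$Environment]
    $lineNo = 0
    foreach ($line in $DebugLine) {
        $lineNo++
        # Request lines in the -Debug output look like: DEBUG: GET https://host/v1.0/...
        if ($line -match '^(?:DEBUG:\s+)?(?<method>GET|POST|PUT|PATCH|DELETE)\s+(?<url>https://\S+)') {
            $method = $Matches['method']
            $uri = [uri]$Matches['url']
            if ($uri.Host -ne $expected) {
                # The session's token was presented to another cloud's endpoint
                [pscustomobject]@{
                    Line         = $lineNo
                    Method       = $method
                    ActualHost   = $uri.Host
                    ExpectedHost = $expected
                    Path         = $uri.AbsolutePath
                }
            }
        }
    }
}

# Constructed sample: request lines in the order of the reproduction steps
$sample = @(
    'DEBUG: GET https://microsoftgraph.chinacloudapi.cn/v1.0/applications?$top=1'
    'DEBUG: GET https://graph.microsoft.com/v1.0/servicePrincipals'
    'HTTP/2.0 401 Unauthorized'
    ''
    'DEBUG: GET https://graph.microsoft.com/v1.0/applications?$top=1'
)

Find-GraphEndpointDrift -Environment China -DebugLine $sample | Format-Table -AutoSize
```

Run against the sample, the function reports the two requests sent to graph.microsoft.com and passes over the first request, which stayed on the China endpoint.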