Description
Describe the bug
Invoke-MgGraphRequest gives 403 Forbidden for the /beta/admin/sharepoint/settings endpoint with the scope SharePointTenantSettings.ReadWrite.All
Invoke-MgGraphRequest: GET https://graph.microsoft.com/beta/admin/sharepoint/settings
HTTP/2.0 403 Forbidden
Cache-Control: no-store, no-cache
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: e3a1b7ae-3cde-483d-bff7-153adfb5f607
client-request-id: 1859889c-9d81-437c-b7c7-7e6e1cc6ae4e
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"ZRH2EPF000000E6"}}
Date: Thu, 04 Jul 2024 18:48:32 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"accessDenied","message":"Access denied","innerError":{"date":"2024-07-04T18:48:32","request-id":"e3a1b7ae-3cde-483d-bff7-153adfb5f607","client-request-id":"1859889c-9d81-437c-b7c7-7e6e1cc6ae4e"}}}
Expected behavior
Login should work as it has for the last several years
How to reproduce
Connect-MGGraph -Scopes "SharePointTenantSettings.ReadWrite.All"
Invoke-MgGraphRequest -Method "Get" -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings"
SDK Version
2.19.0
Latest version known to work for scenario above?
No response
Known Workarounds
None
Debug output
PS C:\Alya\Repos\AHPDO-ADM-CloudConfiguration> Connect-MGGraph -Scopes "SharePointTenantSettings.ReadWrite.All" -Debug
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ SharePointTenantSettings.ReadWrite.All ] ParentRequestId:
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] MSAL MSAL.NetCore with assembly version '4.60.1.0'. CorrelationId(850b426f-93fc-426d-9d51-8f46d2a7a40d)
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] LoginHint provided: False
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] Account provided: True
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] ForceRefresh: False
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d]
=== Request Data ===
Authority Provided? - True
Scopes - SharePointTenantSettings.ReadWrite.All
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 850b426f-93fc-426d-9d51-8f46d2a7a40d
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] === Token Acquisition (SilentRequest) started:
Scopes: SharePointTenantSettings.ReadWrite.All
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] Access token is not expired. Returning the found cache entry. [Current time (07/04/2024 18:47:17) - Expiration Time (07/04/2024 20:09:36 +00:00) - Extended Expiration Time (07/04/2024 20:09:36 +00:00)]
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.60.1.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.22631 [2024-07-04 18:47:17Z - 850b426f-93fc-426d-9d51-8f46d2a7a40d] AT expiration time: 04.07.2024 20:09:36 +00:00, scopes: Application.ReadWrite.All AppRoleAssignment.ReadWrite.All AuditLog.Read.All ChannelMessage.Send Contacts.Read CrossTenantInformation.ReadBasic.All DelegatedPermissionGrant.ReadWrite.All DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementManagedDevices.Read.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.Read.All DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Domain.ReadWrite.All email Group.ReadWrite.All GroupMember.ReadWrite.All openid Organization.ReadWrite.All OrganizationalBranding.ReadWrite.All Policy.Read.All Policy.ReadWrite.AuthenticationMethod Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.CrossTenantAccess Policy.ReadWrite.DeviceConfiguration Policy.ReadWrite.PermissionGrant profile RoleAssignmentSchedule.ReadWrite.Directory RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.All RoleManagement.ReadWrite.Directory SharePointTenantSettings.ReadWrite.All TeamMember.ReadWrite.All TeamsApp.ReadWrite.All TeamsAppInstallation.ReadWriteForTeam TeamsAppInstallation.ReadWriteSelfForTeam TeamSettings.ReadWrite.All TeamsTab.ReadWrite.All User.Read.All User.ReadWrite.All UserAuthenticationMethod.Read.All UserAuthenticationMethod.ReadWrite.All WindowsUpdates.ReadWrite.All. source: Cache
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ SharePointTenantSettings.ReadWrite.All ] ParentRequestId: ExpiresOn: 2024-07-04T20:09:36.0000000+00:00
Welcome to Microsoft Graph!
Connected via delegated access using 14d82eec-204b-4c2f-b7e8-296a70dab67e
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs
NOTE: You can use the -NoWelcome parameter to suppress this message.
Configuration
Name                           Value
PSVersion                      7.4.3
PSEdition                      Core
GitCommitId                    7.4.3
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
Other information
No response