Status error handling in MGGraph cmdlets (e.g. 403) #2630

Closed
djjeff80 opened this issue Mar 12, 2024 · 2 comments

@djjeff80

Is your feature request related to a problem? Please describe.
It's difficult to harden your PowerShell code using the MSGraph cmdlets because it's not falling into any exception or throwing a command-specific error code to handle when the API returns status codes other than 200.

Example 1: If a 403 error code is returned by a MSGraph cmdlet like Get-MgUser, it's not running into the catch section by design. It's just printing out the error to the console.

try 
{
    Connect-MgGraph -NoWelcome
    Get-MgUser -UserId "abc@def.com"
} 
catch 
{
    Write-Host "Error occured"
}

Line |
   X |      Get-MgUserExtension -UserId "abc@def.com ...
     | Access Denied  Status: 403 (Forbidden) ErrorCode: AccessDenied...

Example 2: Trying to push the error into a separate variable doesn't work either, because $retCode stays $null.

try 
{
    Connect-MgGraph -NoWelcome
    Get-MgUser -UserId "abc@def.com"  -ErrorVariable $retCode -ErrorAction SilentlyContinue

    if($retCode)
    {
        Write-Host "Error occured"
    }
} 
catch 
{
    Write-Host "Error occured"
}

Line |
   X |      Get-MgUserExtension -UserId "abc@def.com" -Error ...
     | Access Denied  Status: 403 (Forbidden) ErrorCode: AccessDenied...

Example 3: Comparing the results of Find-MgGraphCommand with the current scopes of the user does not work for every request, because some of the MSGraph cmdlets, like Get-MgUserExtension, are context based and don't offer permissions to compare with.

Find-MgGraphCommand -Command Get-MgUserExtension
   APIVersion: v1.0

Command             Module Method URI                                        OutputType               Permissions Variants
-------             ------ ------ ---                                        ----------               ----------- --------
Get-MgUserExtension Users  GET    /users/{user-id}/extensions/{extension-id}                          {}          {Get, GetViaIdentity}
Get-MgUserExtension Users  GET    /users/{user-id}/extensions                IMicrosoftGraphExtension {}          {List}

Find-MgGraphCommand -Uri "https://graph.microsoft.com/v1.0/users/{user-id}/extensions" -ApiVersion "V1.0"

   APIVersion: v1.0

Command             Module Method URI                         OutputType               Permissions Variants
-------             ------ ------ ---                         ----------               ----------- --------
Get-MgUserExtension Users  GET    /users/{user-id}/extensions IMicrosoftGraphExtension {}          {List}
New-MgUserExtension Users  POST   /users/{user-id}/extensions                          {}          {Create, CreateExpanded, CreateViaIdentity, CreateViaIde… 

Describe the solution you'd like
Offering clear error handling for MSGraph cmdlets in each situation of API calls. That's why separate MSGraph cmdlets exist: to make calls easier than with Invoke-MgGraphRequest or Invoke-WebRequest.

Describe alternatives you've considered

  • exception handling in catch clause
  • throwing error details into a custom error variable to handle in further code parts
  • Find-MgGraphCommand allow using complete command statements in the -Command parameter

Additional context
...

@SeniorConsulting

Gidday,

For your first bit, you'll need to change the error action to stop, because PowerShell doesn't catch any non-terminating errors. The -ErrorAction Stop in the line tells PowerShell to consider any error to be a terminating error.

i.e.

try 
{
    Connect-MgGraph -NoWelcome
    Get-MgUser -UserId "abc@def.com" -ErrorAction Stop
} 
catch 
{
    Write-Host "Error occured"
}


I reckon this is probably the best way to handle this. If you had to go for other methods of error handling like you were suggesting, you could look if a variable you were looking for is null, and the error generated relates to that query.

Something like:

try 
{
    Connect-MgGraph -NoWelcome
    $Username = "abc@def.com"
    $User = Get-MgUser -UserId $Username -ErrorAction SilentlyContinue

    if ((!($User)) -AND ($error[0].targetobject.userid -eq $Username))
    {
        Write-Host "Error occured"
    }
} 
catch 
{
    Write-Host "Error occured"
}

I kinda feel that that's a bit gross though.

I can't help with the last one though, because as you've stated, the cmdlet does not return the properties for permissions (for Get-MgUserExtension) at all, so that you cannot compare to existing scopes with a Get-MgContext.
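
Added example, not part of the thread or of the SDK: the three behaviours discussed above (default non-terminating error, -ErrorAction Stop, and -ErrorVariable, which takes the variable name without `$`) shown side by side. `Get-DemoGraphUser` and `Get-StatusFromError` are hypothetical helpers; the stand-in replaces Get-MgUser so the script runs offline, and the `Status: NNN` pattern is an assumption taken from the error output quoted in the issue.

```powershell
# Hypothetical stand-in for a Graph cmdlet so the demo runs offline. It writes a
# NON-terminating error; the text mirrors the 403 output quoted in the issue.
function Get-DemoGraphUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserId)
    Write-Error -Message 'Access Denied  Status: 403 (Forbidden) ErrorCode: AccessDenied' `
        -Category PermissionDenied -TargetObject $UserId
}

# Extract the HTTP status from the message text. The "Status: NNN" layout is an
# assumption taken from the console output above, not a documented contract.
function Get-StatusFromError {
    param([System.Management.Automation.ErrorRecord]$ErrorRecord)
    if ($ErrorRecord.Exception.Message -match 'Status:\s*(\d{3})') { return [int]$Matches[1] }
    return $null
}

function Test-ErrorHandling {
    $r = [ordered]@{ DefaultCaught = $false; StopCaught = $false; StopStatus = $null; VarStatus = $null }

    # 1) Non-terminating error: execution continues and catch never runs.
    try { Get-DemoGraphUser -UserId 'abc@def.com' -ErrorAction Continue 2>$null }
    catch { $r.DefaultCaught = $true }

    # 2) -ErrorAction Stop makes the same error terminating, so catch runs.
    try { Get-DemoGraphUser -UserId 'abc@def.com' -ErrorAction Stop }
    catch {
        $r.StopCaught = $true
        $r.StopStatus = Get-StatusFromError $_
    }

    # 3) -ErrorVariable takes the variable NAME without '$'; records land in $graphErr.
    Get-DemoGraphUser -UserId 'abc@def.com' -ErrorVariable graphErr -ErrorAction SilentlyContinue
    if ($graphErr) { $r.VarStatus = Get-StatusFromError $graphErr[0] }

    [pscustomobject]$r
}

$outcome = Test-ErrorHandling
switch ($outcome.StopStatus) {
    403     { Write-Host 'Forbidden: signed-in context lacks the permission for this call' }
    404     { Write-Host 'Not found: the user id does not exist' }
    default { Write-Host "Unhandled status: $($outcome.StopStatus)" }
}
$outcome | Format-List
```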


This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
