Description
Is your feature request related to a problem? Please describe.
It's difficult to harden your PowerShell code using the MSGraph cmdlets because it's not falling into any exception or throwing a command specific error code to handle when api returns other status codes than 200.
Example 1: If a 403 error code is returned by a MSGraph cmdlet like Get-MgUser, it's not running into the catch section by design. It's just printing out the error to the console.
try
{
Connect-MgGraph -NoWelcome
Get-MgUser -UserId "abc@def.com"
}
catch
{
Write-Host "Error occured"
}
Line |
X | Get-MgUserExtension -UserId "abc@def.com ...
| Access Denied Status: 403 (Forbidden) ErrorCode: AccessDenied...
Example 2: Trying to push the error into a separate variable doesn't work too because $retCode stays $null
try
{
Connect-MgGraph -NoWelcome
Get-MgUser -UserId "abc@def.com" -ErrorVariable $retCode -ErrorAction SilentlyContinue
if($retCode)
{
Write-Host "Error occured"
}
}
catch
{
Write-Host "Error occured"
}
Line |
X | Get-MgUserExtension -UserId "abc@def.com" -Error ...
| Access Denied Status: 403 (Forbidden) ErrorCode: AccessDenied...
Example 3: Comparing the results of Find-MgGraphCommand with the current scopes of the user works not for each request because some of the MSGraph cmdlets, like Get-MgUserExtension, are context based and don't offer permissions to compare with
Find-MgGraphCommand -Command Get-MgUserExtension
APIVersion: v1.0
Command Module Method URI OutputType Permissions Variants
------- ------ ------ --- ---------- ----------- --------
Get-MgUserExtension Users GET /users/{user-id}/extensions/{extension-id} {} {Get, GetViaIdentity}
Get-MgUserExtension Users GET /users/{user-id}/extensions IMicrosoftGraphExtension {} {List}
Find-MgGraphCommand -Uri "https://graph.microsoft.com/v1.0/users/{user-id}/extensions" -ApiVersion "V1.0"
APIVersion: v1.0
Command Module Method URI OutputType Permissions Variants
------- ------ ------ --- ---------- ----------- --------
Get-MgUserExtension Users GET /users/{user-id}/extensions IMicrosoftGraphExtension {} {List}
New-MgUserExtension Users POST /users/{user-id}/extensions {} {Create, CreateExpanded, CreateViaIdentity, CreateViaIde…
Describe the solution you'd like
Offering a clear error handling of MSGraph cmdlets in each situation of API calls. That's why seperate MSGraph cmdlets exist to make easier calls than with Invoke-MgGraphRequest or Invoke-WebRequest.
Describe alternatives you've considered
- exception handling in catch clause
- throwing error details into a custom error variable to handle in further code parts
- Find-MgGraphCommand allow using complete command statements in the -Command parameter
Additional context
...
Activity
SeniorConsulting commentedon Mar 12, 2024
Gidday,
For your first bit, you'll need to change the error action to stop, because PowerShell doesn't catch any non-terminating errors. The
-ErrorAction Stop
in the line tells PowerShell to consider any error to be a terminating error.i.e.
I reckon this is probably the best way to handle this. If you had to go for other methods of error handling like you were suggesting, you could look if a variable you were looking for is null, and the error generated relates to that query.
Something like:
I kinda feel that that's a bit gross though.
I can't help with the last one though, because as you've stated, the cmdlet does not return the properties for permissions (for Get-MgUserExtension) at all, so that you cannot compare to existing scopes with a Get-MgContext.
microsoft-github-policy-service commentedon Mar 19, 2024
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.