Status error handling in MGGraph cmdlets (e.g. 403) #2630

Closed
@djjeff80

Description

Is your feature request related to a problem? Please describe.
It's difficult to harden your PowerShell code using the MSGraph cmdlets because it's not falling into any exception or throwing a command-specific error code to handle when the API returns other status codes than 200.

Example 1: If a 403 error code is returned by a MSGraph cmdlet like Get-MgUser, it's not running into the catch section by design. It's just printing out the error to the console.

try 
{
    Connect-MgGraph -NoWelcome
    Get-MgUser -UserId "abc@def.com"
} 
catch 
{
    Write-Host "Error occurred"
}

Line |
   X |      Get-MgUserExtension -UserId "abc@def.com ...
     | Access Denied  Status: 403 (Forbidden) ErrorCode: AccessDenied...

Example 2: Trying to push the error into a separate variable doesn't work either, because $retCode stays $null.

try 
{
    Connect-MgGraph -NoWelcome
    Get-MgUser -UserId "abc@def.com"  -ErrorVariable $retCode -ErrorAction SilentlyContinue

    if($retCode)
    {
        Write-Host "Error occurred"
    }
} 
catch 
{
    Write-Host "Error occurred"
}

Line |
   X |      Get-MgUserExtension -UserId "abc@def.com" -Error ...
     | Access Denied  Status: 403 (Forbidden) ErrorCode: AccessDenied...

Example 3: Comparing the results of Find-MgGraphCommand with the current scopes of the user does not work for each request, because some of the MSGraph cmdlets, like Get-MgUserExtension, are context based and don't offer permissions to compare with.

Find-MgGraphCommand -Command Get-MgUserExtension
   APIVersion: v1.0

Command             Module Method URI                                        OutputType               Permissions Variants
-------             ------ ------ ---                                        ----------               ----------- --------
Get-MgUserExtension Users  GET    /users/{user-id}/extensions/{extension-id}                          {}          {Get, GetViaIdentity}
Get-MgUserExtension Users  GET    /users/{user-id}/extensions                IMicrosoftGraphExtension {}          {List}

Find-MgGraphCommand -Uri "https://graph.microsoft.com/v1.0/users/{user-id}/extensions" -ApiVersion "V1.0"

   APIVersion: v1.0

Command             Module Method URI                         OutputType               Permissions Variants
-------             ------ ------ ---                         ----------               ----------- --------
Get-MgUserExtension Users  GET    /users/{user-id}/extensions IMicrosoftGraphExtension {}          {List}
New-MgUserExtension Users  POST   /users/{user-id}/extensions                          {}          {Create, CreateExpanded, CreateViaIdentity, CreateViaIde… 

Describe the solution you'd like
Offering clear error handling of MSGraph cmdlets in each situation of API calls. That's why separate MSGraph cmdlets exist to make easier calls than with Invoke-MgGraphRequest or Invoke-WebRequest.

Describe alternatives you've considered

  • exception handling in catch clause
  • throwing error details into a custom error variable to handle in further code parts
  • Find-MgGraphCommand allow using complete command statements in the -Command parameter

Additional context
...

Activity

SeniorConsulting commented on Mar 12, 2024

Gidday,

For your first bit, you'll need to change the error action to stop, because PowerShell doesn't catch any non-terminating errors. The -ErrorAction Stop in the line tells PowerShell to consider any error to be a terminating error.

i.e.

try 
{
    Connect-MgGraph -NoWelcome
    Get-MgUser -UserId "abc@def.com" -ErrorAction Stop
} 
catch 
{
    Write-Host "Error occurred"
}

I reckon this is probably the best way to handle this. If you had to go for other methods of error handling like you were suggesting, you could look if a variable you were looking for is null, and the error generated relates to that query.

Something like:

try 
{
    Connect-MgGraph -NoWelcome
    $Username = "abc@def.com"
    $User = Get-MgUser -UserId $Username -ErrorAction SilentlyContinue

    if ((!($User)) -AND ($error[0].targetobject.userid -eq $Username))
    {
        Write-Host "Error occurred"
    }
} 
catch 
{
    Write-Host "Error occurred"
}

I kinda feel that that's a bit gross though.

I can't help with the last one though, because as you've stated, the cmdlet does not return the properties for permissions (for Get-MgUserExtension) at all, so that you cannot compare to existing scopes with a Get-MgContext.
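
The two handling patterns discussed in this thread, as an added example that is not code from the issue or from the SDK. `Get-FakeMgUser`, `Get-StatusFromError`, `Test-UserAccess` and `Test-UserAccessQuiet` are hypothetical names; the stand-in emits a non-terminating error whose text copies the message format shown in the issue output, and reading the status out of that text is an assumption about the format. Note that `-ErrorVariable` takes the variable name without `$`.

```powershell
# Constructed stand-in for a Graph cmdlet (hypothetical; the real SDK is not called).
# Like the behaviour reported above, it writes a NON-terminating error.
function Get-FakeMgUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserId)
    Write-Error -Message 'Access Denied  Status: 403 (Forbidden) ErrorCode: AccessDenied' -TargetObject $UserId
}

# Extract the HTTP status from the message text; returns 0 when no status is present.
function Get-StatusFromError {
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$ErrorRecord)
    if ($ErrorRecord.Exception.Message -match 'Status:\s*(\d{3})') { return [int]$Matches[1] }
    return 0
}

# Pattern 1: -ErrorAction Stop promotes the error to terminating, so catch runs.
function Test-UserAccess {
    param([Parameter(Mandatory)][string]$UserId)
    try {
        $null = Get-FakeMgUser -UserId $UserId -ErrorAction Stop
        return 'ok'
    }
    catch {
        $err = $_                                   # keep the record: switch rebinds $_
        $status = Get-StatusFromError -ErrorRecord $err
        switch ($status) {
            403     { return 'forbidden: compare required permissions with Get-MgContext scopes' }
            404     { return 'not found' }
            default { return "unhandled: $($err.Exception.Message)" }
        }
    }
}

# Pattern 2: keep the error non-terminating but capture it in a named variable.
function Test-UserAccessQuiet {
    param([Parameter(Mandatory)][string]$UserId)
    # 'graphErr' is the variable NAME; PowerShell creates $graphErr in this scope.
    $user = Get-FakeMgUser -UserId $UserId -ErrorAction SilentlyContinue -ErrorVariable graphErr
    if ($graphErr) { return Get-StatusFromError -ErrorRecord $graphErr[0] }
    return $user
}

Test-UserAccess      -UserId 'abc@def.com'
Test-UserAccessQuiet -UserId 'abc@def.com'
```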

microsoft-github-policy-service commented on Mar 19, 2024

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

          Status error handling in MGGraph cmdlets (e.g. 403) · Issue #2630 · microsoftgraph/msgraph-sdk-powershell