Authentication Methods - Incorrect Required Permissions from Find-MgGraphCommand #2631

Closed
tbisque opened this issue Mar 12, 2024 · 6 comments

Comments

@tbisque

tbisque commented Mar 12, 2024

Describe the bug

Get-MgPolicyAuthenticationMethodPolicy & Get-MgBetaPolicyAuthenticationMethodPolicy both show only Policy.ReadWrite.AuthenticationMethod as the required permission. In reality, UserAuthenticationMethod.Read.All will also allow the ability to execute these cmdlets.

To Reproduce
Steps to reproduce the behavior:

  1. Execute Find-MgGraphCommand -Uri "/policies/authenticationMethodsPolicy" -Method GET
  2. Observe the Permissions property returned containing only Policy.ReadWrite.AuthenticationMethod
  3. Execute Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All
  4. Confirm ability to still execute Get-MgPolicyAuthenticationMethodPolicy & Get-MgBetaPolicyAuthenticationMethodPolicy with this more restrictive scope

Expected behavior

Find-MgGraphCommand & learn articles should reflect the ability to use this scope with more restrictive API permissions.

Debug Output

N/A

Module Version

Please run Get-Module Microsoft.Graph* after cmdlet execution and paste the output below.
2.15.0

Environment Data

Name Value
PSVersion 7.4.1
PSEdition Core
GitCommitId 7.4.1
OS Microsoft Windows 10.0.22631
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Screenshots

Additional context

@SeniorConsulting

Curious. The API documentation doesn't list this as you've described:
https://learn.microsoft.com/en-us/graph/api/authenticationmethodspolicy-get?view=graph-rest-1.0&tabs=http

I also wasn't able to replicate what you were describing (and got a 403).

If you run (Get-MgContext).Scopes, check that it hasn't already retained your previous scopes (including Policy.ReadWrite.AuthenticationMethod).

@tbisque
Author

tbisque commented Mar 17, 2024

@SeniorConsulting, worth noting that I was using an Azure (US) Gov tenant for the testing above. That's a good idea though. I will confirm the scopes were cleared with a Disconnect-MgGraph!
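The clean-session check discussed in the two comments above, as an added example that is not part of the original thread or the SDK's own code. The variable names are assumptions made for illustration, and the `-Environment USGov` hint applies only to the US Government tenant mentioned above.

```powershell
# Added example: confirm which scopes the token really carries before
# concluding that a given scope is sufficient for the request.
$uri            = '/policies/authenticationMethodsPolicy'
$scopeUnderTest = 'UserAuthenticationMethod.Read.All'

# Permissions the SDK metadata lists for this request (step 1 of the report).
$documented = Find-MgGraphCommand -Uri $uri -Method GET |
    ForEach-Object { $_.Permissions.Name } |
    Sort-Object -Unique

# Drop any existing session; Disconnect-MgGraph errors when not signed in.
try { Disconnect-MgGraph | Out-Null } catch { }

# Request only the scope under test.
# For a US Government tenant add: -Environment USGov
Connect-MgGraph -Scopes $scopeUnderTest -NoWelcome

# A delegated token can include scopes consented in earlier sessions,
# so inspect what was actually granted rather than what was requested.
$granted = @((Get-MgContext).Scopes)
$overlap = @($granted | Where-Object { $_ -in $documented })

"Documented : $($documented -join ', ')"
"Granted    : $($granted -join ', ')"

if ($overlap.Count -gt 0) {
    # A documented permission is already in the token, so a successful
    # call says nothing about the scope under test.
    Write-Warning "Token already carries: $($overlap -join ', '). Result would be inconclusive."
}
else {
    try {
        Get-MgPolicyAuthenticationMethodPolicy -ErrorAction Stop | Out-Null
        "Call succeeded without any documented permission in the token."
    }
    catch {
        "Call failed: $($_.Exception.Message)"
    }
}
```

Scopes in the token that are neither documented nor the scope under test still appear on the "Granted" line and should be ruled out before drawing a conclusion.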

@timayabi2020
Contributor

@tbisque, I also checked the permissions defined in the API reference doc for that path. They are the same as what is returned by Find-MgGraphCommand.

@tbisque
Author

tbisque commented Mar 22, 2024

@timayabi2020, what I'm trying to say is that both are missing UserAuthenticationMethod.Read.All.

@timayabi2020
Contributor

Hi @tbisque, apologies for misinterpreting the issue. For the missing scope, kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.

Contributor

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
