Access Denied when using Get-MgUserFollowedSite, despite having delegated access #2713

Closed
RudeDawgIT opened this issue Apr 30, 2024 · 2 comments
Labels: no-recent-activity, status:waiting-for-author-feedback, type:bug

RudeDawgIT commented Apr 30, 2024

Describe the bug

Using a GA in Azure, I still get 403 Access Denied when trying to use Get-MgUserFollowedSite. I am able to access the site list of the signed-in account but cannot get the list of other users.

Expected behavior

I would expect to get the list of sites followed by the user as I get with the currently logged in user.

How to reproduce

$user = Get-MgUser -UserId $username
$followedSites = Get-MgUserFollowedSite -UserId $User.Id
Get-MgUserFollowedSite_List: This operation is not supported with the provided permissions

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-04-30T13:15:10

Headers:
Cache-Control                 : no-store, no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : $REQUEST_GUID
client-request-id             : $RESPONSE_GUID
x-ms-ags-diagnostic           : $JSON_DIAGNOSTIC_INFO
Date                          : Tue, 30 Apr 2024 13:15:09 GMT

SDK Version

2.17.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

DEBUG: [CmdletBeginProcessing]: - Get-MgUserFollowedSite begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, BitlockerKey.Read.All, BitlockerKey.ReadBasic.All, DelegatedPermissionGrant.ReadWrite.All, Device.Read.All, DeviceManagementConfiguration.Read.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All, MailboxSettings.ReadWrite, openid, Organization.Read.All, Policy.Read.All, Policy.ReadWrite.Authorization, Policy.ReadWrite.PermissionGrant, Presence.Read.All, PrivilegedAccess.ReadWrite.AzureAD, profile, RoleManagement.Read.Directory, Sites.ReadWrite.All, User.Read, User.Read.All, User.ReadBasic.All, User.ReadWrite.All, email, Files.Read.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users/$USER_GUID/followedSites

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-US),PowerShell/2024.2.1
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.17.0
client-request-id             : $CLIENT_REQUEST_GUID

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-store, no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : $REQUEST_GUID
client-request-id             : $CLIENT_REQUEST_GUID
x-ms-ags-diagnostic           : $JSON_DIAGNOSTIC_INFO
Date                          : Tue, 30 Apr 2024 13:15:09 GMT

Body:
{
  "error": {
    "code": "accessDenied",
    "message": "This operation is not supported with the provided permissions",
    "innerError": {
      "date": "2024-04-30T13:15:10",
      "request-id": "$REQUEST_GUID",
      "client-request-id": "$CLIENT_REQUEST_GUID"
    }
  }
}


Get-MgUserFollowedSite_List: This operation is not supported with the provided permissions

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-04-30T13:15:10

Headers:
Cache-Control                 : no-store, no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : $REQUEST_GUID
client-request-id             : $RESPONSE_GUID
x-ms-ags-diagnostic           : $JSON_DIAGNOSTIC_INFO
Date                          : Tue, 30 Apr 2024 13:15:09 GMT

DEBUG: [CmdletEndProcessing]: - Get-MgUserFollowedSite end processing.

Configuration

  • OS: Windows 11
  • Architecture: x64

PSVersion 7.4.2
PSEdition Core
GitCommitId 7.4.2
OS Microsoft Windows 10.0.22621
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

  • current MgGraph Scopes:
    (Get-MgContext).Scopes

Application.Read.All
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
BitlockerKey.Read.All
BitlockerKey.ReadBasic.All
DelegatedPermissionGrant.ReadWrite.All
Device.Read.All
DeviceManagementConfiguration.Read.All
Directory.Read.All
Directory.ReadWrite.All
Group.Read.All
Group.ReadWrite.All
GroupMember.Read.All
MailboxSettings.ReadWrite
openid
Organization.Read.All
Policy.Read.All
Policy.ReadWrite.Authorization
Policy.ReadWrite.PermissionGrant
Presence.Read.All
PrivilegedAccess.ReadWrite.AzureAD
profile
RoleManagement.Read.Directory
Sites.ReadWrite.All
User.Read
User.Read.All
User.ReadBasic.All
User.ReadWrite.All
email
Files.Read.All

Other information

This is a very similar situation to Issue #2338, but this isn't related to OneDrive, so I can't just add the GA account to the admin permissions of their personal site.

RudeDawgIT added the status:waiting-for-triage and type:bug labels Apr 30, 2024
@petrhollayms

Hi @RudeDawgIT,

Can you reproduce the same error in Graph Explorer?

This appears to be an issue or limitation with the service APIs. Unfortunately, as the Microsoft Graph SDK team, we do not have ownership of the APIs that are causing you issues. We invite you to create a question about the service API on Microsoft Q&A, tagged with one of the [microsoft-graph-*] tags; that way it will get routed to the appropriate team for them to triage:

https://aka.ms/msgraphsupport or directly https://aka.ms/askgraph
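
A raw-request version of the reproduction, run from the same PowerShell session so the generated cmdlet is out of the picture. This is an added example, not part of the issue thread or the SDK's own code; it assumes an existing `Connect-MgGraph` session, `$targetUpn` is a placeholder, and `Test-FollowedSitesAccess` is a hypothetical helper name.

```powershell
# Added example, not from the issue thread. Assumes an existing Connect-MgGraph
# session. $targetUpn is a placeholder; Test-FollowedSitesAccess is a
# hypothetical helper name.
$targetUpn = 'other.user@contoso.example'   # placeholder, replace before running

function Test-FollowedSitesAccess {
    param([Parameter(Mandatory)][string]$Uri)

    # -SkipHttpErrorCheck returns the error body instead of throwing, so a 403
    # can be recorded next to a 200 in the same table.
    $body = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject `
        -SkipHttpErrorCheck -StatusCodeVariable httpStatus

    [pscustomobject]@{
        Uri       = $Uri
        Status    = [int]$httpStatus
        ErrorCode = $body.error.code        # $null on success
        Message   = $body.error.message
        RequestId = $body.error.innerError.'request-id'
    }
}

$ctx    = Get-MgContext
$target = Get-MgUser -UserId $targetUpn

# Record what the token carries, so the results can be read against it.
[pscustomobject]@{
    Account     = $ctx.Account
    AuthType    = $ctx.AuthType
    SitesScopes = ($ctx.Scopes -match '^Sites\.') -join ', '
} | Format-List

# Same token, same API version, two paths: the signed-in user and another user.
@(
    'https://graph.microsoft.com/v1.0/me/followedSites'
    "https://graph.microsoft.com/v1.0/users/$($target.Id)/followedSites"
) | ForEach-Object { Test-FollowedSitesAccess -Uri $_ } |
    Format-Table -AutoSize -Wrap
```

A 200 on the `/me` path next to a 403 `accessDenied` on the `/users/{id}` path, with the same scopes, reproduces the report without `Get-MgUserFollowedSite`; the `RequestId` column can be quoted when the question is raised with the service team.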

petrhollayms added the status:waiting-for-author-feedback label and removed the status:waiting-for-triage label May 17, 2024

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
