Export of 'privilegedAccess/azureResources/resources' fails: 400 Bad Request #62

Open
nextxpert opened this issue Jan 3, 2024 · 12 comments

@nextxpert

When running -All -CloudOnly, we see the following error occur:

```
##[debug] GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=fIO1247ezEmz1lviT8FLJQ
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 7c5e8fb4-6e4d-43e5-9819-448fd17aee46
client-request-id: 1e4a4c8c-93bf-4607-8fa4-832c89993e18
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0001E78A"}}
Date: Wed, 03 Jan 2024 13:27:11 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-01-03T13:27:11","request-id":"7c5e8fb4-6e4d-43e5-9819-448fd17aee46","client-request-id":"1e4a4c8c-93bf-4607-8fa4-832c89993e18"}}}
```

@richardgarciajr

richardgarciajr commented Jan 4, 2024

I'm also getting the same error in PowerShell 7 and Azure DevOps Pipeline.
PowerShell 7.4.0
EntraExporter 2.0.7
Microsoft.Graph.Authentication 2.9.1

Command:

```powershell
Export-Entra "$root\$BACKUP_FOLDER" -All -CloudUsersAndGroupsOnly
```

Output:

```
PrivilegedAccess/AzureResources/Resources
Export-Entra: GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=<REMOVED>
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: <REMOVED>
client-request-id: <REMOVED>
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"<REMOVED>","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"<REMOVED>"}}
Date: Thu, 04 Jan 2024 22:11:48 GMT
Content-Type: application/json
Content-Encoding: gzip

{"error":{"code":"InvalidFilter","message":"The  filter is invalid.","innerError":{"date":"2024-01-04T22:11:49","request-id":"<REMOVED>","client-request-id":"<REMOVED>"}}}
```

@mrusso-virtos

I'm afraid I'm getting a very similar error.
PowerShell 5
EntraExporter 2.0.7
Microsoft.Graph.Authentication 2.15.0

I have successfully run the following as an interactive user with Global Admin privilege:

```powershell
Export-Entra -Path $outFile -All
```

But my Jenkins-powered Azure Application (without any assigned Azure Roles, mind you) is getting the following failure when it tries to export at or after "PrivilegedAccess/AzureResources/Resources":

```
Export-Entra : GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: cdc3f015-61e0-4e50-9107-18dddb23b797
client-request-id: 7643a684-89fd-45cc-83df-6e320f608936
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Australia East","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SY3PEPF00009BFC"}}
Cache-Control: private
Date: Wed, 06 Mar 2024 07:36:44 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license.","innerError":{"date":"2024-03-06T07:36:45","request-id":"cdc3f015-61e0-4e50-9107-18dddb23 b797","client-request-id":"7643a684-89fd-45cc-83df-6e320f608936"}}}
```

I'm hesitant to allocate a Global Admin role to the application... but not sure how to proceed. Suggestions would be very welcome!

@tld6764

tld6764 commented Mar 6, 2024 via email

@mrusso-virtos

Hello tld6764,

The "account" is an App Registration. I'm connecting to MgGraph via a clientID and certificate. Are you saying I have to assign a license to an App Registration?! I'm not even sure how to look that up, and there doesn't appear to be anything in the Entra Licenses page that suggests that an App can have a license assigned. Hence my confusion about the error message.

@tld6764

tld6764 commented Mar 7, 2024

Well, not the application specifically. However, I think at least one user will need to have a P2. It's failing on Privileged Identity Management, which requires a P2 license to use. That or just omit that part from the script.

@mrusso-virtos

OK - I'll see about getting a P2 license - the part about the tenant having a license makes sense.
What is odd is that my other Global Admin account, in the same tenant, without a P2 license, can run the entire (-All) export without a problem, albeit interactively.

@SamErde
Contributor

SamErde commented May 31, 2024

> When running -All -CloudOnly, we see the following error occur:

Are you using the -CloudUsersAndGroupsOnly parameter? I don't believe there is a -CloudOnly one.

@SamErde
Contributor

SamErde commented May 31, 2024

> Well, not the application specifically. However, I think at least one user will need to have a P2. It's failing on Privileged Identity Management, which requires a P2 license to use. That or just omit that part from the script.

This sounds like a good idea for a PR to check for P2 license and provide error handling for this case. See also #61.
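
A sketch of the error handling suggested above, as an added example that is not part of this thread or of EntraExporter's own code: it reads the Graph error code out of the failure text so that a missing-license 400 is skipped with a warning instead of being mistaken for a permissions problem, while `InvalidFilter` is still surfaced. The function names are hypothetical, the sample strings are constructed from the responses quoted in this thread, and it assumes the exception message ends with the JSON error body as shown there.

```powershell
# Added example; Get-GraphErrorCode, Get-ExportFailureAction and
# Invoke-GuardedExport are hypothetical helpers, not EntraExporter functions.
function Get-GraphErrorCode {
    param([Parameter(Mandatory)][string]$ErrorText)
    # Assumption: the text ends with the Graph JSON body {"error":{"code":...}}
    $start = $ErrorText.IndexOf('{"error"')
    if ($start -lt 0) { return $null }
    try   { return ($ErrorText.Substring($start) | ConvertFrom-Json).error.code }
    catch { return $null }   # body truncated or not valid JSON
}

function Get-ExportFailureAction {
    param([Parameter(Mandatory)][string]$ErrorText)
    $code = Get-GraphErrorCode -ErrorText $ErrorText
    # Licensing gap: PIM data cannot be exported, so skipping is safe.
    if ($code -eq 'AadPremiumLicenseRequired') { return 'SkipWithWarning' }
    # Seen in this thread on a tenant that has P2: not a license or role issue.
    if ($code -eq 'InvalidFilter') { return 'ReportAsBug' }
    return 'Rethrow'
}

function Invoke-GuardedExport {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][scriptblock]$Request
    )
    try { & $Request }
    catch {
        $action = Get-ExportFailureAction -ErrorText $_.Exception.Message
        if ($action -eq 'SkipWithWarning') {
            Write-Warning "$Name skipped: tenant has no Entra ID P2 or ID Governance license."
            return
        }
        if ($action -eq 'ReportAsBug') {
            Write-Warning "$Name failed with InvalidFilter; adding roles or licenses will not fix this."
        }
        throw   # anything not explicitly understood still fails the export
    }
}

# Constructed samples shaped like the error text quoted in this thread.
$licenseError = 'GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources HTTP/1.1 400 Bad Request {"error":{"code":"AadPremiumLicenseRequired","message":"The tenant needs to have Microsoft Entra ID P2 or Microsoft Entra ID Governance license."}}'
$filterError  = 'GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources HTTP/1.1 400 Bad Request {"error":{"code":"InvalidFilter","message":"The filter is invalid."}}'

# The throwing script blocks stand in for the real Graph request.
Invoke-GuardedExport -Name 'PrivilegedAccess/AzureResources/Resources' -Request { throw $licenseError }
Get-ExportFailureAction -ErrorText $filterError
```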

@milapointe

milapointe commented Jun 20, 2024

In my case, the error received is :

{"error":{"code":"InvalidFilter","message":"The filter is invalid."}}

@mrusso-virtos

I'm using:

```powershell
Export-Entra -Path $ExportLocation -All
```

My problem was resolved the moment I added a P2 license to my tenant. I did not need to adjust permissions or assign the P2 license to either the application or a service account.

Thank you.

@milapointe

> I'm using: Export-Entra -Path $ExportLocation -All
>
> My problem was resolved the moment I added a P2 license to my tenant. I did not need to adjust permissions or assign the P2 license to either the application or a service account.
>
> Thank you.

Yeah, I understood afterward that it was not the same mistake as mine. We do have a P2 licence in the tenant.

My problem is the same as OP.

@milapointe

@nextxpert did you resolve it on your part?

Thanks
