Comments (6)
Hi @jajapaja ,
can you please clarify what action you are trying to perform that raises that error?
This can be an expected error if you are trying to use an action with a token that does not have the necessary scopes. If you tell me what action, I can help you with the instructions to get a token using the --scope option in the acquire-token command.
thanks
from zerotrust-ca-powertoys.
Hi @0x6f677548 ,
I'm getting the error about missing scope for the export-policies action (as I mentioned, I tried all methods mentioned in your documentation, including authorization with a service principal)
How can I define the token scope in the query? All of the identities were Global Admins
Many thanks
This has nothing to do with the role of the identity being used. I recommend reading https://learn.microsoft.com/en-us/graph/auth/ namely https://learn.microsoft.com/en-us/graph/auth/auth-concepts
CA-PowerToys, by default, utilizes "14d82eec-204b-4c2f-b7e8-296a70dab67e" as the client_id, which is "Microsoft Graph Command Line Tools". This is done to circumvent the need to pre-register ca-powertoys in the target tenant, as most of the time this app is registered. MS Graph Command Line Tools normally has all the delegated user permissions needed for most operations, but your tenant may have been changed.
A scope can be defined using the --scope option in the acquire-token command.
As an example:
ca-pwt acquire-token --scope "Policy.Read.All" export-policies --output_file policies.json
You can check which scopes are needed in every api call on graph api documentation. Example for policies list:
https://learn.microsoft.com/en-us/graph/api/conditionalaccessroot-list-policies?view=graph-rest-1.0&tabs=http
If you use the service principal approach, the following are the permissions that need to be added:
hope it helps
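As an added illustration of the point above (not code from the ca-pwt project): before running an action, you can inspect the access token you obtained and check that it actually carries the scope the action needs, instead of relying on the identity's directory role. The client id and the Policy.Read.All scope come from this thread; the token below is constructed inline, and the helper names are my own.

```python
import base64
import json

# Client id of "Microsoft Graph Command Line Tools", the default ca-pwt uses (from the thread).
GRAPH_CLI_TOOLS_APPID = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
# Scope the thread passes via `acquire-token --scope` for export-policies.
REQUIRED_SCOPES = {"export-policies": {"Policy.Read.All"}}

def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_claims(token: str) -> dict:
    """Payload claims of a compact JWT. No signature check: this inspects a token
    you obtained yourself; Microsoft Graph still validates it on every call."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def token_scopes(claims: dict) -> set[str]:
    """Delegated tokens carry space-separated 'scp'; application (service
    principal) tokens carry a 'roles' list. Return the union as a set."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def missing_scopes(token: str, action: str) -> set[str]:
    """Scopes `action` needs that the token does not carry (empty = OK)."""
    return REQUIRED_SCOPES[action] - token_scopes(token_claims(token))

def issued_to_graph_cli_tools(token: str) -> bool:
    """True when the token's 'appid' is the client id ca-pwt defaults to."""
    return token_claims(token).get("appid") == GRAPH_CLI_TOOLS_APPID

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline use only (the third
    segment is a placeholder, not a real signature)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"

if __name__ == "__main__":
    # Constructed delegated token without Policy.Read.All: what a Global Admin
    # gets without --scope, since directory role does not add Graph scopes.
    weak = make_sample_token({"appid": GRAPH_CLI_TOOLS_APPID, "scp": "User.Read openid"})
    print("missing for export-policies:", missing_scopes(weak, "export-policies"))
```

With a real token, pass the string returned by acquire-token to missing_scopes; an empty set means the scope problem described above is not the cause.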
Thank you so much. The scope parameter of ca-pwt was the point. I'm familiar OFC with the OAuth concept, but I missed in your documentation the info about utilizing Graph Command Line Tools. I set all required API permissions and everything works as expected.
btw: a new tenant doesn't have consent for Graph Command Line Tools, so you need to define it in a new scope
now I'm getting this for policy 105
ERROR:ca_pwt.commands:Error creating policy with display name 'CA105-Admins-AppProtection-MicrosoftIntuneEnrollment-AnyPlatform-MFA': Request failed with status code 400; {'error': {'code': 'BadRequest', 'message': '1038: The policy you are trying to create or update contains preview features. Use the Beta endpoint to create or update this policy.', 'innerError': {'date': '2024-02-09T17:49:57', 'request-id': '
How can I please change to the /beta Graph API endpoint in ca-pwt?
EDIT: I found it. :)
Many thanks
sorry for the late reply
Yes, I might need to update the documentation for a new tenant. I will probably invest some time on a wiki moving forward. I am working on the support for other parts of the ZT vision, like Intune device policies, hence some latency updating docs. Feel free to submit a PR for the readme if you have any suggestion, and thanks for using the tool.
For the beta API, you found it already, but that's in graph_api.py, in the init method of EntityAPI. You might also need to change the _get_entity_path of some entities, in your case PoliciesAPI (policies.py)
let me know if there's anything I can help with, and if you like the tool, just spread the word :)
btw, I haven't tested the tool with preview features, so I'm not sure about the result.