Comments (7)

Outlawpete285 commented on May 28, 2024

Hello,
In case it helps you: I gave the enterprise application the "Global Reader" role and was then able to export all the elements.
Of course, that's far too many permissions, but it is read-only, and you can secure the company application accordingly. This works fine for my automated backup.

Best Regards

from entraexporter.

aexlz commented on May 28, 2024

By playing around with the type parameter, I was able to export a few entities.
So it seems that not every Type is supported by an Application-Based Permission.

I do like the idea of this script a lot. It would be great to have those enhancements in the future, or at least some kind of table in the readme.md which illustrates something like this:

| Type | Permission |
| --- | --- |
| User | Application & Delegated |
| ConditionalAccess | Application & Delegated |
| ... | .... |

An additional suggestion would be to give the user a better hint through proper error handling. My pipeline just stopped with, e.g.:

Response status code does not indicate success: InternalServerError (Internal Server Error).
Response status code does not indicate success: Forbidden (Forbidden).
Response status code does not indicate success: BadRequest (Bad Request).

israem commented on May 28, 2024

I've been using this module with application permissions and it works flawlessly.
Here is a screenshot of the needed permissions:
image

Here is a snippet to configure the permissions:

# Requires the Microsoft.Graph.Applications module and a Connect-MgGraph session allowed to update the application.
# Use application ObjectId rather than clientID
$applicationObjectId = '....'
$requiredPermissionsNames = @(
    'AccessReview.Read.All',
    'Agreement.Read.All',
    'APIConnectors.Read.All',
    'Application.Read.All',
    'Directory.Read.All',
    'EntitlementManagement.Read.All',
    'IdentityProvider.Read.All',
    'IdentityUserFlow.Read.All',
    'Organization.Read.All',
    'Policy.Read.All',
    'Policy.Read.PermissionGrant',
    'PrivilegedAccess.Read.AzureAD',
    'PrivilegedAccess.Read.AzureResources',
    'User.Read.All',
    'UserAuthenticationMethod.Read.All'
)
# Get the service principal for MS Graph, which defines the app roles
$sps = Get-MgServicePrincipalByAppId -AppId "00000003-0000-0000-c000-000000000000"

# Get list of permissions with the id
$requiredAppRoles = $sps.AppRoles | Where-Object { $_.Value -in $requiredPermissionsNames }

# Update the registered application (Type 'Role' = application permission).
Update-MgApplication -ApplicationId $applicationObjectId -RequiredResourceAccess (@{
    ResourceAppId  = '00000003-0000-0000-c000-000000000000'
    ResourceAccess = @($requiredAppRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
})

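When an export stops with Forbidden, one way to see which application permissions the app really holds is to decode the `roles` claim of its app-only access token and compare it with the permission list from the comment above. This is an added example, not code from any commenter or from EntraExporter; the function names and the sample token are constructed for illustration, and the required list is shortened to three entries.

```powershell
# Added example. Function names are hypothetical; the token below is a constructed, unsigned sample.
function Get-JwtRoles {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url: map back to base64 and restore the padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url payload length' }
    }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
    # App-only tokens list the granted application permissions in 'roles'.
    # The signature is NOT verified here: this is for diagnosis, not for authorization decisions.
    if ($null -ne $claims.roles) { $claims.roles }
}

function Test-ExportPermissions {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string[]]$Required
    )
    $granted = @(Get-JwtRoles -AccessToken $AccessToken)
    [pscustomobject]@{
        Missing = @($Required | Where-Object { $_ -notin $granted })   # likely cause of Forbidden
        Extra   = @($granted  | Where-Object { $_ -notin $Required })  # more than the export needs
    }
}

# --- Constructed sample input so the block runs offline ---
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://graph.microsoft.com","roles":["Directory.Read.All","Policy.Read.All","User.ReadWrite.All"]}'
$sampleToken = (ConvertTo-Base64Url '{"alg":"none"}') + '.' + (ConvertTo-Base64Url $payload) + '.'

# Three entries taken from the permission list in the comment above.
$required = 'Directory.Read.All', 'Policy.Read.All', 'User.Read.All'

Test-ExportPermissions -AccessToken $sampleToken -Required $required | Format-List
```

An entry under `Missing` that is declared on the app registration has not been consented to for the service principal; entries under `Extra` are permissions the export does not need.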

tld6764 commented on May 28, 2024

@israem what version of PowerShell are you running this in?

israem commented on May 28, 2024

I ran the module in both PS7 (up to 7.2.14) and PS5 successfully. I ran the snippet of code I shared in PS7, but there is no reason it wouldn't work in PS5 if you have all the modules installed.

tld6764 commented on May 28, 2024

I see. I've been messing with it all week. Finally figured out that it gives me errors (same as in original post on this issue) in 7.X, but works fine in 5.1.

ztrhgf commented on May 28, 2024

Seems like the same issue I encountered too: #57
