microsoft / entraexporter
PowerShell module to export a local copy of an Entra (Azure AD) tenant configuration.
Home Page: https://aka.ms/EntraExporter
License: MIT License
I try to use the tool but the export dir is just empty after each run.
I got some errors but it looks like it is running to completion.
```text
PS C:\AzureADBackup> Export-AzureAD -Path 'C:\AzureADBackup' -All
Organization/Organization.json
Organization/Settings.json
Organization/Branding/Localizations.json
Organization/CertificateBasedAuthConfiguration.json
Domains
Identity/APIConnectors
Export-AzureAD : GET https://graph.microsoft.com/beta/identity/apiConnectors
HTTP/1.1 500 Internal Server Error
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 46d1a0a4-c748-4c6f-a0b4-0ad78b041176
client-request-id: 46d1a0a4-c748-4c6f-a0b4-0ad78b041176
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"AM4PEPF0000C4CC"}}
Date: Wed, 18 Aug 2021 14:10:33 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InternalServerError","message":"Unable to find target address","innerError":{"date":"2021-08-18T14:10:34","request-id":"46d1a0a4-c748-4c6f-a0b4-0ad78b041176","client-request-id":"46d1a0a4-c748-4c6f-a0b4-0ad78b041176"}}}
At line:1 char:1
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-AzureAD
IdentityProviders
Identity/ContinuousAccessEvaluationPolicy
SubscribedSkus
DirectoryRoles
Identity/B2XUserFlows
Policies/IdentitySecurityDefaultsEnforcementPolicy
Policies/AuthorizationPolicy
Policies/FeatureRolloutPolicies
Policies/ActivityBasedTimeoutPolicy
Policies/HomeRealmDiscoveryPolicy
Policies/ClaimsMappingPolicy
Policies/TokenIssuancePolicy
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/Email.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/FIDO2.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/MicrosoftAuthenticator.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/SMS.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/TemporaryAccessPass.json
Policies/AdminConsentRequestPolicy
Policies/PermissionGrantPolicies
Identity/Conditional/AccessPolicies
Identity/Conditional/NamedLocations
IdentityGovernance\EntitlementManagement\AccessPackages
IdentityGovernance/AccessReviews
IdentityGovernance/TermsOfUse/Agreements
IdentityGovernance/EntitlementManagement/ConnectedOrganizations
IdentityGovernance/EntitlementManagement/Settings
AdministrativeUnits
PrivilegedAccess/AADRoles/Resources
PrivilegedAccess/AzureResources/Resources
Export-AzureAD : GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 500 Internal Server Error
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: dc96cfdb-9380-4839-bc63-6860ac4cd350
client-request-id: dc96cfdb-9380-4839-bc63-6860ac4cd350
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"AM4PEPF0000DE2B"}}
Date: Wed, 18 Aug 2021 14:11:04 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InternalServerError","message":"Unable to find target address","innerError":{"date":"2021-08-18T14:11:04","request-id":"dc96cfdb-9380-4839-bc63-6860ac4cd350","client-request-id":"dc96cfdb-9380-4839-bc63-6860ac4cd350"}}}
At line:1 char:1
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-AzureAD
OnPremisesPublishingProfiles/Provisioning.json
OnPremisesPublishingProfiles/Provisioning/PublishedResources
OnPremisesPublishingProfiles/Provisioning/AgentGroups
OnPremisesPublishingProfiles/Provisioning/Agents
OnPremisesPublishingProfiles/ApplicationProxy/Connectors
OnPremisesPublishingProfiles/ApplicationProxy/ConnectorGroups
Groups
GroupSettings
Applications
ServicePrincipals
Users
```
The following error has been encountered recently - this wasn't occurring a couple of weeks ago, so permissions should be OK (I think). The target environment is my lab, so not many Azure AD configuration changes.
The export is running on PowerShell Core on Windows or macOS with AzureADExporter 1.0.957478.
```text
IdentityGovernance/EntitlementManagement/Settings
Export-AzureAD: /Users/aaron/projects/azuread-export/scripts/Export-AzureAD.ps1:16
Line |
  16 | Export-AzureAD -Path "/Users/aaron/projects/azuread-export/azuread"
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/settings HTTP/1.1 409 Conflict
     | Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id:
     | 56214806-d0a8-4d7b-99f8-9b407f71d4df client-request-id: 56214806-d0a8-4d7b-99f8-9b407f71d4df x-ms-ags-diagnostic:
     | {"ServerInfo":{"DataCenter":"Australia
     | Southeast","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"ML1PEPF000058C8"}} Date: Mon, 01 Aug 2022 10:52:23 GMT
     | Content-Type: application/json Content-Encoding: gzip {"error":{"code":"DuplicateKey","message":"There is already a
     | duplicated
     | entity.","innerError":{"date":"2022-08-01T10:52:24","request-id":"56214806-d0a8-4d7b-99f8-9b407f71d4df","client-request-id":"56214806-d0a8-4d7b-99f8-9b407f71d4df"}}}
```
This is the currently exported data at `IdentityGovernance/EntitlementManagement/Settings/singleton/singleton.json`. Note that the result of this error is that this file is not exported:
```json
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/settings/$entity",
  "daysUntilExternalUserDeletedAfterBlocked": 30,
  "externalUserLifecycleAction": "BlockSignInAndDelete",
  "id": "singleton"
}
```
Authn to Azure AD is via an app registration with the following permissions:
API / Permissions name | Type | Description |
---|---|---|
AccessReview.Read.All | Application | Read all access reviews |
AdministrativeUnit.Read.All | Application | Read all administrative units |
Agreement.Read.All | Application | Read all terms of use agreements |
APIConnectors.Read.All | Application | Read API connectors for authentication flows |
Directory.Read.All | Application | Read directory data |
EntitlementManagement.Read.All | Application | Read all entitlement management resources |
Group.Read.All | Application | Read all groups |
GroupMember.Read.All | Application | Read all group memberships |
IdentityProvider.Read.All | Application | Read identity providers |
IdentityUserFlow.Read.All | Application | Read all identity user flows |
Organization.Read.All | Application | Read organization information |
Policy.Read.All | Application | Read your organization's policies |
Policy.Read.PermissionGrant | Application | Read consent and permission grant policies |
PrivilegedAccess.Read.AzureAD | Application | Read privileged access to Azure AD roles |
PrivilegedAccess.Read.AzureResources | Application | Read privileged access to Azure resources |
RoleManagement.Read.Directory | Application | Read all directory RBAC settings |
User.Read | Delegated | Sign in and read user profile |
User.Read.All | Application | Read all users' full profiles |
UserAuthenticationMethod.Read.All | Application | Read all users' authentication methods |
Does anyone know if it's possible to use the azureadexporter with an Azure Managed Identity? Ideally I would like to set this tool up in an Azure Automation Account to run each day, which can log in to each B2C tenant and back up all of its settings into a storage account.
I can run the tool manually and get the JSON files out, but want to look at automating this instead.
Hi,
the latest mggraph release 2.11.0 breaks the Entra Export because of URL Encoding special characters:
microsoftgraph/msgraph-sdk-powershell#2455
You are encoding parts of the URI already. Because of this you are passing a URI string to Invoke-MgGraphRequest that contains a '%'.
As a temporary workaround I have pinned my PowerShell module for mggraph to 2.9.1 (I think 2.10.0 should also work) and this fixes the broken Entra export.
For our use case it is not necessary to have the members for every dynamic group in the backup.
It might be relevant for others too.
The dynamic membership rule is enough to view as the dynamic members might change very frequently.
Perhaps it would be a good idea to enable a switch like "-ExcludeDynamicGroupMembers" where we only have the owners and group properties exported.
The possibility to leave the members out will also reduce the runtime of the script.
Greetings!
Unfortunately, one of my two CA policies was missing in the export. I have a really small test environment where I am looking into the azureadexporter.
I tried with `-All` as well as `-Type "ConditionalAccess"` and the default, with the same result.
Thanks for a cool and needed exporter!
I have installed the AzureADExporter module and whenever I try to connect, I get the below response.
I have tried installing the Graph module separately. I am not able to connect to MgGraph and consequently unable to run the export.
```text
Connect-MgGraph : The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\CA-D-Win-Admin-17\Documents\WindowsPowerShell\Modules\AzureADExporter\1.0.908740\Connect-AzureADExporter.ps1:20 char:5
    Connect-MgGraph -TenantId $TenantId -Scopes 'Directory.Read.All',
    ~~~~~~~~~~~~~~~
Get-MgContext : The term 'Get-MgContext' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\CA-D-Win-Admin-17\Documents\WindowsPowerShell\Modules\AzureADExporter\1.0.908740\Connect-AzureADExporter.ps1:34 char:5
    Get-MgContext
    ~~~~~~~~~~~~~
Get-MgContext : The term 'Get-MgContext' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\CA-D-Win-Admin-17\Documents\WindowsPowerShell\Modules\AzureADExporter\1.0.908740\Connect-AzureADExporter.ps1:35 char:25
    $global:TenantID = (Get-MgContext).TenantId
                        ~~~~~~~~~~~~~
```
I tested `Export-AzureAD -Path . -All` on Windows PowerShell 5.1 and on PowerShell 7.2.6 today. The full export was successful in Windows PowerShell. When using PowerShell 7, the export of Continuous Access Evaluation Policy failed with the following response:
```text
Identity/ContinuousAccessEvaluationPolicy
Export-AzureAD: GET https://graph.microsoft.us/beta/identity/continuousAccessEvaluationPolicy
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: [REDACTED]
client-request-id: [REDACTED]
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"USGov Arizona","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"[REDACTED]"}}
Date: Mon, 22 Aug 2022 20:21:13 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"BadRequest","message":"Resource not found for the segment 'continuousAccessEvaluationPolicy'.","innerError":{"date":"2022-08-22T20:21:14","request-id":"[REDACTED]","client-request-id":"[REDACTED]"}}}
```
All other types were successful except for localizations.
I'm trying to automate the process via Azure DevOps, and I want to use a self-hosted agent, but this one is behind a corporate proxy to reach the internet. I've been checking the automation from DevOps running the Entra-Exporter module and have been doing the tests, but the error I get is "Unable to connect to the remote server". From some troubleshooting, this is because the module is not pulling the traffic through the proxy. I was wondering if it is possible to somehow use Entra-Exporter via a proxy. Otherwise I could not run it, because it exceeds more than 60m of export on an Azure agent and gives me a timeout.
@merill is there any option to execute this with a proxy?
When running -All -CloudOnly, we see the following error occur:
```text
##[debug] GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=fIO1247ezEmz1lviT8FLJQ
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 7c5e8fb4-6e4d-43e5-9819-448fd17aee46
client-request-id: 1e4a4c8c-93bf-4607-8fa4-832c89993e18
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0001E78A"}}
Date: Wed, 03 Jan 2024 13:27:11 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-01-03T13:27:11","request-id":"7c5e8fb4-6e4d-43e5-9819-448fd17aee46","client-request-id":"1e4a4c8c-93bf-4607-8fa4-832c89993e18"}}}
```
@merill and folks, this is awesome. What is the easiest way to import / restore this back in to an Entra ID tenant?
I've created an Azure application and granted it the "Global reader" role plus all the Graph permissions needed.
If used in PowerShell 5.1 on my local computer like:
```powershell
$ApplicationId = "appid"
$SecuredPassword = "password"
$tenantID = "tenant.onmicrosoft.com"
$SecuredPasswordPassword = ConvertTo-SecureString -String $SecuredPassword -AsPlainText -Force
$ClientSecretCredential = New-Object `
    -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $ApplicationId, $SecuredPasswordPassword
Connect-MgGraph -TenantId $tenantID -ClientSecretCredential $ClientSecretCredential -NoWelcome
Export-Entra "C:\prod-backup" -All
```
everything works fine and Azure settings are backed up. If the same code is called inside the Azure DevOps pipeline, it throws an error.
Any ideas what is going on? The same Graph and EntraExporter module versions are used.
Is it possible to show the option to remain signed in?
It is under Azure Active Directory -> Company Branding
When pulling `Export-AzureAD -Path 'C:\AzureADBackup2\' -Type "Organization"` I receive branding information, but "Show option to remain signed in" is not included.
Do you know how I can receive this information?
I tested `Export-AzureAD -Path . -All` on Windows PowerShell 5.1 and on PowerShell 7.2.6 today. The full export was successful in Windows PowerShell. When using PowerShell 7, the export of Localizations failed with the following response:
```text
Organization/Branding/Localizations.json
Export-AzureAD: GET https://graph.microsoft.us/v1.0/organization/[REDACTED]/branding/localizations
HTTP/1.1 404 Not Found
Cache-Control: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: [REDACTED]
client-request-id: [REDACTED]
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"USGov Arizona","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"[REDACTED]"}}
Date: Mon, 22 Aug 2022 20:21:08 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"Request_ResourceNotFound","message":"Empty segment encountered in request URL. Please make sure that a valid request URL is specified.","innerError":{"date":"2022-08-22T20:21:08","request-id":"[REDACTED]","client-request-id":"[REDACTED]"}}}
```
All other types were successful except for CAE Policy.
Trying to run this on a desktop, monitoring the powershell process with Process Monitor, when running `Export-AzureAD -Path "C:\test123" -Type "Users"`, the only activity that happens is in %userprofile%/.graph plus TCP connections, but nothing is written to disk in the specified location despite getting some apparently pertinent console output.
```text
PS C:\> Export-AzureAD -Path "C:\test123" -Type "Users"
Users
PS C:\> cd test123
cd : Cannot find path 'C:\test123' because it does not exist.
At line:1 char:1
+ cd test123
+ ~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\test123:String) [Set-Location], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
```
I tried multiple paths (for example in temp or in documents) and only some specific type, but nothing would happen. I also enabled long filenames.
Hi,
I try to export Users from AAD using this command: `Export-AzureAD -Type Users -Path ./dump`
but after some time the AccessToken expires and I get the below error:
```text
Export-AzureAD: /home/user/.local/share/powershell/Modules/AzureADExporter/1.0.957478/Export-AzureAD.ps1:140
Line |
 140 | … Export-AzureAD -Path $itemOutputFileName -Type $Type -Exp …
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/users/3e153173-****-****-****-a8e385cba89f/authentication/phoneMethods HTTP/1.1 401 Unauthorized Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security:
     | max-age=31536000 request-id: 44369f81-****-****-****-e9dd0946da6c client-request-id: 44369f81-****-****-****-e9dd0946da6c x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West
     | Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF0*******"}} WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
     | client_id="00000003-0000-0000-c000-000000000000" Date: Fri, 20 Jan 2023 13:29:42 GMT Content-Type: application/json Content-Encoding: gzip {"error":{"code":"InvalidAuthenticationToken","message":"Access token has expired
     | or is not yet valid.","innerError":{"date":"2023-01-20T13:29:43","request-id":"44369f81-****-****-****-e9dd0946da6c","client-request-id":"44369f81-****-****-****-e9dd0946da6c"}}}
3e153173-****-****-****-a8e385cba89f Authentication/EmailMethods
```
How to handle this case without rewriting your script? I cannot see any options in the documentation.
Best regards
Hi
Just a small one, but in the example you refer to:
Connect-AADExporter
Think it should be:
Connect-AzureADExporter
/Graves
Hello,
after running the 'Export-AzureAD' command (without any issue) I am unable to open any of the .json output files. I tried opening it with the following editors:
The command has been run 2 times where each time a new and empty folder was used.
The error message is the following:
Best regards,
LJ
The export steps work fine until it gets to some DirectoryRoles.
I have run the Connect-AzureADExporter
command, I am running as a Global Administrator, and the user does not need MFA?
In this run it is the Attribute Assignment Reader role.
Invoke-MgGraphRequest : Code: generalException
Message: Unexpected exception returned from MSAL.
At C:\Program Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\internal\Invoke-Graph.ps1:116 char:48
+ ... $results = Invoke-MgGraphRequest -Method GET -Uri $uriQueryEndpointF ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-MgGraphRequest], AuthenticationException
+ FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
PS C:\> $Error[0] | Select-Object *
writeErrorStream : True
PSMessageDetails :
Exception : Microsoft.Graph.Auth.AuthenticationException: Code: generalException
Message: Unexpected exception returned from MSAL.
---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50196: The server terminated an
operation because it encountered a client request loop. Please contact your app vendor.
Trace ID: 4c78c73f-bb81-41f6-a2ba-7d0b2fd1a100
Correlation ID: aa47e6ed-c509-4025-a912-e486ee7d3029
Timestamp: 2022-07-22 14:11:17Z
TargetObject :
CategoryInfo : NotSpecified: (:) [Invoke-MgGraphRequest], AuthenticationException
FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at Invoke-Graph<Process>, C:\Program
Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\internal\Invoke-Graph.ps1: line 116
at Export-AzureAD, C:\Program
Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\Export-AzureAD.ps1: line 112
at Export-AzureAD, C:\Program
Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\Export-AzureAD.ps1: line 140
at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {0, 1}
I want to use this repository as a backup for my Azure AD configuration. Is there a way to restore an Azure AD with the export from this script?
Thanks!
Trying to connect to a USGov instance with the current `Connect-AzureADExporter` results in an error.
```text
Connect-MgGraph : Returned state(_____) from authorize endpoint is not the same as the one sent(_____). See https://aka.ms/msal-statemismatcherror for more details.
At C:\Program Files\WindowsPowerShell\Modules\azureadexporter\1.0.908740\Connect-AzureADExporter.ps1:20 char:5
+ Connect-MgGraph -TenantId $TenantId -Scopes 'Directory.Read.All',
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-MgGraph], MsalClientException
+ FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
The property 'TenantId' cannot be found on this object. Verify that the property exists.
At C:\Program Files\WindowsPowerShell\Modules\azureadexporter\1.0.908740\Connect-AzureADExporter.ps1:35 char:5
+ $global:TenantID = (Get-MgContext).TenantId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
```
I'm not sure if you want to go down the route of supporting different instance logins with the `Connect-AzureADExporter` module, or if you just want to direct people to manually connecting with `Connect-MgGraph` if they use an instance other than Global.
PR #14 has been submitted with a simple change to allow the instance\environment name to be specified. I have tested this with a GCC-High instance successfully so far.
Thanks!
Sam
Fetching the Access Package Resource Role Scopes yields the following error:
```text
Line |
 116 | … $results = Invoke-MgGraphRequest -Method GET -Uri $uriQueryEndpointF …
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/f9cc86bc-de22-4fe2-b278-e34661ad711b?$expand=accessPackageResourceRoleScopes(%24$expand%3DaccessPackageResourc
     | Request Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id: fc296106-87a4-40a6-8cc4-46ad60b1801e client-request-id: cee25f84-9ac2-4b5b-b688-ebe99f5hee
     | {"ServerInfo":{"DataCenter":"Sweden Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"GV2PEPF00002098"}} Date: Thu, 17 Aug 2023 07:30:30 GMT Content-Type: application/json Content-Encodin
     | {"error":{"code":"BadRequest","message":"Parsing OData Select and Expand failed: Term '($$expand=accessPackageResourceRole,accessPackageResourceScope)' is not valid in a $select or $expand
     | expression.","innerError":{"date":"2023-08-17T07:30:30","request-id":"fc296106-87a4-40a6-8cc4-46ad60b1801e","client-request-id":"cee25f84-9ac2-4b5b-b688-ebe99f5hee51"}}}
```
The issue seems to be that the inner '$expand' is prepended with a URL-encoded '$' (%24). I'm not sure which component does this; perhaps the Graph API library? Replacing the '$expand' with just 'expand' fixes the issue.
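The two encoding reports on this page (the msgraph-sdk-powershell 2.11.0 breakage, where a URI that already contains '%' is handed to Invoke-MgGraphRequest, and the `%24$expand` failure above) share one root cause: an OData query option is percent-encoded more than once. The following is an added example, not code from EntraExporter or the Graph SDK; it inspects a request URI for that condition and applies the workaround quoted above (dropping the '$' prefix and passing an unencoded query so the client encodes it exactly once). The sample URI is the one from the error above with the access package id replaced by a placeholder GUID.

```powershell
# Added example; not part of EntraExporter or Microsoft.Graph.Authentication.

function Get-ODataEncodingReport {
    # Reports whether a Graph request URI carries a doubly-encoded query.
    param([Parameter(Mandatory)] [string] $Uri)

    $parsed   = [System.Uri] $Uri
    $rawQuery = $parsed.Query.TrimStart('?')
    $decoded  = [System.Uri]::UnescapeDataString($rawQuery)

    [pscustomobject]@{
        RawQuery        = $rawQuery
        DecodedQuery    = $decoded
        # '%24' directly followed by a literal '$' decodes to '$$', which Graph
        # rejects with "Parsing OData Select and Expand failed".
        HasDoubleDollar = $decoded -match '\$\$'
        # '%25' in front of a hex pair means a '%xx' sequence was escaped a
        # second time: the effect of giving an already-encoded string to a
        # client that encodes once more.
        EncodedTwice    = $rawQuery -match '%25[0-9A-Fa-f]{2}'
        # What this (already encoded) query turns into if escaped again.
        IfEscapedAgain  = [System.Uri]::EscapeDataString($rawQuery)
    }
}

function ConvertTo-UnprefixedODataQuery {
    # Returns the URI with a fully decoded query and no '$' on the OData
    # system query options, so the client's own encoding runs exactly once.
    # Graph accepts select/expand/filter/etc. without the '$' prefix, which is
    # the workaround given in the report above.
    param([Parameter(Mandatory)] [string] $Uri)

    $parsed = [System.Uri] $Uri
    $query  = [System.Uri]::UnescapeDataString($parsed.Query.TrimStart('?'))
    # One or more '$' before a known option name becomes no prefix at all.
    $query  = $query -replace '\$+(select|expand|filter|orderby|top|skip|skiptoken|count|search)=', '$1='
    return '{0}://{1}{2}?{3}' -f $parsed.Scheme, $parsed.Authority, $parsed.AbsolutePath, $query
}

# Constructed sample: the request from the report above, id replaced by a placeholder GUID.
$sample = 'https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/00000000-0000-0000-0000-000000000000?$expand=accessPackageResourceRoleScopes(%24$expand%3DaccessPackageResourceRole,accessPackageResourceScope)'

Get-ODataEncodingReport -Uri $sample | Format-List
ConvertTo-UnprefixedODataQuery -Uri $sample
```

Decoding the whole query is safe for Graph OData queries, whose values contain no literal '&' or '='; a query that relied on an encoded '&' inside a value would need per-parameter handling instead.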
The list of environment names used for tab autocomplete in Connect-AzureADExporter is currently "hard coded." It would be better to dynamically base it on Azure's current list.
Since this module uses the Graph API, Get-MgEnvironment is probably the best way to pull the reference list.
Firstly, would like to say this is not really an issue with the exporter.
I am looking into building a product that takes periodic backups of the data from the Azure Active Directory. Is there a way we can take a consistent backup of the entire Azure Active Directory, i.e. a backup with the logical relationships snapshotted consistently at a point in time? The Graph APIs only provide a way to get users, groups and roles in separate REST API calls, which could lead to some inconsistency. Or is there a way to put the active directory in a maintenance mode for the period of the backup so it does not take any write requests?
Hi,
Can we add a statement to address if AADExporter will export any sensitive data out of AAD, such as password, secret, certificate, etc?
Thanks,
Neal
Hello Everyone
I set up the pipeline with a Service Principal, for which all the relevant API permissions have been consented.
Additionally I use `Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $clientSecretCredential` to be able to authenticate properly with client id and client secret.
I made sure that the app has sufficient privileges by running `Get-MgContext | Select-Object -ExpandProperty Scopes`.
After that I run `Export-Entra $path -All`, but receive the following output:
```text
Starting backup...
Organization/Organization.json
Organization/Settings.json
Response status code does not indicate success: Forbidden (Forbidden)
```
Long story short:
Is it possible to use this script with application-based permissions?
Currently the user's manager is not included in the export. This is because the manager is not part of the default properties of a user object (see: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-beta#properties).
It would help to have the user's manager in the export to view hierarchical data.
Hi,
There is an endpoint that contains all configuration related to AD Sync - 'beta/directory/onPremisesSynchronization/{TenantID}' which should be easy to add and will add value to the exported configuration. Will you consider adding this?
`Export-Entra` does not seem to support USGov endpoints, or other national cloud endpoints.
The `Connect-EntraExporter -Environment USGov` is successful; however, when running `Export-Entra` with the `-Debug` parameter, it appears the `graph.microsoft.com` endpoint is being used.
I also tested connecting to Graph directly (with `-Environment USGov` there as well), but `Export-Entra` has the same result. It still attempts to use the .com endpoint.
With the new `(Get-MgContext).Environment`, this may be easier to handle than it was in the past.
You may receive the following error[s] when exported JSON file paths are longer than 260 characters:
```text
New-Item : Could not find a part of the path 'C:\Users\UserFolder\Repos\AADExporter\[ I Used My Tenant GUID ]\OnPremisesPublishingProfiles\ApplicationProxy\ConnectorGroups\[GUID]\Applications\[GUID]\[GUID].json'.
At C:\Program Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\Export-AzureAD.ps1:136 char:101
+ ... 00 | Out-File (New-Item -Path "$($parentOutputFileName).json" -Force)
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (C:\Users\...\....json:String) [New-Item], DirectoryNotFoundException
+ FullyQualifiedErrorId : NewItemIOError,Microsoft.PowerShell.Commands.NewItemCommand
```
A workaround to this is to enable long paths via the Windows registry or a GPO setting. Run the following from an elevated PowerShell session and then close PowerShell before trying your export again:
New-ItemProperty `
-Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" `
-Name "LongPathsEnabled" `
-Value 1 `
-PropertyType DWORD `
-Force
Credit: @shaunluttin via https://bigfont.ca/enable-long-paths-in-windows-with-powershell/ and https://docs.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=powershell.
It might be worth adding this info to the README.
Hello,
I can execute the following PowerShell script on a Windows 10 PC without error.
Write-Host 'Installing modules...'
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
Install-Module AzureADExporter -Scope CurrentUser -Force
Write-Host 'Connecting to AzureAD...'
Connect-AzureADExporter -TenantId $tenantId
Write-Host 'Starting backup...'
Export-AzureAD $tenantPath -All
But I encountered the following error in Linux:
Organization/Settings.json
Export-AzureAD: GET https://graph.microsoft.com/beta/organization/dd9b9e36-a5e2-448f-bbfd-ca66896e065e/settings
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 39aaa35d-fcf8-4276-9f8a-486754d1fcf1
client-request-id: 39aaa35d-fcf8-4276-9f8a-486754d1fcf1
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Japan East","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"TY1PEPF0000355B"}}
Date: Mon, 20 Dec 2021 07:19:16 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"UnknownError","message":"{\r\n \"errorCode\": \"ErrorAccessDeniedForUser\",\r\n \"message\": \"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileUnauthorizedException' was thrown.\",\r\n \"target\": null,\r\n \"details\": null,\r\n \"innerError\": null,\r\n \"instanceAnnotations\": []\r\n}","innerError":{"date":"2021-12-20T07:19:16","request-id":"39aaa35d-fcf8-4276-9f8a-486754d1fcf1","client-request-id":"39aaa35d-fcf8-4276-9f8a-486754d1fcf1"}}}
Policies/FeatureRolloutPolicies
Export-AzureAD: GET https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: cfe03996-e3bb-4460-82e4-f5ecbcf08040
client-request-id: cfe03996-e3bb-4460-82e4-f5ecbcf08040
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Japan East","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"TYO1EPF00000B5A"}}
Date: Mon, 20 Dec 2021 07:48:09 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"InsufficientScope_UnauthorizedAccess","message":"User doesn't have sufficient scope to access resource.","innerError":{"date":"2021-12-20T07:48:10","request-id":"cfe03996-e3bb-4460-82e4-f5ecbcf08040","client-request-id":"cfe03996-e3bb-4460-82e4-f5ecbcf08040"}}}
May I know how to solve it? Many Thanks!
Hello, I'm having an issue with exporting B2C configuration. I'm using PS v7+.
If I run:
Export-Entra $tenantPath -Type "B2C"
It exports only: Identity/UserFlowAttributes
The other two:
According to my research on the problem, I think that the reason is the last two are not present in Graph "v1.0" and only in Graph "beta" version.
Maybe if the schema is modified to include "ApiVersion = 'beta'" for these properties it will work...?
Hi all,
When we are using the exporter to export conditional access policies, the grant controls are null values when multiple values are selected in the portal.
So when we select two grant controls, for example:
the value of the variable "builtInControls" in the JSON equals 'null'.
Is there a way to obtain both controls?
Thanks in advance.
In Get-EEDefaultSchema.ps1 'privilegedAccess/azureResources/resources', the IgnoreError string is set to: 'The tenant has not onboarded to PIM.'
When running the export with -All, I see the export fail on this endpoint with an error of: 'The tenant needs an AAD Premium 2 license.'
By changing the ignoreError string in this file, I can get the export to complete successfully.
If both error strings are possible under different conditions (e.g. a P1 license vs. a P2 license), perhaps in Export-Entra.ps1, the check against ignoreError could use a -match to allow use of a regex, and then ignore errors for this endpoint could be:
(The tenant has not onboarded to PIM.|The tenant needs an AAD Premium 2 license.)
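An added example (not the project's code) of the regex-based check proposed above: a schema-style entry whose `IgnoreError` is an alternation of both messages, and a hypothetical helper `Test-EEIgnorableError` that uses `-match` to decide whether a Graph error for that endpoint should be suppressed; the entry shape and helper name are my assumptions:

```powershell
# Added example, not EntraExporter code: a schema-style entry whose IgnoreError
# is a regex, plus a helper that decides whether a Graph error is expected for
# that endpoint. $schemaEntry and Test-EEIgnorableError are hypothetical names.
$schemaEntry = @{
    Command     = 'privilegedAccess/azureResources/resources'
    ApiVersion  = 'beta'
    # Both messages seen in the field, escaped so '.' is literal, then alternated.
    IgnoreError = '({0}|{1})' -f [regex]::Escape('The tenant has not onboarded to PIM.'),
                                  [regex]::Escape('The tenant needs an AAD Premium 2 license.')
}

function Test-EEIgnorableError {
    param(
        [Parameter(Mandatory)] [string] $Message,
        [Parameter(Mandatory)] [string] $Pattern
    )
    # -match treats $Pattern as a .NET regex and is case-insensitive by default,
    # so one schema string covers several licence/onboarding states, and it still
    # matches when Graph wraps the message in extra text (unlike an -eq comparison).
    return [bool]($Message -match $Pattern)
}

# Constructed error messages: the first two should be suppressed, the third surfaced.
$samples = @(
    'The tenant has not onboarded to PIM.',
    'The tenant needs an AAD Premium 2 license.',
    'Insufficient privileges to complete the operation.'
)
foreach ($msg in $samples) {
    if (Test-EEIgnorableError -Message $msg -Pattern $schemaEntry.IgnoreError) {
        Write-Verbose "Skipping expected error for $($schemaEntry.Command): $msg" -Verbose
    } else {
        Write-Error "Unexpected error for $($schemaEntry.Command): $msg"
    }
}
```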
Hello,
I encountered the following error during a full export:
Export-AzureAD -Path 'C:\AzureADBackup' -all
The application was consented with all permissions and I got the error during the AccessReview export.
IdentityGovernance/AccessReviews
842169fe-e1b7-4ce9-98b6-6a9db02eec6b
Invoke-MgGraphRequest : GET https://graph.microsoft.com/beta/accessReviews?$filter=(businessFlowTemplateId+eq+%27842169fe-e1b7-4ce9-98b6-6a9db02eec6b%27)
HTTP/1.1 403 Forbidden
Workaround:
After some reverse engineering, I found that my user account needs to have Identity Governance Administrator to be able to successfully export the access reviews.
Hello Team,
Do you have plans to work on updating Azure AD B2C endpoints?
We used to use your great tool for documenting B2C but seems like it doesn't work anymore (because of the recent endpoint change).
I am trying to figure out whether it is possible to use "workload identity federation service connection" to authenticate instead of providing secret/certificate?
Does anyone have any experience with this topic?
The requests for accessReviews started returning an error:
Line |
116 | … $results = Invoke-MgGraphRequest -Method GET -Uri $uriQueryEndpointF …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| GET https://graph.microsoft.com/beta/accessReviews?$filter=(businessFlowTemplateId+eq+%27832169fe-e1b7-4ce9-98b6-6a8db52eec6b%27) HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000
| request-id: ff479254-14a6-4c3c-9788-9cf650faedad client-request-id: 0caa3695-534d-4433-bb78-5a34fc5cd217 x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Sweden Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"GV2PEPF00000EB1"}} Date: Thu,
| 17 Aug 2023 08:09:37 GMT Content-Type: application/json Content-Encoding: gzip {"error":{"code":"","message":"Attempted to perform an unauthorized
| operation.","innerError":{"date":"2023-08-17T08:09:38","request-id":"ff479254-14a6-4c3c-9788-9cf650faedad","client-request-id":0caa3695-534d-4433-bb78-5a34fc5cd217"}}}
7fbc901b-efe1-4c72-8ae6-99cb80b582de
The reason seems to be that this endpoint is deprecated and a replacement exists:
This version of the access review API is deprecated and will stop returning data on May 19, 2023. Please use access reviews API.
We are seeing errors at different points when exporting users and only the following information is provided:
Error exporting Users: The property 'Message' cannot be found on this object. Verify that the property exists.
This error seems to originate here. I think the error handling code might need to be more defensive in order to expose the relevant issue.
Could you please publish a new version to PS Gallery from the tip of the main branch?
https://www.powershellgallery.com/packages/AzureADExporter
This is great. However, it would be even more awesome if it exported some type of csv report that includes all data that was exported in an easy-to-read format.
Hi,
I exported the settings, changed a few settings, but how can I import the changes back to Azure AD?
Hi,
For those who are not masters of PowerShell, please add instructions on how to use the git sources rather than downloading the module from the Microsoft repository.
I had to fix the scripts, and invested a long time trying to figure out how to do this and failed...
BTW: If I find this usable, for sure I will not use PowerShell and will convert everything to Python... there is not a single advantage to implementing something that performs standard REST API calls in PowerShell.
Thanks,
Hello everyone,
I have a question regarding this project. Once I have exported the Azure AD objects, is there a way to restore or deploy them in the event of a disaster?
Thank you in advance.
Where can we find a listing of the valid filter values?
I'm curious about the step on line 191 of the readme that removes all items in the target export folder:
$tenantPath = './<tenant export path>'
$tenantId = '<tenant id>'
Write-Host 'git checkout main...'
git config --global core.longpaths true #needed for Windows
git checkout main
Write-Host 'Clean git folder...'
Remove-Item $tenantPath -Force -Recurse
Is the purpose of this to start with a clean slate, or is it required to prevent issues with git?