entra-powershell

Authorization error should provide a link to doc, or the expected scope

Open kayasax opened this issue 2 years ago • 3 comments

It would be nice if the error would report necessary scope or a link to the documentation

kayasax avatar Jan 26 '24 19:01 kayasax

If this is overcomplicated to implement I would suggest to update each cmdlet helpfile and provide a link to the underlying graph endpoint documentation. For instance in get-help Get-EntraBetaDomainFederationSettings there should be a reference to https://learn.microsoft.com/en-us/graph/api/domain-list-federationconfiguration?view=graph-rest-beta&tabs=http#permissions.
I think this will prevent a lot of support cases being raised.

kayasax avatar Feb 06 '24 16:02 kayasax

The Graph Explorer is usually good at pointing out "you need to grant permission x" or something along those lines so it seems this would be available in some form. (And yes, a generic request denied is hard to figure out.)

ahelland avatar Feb 07 '24 13:02 ahelland

Update:

Short term:

We are already working on adding permissions/scopes in our documentation (inline help + public docs). Work is already in flight on this. For inline help, Get-Help will have a link to the permissions details and the public docs will have the permissions table included. Additionally, we will be adding more examples, which will include connection details (including required scopes).

Long term:

We will add the capability to get 'advisory' on the permissions needed. For instance, cmdlets failing with 403 should not just return Insufficient Permissions, leaving the customer to go figure out the scope of permissions that are needed to make the cmdlet run, but the cmdlet should also return the permission scopes needed to make the cmdlet work. This will allow the customer to quickly recover by running Connect-Entra -Scope "{listed permissions}".

cc: @kayasax, @ahelland.

SteveMutungi254 avatar Feb 07 '24 14:02 SteveMutungi254

All examples have the required scopes

Most of our cmdlets check the Context and provide an appropriate message with the correct scopes: https://github.com/microsoftgraph/entra-powershell/blob/3fa0e2762e30ccba1abb7aba2a2ff680c3f1bcb5/module/Entra/Microsoft.Entra/CertificateBasedAuthentication/Get-EntraUserCBAAuthorizationInfo.ps1#L27-#L31

KenitoInc avatar Aug 04 '25 09:08 KenitoInc

I've added changes to the commands which will throw if Connect-Entra has not been called with the correct permissions. This will now indicate the correct scopes you require to run each cmdlet.

All help files and online docs include examples with the correct scopes as well.

givinalis avatar Sep 16 '25 09:09 givinalis
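
The pre-flight check discussed in this thread (fail before the Graph call and name the scopes to request), sketched as an added example that is not code from the entra-powershell repository. `Test-RequiredScope` is a hypothetical helper, the context objects are constructed sample data, and the scope list used for the federation cmdlet is an assumption to confirm against the permissions table linked above.

```powershell
# Added example: hypothetical helper, not part of the Microsoft.Entra module.
function Test-RequiredScope {
    [CmdletBinding()]
    param(
        # Cmdlet name, used only in the error text.
        [Parameter(Mandatory)] [string] $CmdletName,
        # Any ONE of these scopes is sufficient; list the least privileged first.
        [Parameter(Mandatory)] [string[]] $AnyOf,
        # Object exposing .Scopes. Defaults to the live session when the
        # Microsoft.Entra module is loaded, otherwise $null (not connected).
        [object] $Context = $(if (Get-Command Get-EntraContext -ErrorAction SilentlyContinue) { Get-EntraContext })
    )

    if (-not $Context) {
        throw "${CmdletName}: not connected. Run: Connect-Entra -Scopes '$($AnyOf[0])'"
    }

    # -in is case-insensitive, which suits scope names.
    $granted = @($Context.Scopes)
    $match   = $AnyOf | Where-Object { $_ -in $granted }
    if ($match) { return }   # at least one sufficient scope is already granted

    # Recommend only the least-privileged scope so the recovery step does not
    # push users toward consenting to a broader permission than they need.
    $msg = "${CmdletName}: insufficient permissions. " +
           "Granted: [$($granted -join ', ')]. " +
           "Requires one of: [$($AnyOf -join ', ')]. " +
           "Run: Connect-Entra -Scopes '$($AnyOf[0])'"
    throw $msg
}

# Constructed sample contexts standing in for Get-EntraContext output.
$readOnly = [pscustomobject]@{ Scopes = @('User.Read', 'Domain.Read.All') }
$userOnly = [pscustomobject]@{ Scopes = @('User.Read') }

# Assumed scope list for this cmdlet; verify against the Graph permissions table.
$need   = @('Domain.Read.All', 'Domain.ReadWrite.All')
$cmdlet = 'Get-EntraBetaDomainFederationSettings'

# Passes silently: one sufficient scope is present.
Test-RequiredScope -CmdletName $cmdlet -AnyOf $need -Context $readOnly

# Fails fast with the scopes named, instead of a bare 403 from the service.
try {
    Test-RequiredScope -CmdletName $cmdlet -AnyOf $need -Context $userOnly
} catch {
    Write-Host $_.Exception.Message
}
```

A client-side check like this is advisory only: the service still enforces authorization, so a 403 can occur even when the check passes, for example when admin consent or a directory role is also required.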