msgraph-sdk-powershell

Access Denied when using Get-MgUserFollowedSite, despite having delegated access

Open RudeDawgIT opened this issue 1 year ago • 0 comments

Describe the bug

Using a GA in Azure, I still get 403 Access Denied when trying to use Get-MgUserFollowedSite. I am able to access the site list of the signed-in account but cannot get the list of other users.

Expected behavior

I would expect to get the list of sites followed by the user as I get with the currently logged in user.

How to reproduce

$user = Get-MgUser -UserId $username
$followedSites = Get-MgUserFollowedSite -UserId $User.Id
Get-MgUserFollowedSite_List: This operation is not supported with the provided permissions

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-04-30T13:15:10

Headers:
Cache-Control                 : no-store, no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : $REQUEST_GUID
client-request-id             : $RESPONSE_GUID
x-ms-ags-diagnostic           : $JSON_DIAGNOSTIC_INFO
Date                          : Tue, 30 Apr 2024 13:15:09 GMT

SDK Version

2.17.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

DEBUG: [CmdletBeginProcessing]: - Get-MgUserFollowedSite begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, BitlockerKey.Read.All, BitlockerKey.ReadBasic.All, DelegatedPermissionGrant.ReadWrite.All, Device.Read.All, DeviceManagementConfiguration.Read.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All, MailboxSettings.ReadWrite, openid, Organization.Read.All, Policy.Read.All, Policy.ReadWrite.Authorization, Policy.ReadWrite.PermissionGrant, Presence.Read.All, PrivilegedAccess.ReadWrite.AzureAD, profile, RoleManagement.Read.Directory, Sites.ReadWrite.All, User.Read, User.Read.All, User.ReadBasic.All, User.ReadWrite.All, email, Files.Read.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users/$USER_GUID/followedSites

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-US),PowerShell/2024.2.1
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.17.0
client-request-id             : $CLIENT_REQUEST_GUID

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-store, no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : $REQUEST_GUID
client-request-id             : $CLIENT_REQUEST_GUID
x-ms-ags-diagnostic           : $JSON_DIAGNOSTIC_INFO
Date                          : Tue, 30 Apr 2024 13:15:09 GMT

Body:
{
  "error": {
    "code": "accessDenied",
    "message": "This operation is not supported with the provided permissions",
    "innerError": {
      "date": "2024-04-30T13:15:10",
      "request-id": "$REQUEST_GUID",
      "client-request-id": "$CLIENT_REQUEST_GUID"
    }
  }
}


Get-MgUserFollowedSite_List: This operation is not supported with the provided permissions

Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-04-30T13:15:10

Headers:
Cache-Control                 : no-store, no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : $REQUEST_GUID
client-request-id             : $RESPONSE_GUID
x-ms-ags-diagnostic           : $JSON_DIAGNOSTIC_INFO
Date                          : Tue, 30 Apr 2024 13:15:09 GMT

DEBUG: [CmdletEndProcessing]: - Get-MgUserFollowedSite end processing.

Configuration

  • OS: Windows 11
  • Architecture: x64

PSVersion                     7.4.2
PSEdition                     Core
GitCommitId                   7.4.2
OS                            Microsoft Windows 10.0.22621
Platform                      Win32NT
PSCompatibleVersions          {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion     2.3
SerializationVersion          1.1.0.1
WSManStackVersion             3.0

  • current MgGraph Scopes: (Get-MgContext).Scopes

Application.Read.All Application.ReadWrite.All AppRoleAssignment.ReadWrite.All BitlockerKey.Read.All BitlockerKey.ReadBasic.All DelegatedPermissionGrant.ReadWrite.All Device.Read.All DeviceManagementConfiguration.Read.All Directory.Read.All Directory.ReadWrite.All Group.Read.All Group.ReadWrite.All GroupMember.Read.All MailboxSettings.ReadWrite openid Organization.Read.All Policy.Read.All Policy.ReadWrite.Authorization Policy.ReadWrite.PermissionGrant Presence.Read.All PrivilegedAccess.ReadWrite.AzureAD profile RoleManagement.Read.Directory Sites.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite.All email Files.Read.All

Other information

This is a very similar situation to Issue #2338, but this isn't related to OneDrive, so I can't just add the GA account to the admin permissions of their personal site.

RudeDawgIT, Apr 30 '24 13:04