contexthas issue? #11

Open
i-windows opened this issue Jun 27, 2022 · 12 comments
i-windows commented Jun 27, 2022

steps to produce error :
ggu -userid user@somwhere -teams
ggg somegroup

error reported (user)
WARNING: Only the -Drive, -Calendars and -Notebooks options work when you are logged in with this kind of account.

error reported (groups)
WARNING: This requires a work or school account.

running environment
install on windows 11
version 1.5.3
graph version : latest
auth: app auth via cert.

Comments
ggu -userid user@somwhere -groups will work and return groups as expected.

I'm guessing ContextHas isn't working as expected.

@i-windows i-windows changed the title WARNING: Only the -Drive, -Calendars and -Notebooks .... contexthas issue? Jun 27, 2022
@jhoneill
Owner

Thanks I'll investigate.

@jhoneill
Owner

OK. It seems to ignore what ContextHas says if you specify -groups but not -teams. I need to check if Groups work with a non-work-or-school account - possibly it just returns an empty set.

The ContextHas function checks

[Microsoft.Graph.PowerShell.Authentication.GraphSession]::instance.AuthContext

and in this case it is only told to look at .WorkOrSchool

My AuthContext looks like this

TenantName            : Mobula Consulting
WorkOrSchool          : True
UserDisplayName       : James O'Neill (ADMIN)
UserID                : blah-blah-blah-blah-blah
RefreshTokenPresent   : False
TokenAutoRefresh      : False
ClientId              : 14d82eec-204b-4c2f-b7e8-296a70dab67e
TenantId              : blah-blah-blah-blah-blah
CertificateThumbprint :
Scopes                : {AppCatalog.Read.All, AuditLog.Read.All, Calendars.ReadWrite, Calendars.ReadWrite.Shared…}
AuthType              : Delegated
AuthProviderType      : InteractiveAuthenticationProvider
CertificateName       :
Account               : [email protected]
AppName               : Microsoft Graph PowerShell
ContextScope          : CurrentUser
Certificate           :
PSHostVersion         : 2022.6.1
ClientTimeout         : 00:05:00

Are you using an Azure AD account? What does ...AuthContext show?

@i-windows
Author

So we only use AppOnly authentication and not delegated, which I don't think will return either work or school; you can see the auth context below.

ClientId : xxxxxx-x
TenantId : xxxxxx-x
CertificateThumbprint : xxxx
Scopes : {DeviceManagementManagedDevices.Read.All, Device.Read.All, UserAuthenticationMethod.Read.All, AuthenticationContext.Read.All…}
AuthType : AppOnly
AuthProviderType : ClientCredentialProvider
CertificateName :
Account :
AppName : ESO-MSGraphPowershell
ContextScope : Process
Certificate :
PSHostVersion : 2022.6.1
ClientTimeout : 00:05:00

If we bypass the ContextHas then we have no issues returning the data we are interested in.

@jhoneill
Owner

I have just checked some code into the repo which should set WorkOrSchool correctly, would you like to try it before I push it to the gallery?

@i-windows
Author

Sure, I can try it out if it helps you - prob have some time tomorrow.

@RyanVanCleave

RyanVanCleave commented Jul 14, 2022

I can confirm that I am having the same issue, using Azure AD accounts, in both my lab tenant and production tenants.

Trying:

Get-GraphUser polly -MemberOf
WARNING: Only the -Drive, -Calendars and -Notebooks options work when you are logged in with this kind of account.

My AuthContext:

ClientId              : gibber-jabber
TenantId              : gibber-jabber
CertificateThumbprint : 
Scopes                : {AppCatalog.Read.All, AuditLog.Read.All, Calendars.ReadWrite, Calendars.ReadWrite.Shared…}
AuthType              : Delegated
AuthProviderType      : InteractiveAuthenticationProvider
CertificateName       :
Account               : [email protected]
AppName               : Microsoft Graph PowerShell
ContextScope          : CurrentUser
Certificate           :
PSHostVersion         : 7.2.5
ClientTimeout         : 00:05:00

@jhoneill
Owner

jhoneill commented Jul 14, 2022

@gingerXpat How are you logging on?
If you use the connect-graph which is part of PlusPlus, it adds a bunch of properties to the auth context object.
If you don't have any of

TenantName            :
WorkOrSchool          :
UserDisplayName       :
UserID                :
RefreshTokenPresent   :
TokenAutoRefresh      :

I'm guessing you're logging on and then loading plusplus? You should also get a greeting of

Welcome To Microsoft Graph++, name@domain .

when you connect.

@RyanVanCleave

You are correct. I have been using Connect-MgGraph. I'm on the road now, but will try this and get back to you by tomorrow morning. Thanks for the quick response.

@RyanVanCleave

Okay, I did try this and ran into the following problem, which reminds me why I was using Connect-MgGraph instead of Connect-Graph.

Connect-Graph
Get-Command: C:\myfolder\Documents\PowerShell\Modules\Microsoft.Graph.PlusPlus\1.5.3\Authentication.ps1:298
Line |
 298 |          if (Get-Command az) {
     |              ~~~~~~~~~~~~~~
     | The term 'az' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
     | again.

I am still able to authenticate and connect to the Graph. However, the additional properties are still not present when I check my AuthContext with the following:
[Microsoft.Graph.PowerShell.Authentication.GraphSession]::instance.AuthContext

In case there is a dependency on the Az module:

Get-InstalledModule az

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
8.1.0                Az                                  PSGallery

I hope this helps. Perhaps I'm overlooking something on my end.

@jhoneill
Owner

That's a problem which I thought I had fixed - basically I added something to allow people with the Az cli to get an access token with that if it was present, and I missed an -ErrorAction SilentlyContinue. I thought that was in the version on the gallery but your error says you're running the newest version so I will investigate and ensure the fix is in place.

https://github.com/jhoneill/MsftGraph/blob/PlusPlus/Authentication.ps1 shows the line has moved down the file and does have the silently continue in it so I need to figure out why that isn't in the gallery.
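
The three auth contexts posted in this thread (enriched by Connect-Graph, app-only via certificate, and plain Connect-MgGraph) can be told apart by whether the WorkOrSchool property exists and by AuthType. The following is an added example, not code from Microsoft.Graph.PlusPlus: Get-AuthContextDiagnosis and the sample objects are hypothetical, and treating an app-only session as work-or-school is an assumption of this example.

```powershell
# Added example: hypothetical diagnostic helper, not part of Microsoft.Graph.PlusPlus.
function Get-AuthContextDiagnosis {
    param(
        [Parameter(Mandatory)]
        [psobject]$AuthContext
    )

    # The thread says Connect-Graph adds WorkOrSchool (among others) to the context.
    $hasFlag = $AuthContext.PSObject.Properties.Name -contains 'WorkOrSchool'

    if ($hasFlag -and $null -ne $AuthContext.WorkOrSchool) {
        $state        = 'Enriched'
        $workOrSchool = [bool]$AuthContext.WorkOrSchool
    }
    elseif ("$($AuthContext.AuthType)" -eq 'AppOnly') {
        # Assumption of this example: a certificate-based app-only session
        # belongs to an organizational tenant, so the flag is treated as true.
        $state        = 'AppOnlyWithoutFlag'
        $workOrSchool = $true
    }
    else {
        # Delegated session without the extra properties, e.g. created
        # with Connect-MgGraph before the module was loaded.
        $state        = 'NotEnriched'
        $workOrSchool = $null
    }

    [pscustomobject]@{
        AuthType     = "$($AuthContext.AuthType)"
        State        = $state
        WorkOrSchool = $workOrSchool
        # Optional-tool probe: without -ErrorAction SilentlyContinue a missing
        # 'az' writes the error record seen later in this thread.
        AzCliFound   = [bool](Get-Command az -ErrorAction SilentlyContinue)
    }
}

# Constructed sample contexts mirroring the three dumps in this thread.
$samples = @(
    [pscustomobject]@{ AuthType = 'Delegated'; WorkOrSchool = $true; AppName = 'Microsoft Graph PowerShell' }
    [pscustomobject]@{ AuthType = 'AppOnly';   AppName = 'ESO-MSGraphPowershell' }
    [pscustomobject]@{ AuthType = 'Delegated'; AppName = 'Microsoft Graph PowerShell' }
)
$samples | ForEach-Object { Get-AuthContextDiagnosis -AuthContext $_ } | Format-Table
```

Against a live session, pass `[Microsoft.Graph.PowerShell.Authentication.GraphSession]::instance.AuthContext` as the argument.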

@jhoneill
Owner

Loud "Doh" noises and face-palm sounds - it looks like I had V1.5.4 all set to go to the gallery but never hit publish.

@RyanVanCleave

Ok, just updated to 1.5.4. Much better!

 Get-Module Microsoft.Graph.PlusPlus

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     1.5.4                 Microsoft.Graph.PlusPlus
