Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get-MgUserMailboxSetting Access Denied with Delegated Scopes #2966

Closed
ross-r opened this issue Sep 21, 2024 · 6 comments
Closed

Get-MgUserMailboxSetting Access Denied with Delegated Scopes #2966

ross-r opened this issue Sep 21, 2024 · 6 comments
Labels
Service issue

Comments

@ross-r
Copy link

ross-r commented Sep 21, 2024
edited
Loading

Describe the bug

I'm trying to use the powershell cmdlet Get-MgUserMailboxSetting and Update-MgUserMailboxSetting to automate work flow in my organization, however, I'm receiving access denied errors despite granting the correct permissions and consenting on behalf of my organization.

I've attempted to use Graph Explorer and unfortunately the same issue occurs there too.

Upon checking the permission details for Get-MgUserMailboxSetting, I'm led to believe this is unintended behavior:
image

The permissions descriptions for MailboxSettings.Read and MailboxSettings.ReadWrite explicitly state access to all users, however, it's only working on the user which had authenticated the application to begin with.

Reading around, I've came across multiple others experiencing this issue and other GitHub issues within this repo. The general consensus is that you need to register an application and authenticate with application permissions as opposed to delegated permissions, but again, the permission descriptions imply otherwise.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
https://stackoverflow.com/questions/54767695/error-access-denied-on-mailboxsettings-for-users
MartinM85/graph-mailbox-user-purpose#1
#2120

Here's an example of the powershell code I am running:

$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All",
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "[email protected]"
Get-MgUserMailboxSetting -UserId $UserId

The sign in / authentication process:
image

I am authenticating with a Global Administrator account and attempting to access the mailbox settings of a regular licensed user.

Error:

Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 00c23911-9b70-4660-a58e-dcd1600c71d3
client-request-id             : 57dbe463-3d02-448d-9cce-446e76efb0af
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"ML1PEPF00004AFC"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 12:19:54 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get

As I mentioned earlier, I've done the exact same process using Graph Explorer, even consenting to the application on behalf of my organization within Entra

Expected behavior

I should, according to the permission descriptions for MailboxSettings.ReadWrite, be able to read and write mailbox settings for all users within an organization with delegated scopes.

How to reproduce

Execute:

$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All",
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "[email protected]"
Get-MgUserMailboxSetting -UserId $UserId

Authenticate with a Global Administrator account and select "Consent on behalf of your organization"

SDK Version

2.23.0

Latest version known to work for scenario above?

Unknown, appears to be a long term issue with many reports and no official solution besides application permissions which again, the permission description implies is not needed

Known Workarounds

Unconfirmed, however, other users have reported this working with application permissions as opposed to delegated scope permissions.

Debug output

Click to expand log 
DEBUG: [CmdletBeginProcessing]: - Get-MgUserMailboxSetting begin processing with parameterSet 'Get'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - Scopes: [Chat.ReadWrite.All, Directory.Read.All, Group.Read.All, Mail.ReadWrite, MailboxSettings.ReadWrite, openid, People.Read.All, profile, Sites.Manage.All, User.Read.All, User.ReadWrite.All, email].

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users/[redacted]@[redacted].onmicrosoft.com/mailboxSettings

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-AU),PowerShell/2024.2.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.23.0
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4

Body:



Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT

Body:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}


Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A

Confirm
Access is denied. Check credentials and try again.

Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT

[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
SkuId                                Name
-----                                ----
3b555118-da6a-4418-894f-7df1e2096870 Microsoft 365 Business Basic
Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId -Debug
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get
DEBUG: [CmdletEndProcessing]: - Get-MgUserMailboxSetting end processing.

Configuration

PSVersion 5.1.22621.963
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.963
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Other information

No response
@ross-r ross-r added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Sep 21, 2024
@timayabi2020 timayabi2020 added Status: Needs Investigation and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned labels Sep 23, 2024
@supajo
Copy link

supajo commented Oct 1, 2024

I can confirm the exact same issue on my side.
Also i can not run this under a Azure Automation Runbook with Sysem Assigned Managed Identity

@ross-r
Copy link
Author

ross-r commented Oct 1, 2024

I can confirm the exact same issue on my side. Also i can not run this under a Azure Automation Runbook with Sysem Assigned Managed Identity

Yep, this seems to be a long running issue since MailSettings was added to Microsoft Graph which is disappointing. I'd love to spend the time transitioning to Graph but until these issues are fixed, better yet, even acknowledged seriously, I don't see a point.

Creating an application within Entra for this specific thing is not a solution as delegation for the same tasks has worked fine in past APIs from Microsoft, nor is it a solution at a enterprise level for MSPs supporting many organizations.

@weyCC81
Copy link

weyCC81 commented Jan 12, 2025
edited
Loading

This is still to be fixed (Permission: MailboxSettings.Read):
image

@timayabi2020
Copy link
Contributor

@ross-r apologies for the late reply. The service is giving a false response indicating that the required scopes have not been provided yet they have been provided. With such a scenario, we may not be best placed to give an answer/solution. I therefore advise that you kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.

@worldsdream
Copy link

Confirmed that it's still the case.

@weyCC81
Copy link

weyCC81 commented Jan 24, 2025
edited
Loading

Created a case Graph MailboxSetting Access Denied with Delegated‎ (#‎2501241410003136‎), please #reopen

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Service issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@timayabi2020 @worldsdream @weyCC81 @supajo @ross-r