Graph API permissions for rolemanagement/cloudPC/roleDefinitions

[jrlane]

I have EntraExporter setup in an Azure DevOps pipeline with a Workload Identity. I applied all permissions in the readme to the workload app but I'm getting this error:

WARNING: Skipping as it doesn't support 'ApplicationPermission'
WARNING: Processing parent '' (IAM)
WARNING: Processing parent '' (AccessPolicies)
WARNING: Processing 26 v1.0 API requests
WARNING: Processing 32 beta API requests
##[error]
Failed batch request:
 - Id: 'D:/a/1/s/prod-backup/RoleManagement/CloudPC/RoleDefinitions%%%1607974367%%%'
 - Url: 'rolemanagement/cloudPC/roleDefinitions'
 - StatusCode: '403'
 - Error: 'Access is denied to the requested resource.'

I have tried adding these additional api permissions but the result is the same: RoleManagement.Read.CloudPC, DeviceManagementConfiguration.Read.All

Here are the reported roles and uri requested in the MicrosoftGraphActivityLogs

RoleEligibilitySchedule.Read.Directory UserAuthenticationMethod.Read.All OnPremDirectorySynchronization.Read.All Policy.Read.PermissionGrant SharePointTenantSettings.Read.All PrivilegedAccess.Read.AzureAD EntitlementManagement.Read.All IdentityUserFlow.Read.All Directory.Read.All RoleManagement.Read.All PrivilegedAccess.Read.AzureResources User.Read.All TeamworkAppSettings.Read.All Agreement.Read.All RoleManagement.Read.CloudPC DeviceManagementConfiguration.Read.All APIConnectors.Read.All IdentityProvider.Read.All AccessReview.Read.All Organization.Read.All Teamwork.Read.All AuditLog.Read.All Policy.Read.All PrivilegedEligibilitySchedule.Read.AzureADGroup Application.Read.All Reports.Read.All

https://graph.microsoft.com/beta/rolemanagement/cloudPC/roleDefinitions

Any ideas?

[ramuvr]

Yes, having same issue. Tried adding

RoleManagement.ReadWrite.CloudPC
CloudPC.ReadWrite.All

but didn't work.

in my case from pipeline: change d:

Export-Entra "$root$(BACKUP_FOLDER)" -All

to

Export-Entra "$root$(BACKUP_FOLDER)" -Type 'Config','AccessReviews','ConditionalAccess','Users','Groups','Applications','ServicePrincipals','B2C','B2B','AppProxy','Organization','Domains','EntitlementManagement','Policies','AdministrativeUnits','SKUs','Identity','Roles','Governance','Devices','Teams','Sharepoint','RoleManagement','DirectoryRoles','ExchangeRoles','IntuneRoles','EntitlementManagementRoles','Reports','UsersRegisteredByFeatureReport','IAM','AccessPolicies','PIM','PIMDirectoryRoles','PIMResources','PIMGroups'

But that still causes the error.

[jrlane]

Yea I found that as well. And it's because all these types also include the offending api calls: 'All', 'Config', 'RoleManagement', 'CloudPCRoles'

I removed the cloudpc apis by editing the schema in the module and that fixes it as expected.

My best guess is it's due to our tenants not having cloudpc setup and the apis behaving as if access is denied but it's really because they are disabled.

[ramuvr]

Thanks, how did you manage to cloudpc apis by editing the schema - I am on DevOps pipeline run.

[jrlane]

I copied the EntraExporter as a new repo in my devops project and edited it.

Then removed this from Get-EEDefaultSchema

        # RoleManagement - CloudPC Role Definitions
        @{
            GraphUri = 'roleManagement/cloudPC/roleDefinitions'
            Path = 'RoleManagement/CloudPC/RoleDefinitions'
            ApiVersion = 'beta'
            Tag = @('All', 'Config', 'RoleManagement', 'CloudPCRoles')
            DelegatedPermission = 'RoleManagement.Read.All'
            ApplicationPermission = 'RoleManagement.Read.All'
        },
        # RoleManagement - CloudPC Role Assignments
        @{
            GraphUri = 'roleManagement/cloudPC/roleAssignments'
            Path = 'RoleManagement/CloudPC/RoleAssignments'
            QueryParameters = @{ expand = 'principals' }
            ApiVersion = 'beta'
            Tag = @('All', 'Config', 'RoleManagement', 'CloudPCRoles')
            DelegatedPermission = 'DeviceManagementRBAC.Read.All'
            ApplicationPermission = 'DeviceManagementRBAC.Read.All'
        }

Then I added a resource to the pipeline

resources:
  repositories:
    - repository: EntraExporterFixed
      type: git
      name: entra-config/EntraExporterFixed
      ref: main

And then added checkout to the job

    steps:
      - checkout: EntraExporterFixed
        clean: true
        path: EntraExporterFixed

Then finally load the module

            $modulePath = "$(Pipeline.Workspace)\EntraExporterFixed"
            Write-Host "Module path: $modulePath"
            Get-ChildItem $modulePath   # proves it really cloned

            Import-Module "$modulePath\src\EntraExporter.psd1" -Force

[ramuvr]

Thank you, i haven't had time to test this further, but will get to this later this week. Appreciate time taken to explain.

[ramuvr]

Apologies for the long delay.

I did manage to get this working; I had to switch to a hosted agent due to timeout but that came with its own set of challenges.

---

    # dot-source schema (defines Get-EEDefaultSchema)
    $mod = Get-Module EntraExporter -ListAvailable | Select-Object -First 1
    $schemaFile = Join-Path $mod.ModuleBase 'Get-EEDefaultSchema.ps1'
    if (Test-Path $schemaFile) { . $schemaFile } else { throw "Get-EEDefaultSchema.ps1 not found: $schemaFile" }
    
    # build filtered schema: remove CloudPC entries
    $__original = Get-EEDefaultSchema
    $__filtered = $__original | Where-Object {
      ($_. 'GraphUri' -notlike 'roleManagement/cloudPC/*') -and
      ($_. 'Path'     -notlike 'RoleManagement/CloudPC/*') -and
      (-not ($_.Tag -contains 'CloudPCRoles'))
    }
    Write-Host ("Original schema entries: {0}" -f $__original.Count)
    Write-Host ("Filtered schema entries: {0}" -f $__filtered.Count)
    
    # guard: ensure no CloudPC entries remain
    $cloudPcEntries = $__filtered | Where-Object { $_.GraphUri -like 'roleManagement/cloudPC/*' -or $_.Path -like 'RoleManagement/CloudPC/*' -or ($_.Tag -contains 'CloudPCRoles') }
    if ($cloudPcEntries) { throw "CloudPC entries still present in filtered schema." }

---