Azure PIM: Internal Server Error (500) using PIM Graph API


Azure Active Directory_COLOR

I have some implementation where I created a MIM PowerShell Connector for Azure PIM (Privileged Identity Management. This Connector imports on-Premises AD groups and transfers the members to Azure PIM role assignments.

A couple of days ago the scripts of that connector throw errors in my implementation as well as at a customer.

I tried to reach the following endpoints in Graph Explorer and even there I get an error:

Graph Explorer states the following error:

{
  "error": {
    "code": "UnknownError",
    "message": "{"message":"An error has occurred."}",
  "innerError": {
    "request-id": "16e184f8-86cb-4424-abff-4fd3ac4a010e",
    "date": "2018-11-12T12:40:15"
    }
  }
}

While PowerShell throws an Internal Server Error (500)

There is also a Github Issue related to that error:
https://github.com/MicrosoftDocs/feedback/issues/845

Strange thing was that while I get an error with Graph Explorer in my tenant, it worked well in the customer tenant, only PowerShell failed at customers tenant. hmmmmm.

Reason!

I talked to the product group and was told there where some changes to the PIM Graph API as they added a scope check against the token.

Resolution!

My script uses a Username/Password Flow to get a token from Azure AD so I used a generic (well-known) client_id (1950a258-227b-4e31-a9cf-717495945fc2) instead of an applicationId from a registered app in my tenant.

But the client_id used in my script needs to have the following permissions to Graph API:

  • Directory.AccessAsUser.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • PrivilegedAccess.ReadWrite.AzureAD (The new one for the scope check)

So the solution was the to do the following to get my script and therefore the MIM Connector back working:

  1. Create an app registration (Native Client) in Azure AD
  2. Set the permissions above for Microsoft Graph
    (don’t forget to hit the grant permission button)
  3. Use the applicationId as client_Id in my PowerShell script.

And the Connector starts working properly like before.

Currently at time of writing this blog post the official PIM Graph API documentation does not state anything about that.

 

 

Advertisements

Author: Peter Stapf

Senior Consultant Identity and Access

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.