Graph authorization error

Reinout Dorreboom 96 Reputation points
2021-10-11T13:33:07.503+00:00

I want to add a Trusted location in the Azure Conditional policies with MS Graph.

I have the next PowerShell script. The $body is converted to JSON, and the converted JSON works just fine in the MS Graph explorer, just as expected.

$body = @{
    "@odata.type"       = "#microsoft.graph.countryNamedLocation"
    countriesAndRegions = @(
        $ExcludedCountryCode 
    )
    countryLookupMethod = "clientIpAddress"
    displayName         = $ExcludedCountryDisplayName   
}| ConvertTo-Json

$NamedLocationURI = "https://graph.microsoft.com/beta/conditionalAccess/namedLocations"
$NamedLocation = Invoke-RestMethod -Uri $NamedLocationURI -Headers $authToken -body $Body -Method POST -ContentType "application/json"
logwrite -logfile $Logfile -type Informational -logstring "De named location `"$ExcludedCountryDisplayName`" is aangemaakt!"

However, when I run it in my script I get an error: The remote server returned an error: (403) Forbidden. Of course this probably has something to do with the bearer token, however if I run another JSON - one to create a new Azure AD group - that runs without any problems with the same token...

$Body = @{
    description     = $Description
    displayName     = $DisplayName
    mailEnabled     = $false
    mailNickname    = ($DisplayName + "-" + (get-random -Minimum 100000 -Maximum 999999))
    securityEnabled = $true
}|ConvertTo-Json
$Group = Invoke-RestMethod -Uri $BaseUrl -Headers $authToken -body $Body -Method POST -ContentType "application/json"
logwrite -logfile $Logfile -type Informational -logstring "De security groep $DisplayName is aangemaakt..."

I use the same (global admin) account in both scripts and also in the Graph explorer. It is strange, since I can use the authentication token for creating all policies we need, except the policies created under Conditional access: https://graph.microsoft.com/beta/identity/conditionalAccess all of them gave me problems with authentication (in the scripts, not in Graph, not manually on the site with the same accounts).

I got my header via:

$AccessToken = Connect-MSGraph -ForceInteractive -PassThru

$AuthToken = @{
    Authorization = "Bearer $AccessToken"
}

I have no idea anymore... Does anyone have an idea?


2 answers

  1. Lu Dai-MSFT 28,341 Reputation points
    2021-10-12T02:16:41.237+00:00

    @Reinout Dorreboom Thanks for posting in our Q&A.

    For this error message, it seems that we don't have enough permissions. It is suggested to enter F12 to get the detailed token information and try to use it. For example:
    [screenshot: 139672-image.png]

    Then please make sure that we have the "Policy.Read.All" permission in Graph Explorer.

    If this issue still exists, please understand that conditional access works with Azure AD resources in Microsoft Graph, so it is suggested to contact Azure AD support to get more accurate help. Here is the support link:
    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto

    Hope it will help


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
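The answer above suggests inspecting the token's permissions before calling the endpoint. The following PowerShell is an added example, not code from the original post or from Microsoft: it decodes the bearer token locally (a JWT's payload is base64url-encoded JSON, so no network call is needed), lists the delegated scopes (`scp` claim) and application roles (`roles` claim) it actually carries, and refuses to call the namedLocations endpoint when a required permission is missing, so the script reports the missing scope instead of a bare 403. The function names `ConvertFrom-JwtPayload` and `Test-GraphScope` are hypothetical; `$AccessToken`, `$AuthToken` and `$Body` are assumed to come from the poster's earlier script; the permission list checked here (`Policy.Read.All` plus `Policy.ReadWrite.ConditionalAccess`) is taken from the Microsoft Graph permissions reference for write operations on named locations, and the URI uses the `identity/conditionalAccess` path mentioned in the question. Note that `Connect-MSGraph` signs in with the Intune PowerShell SDK's own app registration, so the scopes in the resulting token are whatever that registration was consented for, which is exactly what this check makes visible.

```powershell
# Added example (not part of the original post). Assumes $AccessToken holds the raw JWT
# returned by Connect-MSGraph -PassThru, and $AuthToken / $Body are built as in the question.

function ConvertFrom-JwtPayload {
    # Hypothetical helper: returns the claims of a JWT as an object.
    # Only decodes; it does NOT validate the signature, so use it for diagnostics only.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Value does not look like a JWT (expected header.payload.signature)." }
    # Payload is base64url: swap the URL-safe alphabet back and restore padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-GraphScope {
    # Hypothetical helper: compares the permissions in the token with the ones a call needs.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$Required
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Delegated permissions are a space-separated string in 'scp';
    # application permissions (client credentials) are an array in 'roles'.
    $granted = @()
    if ($claims.scp)   { $granted += ($claims.scp -split ' ') }
    if ($claims.roles) { $granted += @($claims.roles) }
    $missing = @($Required | Where-Object { $_ -notin $granted })
    [pscustomobject]@{
        Audience = $claims.aud      # must be Microsoft Graph for this call to be accepted
        AppId    = $claims.appid    # the app registration the token was issued to
        Granted  = $granted
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

# Permissions listed in the Graph permissions reference for creating a namedLocation.
$requiredScopes = @('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess')
$check = Test-GraphScope -Token $AccessToken -Required $requiredScopes

if (-not $check.Ok) {
    Write-Warning ("Token for app {0} (aud {1}) lacks: {2}. Granted: {3}" -f `
        $check.AppId, $check.Audience, ($check.Missing -join ', '), ($check.Granted -join ', '))
    return
}

# Only call Graph once the token is known to carry the needed permission.
$NamedLocationURI = "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations"
try {
    $NamedLocation = Invoke-RestMethod -Uri $NamedLocationURI -Headers $AuthToken -Body $Body `
        -Method POST -ContentType "application/json"
    $NamedLocation
} catch {
    # Graph returns a JSON error body; surface its code and message rather than just "403 Forbidden".
    Write-Warning ("Graph call failed: {0}`n{1}" -f $_.Exception.Message, $_.ErrorDetails.Message)
}
```

Run this in place of the bare `Invoke-RestMethod` call from the question. If `Missing` is non-empty, the fix is on the consent side (a token from an app registration that has been granted the conditional access permission), not in the request body, which is consistent with the same body succeeding in Graph Explorer, where the signed-in session can be consented for extra scopes.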


  2. Reinout Dorreboom 96 Reputation points
    2021-10-13T08:31:42.927+00:00

    Thank you for your answer Lu Dai!

    I will wait for an answer and in the meantime I will try to get some info from the MS Graph Intune SDK team.

    Thank you for your valuable time!