
I have an implementation where I created a MIM PowerShell Connector for Azure PIM (Privileged Identity Management). This connector imports on-premises AD groups and transfers the members to Azure PIM role assignments.
A couple of days ago the scripts of that connector started throwing errors, both in my implementation and at a customer.
I tried to reach the following endpoints in Graph Explorer, and even there I got an error.
Graph Explorer states the following error:
{
  "error": {
    "code": "UnknownError",
    "message": "{\"message\":\"An error has occurred.\"}",
    "innerError": {
      "request-id": "16e184f8-86cb-4424-abff-4fd3ac4a010e",
      "date": "2018-11-12T12:40:15"
    }
  }
}
PowerShell, on the other hand, throws an Internal Server Error (500).
There is also a GitHub issue related to that error:
https://github.com/MicrosoftDocs/feedback/issues/845
The strange thing was that while I got an error with Graph Explorer in my tenant, it worked well in the customer tenant; only PowerShell failed in the customer's tenant. Hmmmmm.
Reason!
I talked to the product group and was told there were some changes to the PIM Graph API: they added a scope check against the token.
Resolution!
My script uses a username/password flow to get a token from Azure AD, so I used a generic (well-known) client_id (1950a258-227b-4e31-a9cf-717495945fc2) instead of the applicationId of an app registered in my tenant.
But the client_id used in my script needs to have the following permissions on the Graph API:
- Directory.AccessAsUser.All
- Directory.Read.All
- Directory.ReadWrite.All
- PrivilegedAccess.ReadWrite.AzureAD (The new one for the scope check)
So the solution was to do the following to get my script, and therefore the MIM Connector, working again:
- Create an app registration (Native Client) in Azure AD
- Set the permissions above for Microsoft Graph (don’t forget to hit the grant permission button)
- Use the applicationId as client_id in my PowerShell script
After that the Connector started working properly again, as before.
At the time of writing this blog post, the official PIM Graph API documentation does not say anything about this.
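As an added example (not the connector's own script), this shows the username/password flow with the app registration's applicationId as client_id, and a local check of the token's scp claim for PrivilegedAccess.ReadWrite.AzureAD before calling PIM, so a missing grant is caught as a clear error instead of an opaque 500. Tenant id, client_id, credential and the beta PIM endpoint are assumptions/placeholders.

```powershell
# Added example, not the original connector script. Placeholders: $TenantId, $ClientId, $Credential.
$TenantId   = '<your-tenant-id>'
$ClientId   = '<applicationId of the Native Client app registration>'
$Credential = Get-Credential -Message 'Service account used by the MIM connector'

# Username/password (ROPC) flow against the Azure AD v1 token endpoint, resource = Microsoft Graph
function Get-GraphToken {
    param([string]$TenantId, [string]$ClientId, [pscredential]$Credential)
    $body = @{
        grant_type = 'password'
        resource   = 'https://graph.microsoft.com'
        client_id  = $ClientId
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body
    return $resp.access_token
}

# Decode the JWT payload (base64url). No signature check: this only inspects claims locally for diagnostics.
function Get-JwtPayload {
    param([string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# The scp claim is a space-separated list of delegated scopes granted to the client_id
function Test-PimScope {
    param([string]$Token, [string]$RequiredScope = 'PrivilegedAccess.ReadWrite.AzureAD')
    $scopes = (Get-JwtPayload -Token $Token).scp -split ' '
    return ($scopes -contains $RequiredScope)
}

$token = Get-GraphToken -TenantId $TenantId -ClientId $ClientId -Credential $Credential
if (-not (Test-PimScope -Token $token)) {
    throw "Token for client_id $ClientId lacks PrivilegedAccess.ReadWrite.AzureAD; check the granted Graph permissions of the app registration."
}
$headers = @{ Authorization = "Bearer $token" }
# Assumed PIM beta endpoint listing the Azure AD role resources the caller can manage
$roles = Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources' -Headers $headers
$roles.value | Select-Object id, displayName
```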