Description
Describe the bug
I am trying to get the list of drives in a site that is assigned a sensitivity label that uses an authentication context with MFA to restrict access to the site (see picture). The Graph Explorer is able to return details, but running the cmdlet cannot, probably because the additional authentication requirement cannot be met.
Expected behavior
I expect Get-MgSiteDrive and Get-MgSiteDefaultDrive to both work.
```
$Uri = 'https://redmondassociates.sharepoint.com/sites/aircraftwaterchers'
$Global:Site = Get-MgSite -Search $Uri
Get-MgSiteDrive -SiteId $Site.Id
Get-MgSiteDrive_List: Access denied
Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-12-23T15:09:39
Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 26b4436a-ed72-42c5-98d1-080fdce6b64f
client-request-id : 71a791a6-f477-45d7-bf1e-6b5541cadc23
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF0000B5DA"}}
Date : Mon, 23 Dec 2024 15:09:39 GMT

Get-MgSiteDefaultDrive -SiteId $Site.id
Get-MgSiteDefaultDrive_Get: Access denied
Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-12-23T15:14:05
Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 6612f91c-3871-4240-a77f-caff957b486b
client-request-id : 32e516a7-d391-4420-9a41-44db00081f99
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF000158AA"}}
Date : Mon, 23 Dec 2024 15:14:04 GMT
```
Here's what happens with the Graph Explorer
How to reproduce
- Create a sensitivity label that requires an MFA authentication context. Publish the label to SharePoint and wait for replication.
- Apply the label to a site.
- Attempt to use Get-MgSiteDrive and Get-MgSiteDefaultDrive to retrieve drive information. The attempts should fail.
- Change the label for the site (or remove it).
- Run the cmdlets again. They will work.
SDK Version
2.25
Latest version known to work for scenario above?
None
Known Workarounds
None. The Graph API request fails too.
Debug output
```
Get-MgSiteDefaultDrive -SiteId $Site.id -debug
DEBUG: [CmdletBeginProcessing]: - Get-MgSiteDefaultDrive begin processing with parameterSet 'Get'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, Agreement.Read.All, Analytics.Read, APIConnectors.Read.All, Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, AuditLogsQuery.Read.All, BackupRestore-Control.Read.All, Calendars.Read, Calendars.ReadWrite, Channel.ReadBasic.All, ChannelMessage.Read.All, ChannelMessage.ReadWrite, ChannelMessage.Send, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Chat.Create, Chat.ManageDeletion.All, Chat.ReadWrite, Community.ReadWrite.All, Contacts.ReadWrite, CopilotSettings-LimitedMode.ReadWrite, CrossTenantUserProfileSharing.Read, CrossTenantUserProfileSharing.Read.All, DelegatedPermissionGrant.ReadWrite.All, DeviceManagementManagedDevices.Read.All, Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, DirectoryRecommendations.Read.All, Domain.Read.All, eDiscovery.Read.All, email, EntitlementManagement.Read.All, Files.Read, Files.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All, GroupMember.ReadWrite.All, IdentityProvider.Read.All, IdentityProvider.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All, IdentityRiskyUser.ReadWrite.All, IdentityUserFlow.Read.All, InformationProtectionPolicy.Read, Mail.Read, Mail.ReadWrite, Mail.Send, Mail.Send.Shared, MailboxSettings.ReadWrite, Notes.Create, OnlineMeetingArtifact.Read.All, OnlineMeetings.Read, OnPremDirectorySynchronization.ReadWrite.All, openid, Organization.Read.All, PeopleSettings.Read.All, PeopleSettings.ReadWrite.All, Place.Read.All, Policy.Read.All, Policy.Read.ConditionalAccess, Policy.Read.PermissionGrant, Policy.ReadWrite.ApplicationConfiguration, Policy.ReadWrite.AuthenticationMethod, Policy.ReadWrite.ConditionalAccess, POP.AccessAsUser.All, PrivilegedAccess.Read.AzureAD, PrivilegedAccess.Read.AzureResources, profile, RecordsManagement.Read.All, Reports.Read.All, ReportSettings.ReadWrite.All, RoleAssignmentSchedule.Read.Directory, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.Read.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleEligibilitySchedule.Remove.Directory, RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory, SecurityActions.ReadWrite.All, SecurityEvents.Read.All, SecurityEvents.ReadWrite.All, ServiceHealth.Read.All, ServiceMessage.Read.All, SharePointTenantSettings.ReadWrite.All, Sites.FullControl.All, Sites.Manage.All, Sites.Read.All, Sites.ReadWrite.All, Tasks.Read, Tasks.ReadWrite, Team.ReadBasic.All, TeamMember.Read.All, TeamSettings.Read.All, TeamsTab.Read.All, TeamworkTag.ReadWrite, User.Read, User.Read.All, User.ReadBasic.All, User.ReadWrite, User.ReadWrite.All, UserActivity.ReadWrite.CreatedByApp, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All, User-ConvertToInternal.ReadWrite.All, VirtualEvent.Read, WindowsUpdates.Read.All].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-IE),PowerShell/7.4.6
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.25.0
client-request-id : be07a3b6-638c-463f-b3bb-df9fde5120a4
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 28eb1bbc-a01d-4f78-ba39-11427a3fa823
client-request-id : be07a3b6-638c-463f-b3bb-df9fde5120a4
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF000158A7"}}
Date : Mon, 23 Dec 2024 15:17:35 GMT
Body:
{
"error": {
"code": "accessDenied",
"message": "Access denied",
"innerError": {
"date": "2024-12-23T15:17:36",
"request-id": "28eb1bbc-a01d-4f78-ba39-11427a3fa823",
"client-request-id": "be07a3b6-638c-463f-b3bb-df9fde5120a4"
}
}
}
Get-MgSiteDefaultDrive_Get: Access denied
Status: 403 (Forbidden)
ErrorCode: accessDenied
Date: 2024-12-23T15:17:36
Headers:
Cache-Control : max-age=0, private
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 28eb1bbc-a01d-4f78-ba39-11427a3fa823
client-request-id : be07a3b6-638c-463f-b3bb-df9fde5120a4
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"007","RoleInstance":"DU6PEPF000158A7"}}
Date : Mon, 23 Dec 2024 15:17:35 GMT
DEBUG: [CmdletEndProcessing]: - Get-MgSiteDefaultDrive end processing.
```
Configuration
```
Name                           Value
PSVersion                      7.4.6
PSEdition                      Core
GitCommitId                    7.4.6
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
Other information
No response
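
Added example, not part of the original report or the SDK: the Microsoft identity platform signals a step-up requirement with a claims challenge, a `WWW-Authenticate` header carrying `error="insufficient_claims"` and a base64 `claims` value, and the 403 logged above has no such header. The hypothetical helper `Get-ClaimsChallenge` below classifies a response's headers; the second header set and the `c1` context id are constructed samples.

```powershell
# Added diagnostic sketch. Get-ClaimsChallenge and the challenge sample are
# constructed for illustration; "c1" is a placeholder context id.
function Get-ClaimsChallenge {
    param(
        [Parameter(Mandatory)] [int] $StatusCode,
        [Parameter(Mandatory)] [hashtable] $Headers
    )
    $result = [ordered]@{
        StatusCode   = $StatusCode
        HasChallenge = $false
        Error        = $null
        Acrs         = $null
    }
    $www = [string]$Headers['WWW-Authenticate']
    if ($www -match 'error="(?<err>[^"]+)"') { $result.Error = $Matches['err'] }
    if ($www -match 'claims="(?<claims>[^"]+)"') {
        # Tolerate base64url characters and missing padding before decoding.
        $b64 = $Matches['claims'].Replace('-', '+').Replace('_', '/')
        switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
        $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
        $result.HasChallenge = $true
        # acrs.value names the authentication context the resource requires.
        $result.Acrs = ($json | ConvertFrom-Json).access_token.acrs.value
    }
    [pscustomobject]$result
}

# Response headers of the 403 in the debug log above (ids and date omitted).
$pageDenial = @{
    'Cache-Control'             = 'max-age=0, private'
    'Vary'                      = 'Accept-Encoding'
    'Strict-Transport-Security' = 'max-age=31536000'
}

# Constructed claims challenge, built here so the base64 is known to be valid.
$claimsJson = '{"access_token":{"acrs":{"essential":true,"value":"c1"}}}'
$claimsB64  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($claimsJson))
$challenge  = @{
    'WWW-Authenticate' = 'Bearer realm="", error="insufficient_claims", claims="{0}"' -f $claimsB64
}

Get-ClaimsChallenge -StatusCode 403 -Headers $pageDenial   # HasChallenge: False
Get-ClaimsChallenge -StatusCode 401 -Headers $challenge    # HasChallenge: True, Acrs: c1
```

A response with `HasChallenge` false, like the one in this report, gives a client nothing to act on: it cannot tell which authentication context to request in a new sign-in.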