Forum Discussion
Permissions to extract SignInActivity from MS Graph
Hi,
I'm trying to extract SignInActivity from MS Graph but am receiving an error.
Query:
https://graph.microsoft.com/beta/users?$select=UserType,UserPrincipalName,DisplayName,SignInActivity
Generates error:
{
"error": {
"code": "Authentication_RequestFromUnsupportedUserRole",
"message": "User is not in the allowed roles",
"innerError": {
"date": "2021-03-08T15:00:42",
"request-id": "[hidden]",
"client-request-id": "[hidden]"
}
}
}
BTW, this works (excluding SignInActivity)
https://graph.microsoft.com/beta/users?$select=UserType,UserPrincipalName,DisplayName
Permissions consented (among others):
AuditLog.Read.All
Directory.AccessAsUser.All
Directory.Read.All
Organization.Read.All
User.Read
User.Read.All
User.ReadBasic.All
User.ReadWrite
User.ReadWrite.All
Which permission/role is missing?
Thanks,
Thomas
- Thijs LecomteBronze ContributorHi
AuditLog.Read.All should be the permission needed for SigninActivity.
But the error states unsupported user role, what role does the user account you are trying with have? The documentation states you don't need a specific role, but that's the first thing I would try... - ThomasBirkCopper ContributorFor anyone interested, here's the solution.
Adding the "Global reader" role did the job (in addition I have the "User administrator" role). - damyou06Brass Contributor
SignInActivity is not working even though we have Azure Premium 2 in our tenant. I have "AuditLog.Read.All" and uisng application permissions https://graph.microsoft.com/beta/users?$select=displayName,userPrincipalName,signInActivity
What do you think i am missing
- Thijs LecomteBronze ContributorYou need to add the Directory.Read.All to the app as well
- damyou06Brass Contributorcorrect