Permissions to extract SignInActivity from MS Graph

%3CLINGO-SUB%20id%3D%22lingo-sub-2193636%22%20slang%3D%22en-US%22%3EPermissions%20to%20extract%20SignInActivity%20from%20MS%20Graph%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193636%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20trying%20to%20extract%26nbsp%3BSignInActivity%20from%20MS%20Graph%20but%20am%20receiving%20an%20error.%3CBR%20%2F%3E%3CBR%20%2F%3EQuery%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%2CSignInActivity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%2CSignInActivity%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EGenerates%20error%3A%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22error%22%3A%20%7B%3CBR%20%2F%3E%22code%22%3A%20%22Authentication_RequestFromUnsupportedUserRole%22%2C%3CBR%20%2F%3E%22message%22%3A%20%22User%20is%20not%20in%20the%20allowed%20roles%22%2C%3CBR%20%2F%3E%22innerError%22%3A%20%7B%3CBR%20%2F%3E%22date%22%3A%20%222021-03-08T15%3A00%3A42%22%2C%3CBR%20%2F%3E%22request-id%22%3A%20%22%5Bhidden%5D%22%2C%3CBR%20%2F%3E%22client-request-id%22%3A%20%22%5Bhidden%5D%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3EBTW%2C%20this%20works%20(excluding%26nbsp%3BSignInActivity)%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%2CSignInActivity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EPermissions%20consented%20(among%20others)%3A%3CBR%20%2F%3EAuditLog.Read.All%3CBR%20%2F%3EDirectory.AccessAsUser.All%3CBR%20%2F%3EDirectory.Read.All%3CBR%20%2F%3EOrganization.Read.All%3CBR%20%2F%3EUser.Read%3CBR%20%2F%3EUser.Read.All%3CBR%20%2F%3EUser.ReadBasic.All%3CBR%20%2F%3EUser.ReadWrite%3CBR%20%2F%3EUser.ReadWrite.All%3CBR%20%2F%3E%3CBR%20%2F%3EWhich%20permission%2Frole%20is%20missing%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EThomas%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2193636%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

Hi,

 

I'm trying to extract SignInActivity from MS Graph but am receiving an error.

Query:
https://graph.microsoft.com/beta/users?$select=UserType,UserPrincipalName,DisplayName,SignInActivity

Generates error:
{
"error": {
"code": "Authentication_RequestFromUnsupportedUserRole",
"message": "User is not in the allowed roles",
"innerError": {
"date": "2021-03-08T15:00:42",
"request-id": "[hidden]",
"client-request-id": "[hidden]"
}
}
}

BTW, this works (excluding SignInActivity)
https://graph.microsoft.com/beta/users?$select=UserType,UserPrincipalName,DisplayName

Permissions consented (among others):
AuditLog.Read.All
Directory.AccessAsUser.All
Directory.Read.All
Organization.Read.All
User.Read
User.Read.All
User.ReadBasic.All
User.ReadWrite
User.ReadWrite.All

Which permission/role is missing?

Thanks,
Thomas

2 Replies
Hi

AuditLog.Read.All should be the permission needed for SigninActivity.
But the error states unsupported user role, what role does the user account you are trying with have? The documentation states you don't need a specific role, but that's the first thing I would try...
For anyone interested, here's the solution.
Adding the "Global reader" role did the job (in addition I have the "User administrator" role).