Permissions to extract SignInActivity from MS Graph

%3CLINGO-SUB%20id%3D%22lingo-sub-2193636%22%20slang%3D%22en-US%22%3EPermissions%20to%20extract%20SignInActivity%20from%20MS%20Graph%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193636%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20trying%20to%20extract%26nbsp%3BSignInActivity%20from%20MS%20Graph%20but%20am%20receiving%20an%20error.%3CBR%20%2F%3E%3CBR%20%2F%3EQuery%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%2CSignInActivity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%2CSignInActivity%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EGenerates%20error%3A%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22error%22%3A%20%7B%3CBR%20%2F%3E%22code%22%3A%20%22Authentication_RequestFromUnsupportedUserRole%22%2C%3CBR%20%2F%3E%22message%22%3A%20%22User%20is%20not%20in%20the%20allowed%20roles%22%2C%3CBR%20%2F%3E%22innerError%22%3A%20%7B%3CBR%20%2F%3E%22date%22%3A%20%222021-03-08T15%3A00%3A42%22%2C%3CBR%20%2F%3E%22request-id%22%3A%20%22%5Bhidden%5D%22%2C%3CBR%20%2F%3E%22client-request-id%22%3A%20%22%5Bhidden%5D%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3EBTW%2C%20this%20works%20(excluding%26nbsp%3BSignInActivity)%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%2CSignInActivity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DUserType%2CUserPrincipalName%2CDisplayName%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EPermissions%20consented%20(among%20others)%3A%3CBR%20%2F%3EAuditLog.Read.All%3CBR%20%2F%3EDirectory.AccessAsUser.All%3CBR%20%2F%3EDirectory.Read.All%3CBR%20%2F%3EOrganization.Read.All%3CBR%20%2F%3EUser.Read%3CBR%20%2F%3EUser.Read.All%3CBR%20%2F%3EUser.ReadBasic.All%3CBR%20%2F%3EUser.ReadWrite%3CBR%20%2F%3EUser.ReadWrite.All%3CBR%20%2F%3E%3CBR%20%2F%3EWhich%20permission%2Frole%20is%20missing%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EThomas%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2193636%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194194%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20to%20extract%20SignInActivity%20from%20MS%20Graph%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194194%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3E%3CBR%20%2F%3EAuditLog.Read.All%20should%20be%20the%20permission%20needed%20for%20SigninActivity.%3CBR%20%2F%3EBut%20the%20error%20states%20unsupported%20user%20role%2C%20what%20role%20does%20the%20user%20account%20you%20are%20trying%20with%20have%3F%20The%20documentation%20states%20you%20don't%20need%20a%20specific%20role%2C%20but%20that's%20the%20first%20thing%20I%20would%20try...%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2204497%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20to%20extract%20SignInActivity%20from%20MS%20Graph%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2204497%22%20slang%3D%22en-US%22%3EFor%20anyone%20interested%2C%20here's%20the%20solution.%3CBR%20%2F%3EAdding%20the%20%22Global%20reader%22%20role%20did%20the%20job%20(in%20addition%20I%20have%20the%20%22User%20administrator%22%20role).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2671695%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20to%20extract%20SignInActivity%20from%20MS%20Graph%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2671695%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3ESignInActivity%20is%20not%20working%20even%20though%20we%20have%20Azure%20Premium%202%20in%20our%20tenant.%20I%20have%20%22AuditLog.Read.All%22%20and%20uisng%20application%20permissions%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fusers%3F%24select%3DdisplayName%2CuserPrincipalName%2CsignInActivity%22%20rel%3D%22noreferrer%20noopener%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fusers%3F%24select%3DdisplayName%2CuserPrincipalName%2CsignInActivity%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20do%20you%20think%20i%20am%20missing%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F990709%22%20target%3D%22_blank%22%3E%40ThomasBirk%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2686800%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20to%20extract%20SignInActivity%20from%20MS%20Graph%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2686800%22%20slang%3D%22en-US%22%3EYou%20need%20to%20add%20the%20Directory.Read.All%20to%20the%20app%20as%20well%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2709258%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20to%20extract%20SignInActivity%20from%20MS%20Graph%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2709258%22%20slang%3D%22en-US%22%3Ecorrect%3C%2FLINGO-BODY%3E
New Contributor

Hi,

 

I'm trying to extract SignInActivity from MS Graph but am receiving an error.

Query:
https://graph.microsoft.com/beta/users?$select=UserType,UserPrincipalName,DisplayName,SignInActivity

Generates error:
{
"error": {
"code": "Authentication_RequestFromUnsupportedUserRole",
"message": "User is not in the allowed roles",
"innerError": {
"date": "2021-03-08T15:00:42",
"request-id": "[hidden]",
"client-request-id": "[hidden]"
}
}
}

BTW, this works (excluding SignInActivity)
https://graph.microsoft.com/beta/users?$select=UserType,UserPrincipalName,DisplayName

Permissions consented (among others):
AuditLog.Read.All
Directory.AccessAsUser.All
Directory.Read.All
Organization.Read.All
User.Read
User.Read.All
User.ReadBasic.All
User.ReadWrite
User.ReadWrite.All

Which permission/role is missing?

Thanks,
Thomas

5 Replies
Hi

AuditLog.Read.All should be the permission needed for SigninActivity.
But the error states unsupported user role, what role does the user account you are trying with have? The documentation states you don't need a specific role, but that's the first thing I would try...
For anyone interested, here's the solution.
Adding the "Global reader" role did the job (in addition I have the "User administrator" role).

SignInActivity is not working even though we have Azure Premium 2 in our tenant. I have "AuditLog.Read.All" and uisng application permissions https://graph.microsoft.com/beta/users?$select=displayName,userPrincipalName,signInActivity

 

What do you think i am missing

 

 

@ThomasBirk 

You need to add the Directory.Read.All to the app as well