SOLVED

Calling principal does not have required MSGraph permissions AuditLog.Read.All

Brass Contributor

I have a Runbook (Automation Accounts) parsing AAD SignIn and Audit logs, however, when it executes Get-AzureADAuditSignInLogs I'm getting the following error:

Get-AzureADAuditSignInLogs : Error occurred while executing GetAuditSignInLogs Code: Authentication_MSGraphPermissionMissing Message: Calling principal does not have required MSGraph permissions AuditLog.Read.All

The Managed Identity I'm using in Runbook has Security Reader role, but it doesn't seem to be enough?

6 Replies
best response confirmed by Alex_Rechs (Brass Contributor)
Solution
It isn't, you should add/consent to the AuditLog.Read.All permission.

@Vasil Michev 
Can you please elaborate the answer ? the steps are not straightforward. I suppose this is involving the creation of a new app.

@Vasil Michev This is a terrible response and you get 'best answer' for this? Not helpful at all.

@Chris2705 I'm trying to work this out myself at the moment. There is a known bug documented at
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/108

I'll post an actual technical answer here when i find it :)

@roystonius 

I solved the issue giving the Graph permission without registering any app, and with a small powershell script.
Please follow this article and you'll be able to solve it as well.

https://gotoguy.blog/2022/03/15/add-graph-application-permissions-to-managed-identity-using-graph-ex...

Unfortunately graph api permissions are something different than Azure AD roles.

@Chris2705 

 

Good job calling this out, as I think lots of people tend to conflate the two, where, as you say, they're very different beasts.

 

Cheers,

Lain

1 best response

Accepted Solutions
best response confirmed by Alex_Rechs (Brass Contributor)
Solution
It isn't, you should add/consent to the AuditLog.Read.All permission.

View solution in original post