Tags: c#, azure, azure-active-directory, microsoft-graph-api

User is not in the allowed roles when pulling M365 signinactivity data


We have a few customers for whom we need to pull in display name and signinactivity:

Using the AuditLog permission and Directory.Read.All, I am attempting to test that I can pull in the signinactivity data using the Graph API Explorer.

Keep in mind that we're using Microsoft Entra ID Premium.

However, I am getting this error:

"error": {
    "code": "Authentication_RequestFromUnsupportedUserRole",
    "message": "User is not in the allowed roles",

Also here is what my scope looks like in the token:

"scp": "APIConnectors.Read.All AuditLog.Read.All Directory.Read.All Directory.ReadWrite.All OnlineMeetingArtifact.Read.All OnlineMeetings.Read openid profile User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All email"

Any idea what role is needed for pulling the signinactivity?

Here are the user roles: [screenshot]

and app permissions: [screenshot]


Solution

  • Note that: To fetch the sign-in activity of the user, the AuditLog.Read.All and Directory.Read.All API permissions are required. One of the roles must be assigned to the user, as per this MS Doc.

    I assigned the user the Global Reader role (Active assignment):

    [screenshot]

    I consented to the API permissions and was able to successfully fetch the sign-in logs:

    https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq '[email protected]'
    

    [screenshot]

    If you are making use of an Azure AD application, make sure to grant admin consent to the API permissions:

    [screenshot]

    As a sample, I generated an access token by using the below parameters via Postman:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    scope:https://graph.microsoft.com/.default 
    grant_type:authorization_code
    code:code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret
    

    [screenshot]

    By using the above access token, I am able to fetch the sign-in details of the user:

    https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq '[email protected]'
    

    [screenshot]

    If the issue still persists, make sure you are using either a work or school account or a service principal for authentication, as a personal Microsoft account is not supported.

    • Make sure that you are signing in with a user that has the required roles to perform the action.

    Reference:

    Permissions to extract SignInActivity from MS Graph - Microsoft Community Hub by Thomas Birk
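As an added pre-flight check (example code, not from the question or the answer), the following Python decodes the access token's payload without verifying it, confirms that AuditLog.Read.All and Directory.Read.All are granted as delegated (scp) or application (roles) permissions, and, for a delegated token, whether the Global Reader role the answer assigns appears in the wids claim, which is why the question's token still fails with Authentication_RequestFromUnsupportedUserRole. It assumes the tenant emits the wids claim, uses a constructed unsigned sample token, and also builds the answer's $filter URL with proper encoding.

```python
import base64
import json
from urllib.parse import quote

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
# Permissions the answer names as required for auditLogs/signIns.
REQUIRED = {"AuditLog.Read.All", "Directory.Read.All"}
# Role template ID of Global Reader (the role the answer assigns); the other
# roles the linked MS doc allows can be added to this set.
ALLOWED_ROLE_IDS = {"f2ef992c-3afb-46b9-b7cf-a126ee74c451"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature (inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def preflight(token: str) -> dict:
    """Explain, before calling Graph, why a signIns request would be rejected."""
    claims = token_claims(token)
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    result = {"missing_permissions": sorted(REQUIRED - granted),
              "needs_directory_role": False, "ok": False}
    if result["missing_permissions"]:
        return result
    # Delegated token (scp present): the signed-in user must also hold a directory
    # role. Assumption: the tenant emits the "wids" claim listing role template IDs.
    if "scp" in claims:
        result["needs_directory_role"] = not (ALLOWED_ROLE_IDS & set(claims.get("wids", [])))
    result["ok"] = not result["needs_directory_role"]
    return result

def signins_url(upn: str) -> str:
    """Build the answer's $filter query with the space and quotes URL-encoded."""
    filt = "userPrincipalName eq '" + upn.replace("'", "''") + "'"  # OData quote escaping
    return f"{GRAPH_SIGNINS}?$filter={quote(filt, safe='')}"

def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned JWT used only to demo the checks offline."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.sig"

# Shaped like the question's token: permissions granted, but no directory role.
QUESTION_TOKEN = make_sample_token({"scp": "AuditLog.Read.All Directory.Read.All User.Read"})
# The same user after the Global Reader assignment from the answer.
FIXED_TOKEN = make_sample_token({"scp": "AuditLog.Read.All Directory.Read.All",
                                 "wids": sorted(ALLOWED_ROLE_IDS)})
```

Run preflight on a real token only for inspection; never trust an unverified payload for authorization decisions.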