Fetching the Access Package Resource Role Scopes yields the following error:

  Line |
 116 |  …  $results = Invoke-MgGraphRequest -Method GET -Uri $uriQueryEndpointF …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/f9cc86bc-de22-4fe2-b278-e34661ad711b?$expand=accessPackageResourceRoleScopes(%24$expand%3DaccessPackageResourc
     | Request Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id: fc296106-87a4-40a6-8cc4-46ad60b1801e client-request-id: cee25f84-9ac2-4b5b-b688-ebe99f5hee
     | {"ServerInfo":{"DataCenter":"Sweden Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"GV2PEPF00002098"}} Date: Thu, 17 Aug 2023 07:30:30 GMT Content-Type: application/json Content-Encodin
     | {"error":{"code":"BadRequest","message":"Parsing OData Select and Expand failed: Term '($$expand=accessPackageResourceRole,accessPackageResourceScope)' is not valid in a $select or $expand
     | expression.","innerError":{"date":"2023-08-17T07:30:30","request-id":"fc296106-87a4-40a6-8cc4-46ad60b1801e","client-request-id":"cee25f84-9ac2-4b5b-b688-ebe99f5hee51"}}}

The issue seems to be that the inner '$expand' is prepended with an urlencoded '$' (%24). I'm not sure which component does this; perhaps the graph api library? Replacing the '$expand' with just 'expand' fixes the issue.

Hello,

I can execute the following PowerShell script in Windows 10 PC without error.

Write-Host 'Installing modules...'
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
Install-Module AzureADExporter -Scope CurrentUser -Force

Write-Host 'Connecting to AzureAD...'
Connect-AzureADExporter -TenantId $tenantId

Write-Host 'Starting backup...'
Export-AzureAD $tenantPath -All

But I encountered the following error in Linux:

 Organization/Settings.json
Export-AzureAD: GET https://graph.microsoft.com/beta/organization/dd9b9e36-a5e2-448f-bbfd-ca66896e065e/settings
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 39aaa35d-fcf8-4276-9f8a-486754d1fcf1
client-request-id: 39aaa35d-fcf8-4276-9f8a-486754d1fcf1
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Japan East","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"TY1PEPF0000355B"}}
Date: Mon, 20 Dec 2021 07:19:16 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"UnknownError","message":"{\r\n  \"errorCode\": \"ErrorAccessDeniedForUser\",\r\n  \"message\": \"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileUnauthorizedException' was thrown.\",\r\n  \"target\": null,\r\n  \"details\": null,\r\n  \"innerError\": null,\r\n  \"instanceAnnotations\": []\r\n}","innerError":{"date":"2021-12-20T07:19:16","request-id":"39aaa35d-fcf8-4276-9f8a-486754d1fcf1","client-request-id":"39aaa35d-fcf8-4276-9f8a-486754d1fcf1"}}}

 Policies/FeatureRolloutPolicies
Export-AzureAD: GET https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: cfe03996-e3bb-4460-82e4-f5ecbcf08040
client-request-id: cfe03996-e3bb-4460-82e4-f5ecbcf08040
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Japan East","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"TYO1EPF00000B5A"}}
Date: Mon, 20 Dec 2021 07:48:09 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"InsufficientScope_UnauthorizedAccess","message":"User doesn't have sufficient scope to access resource.","innerError":{"date":"2021-12-20T07:48:10","request-id":"cfe03996-e3bb-4460-82e4-f5ecbcf08040","client-request-id":"cfe03996-e3bb-4460-82e4-f5ecbcf08040"}}}

May I know how to solve it? Many Thanks!

Hi

joust a small one, but in the example, you refer to:
Connect-AADExporter

Think it should be:
Connect-AzureADExporter

/Graves

Hi,

I try to export Users from AAD using this command: Export-AzureAD -Type Users -Path ./dump but after some time AccessToken expiring and I get the below error:

Export-AzureAD: /home/user/.local/share/powershell/Modules/AzureADExporter/1.0.957478/Export-AzureAD.ps1:140
Line |
 140 |  …             Export-AzureAD -Path $itemOutputFileName -Type $Type -Exp …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/users/3e153173-****-****-****-a8e385cba89f/authentication/phoneMethods HTTP/1.1 401 Unauthorized Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security:
     | max-age=31536000 request-id: 44369f81-****-****-****-e9dd0946da6c client-request-id: 44369f81-****-****-****-e9dd0946da6c x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West
     | Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF0*******"}} WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
     | client_id="00000003-0000-0000-c000-000000000000" Date: Fri, 20 Jan 2023 13:29:42 GMT Content-Type: application/json Content-Encoding: gzip  {"error":{"code":"InvalidAuthenticationToken","message":"Access token has expired
     | or is not yet valid.","innerError":{"date":"2023-01-20T13:29:43","request-id":"44369f81-****-****-****-e9dd0946da6c","client-request-id":"44369f81-****-****-****-e9dd0946da6c"}}}
    3e153173-****-****-****-a8e385cba89f Authentication/EmailMethods

How to handle this case without rewriting your script? I cannot see any options in the documentation.

Best regards

Firstly, would like to say this is not really an issue with the exporter.

I am looking into building a product that takes periodical backups of the data from the Azure Active Directory. Is there a way we can take a consistent backup of the entire Azure Active Directory i.e a backup with the logical relationships snapshotted consistently at a point in time. The graph APIs only provides a way to get Users, groups, roles in separate Rest API calls which could lead to some inconsistency. Or is there a way to put the active directory in a maintenance mode for the period of the backup to not take any write requests ?

Trying to run this on a desktop, monitoring powershell process with process monitor, when running Export-AzureAD -Path "C:\test123" -Type "Users", the only activity that happens is in %userprofile%/.graph + TCP connections, but nothing is written to disk in the specified location despite getting some apparently pertinent console output.

PS C:\> Export-AzureAD -Path "C:\test123" -Type "Users"
 Users
PS C:\> cd test123
cd : Cannot find path 'C:\test123' because it does not exist.
At line:1 char:1
+ cd test123
+ ~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\test123:String) [Set-Location], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

I tried multiple paths (for example in temp or in documents) and only some specific type, but nothing would happen. I also enabled long filenames.

Overview

Export-Entra does not seem to support USGov endpoints, or other national cloud endpoints.

Connect-EntraExporter Approach

The Connect-EntraExporter -Environment USGov is successful, however when running the Export-Entra with the -Debug parameter, it appears the graph.microsoft.com endpoint is being used.

Connect-MgGraph Approach

I also tested with connecting to graph directly (with -Environment USGov there as well), but Export-Entra has the same result. It still attempts to use the .com endpoint.

Suggestion

With the new (Get-MgContext).Environment, this may be easier to handle this than it was in the past.

Does anyone know if it's possible to use the azureadexporter with an Azure Managed Identity? Ideally would like to set this tool up in an Azure Automation Account to run each day which can login to each B2C tenant and backup all of its settings into a storage account.
I can run the tool manually and get the JSON files out but want to look at automating this instead,

I have installed the AzureADExporter module and whenever I try to connect, I get the below response.

I have tried installign the Graph module seperately. I am not able to connect to MgGraph and consequently unable to run the export.

Connect-MgGraph : The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or
if a path was included, verify that the path is correct and try again.
At C:\Users\CA-D-Win-Admin-17\Documents\WindowsPowerShell\Modules\AzureADExporter\1.0.908740\Connect-AzureADExporter.ps1:20 char:5

• Connect-MgGraph -TenantId $TenantId -Scopes 'Directory.Read.All',
  

• ~~~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Connect-MgGraph:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Get-MgContext : The term 'Get-MgContext' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At C:\Users\CA-D-Win-Admin-17\Documents\WindowsPowerShell\Modules\AzureADExporter\1.0.908740\Connect-AzureADExporter.ps1:34 char:5

• Get-MgContext
  

• ~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Get-MgContext:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Get-MgContext : The term 'Get-MgContext' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At C:\Users\CA-D-Win-Admin-17\Documents\WindowsPowerShell\Modules\AzureADExporter\1.0.908740\Connect-AzureADExporter.ps1:35 char:25

• $global:TenantID = (Get-MgContext).TenantId
  

•                     ~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Get-MgContext:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Hi all,

When we are using the exporter to export conditional access policies, the grant controls are null values when multiple values are selected in the portal.

So when we select two grant controls, for example:

1. Require device to be marked as compliant
2. Require approved client app

the value of the variable "builtInControls" in the JSON equals 'null'.

Is there a way to obtain both controls?

Thanks in advance.

Hi,

I exported the settings, changed a few settings, but how can I import the changes back to Azure AD?

Hello everyone,
I have a question regarding this project. Once I have exported the Azure AD objects, is there a way to restore or deploy them in the event of a disaster?

Thank you in advance.

I am trying to figure out whether it is possible to use "workload identity federation service connection" to authenticate instead of providing secret/certificate?

Does anyone have any experience with this topic?

Is it normal that each and every export steps prompts for authentication, even though I have run the Connect-AzureADExporter command, I am running as a Global Administrator, and the user does not need MFA?

Hi,

the latest mggraph release 2.11.0 breaks the Entra Export because of URL Encoding special characters:

microsoftgraph/msgraph-sdk-powershell#2455

You are encoding parts of the URI already. Because of this you are passing an URI string to Invoke-MgGraphRequest that contains a '%'.

As a temporary workaround I have pinned my Powershell Module for mggraph to 2.9.1 (I think also 2.10.0 should work) and this fixes the broken Entra export.

I tested Export-AzureAD -Path . -All on Windows PowerShell 5.1 and on PowerShell 7.2.6 today. The full export was successful in Windows PowerShell. When using PowerShell 7, the export of Localizations failed with the following response:

 Organization/Branding/Localizations.json
Export-AzureAD: GET https://graph.microsoft.us/v1.0/organization/[REDACTED]/branding/localizations
HTTP/1.1 404 Not Found
Cache-Control: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: [REDACTED]
client-request-id: [REDACTED]
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"USGov Arizona","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"[REDACTED]"}}
Date: Mon, 22 Aug 2022 20:21:08 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"Request_ResourceNotFound","message":"Empty segment encountered in request URL. Please make sure that a valid request URL is specified.","innerError":{"date":"2022-08-22T20:21:08","request-id":"[REDACTED]","client-request-id":"[REDACTED]"}}}

All other types were successful except for CAE Policy.

Hello,

i encountered the following error during a full export:

Export-AzureAD -Path 'C:\AzureADBackup' -all

Application was consented with all permissions and i got the error during the AccessReview Export.

 IdentityGovernance/AccessReviews
    842169fe-e1b7-4ce9-98b6-6a9db02eec6b
Invoke-MgGraphRequest : GET https://graph.microsoft.com/beta/accessReviews?$filter=(businessFlowTemplateId+eq+%27842169
fe-e1b7-4ce9-98b6-6a9db02eec6b%27)
HTTP/1.1 403 Forbidden

Workaround:

After some reverse Engineering, i found that my user account needs to have Identity Governance Administrator to be able to successfully export the access Reviews.

The export steps work fine until it gets to some DirectoryRoles.
I have run the Connect-AzureADExporter command, I am running as a Global Administrator, and the user does not need MFA?

In this run it is the Attribute Assignment Reader role.

Invoke-MgGraphRequest : Code: generalException
Message: Unexpected exception returned from MSAL.
At C:\Program Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\internal\Invoke-Graph.ps1:116 char:48
+ ...  $results = Invoke-MgGraphRequest -Method GET -Uri $uriQueryEndpointF ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-MgGraphRequest], AuthenticationException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest

PS C:\> $Error[0] | Select-Object *


writeErrorStream      : True
PSMessageDetails      :
Exception             : Microsoft.Graph.Auth.AuthenticationException: Code: generalException
                        Message: Unexpected exception returned from MSAL.
                         ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50196: The server terminated an
                        operation because it encountered a client request loop. Please contact your app vendor.
                        Trace ID: 4c78c73f-bb81-41f6-a2ba-7d0b2fd1a100
                        Correlation ID: aa47e6ed-c509-4025-a912-e486ee7d3029
                        Timestamp: 2022-07-22 14:11:17Z
                           at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse
                        response, RequestContext requestContext)
                           at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response,
                        RequestContext requestContext)
                           at Microsoft.Identity.Client.OAuth2.OAuth2Client.<ExecuteRequestAsync>d__11`1.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Identity.Client.OAuth2.OAuth2Client.<GetTokenAsync>d__10.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at
                        Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__8.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at
                        Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__8.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Identity.Client.OAuth2.TokenClient.<SendTokenRequestAsync>d__5.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<GetTokenResponseAsync>d__
                        11.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at
                        Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<ExecuteAsync>d__8.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__13.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.<ExecuteAsync>d__2.Mov
                        eNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at
                        Microsoft.Graph.Auth.InteractiveAuthenticationProvider.<GetNewAccessTokenAsync>d__18.MoveNext()
                           --- End of inner exception stack trace ---
                           at
                        Microsoft.Graph.Auth.InteractiveAuthenticationProvider.<GetNewAccessTokenAsync>d__18.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Graph.Auth.InteractiveAuthenticationProvider.<AuthenticateRequestAsync>d__17.Mo
                        veNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Graph.AuthenticationHandler.<SendAsync>d__16.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest.<GetResponseAsync>
                        d__105.MoveNext()
                        --- End of stack trace from previous location where exception was thrown ---
                           at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                           at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
                        task)
                           at Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest.<ProcessRecordAsyn
                        c>d__120.MoveNext()
TargetObject          :
CategoryInfo          : NotSpecified: (:) [Invoke-MgGraphRequest], AuthenticationException
FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Invoke-Graph<Process>, C:\Program
                        Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\internal\Invoke-Graph.ps1: line 116
                        at Export-AzureAD, C:\Program
                        Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\Export-AzureAD.ps1: line 112
                        at Export-AzureAD, C:\Program
                        Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\Export-AzureAD.ps1: line 140
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {0, 1}

Is it possible to show the option to remain signed in?

It is under Azure Active Directory -> Company Branding

When pulling Export-AzureAD -Path 'C:\AzureADBackup2\' -Type "Organization" I receive branding information but Show option to remain signed in is not included.

Do you know how I can receive this information?

Thanks

Hello,

after running the 'Export-AzureAD' command (without any issue) I am unable to open any of the .json output files. I tried opening it with the following editors:

• Notepad (native Windows)
• Notepad++
• Visual Studio Code

The command has been run 2 times where each time a new and empty folder was used.

The error message is the following:

Best regards,
LJ

The following error is encountered recently - this wasn't occuring a couple of weeks ago, so permissions should be OK (I think). The target environment is my lab, so not many Azure AD configuration changes.

The export is running on PowerShell Core on Windows or macOS with AzureADExporter 1.0.957478.

IdentityGovernance/EntitlementManagement/Settings
Export-AzureAD: /Users/aaron/projects/azuread-export/scripts/Export-AzureAD.ps1:16
Line |
  16 |  Export-AzureAD -Path "/Users/aaron/projects/azuread-export/azuread"
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/settings HTTP/1.1 409 Conflict
     | Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id:
     | 56214806-d0a8-4d7b-99f8-9b407f71d4df client-request-id: 56214806-d0a8-4d7b-99f8-9b407f71d4df x-ms-ags-diagnostic:
     | {"ServerInfo":{"DataCenter":"Australia
     | Southeast","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"ML1PEPF000058C8"}} Date: Mon, 01 Aug 2022 10:52:23 GMT
     | Content-Type: application/json Content-Encoding: gzip  {"error":{"code":"DuplicateKey","message":"There is already a
     | duplicated
     | entity.","innerError":{"date":"2022-08-01T10:52:24","request-id":"56214806-d0a8-4d7b-99f8-9b407f71d4df","client-request-id":"56214806-d0a8-4d7b-99f8-9b407f71d4df"}}}

This is the currently exported data at `IdentityGovernance/EntitlementManagement/Settings/singleton/singleton.json. Note that the result of this error is that this file is not exported:

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/settings/$entity",
  "daysUntilExternalUserDeletedAfterBlocked": 30,
  "externalUserLifecycleAction": "BlockSignInAndDelete",
  "id": "singleton"
}

Authn to Azure AD is via an app registration with the following permissions:

Currently the users manager is not included in the export. This is because the manager is not part of the default properties of a user object (see: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-beta#properties)

It would help to have to the users manager in the export to view hierarchical data.

Could you please publish a new version to PS Gallery from the tip of the main branch?
https://www.powershellgallery.com/packages/AzureADExporter

You may receive the following error[s] when exported JSON file paths are longer than 260 characters:

New-Item : Could not find a part of the path 'C:\Users\UserFolder\Repos\AADExporter\[ I Used My Tenant GUID ]\
OnPremisesPublishingProfiles\ApplicationProxy\ConnectorGroups\[GUID]\Applications\[GUID]\[GUID].json'.
At C:\Program Files\WindowsPowerShell\Modules\AzureADExporter\1.0.957478\Export-AzureAD.ps1:136 char:101
+ ... 00 | Out-File (New-Item -Path "$($parentOutputFileName).json" -Force)
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (C:\Users\...\....json:String) [New-Item], DirectoryNotFoundExce
   ption
    + FullyQualifiedErrorId : NewItemIOError,Microsoft.PowerShell.Commands.NewItemCommand

A workaround to this is to enable long paths via the Windows registry or a GPO setting. Run the following from an elevated PowerShell session and then close PowerShell before trying your export again:

New-ItemProperty `
    -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" `
    -Name "LongPathsEnabled" `
    -Value 1 `
    -PropertyType DWORD `
    -Force

Credit: @shaunluttin via https://bigfont.ca/enable-long-paths-in-windows-with-powershell/ and https://docs.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=powershell.

It might be worth adding this info to the README.

Is It possible to pull the value of LinkedIn account connections?

You can find it under Azure Active Directory -> Users -> Manage -> User settings.

We are seeing errors at different points when exporting users and only the following information is provided:

Error exporting Users: The property 'Message' cannot be found on this object. Verify that the property exists.

This error seems to originate here. I think the error handling code might need to be more defensive in order to expose the relevant issue.

In Get-EEDefaultSchema.ps1 'privilegedAccess/azureResources/resources', the IgnoreError string is set to: 'The tenant has not onboarded to PIM.'

When running the export with -All, I see the export fail on this endpoint with an error of: 'The tenant needs an AAD Premium 2 license.'

By changing the ignoreError string in this file, I can get the export to complete successfully.

If both error strings are possible under different conditions (e.g. a P1 license vs. a P2 license), perhaps in Export-Entra.ps1, the check against ignoreError could use a -match to allow use of a regex, and then ignore errors for this endpoint could be:
(The tenant has not onboarded to PIM.|The tenant needs an AAD Premium 2 license.)

Hello I'm having issue with exporting B2C configuration. I'm Using PS v.7+

If I run:
Export-Entra $tenantPath -Type "B2C"

It exports only: Identity/UserFlowAttributes

The other two:

• identity/userFlows
• identity/b2cUserFlows
  are failing with an error:
  BadRequest","message":"Resource not found for the segment 'b2cUserFlows'/'userFlows'

According to my research on the problem, I think that the reason is the last two are not present in Graph "v1.0" and only in Graph "beta" version.

Maybe if the schema is modified to include "ApiVersion = 'beta'" for these properties it will work...?

For our usecase it is not necessary to have the members for every dynamic group in the backup.
It might be relevant for others too.
The dynamic membership rule is enough to view as the dynamic members might change very frequently.

Perhaps it would be a good idea to enable a switch like "-ExcludeDynamicGroupMembers" where we only have the owners and group properties exported.

The possibility to leave the members out will also reduce the runtime of the script

Where can we find a listing of the valid filter values?

The requests for accessReviews started returning an error:

Line |
 116 |  …  $results = Invoke-MgGraphRequest -Method GET -Uri $uriQueryEndpointF …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | GET https://graph.microsoft.com/beta/accessReviews?$filter=(businessFlowTemplateId+eq+%27832169fe-e1b7-4ce9-98b6-6a8db52eec6b%27) HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000
     | request-id: ff479254-14a6-4c3c-9788-9cf650faedad client-request-id: 0caa3695-534d-4433-bb78-5a34fc5cd217 x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Sweden Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"GV2PEPF00000EB1"}} Date: Thu,
     | 17 Aug 2023 08:09:37 GMT Content-Type: application/json Content-Encoding: gzip  {"error":{"code":"","message":"Attempted to perform an unauthorized
     | operation.","innerError":{"date":"2023-08-17T08:09:38","request-id":"ff479254-14a6-4c3c-9788-9cf650faedad","client-request-id":0caa3695-534d-4433-bb78-5a34fc5cd217"}}}
    7fbc901b-efe1-4c72-8ae6-99cb80b582de

The reason seems to be that this endpoint is deprecated and a replacement exists:

This version of the access review API is deprecated and will stop returning data on May 19, 2023. Please use access reviews API.

https://learn.microsoft.com/en-us/graph/api/accessreview-list?view=graph-rest-beta&tabs=http#code-try-1

I tested Export-AzureAD -Path . -All on Windows PowerShell 5.1 and on PowerShell 7.2.6 today. The full export was successful in Windows PowerShell. When using PowerShell 7, the export of Continuous Access Evaluation Policy failed with the following response:

 Identity/ContinuousAccessEvaluationPolicy
Export-AzureAD: GET https://graph.microsoft.us/beta/identity/continuousAccessEvaluationPolicy
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: [REDACTED]
client-request-id: [REDACTED]
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"USGov Arizona","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"[REDACTED]"}}
Date: Mon, 22 Aug 2022 20:21:13 GMT
Content-Type: application/json
Content-Encoding: gzip
{"error":{"code":"BadRequest","message":"Resource not found for the segment 'continuousAccessEvaluationPolicy'.","innerError":{"date":"2022-08-22T20:21:14","request-id":"[REDACTED]","client-request-id":"[REDACTED]"}}}

All other types were successful except for localizations.

The list of environment names used for tab autocomplete in Connect-AzureADExporter is currently "hard coded." It would be better to dynamically base it on Azure's current list.

https://github.com/microsoft/azureadexporter/blob/b3f888856ae92ca18fd5d505666428b50d5d559f/src/Connect-AzureADExporter.ps1#L20

Since this module uses the Graph API, Get-MgEnvironment is probably the best way to pull the reference list.

I've created an Azure application, grant it a "Global reader" role + all graph permission needed.

If used in PowerShell 5.1 on my local computer like:

$ApplicationId = "appid"
$SecuredPassword = "password"
$tenantID = "tenant.onmicrosoft.com"

$SecuredPasswordPassword = ConvertTo-SecureString -String $SecuredPassword -AsPlainText -Force
$ClientSecretCredential = New-Object `
    -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $ApplicationId, $SecuredPasswordPassword

Connect-MgGraph -TenantId $tenantID -ClientSecretCredential $ClientSecretCredential -NoWelcome

Export-Entra "C:\prod-backup" -All

everything works fine and Azure settings are backed up. If the same code is called inside the Azure DevOps pipeline, it throws an error

Any ideas what is going on? The same Graph and EntraExported modules version are used.

Trying to connect to a USGov instance with the current Connect-AzureADExporter results in an error.

Connect-MgGraph : Returned state(_____) from authorize endpoint is not the same as the one
sent(_____). See https://aka.ms/msal-statemismatcherror for more details.
At C:\Program Files\WindowsPowerShell\Modules\azureadexporter\1.0.908740\Connect-AzureADExporter.ps1:20 char:5
+     Connect-MgGraph -TenantId $TenantId -Scopes 'Directory.Read.All',
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-MgGraph], MsalClientException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

The property 'TenantId' cannot be found on this object. Verify that the property exists.
At C:\Program Files\WindowsPowerShell\Modules\azureadexporter\1.0.908740\Connect-AzureADExporter.ps1:35 char:5
+     $global:TenantID = (Get-MgContext).TenantId
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

I'm not sure if you want to go down the route of supporting different instance logins with the Connect-AzureADExporter module, or if you just want to direct people to manually connecting with Connect-MgGraph if they use an instance other than Global.

PR #14 has been submitted with a simple change to allow the instance\environment name to be specified. I have tested this with a GCC-High instance successfully so far.

Thanks!
Sam

When running -All -CloudOnly, we see the following error occur:

##[debug] GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$skiptoken=fIO1247ezEmz1lviT8FLJQ
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 7c5e8fb4-6e4d-43e5-9819-448fd17aee46
client-request-id: 1e4a4c8c-93bf-4607-8fa4-832c89993e18
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0001E78A"}}
Date: Wed, 03 Jan 2024 13:27:11 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"InvalidFilter","message":"The filter is invalid.","innerError":{"date":"2024-01-03T13:27:11","request-id":"7c5e8fb4-6e4d-43e5-9819-448fd17aee46","client-request-id":"1e4a4c8c-93bf-4607-8fa4-832c89993e18"}}}

Hi,

There is an endpoint that contains all configuration related to AD Sync - 'beta/directory/onPremisesSynchronization/{TenantID}' which should be easy to add and will add value to the exported configuration. Will you consider adding this?

Hello Team,

do you have plans to work on updating AzureAD B2C endpoints?
We used to use your great tool for documenting B2C but seems like it doesn't work anymore (because of the recent endpoint change).

This is great. However, it would be even more awesome if it exported some type of csv report that includes all data that was exported in an easy-to-read format.

I want to use this repository as a backup for my Azure AD configuration. Is there a way to restore an Azure AD with the export from this script?

Thanks!

Hello Everyone
I set up the pipeline with a Service-Principal, for which all the relevant API-Permissions have been consented.

Additionally I use Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $clientSecretCredential to be able to authenticate properly with clientid and clientsecret.
I made sure that the app has the sufficient privileges by running Get-MgContext | Select-Object -ExpandProperty Scopes

After that I run Export-Entra $path -All, but receive the following output

Starting backup...
 Organization/Organization.json
 Organization/Settings.json
Response status code does not indicate success: Forbidden (Forbidden)

Long story short:
Is it possible to use this script with application-based permissions?

Hi,

For these that are not master in power shell, please add instructions of how to use the git sources and not download the module from the microsoft repository.

I had to fix the scripts, and invested long time in trying to figure how to do this and failed...

BTW: If I find this usable, for sure I will not use power shell and convert everything to python... there is no single advantage to implement something that performs standard RestAPI in power shell.

Thanks,

Greetings!

Unfortunately, one of my two CA policies were missing in the export. I have a really small test environment for tests where I am looking into the azureadexporter.

I tried with -All as well as "-Type "ConditionalAccess" and default with same result.

Thanks for a cool and needed exporter!

Hi,

Can we add a statement to address if AADExporter will export any sensitive data out of AAD, such as password, secret, certificate, etc?

Thanks,
Neal

I try to use the tool but the export dir is just empty after each run.
I got some errors but it looks like it is running to completion.

`
PS C:\AzureADBackup> Export-AzureAD -Path 'C:\AzureADBackup' -All
Organization/Organization.json
Organization/Settings.json
Organization/Branding/Localizations.json
Organization/CertificateBasedAuthConfiguration.json
Domains
Identity/APIConnectors
Export-AzureAD : GET https://graph.microsoft.com/beta/identity/apiConnectors
HTTP/1.1 500 Internal Server Error
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 46d1a0a4-c748-4c6f-a0b4-0ad78b041176
client-request-id: 46d1a0a4-c748-4c6f-a0b4-0ad78b041176
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":
"AM4PEPF0000C4CC"}}
Date: Wed, 18 Aug 2021 14:10:33 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InternalServerError","message":"Unable to find target address","innerError":{"date":"2021-08-18T14:10
:34","request-id":"46d1a0a4-c748-4c6f-a0b4-0ad78b041176","client-request-id":"46d1a0a4-c748-4c6f-a0b4-0ad78b041176"}}}
At line:1 char:1

• Export-AzureAD -Path 'C:\AzureADBackup' -All

•   + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-AzureAD
  
  

IdentityProviders
Identity/ContinuousAccessEvaluationPolicy
SubscribedSkus
DirectoryRoles
Identity/B2XUserFlows
Policies/IdentitySecurityDefaultsEnforcementPolicy
Policies/AuthorizationPolicy
Policies/FeatureRolloutPolicies
Policies/ActivityBasedTimeoutPolicy
Policies/HomeRealmDiscoveryPolicy
Policies/ClaimsMappingPolicy
Policies/TokenIssuancePolicy
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/Email.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/FIDO2.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/MicrosoftAuthenticator.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/SMS.json
Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/TemporaryAccessPass.json
Policies/AdminConsentRequestPolicy
Policies/PermissionGrantPolicies
Identity/Conditional/AccessPolicies
Identity/Conditional/NamedLocations
IdentityGovernance\EntitlementManagement\AccessPackages
IdentityGovernance/AccessReviews
IdentityGovernance/TermsOfUse/Agreements
IdentityGovernance/EntitlementManagement/ConnectedOrganizations
IdentityGovernance/EntitlementManagement/Settings
AdministrativeUnits
PrivilegedAccess/AADRoles/Resources
PrivilegedAccess/AzureResources/Resources
Export-AzureAD : GET https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources
HTTP/1.1 500 Internal Server Error
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: dc96cfdb-9380-4839-bc63-6860ac4cd350
client-request-id: dc96cfdb-9380-4839-bc63-6860ac4cd350
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":
"AM4PEPF0000DE2B"}}
Date: Wed, 18 Aug 2021 14:11:04 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"InternalServerError","message":"Unable to find target address","innerError":{"date":"2021-08-18T14:11
:04","request-id":"dc96cfdb-9380-4839-bc63-6860ac4cd350","client-request-id":"dc96cfdb-9380-4839-bc63-6860ac4cd350"}}}
At line:1 char:1

• Export-AzureAD -Path 'C:\AzureADBackup' -All

•   + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-AzureAD
  
  

OnPremisesPublishingProfiles/Provisioning.json
OnPremisesPublishingProfiles/Provisioning/PublishedResources
OnPremisesPublishingProfiles/Provisioning/AgentGroups
OnPremisesPublishingProfiles/Provisioning/Agents
OnPremisesPublishingProfiles/ApplicationProxy/Connectors
OnPremisesPublishingProfiles/ApplicationProxy/ConnectorGroups
Groups
GroupSettings
Applications
ServicePrincipals
Users
`

@merill and folks, this is awesome. What is the easiest way to import / restore this back in to an Entra ID tenant?

I'm curious about the step on line 191 of the readme that removes all items in the target export folder:

$tenantPath = './<tenant export path>'
$tenantId = '<tenant id>'
Write-Host 'git checkout main...'
git config --global core.longpaths true #needed for Windows
git checkout main

Write-Host 'Clean git folder...'
Remove-Item $tenantPath -Force -Recurse

Is the purpose of this to start with a clean slate, or is it required to prevent issues with git?