Differences in data returned from Get-MgOauth2PermissionGrant vs Get-AzureADOAuth2PermissionGrant #2469

Closed
robinmalik opened this issue Nov 29, 2023 · 6 comments

robinmalik commented Nov 29, 2023

Describe the bug

I'm attempting to migrate code to the Microsoft Graph and have noticed differences between Get-MgOauth2PermissionGrant and Get-AzureADOAuth2PermissionGrant. Specifically, that the Graph calls are missing data.

To use one example, Adobe Acrobat, that has been granted access to 3 resources (by a number of users):

  • Microsoft Graph: User.Read
  • Office 365 SharePoint Online: MyFiles.Write
  • Windows Azure Active Directory: Directory.AccessAsUser.All

The data returned by Get-MgOauth2PermissionGrant shows grants for only 1 of these (Windows Azure Active Directory: Directory.AccessAsUser.All) but Get-AzureADOAuth2PermissionGrant shows all 3.

To Reproduce

C:\> (Get-MgOauth2PermissionGrant -All).count
1559
C:\> (Get-AzureADOAuth2PermissionGrant -All:$true).count
2694

Expected behavior

  • Returned permission grants count is equal.

Debug Output

DEBUG: [CmdletBeginProcessing]: - Get-MgOauth2PermissionGrant begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.All, AuditLog.Read.All, Chat.Create, Chat.ReadWrite, Directory.Read.All, email, Group.Read.All, Group.ReadWrite.All, Mail.ReadWrite,
 openid, Organization.Read.All, People.Read, Policy.Read.All, Policy.ReadWrite.ApplicationConfiguration, profile, Sites.Manage.All, Tasks.ReadWrite, Team.ReadBasic.All, TeamworkTag.Read,
User.Read, User.Read.All, User.ReadBasic.All, User.ReadWrite.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/oauth2PermissionGrants

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22635; en-GB),PowerShell/5.1.22621.2706
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.10.0
client-request-id             : aa83b73e-9978-4683-9f84-c82708fc8bd3

... a bunch of grant objects returned as debug and stdout, and this repeats until paging for all results is complete ...

DEBUG: [CmdletEndProcessing]: - Get-MgOauth2PermissionGrant end processing.

Module Version

All Graph modules are 2.10.0.

Environment Data

Name                           Value
----                           -----
PSVersion                      7.4.0
PSEdition                      Core
GitCommitId                    7.4.0
OS                             Microsoft Windows 10.0.22635
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

also


Name                           Value
----                           -----
PSVersion                      5.1.22621.2706
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2706
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

@robinmalik
Author

To add: Both using the beta version of the module, and running a GET /oauth2PermissionGrants via the Graph Explorer (with ConsistencyLevel: Eventual as a header) and extracting the paged results, result in the same count (1559).

@timayabi2020
Contributor

@robinmalik you are now able to pass custom headers with the current SDK version (2.15.0).
(Get-MgOauth2PermissionGrant -All -Headers @{ 'ConsistencyLevel' = 'eventual' }).count
Please let us know if that will help.

@commakoerschgen

If I additionally use the -CountVariable parameter, this gives me seemingly correct results.

@MikeGitUser

MikeGitUser commented Jan 23, 2025

Hi,

I'm seeing the same issue. It seems to be missing many of the Delegated permissions/scopes for one specific App. All the other App Delegated authenticated permissions seem to be returned.

The interesting thing is if I filter for the specific App ClientID, then all 270 "user" Delegated permissions are successfully returned as expected. If I just pull "all" the permissions without specifying a filter, then only 44 are returned in the result set for this specific App.

The workarounds above don't seem to make a difference.

The following "successfully" returns all 270 expected user Delegated permission authentications for the app. As mentioned, only 44 are returned for this app if I pull everything without specifying a filter!

Get-MgOauth2PermissionGrant -Filter "ClientId eq '988d0424-9a1b-499a-919a-zzzzzzzzzzzz'" -All

Running Microsoft.Graph 2.25.0

Thanks!

@MikeGitUser

MikeGitUser commented Jan 23, 2025

Adding on to the comment above. Looks like the issue is a paging issue. Please see below.

The number I'm expecting is 839. With no -PageSize I get 613. With -PageSize 999 I get the expected number, which also matches the output of (Get-AzureADOAuth2PermissionGrant -All $true).Count

No -PageSize
PS C:> (Get-MgOauth2PermissionGrant -All).Count
613

Following is what I see when I add the -PageSize with different sizes.

PS C:> (Get-MgOauth2PermissionGrant -PageSize 1 -All).Count
383
PS C:> (Get-MgOauth2PermissionGrant -PageSize 10 -All).Count
505
PS C:> (Get-MgOauth2PermissionGrant -PageSize 100 -All).Count
613
PS C:> (Get-MgOauth2PermissionGrant -PageSize 500 -All).Count
796
PS C:> (Get-MgOauth2PermissionGrant -PageSize 999 -All).Count
839

Regardless of -PageSize, shouldn't it always return the same record count?

Thanks!

@MikeGitUser

Hi @timayabi2020, Would it be possible to reopen this? Please see comments above.

Thanks!
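
Added example (not part of the thread and not code from the SDK project): a completeness check for delegated-grant audits, comparing the unfiltered listing at two of the page sizes tried above against per-client filtered queries. It assumes an existing Connect-MgGraph session with Directory.Read.All, and it treats the filtered results as the reference only because the comments above report that filtering by client returned the expected grants; it issues one request per service principal.

```powershell
# Added example: completeness check for Get-MgOauth2PermissionGrant listings.
# Assumes an existing Connect-MgGraph session with Directory.Read.All.

# Reference set: one filtered query per service principal, keyed by grant id.
# Dictionary[string, object] compares keys ordinally; a PowerShell @{} hashtable
# is case-insensitive and could merge ids that differ only by case.
$reference = [System.Collections.Generic.Dictionary[string, object]]::new()
foreach ($sp in Get-MgServicePrincipal -All -Property Id) {
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
    foreach ($g in $grants) { $reference[$g.Id] = $g }
}

# Unfiltered listing at two of the page sizes compared in the thread.
$report = foreach ($size in 100, 999) {
    $raw  = @(Get-MgOauth2PermissionGrant -All -PageSize $size)
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($g in $raw) { [void]$seen.Add($g.Id) }

    # Grants the per-client queries returned but this listing did not.
    $missing = @($reference.Values | Where-Object { -not $seen.Contains($_.Id) })
    [pscustomobject]@{
        PageSize        = $size
        RawCount        = $raw.Count          # objects returned, duplicates included
        UniqueIds       = $seen.Count         # distinct grant ids returned
        ReferenceCount  = $reference.Count
        MissingCount    = $missing.Count
        ClientsAffected = @($missing | Group-Object ClientId).Count
    }
}
$report | Format-Table -AutoSize

# A non-zero MissingCount means a consent audit built on that listing is incomplete.
if ($report | Where-Object MissingCount -gt 0) {
    Write-Warning 'Unfiltered listing omitted grants that per-client queries returned.'
}
```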
