From 9b14cbfcf1de1d498f6b02ccc19e337cddd329c7 Mon Sep 17 00:00:00 2001 From: rgunst Date: Wed, 11 Mar 2026 19:51:45 +0100 Subject: [PATCH] Fix permission scope for authenticationMethodConfigurations endpoints The 8 authenticationMethodConfigurations endpoints (email, fido2, microsoftAuthenticator, sms, temporaryAccessPass, softwareOath, voice, x509Certificate) declared Policy.Read.All as the required permission. However, the Microsoft Graph API requires Policy.Read.AuthenticationMethod for these endpoints. Policy.Read.All does not cover authentication method policies, resulting in 403 errors when the correct scope has not been separately consented. Changed DelegatedPermission and ApplicationPermission from Policy.Read.All to Policy.Read.AuthenticationMethod for all 8 endpoints. Co-Authored-By: Claude Opus 4.6 --- src/Get-EEDefaultSchema.ps1 | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/Get-EEDefaultSchema.ps1 b/src/Get-EEDefaultSchema.ps1 index 3a9f6e7..2bf79fd 100644 --- a/src/Get-EEDefaultSchema.ps1 +++ b/src/Get-EEDefaultSchema.ps1 @@ -272,57 +272,57 @@ function Get-EEDefaultSchema { GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/Email.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/FIDO2.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/MicrosoftAuthenticator.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/sms' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/SMS.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/TemporaryAccessPass.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/SoftwareOath.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/Voice.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate' Path = 'Policies/AuthenticationMethodsPolicy/AuthenticationMethodConfigurations/X509Certificate.json' Tag = @('All', 'Config', 'Policies') - DelegatedPermission = 'Policy.Read.All' - ApplicationPermission = 'Policy.Read.All' + DelegatedPermission = 'Policy.Read.AuthenticationMethod' + ApplicationPermission = 'Policy.Read.AuthenticationMethod' }, @{ GraphUri = 'policies/adminConsentRequestPolicy'