error: The type eq 'subscription' or type eq 'managementgroup' filter is invalid. #217

Open
patkiamit opened this issue Nov 29, 2023 · 11 comments

@patkiamit

AzGovViz version
6.3.4

CodeRunPlatform
Azure DevOps

Describe the bug
Azure DevOps pipeline failed with the below error

Screenshots
2023-11-29T11:46:00.5004337Z !f97434b8 Please report at aka.ms/AzGovViz and provide the following dump
2023-11-29T11:46:00.5014629Z [AzAPICallErrorHandler 1.1.84] Get PIM onboarded Subscriptions and Management Groups try #1; uri:"https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$select=id%2cdisplayName%2ctype%2cexternalId&$expand=parent&$filter=(type+eq+%27subscription%27+or+type+eq+%27managementgroup%27)&$skiptoken=b4NY2ZLEyNFBEHQKBIVA"; return: (StatusCode: '400' (BadRequest)) <.code: ''> <.error.code: 'InvalidFilter'> | <.message: ''> <.error.message: 'The type eq 'subscription' or type eq 'managementgroup' filter is invalid.'> - (plain : @{error=}) - AzAPICall: Stop
2023-11-29T11:46:00.5019099Z Parameters:
2023-11-29T11:46:00.5026304Z accountType:ServicePrincipal
2023-11-29T11:46:00.5049562Z ARMLocations:asia asiapacific australia australiacentral australiacentral2 australiaeast australiasoutheast brazil brazilsouth brazilsoutheast brazilus canada canadacentral canadaeast centralindia centralus centraluseuap centralusstage eastasia eastasiastage eastus eastus2 eastus2euap eastus2stage eastusstage eastusstg europe france francecentral francesouth germany germanynorth germanywestcentral global india israelcentral italynorth japan japaneast japanwest jioindiacentral jioindiawest korea koreacentral koreasouth northcentralus northcentralusstage northeurope norway norwayeast norwaywest polandcentral qatarcentral singapore southafrica southafricanorth southafricawest southcentralus southcentralusstage southcentralusstg southeastasia southeastasiastage southindia sweden swedencentral switzerland switzerlandnorth switzerlandwest uae uaecentral uaenorth uk uksouth ukwest unitedstates unitedstateseuap westcentralus westeurope westindia westus westus2 westus2stage westus3 westusstage
2023-11-29T11:46:00.5059455Z azAccountsVersion:n/a
2023-11-29T11:46:00.5069080Z azAPICallModuleVersion:1.1.84
2023-11-29T11:46:00.5078287Z azureCloudEnvironment:AzureCloud
2023-11-29T11:46:00.5087616Z codeRunPlatform:AzureDevOps
2023-11-29T11:46:00.5097099Z debugAzAPICall:False
2023-11-29T11:46:00.5116015Z debugWriteMethod:Host
2023-11-29T11:46:00.5124248Z DoAzureConsumption:False
2023-11-29T11:46:00.5133744Z DoNotIncludeResourceGroupsAndResourcesOnRBAC:False
2023-11-29T11:46:00.5143333Z DoNotIncludeResourceGroupsOnPolicy:False
2023-11-29T11:46:00.5152765Z DoNotShowRoleAssignmentsUserData:True
2023-11-29T11:46:00.5406294Z DoPSRule:False
2023-11-29T11:46:00.5418259Z GitHubActionsOIDC:False
2023-11-29T11:46:00.5427382Z gitHubRepository:aka.ms/AzGovViz
2023-11-29T11:46:00.5436805Z HierarchyMapOnly:False
2023-11-29T11:46:00.5447107Z LargeTenant:True
2023-11-29T11:46:00.5458207Z ManagementGroupsOnly:False
2023-11-29T11:46:00.5467439Z NoALZPolicyVersionChecker:False
2023-11-29T11:46:00.5476917Z NoJsonExport:False
2023-11-29T11:46:00.5486003Z NoMDfCSecureScore:True
2023-11-29T11:46:00.5496596Z NoNetwork:False
2023-11-29T11:46:00.5507005Z NoPolicyComplianceStates:False
2023-11-29T11:46:00.5516080Z NoResourceProvidersAtAll:True
2023-11-29T11:46:00.5525011Z NoResourceProvidersDetailed:False
2023-11-29T11:46:00.5534091Z NoResources:False
2023-11-29T11:46:00.5543454Z NoStorageAccountAccessAnalysis:False
2023-11-29T11:46:00.5561542Z onAzureDevOps:True
2023-11-29T11:46:00.5569978Z onAzureDevOpsOrGitHubActions:True
2023-11-29T11:46:00.5586796Z onGitHubActions:False
2023-11-29T11:46:00.5595841Z PolicyAtScopeOnly:True
2023-11-29T11:46:00.5614891Z ProductVersion:6.3.4
2023-11-29T11:46:00.5631170Z PSRuleFailedOnly:False
2023-11-29T11:46:00.5649071Z psVersion:7.2.16
2023-11-29T11:46:00.5656990Z RBACAtScopeOnly:True
2023-11-29T11:46:00.5675034Z skipAzContextSubscriptionValidation:False
2023-11-29T11:46:00.5692046Z subscriptionId4AzContext:undefined
2023-11-29T11:46:00.5708654Z subscriptionQuotaId:EnterpriseAgreement_2014-09-01
2023-11-29T11:46:00.5726085Z tenantId4AzContext:undefined
2023-11-29T11:46:00.5734626Z ThrottleLimit:10
2023-11-29T11:46:00.5743830Z userType:n/a
2023-11-29T11:46:00.5752921Z writeMethod:Host
2023-11-29T11:46:00.5759010Z [AzAPICallErrorHandler 1.1.84] Get PIM onboarded Subscriptions and Management Groups try #1; uri:"https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$select=id%2cdisplayName%2ctype%2cexternalId&$expand=parent&$filter=(type+eq+%27subscription%27+or+type+eq+%27managementgroup%27)&$skiptoken=b4NY2ZLEyNFBEHQKBIVA"; return: (StatusCode: '400' (BadRequest)) <.code: ''> <.error.code: 'InvalidFilter'> | <.message: ''> <.error.message: 'The type eq 'subscription' or type eq 'managementgroup' filter is invalid.'> - unhandledErrorAction: Stop
2023-11-29T11:46:00.6338041Z Exception:
2023-11-29T11:46:00.6338477Z Line |
2023-11-29T11:46:00.6339082Z  832 | Throw 'Error - check the last console output for details'
2023-11-29T11:46:00.6340173Z      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2023-11-29T11:46:00.6340986Z      | Error - check the last console output for details
2023-11-29T11:46:00.7383355Z ##[error]PowerShell exited with code '1'.
2023-11-29T11:46:00.7434406Z ##[section]Finishing: Run Azure Governance Visualizer


@patkiamit patkiamit changed the title error debug error dump Nov 29, 2023
@JulianHayward
Owner

@patkiamit thanks for reporting, but it sounds odd :) Does this happen every time you run it?

What happens if you run this?

$uri = 'https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources?$select=id%2cdisplayName%2ctype%2cexternalId&$expand=parent&$filter=(type+eq+%27subscription%27+or+type+eq+%27managementgroup%27)'

Invoke-AzRestMethod -Uri $uri

ref - connect as service principal

@patkiamit
Author

patkiamit commented Nov 30, 2023

Hi, thanks for the reply. I tested the above URL and was able to get the output. Till 28th Nov everything worked well with no issue; it started from yesterday.

Headers : {[Transfer-Encoding, System.String[]], [Strict-Transport-Security, System.String[]], [request-id, System.String[]], [client-request-id, System.String[]]...}
Version : 1.1
StatusCode : 200
Method : GET
Content : {"@odata.context":"https://graph.microsoft.com/beta/$metadata#governanceResources(id,displayName,type,externalId,parent())","@odata.nextLink":"https://graph.microsoft.com/beta/privilegedAccess/az
ureResources/resources?$select=id%2cdisplayName%2ctype%2cexternalId&$expand=parent&$filter=(type+eq+%27subscription%27+or+type+eq+%27managementgroup%27)&$skiptoken=L0DwjWpAm0udxnBgvv-uCQ","value"
:[............................................................................................................long output..........................................................
teTime":null,"managedAt":null,"registeredRoot":null,"originTenantId":null}}]}

@kaiaschulz
Contributor

kaiaschulz commented Nov 30, 2023

@patkiamit I was able to reproduce the issue on my side as well.
The first call was successful (HTTP status code: 200 (OK)) and all others are failing (HTTP status code: 400 (BadRequest)), which is related to the $skiptoken.

@patkiamit
Author

> @patkiamit I was able to reproduce the issue on my side as well. The first call was successful (HTTP status code: 200 (OK)) and all others are failing (HTTP status code: 400 (BadRequest)), which is related to the $skiptoken.

I run the URL separately with the skiptoken as well, and it runs without issue, but in the script it always fails.

@kaiaschulz
Contributor

Hi @patkiamit,
this Microsoft Graph API request is responding with 200 results by default. So, the problem should only happen if your count is greater than that.
Even with a $top=999 it will max. respond with 200 results.
If you have more than the default 200 PIM assignments (after 28th November?), this will cause the issue.
After that, it is starting the paging.
It seems that the $filter is somehow the problem of the second call in combination with the $skiptoken.

How were you able to use the url with skiptoken?
Could you please provide your test?

In my case, neither AzAPICall nor the Invoke-AzRestMethod command is working.

OUTPUT:

{"error":{"code":"InvalidFilter","message":"The type eq 'subscription' or type eq 'managementgroup' filter is invalid.","innerError":{"date":"2023-11-30T11:12:46","request-id":"x","client-request-id":"y"}}}

Nevertheless, without $filter it isn't working either:

{"error":{"code":"InvalidFilter","message":"The  filter is invalid.","innerError":{"date":"2023-11-30T11:26:57","request-id":"xx","client-request-id":"yy"}}}
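
The paging failure described in the comment above, as an added example that is not AzGovViz or AzAPICall code: a loop that follows `@odata.nextLink` and, when a continuation page returns an error such as `InvalidFilter`, returns the items collected so far flagged as incomplete, so a caller can tell a partial PIM inventory from a complete one. `Get-GraphPagedResult`, its `$Fetch` parameter, the stub and the `graph.example` URLs are hypothetical.

```powershell
# Added example (hypothetical helper, not AzGovViz/AzAPICall code).
# $Fetch takes a URI and returns an object with .StatusCode and .Content,
# the shape Invoke-AzRestMethod returns.
function Get-GraphPagedResult {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [scriptblock]$Fetch = { param($u) Invoke-AzRestMethod -Uri $u -Method GET }
    )
    $items = [System.Collections.Generic.List[object]]::new()
    $page = 0
    $next = $Uri
    while ($next) {
        $page++
        $resp = & $Fetch $next
        $body = $resp.Content | ConvertFrom-Json
        if ($resp.StatusCode -ne 200) {
            # A failure on page 1 is fatal; on a continuation page keep what was
            # collected but flag the inventory as incomplete.
            if ($page -eq 1) { throw "Graph call failed: $($resp.StatusCode) $($body.error.code)" }
            return [pscustomobject]@{ Complete = $false; FailedPage = $page
                ErrorCode = $body.error.code; Items = $items }
        }
        foreach ($v in $body.value) { $items.Add($v) }
        $next = $body.'@odata.nextLink'   # absent on the last page, so $null ends the loop
    }
    [pscustomobject]@{ Complete = $true; FailedPage = $null; ErrorCode = $null; Items = $items }
}

# Constructed stub reproducing the thread's behaviour: page 1 returns 200 with a
# nextLink carrying $skiptoken, the follow-up call returns 400 InvalidFilter.
$stub = {
    param($u)
    if ($u -like '*skiptoken*') {
        [pscustomobject]@{ StatusCode = 400
            Content = '{"error":{"code":"InvalidFilter","message":"constructed"}}' }
    } else {
        [pscustomobject]@{ StatusCode = 200
            Content = '{"@odata.nextLink":"https://graph.example/resources?$skiptoken=CONSTRUCTED","value":[{"id":"1","type":"subscription"},{"id":"2","type":"managementgroup"}]}' }
    }
}

$r = Get-GraphPagedResult -Uri 'https://graph.example/resources' -Fetch $stub
"{0} items, complete={1}, page {2} failed with {3}" -f $r.Items.Count, $r.Complete, $r.FailedPage, $r.ErrorCode
```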

@patkiamit
Author

> Hi @patkiamit, this Microsoft Graph API request is responding with 200 results by default. So, the problem should only happen if your count is greater than that. Even with a $top=999 it will max. respond with 200 results. If you have more than the default 200 PIM assignments (after 28th November?), this will cause the issue. After that, it is starting the paging. It seems that the $filter is somehow the problem of the second call in combination with the $skiptoken.
>
> How were you able to use the url with skiptoken? Could you please provide your test?
>
> In my case, neither AzAPICall nor the Invoke-AzRestMethod command is working.
>
> OUTPUT:
>
> {"error":{"code":"InvalidFilter","message":"The type eq 'subscription' or type eq 'managementgroup' filter is invalid.","innerError":{"date":"2023-11-30T11:12:46","request-id":"x","client-request-id":"y"}}}
>
> Nevertheless, without $filter it isn't working either:
>
> {"error":{"code":"InvalidFilter","message":"The  filter is invalid.","innerError":{"date":"2023-11-30T11:26:57","request-id":"xx","client-request-id":"yy"}}}

Yes, I am running the script in a large tenant with many subscriptions. Do we have any workaround for it?

@JulianHayward JulianHayward changed the title error dump error: The type eq 'subscription' or type eq 'managementgroup' filter is invalid. Dec 1, 2023
@JulianHayward
Owner

meanwhile seeing/hearing this from other tenants, too.

Workaround until the issue is fixed: use the parameter -NoPIMEligibility.

Using a beta Microsoft Graph API here which is announced for deprecation; elaboration migration path to Azure Resource Manager (ARM) API

@JulianHayward
Owner

reopen for reference / to be closed when fixed

@kaiaschulz
Contributor

kaiaschulz commented Mar 28, 2024

Hey @JulianHayward,
any updates on this topic?
The eligible assignments of the Privileged Identity Management (PIM) are still giving us a hard time.
Actually tested with v6.4.3.

@JulianHayward
Owner

hey @kaiaschulz - no progress, yet :(

@stevenoneill

Love the tool! We're also hitting this. Keeping an eye on the thread.
