I ran the Invoke-AADAssessmentDataCollection PowerShell scripts to acquire the Azure AD information. Without any error message this process succeeds. Also the report generation Complete-AADAssessmentReports runs succesfully.
In the AzureADAssessment PowerBI overview I have the following 4 tabs: Roles & Notification - App Assignments - App keys - Consent Grant.

However when I go through the Assessment guide it references to the following tabs in PowerBI which I seem to be missing.
Power BI: Tab "AADCH – Alerts", "Sync Performance", and "Sync – Object Count"

Am I missing something, need to run another script/parameter to get the AAD Connect Health information? My account has Global Reader access to the tenant. Thanks.

Whenever I run Invoke-AADAssessmentDataCollection I get the following error:

Catch-MsGraphError: C:\Users\USER\Documents\PowerShell\Modules\AzureADAssessment\2.2.2\internal\Get-MsGraphResults.ps1:308
Line |
308 | catch { Catch-MsGraphError $_ }
| ~~~~~~~~~~~~~~~~~~~~~
| The property 'StatusDescription' cannot be found on this object. Verify that the property exists.

The slide deck contains a phrase "follow up with GTP PM" what does GTP mean?

why are there 2 separate PowerBI files? how are they intended to be used? What are the instructions for logging in with them?

Getting an error that the application has been disabled by Microsoft, just checking to see if there is another version.

When running Invoke-AADAssessmentDataCollection -OutputDirectory 'C:\Temp\azureadassessment' I get an error.

Sorry for German. Don't know how to switch Powershell to English output. Deepl translation of this error: "The "guid" property was not found for this object. Make sure that the property is present."

Die Eigenschaft "guid" wurde für dieses Objekt nicht gefunden. Vergewissern Sie sich, dass die Eigenschaft
vorhanden ist.
In C:\Program
Files\WindowsPowerShell\Modules\AzureADAssessment\2.2.36\Invoke-AADAssessmentDataCollection.ps1:228
Zeichen:9

•     $ReferencedIdCache.roleGroup.guid | Get-MsGraphResults 'group ...
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
  • FullyQualifiedErrorId : PropertyNotFoundStrict

Running this for a client and it is only reporting approximately 1000 of 8000 users. We have run multiple times, multiple source user accounts, same issue. We have uninstalled, reinstalled, and force updated the module over a period of several weeks with no improvement.

Hi everyone,

I have an environment where the report creation fails with following error:

ForEach-Object: Cannot convert argument "item", with value: "MicrosoftAdminPortals", for "Add" to type "System.Guid": "Cannot convert value "MicrosoftAdminPortals" to type "System.Guid". Error: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).""

How can I solve this please, any idea is welcome.

cheers

When I open the AzureADAssessment-ConditionalAccess powerbi file, I get many errors like " conditionalAccessPolicy
Loading blocked by failures with other queries." Is this expected behavior if there are not any CA policies in the tenant? I am in a tenant that has the Security Defaults enabled. Would this be causing this type of error?

Got file generation issue while completing Invoke-AADAssessmentdatacollection command.

After configuring the Application Registration and connection the next step is unable to complete in an environment that utilises Microsoft Admin Portals as there isn't a ClientID that the command can interpret to a GUID.

ForEach-Object : Cannot convert argument "item", with value:
"MicrosoftAdminPortals", for "Add" to type "System.Guid": "Cannot convert
value "MicrosoftAdminPortals" to type "System.Guid". Error: "Guid should
contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).""
At E:\Documents\WindowsPowerShell\Modules\AzureADAssessment\2.4.0\AzureADAssess
ment.psm1:143 char:132

• ... ice365' } | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) } ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
  

  • CategoryInfo : NotSpecified: (:) [ForEach-Object], MethodExcept
    ion
  • FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument,Micr
    osoft.PowerShell.Commands.ForEachObjectCommand

I don't see a disconnect-azureAdAssessment cmdlet. What is the recommended method for running this against multiple tenants?

Cmdlet Connect-AADAssessment fails during connection after typing in the credentials and confirming the permission:

Confirm-ModuleAuthentication : The property 'TokenType' cannot be found on this object. Verify that the property exists.
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.4.0\AzureADAssessment.psm1:3897 char:9
+         Confirm-ModuleAuthentication $script:ConnectState.ClientAppli ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Confirm-ModuleAuthentication], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict,Confirm-ModuleAuthentication

Get-Module AzureADAssessment -ListAvailable
# Script     2.4.0      AzureADAssessment

Get-Module MSAL.PS -ListAvailable
# Script     4.37.0.0   MSAL.PS

Using the Cmdlet with an App Registration Connect-AADAssessment -ClientId does also not work.

Solution (FAQ): Restart Windows PowerShell ISE

Hello,

There are an error in the AAD Premium identifiers:

File Get-AADAssessUserReport.ps1, the fix is:

$aadp1plan = "41781fb2-bc02-4b7c-bd55-b576c07bb09d"
$aadp2plan = "eec0eb4f-6444-4f95-aba0-50c24d67f998"

File Invoke-AADAssessmentDataCollection.ps1 , the fix is:

if ($skus | Where-Object { $_.prepaidUnits.enabled -gt 0 -and ($_.servicePlans | Where-Object { $_.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" })}) {
            $licenseType = "P1"
        } elseif ($skus | Where-Object { $_.prepaidUnits.enabled -gt 0 -and ($_.servicePlans | Where-Object { $_.servicePlanId -eq "eec0eb4f-6444-4f95-aba0-50c24d67f998" })}) {
            $licenseType = "P2"
        }

How can we connect to a tenant when we have been invited as a guest?

Hello all together,

I try out this module in my test environment and in a second tenant and I get this error.

`ForEach-Object : Cannot convert argument "item", with value: "Office365", for "Add" to type "System.Guid": "Cannot convert value "Office365" to type "System.Guid". Error: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).""
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.0.776660\internal\Add-AadReferencesToCache.ps1:50 char:76

• ... lications | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) } ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [ForEach-Object], MethodException
  • FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument,Microsoft.PowerShell.Commands.ForEachObjectCommand`

after this error, the Cmdlet stops.

The line where the error occurs, has this content:
Line:50 $InputObject.conditions.applications.excludeApplications | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) }

Does someone know the error?

Thanks
Arne

Hello Guys,
I have been running a few assessment as of late and have run in to a bug that keeps coming back. For multiple tenants, in the Conditional Access assessment report (powerbi) i get the following recommendation:

However, the CA in question always has this:

I think this might be a bug, or am i missing something?

Greatly appreciated. keep up the good work!

Hello,
Im supernew to this tool and was testing it out.
I was able to follow the wiki just fine (superb one btw!), i came all the way down to opening the two Power Bi reports:
AzureADAssessment.pbit
AzureADAssessment - ConditionalAccess.pbit
The ConditionalAccess one works just fine, but the AzureAdAssessment does not.

It has successfully created cvs and json files with content (if i open them they look correctly formated to!):

(Note that i do not use any AD sync or connectors, so i skipped that step in the pre-req)

When i run the AzureADAssessment.pbit i get the following error:

Those seems to be these:

Any help or suggestion greatly appreciated!

Trying to generate the assessment report as shown in the example

Expand-AADAssessAADConnectConfig -CustomerName 'Bananas' `
  -AADConnectProdConfigZipFilePath C:\AzureADAssessment\Bananas\AzureADAssessmentData-bananas.onmicrosoft.com.zip `
    -OutputRootPath C:\AzureADAssessment\Bananas\Report\AADC 

When I run the command, it breaks with the following error message. Hope you can fix this.

AADConnectSyncDocumenterConsole Error: 40000 : AADConnectSyncDocumenter (1.19.0130.0): 08/06/2021 13:58:45.0600:
Exception in 'AzureADConnectSyncDocumenter : ValidateInput'. Details: System.IO.FileNotFoundException: The pilot / target
configuration directory 'C:\AzureADAssessment\Report\AADC\Bananas\Data\Bananas\Production' does not exist..

AzureADAssessment works fine on my Live Tenant however fails on my Developer Environment.

Not sure what it's asking for?

"
Test-MsGraphBatchError : Value cannot be null.
Parameter name: source
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.2.54\internal\Get-MsGraphResults.ps1:309 char:31

• ... if (!(Test-MsGraphBatchError $results $currentRequest)) {

•                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
  • FullyQualifiedErrorId : ArgumentNullException,Test-MsGraphBatchError

WARNING: The export package has not been generated
WARNING: If you are working with microsoft or a provider on the assessment please warn them
WARNING: Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen
WARNING: https://github.com/AzureAD/AzureADAssessment/issues
Method invocation failed because [System.Management.Automation.PSObject] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.2.54\Invoke-AADAssessmentDataCollection.ps1:149
char:13

•         $roleAssignmentSchedules + $roleAssignmentSchedulesAdditi ...
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (op_Addition:String) [], ParentContainsErrorRecordException
  • FullyQualifiedErrorId : MethodNotFound "

I start the assessment with an non privileged user. I have Global Reader and Security Reader role assignments and you wrote, that for that we need the following rights.

Azure Active Directory as Global Administrator or Global Reader

When I start the assessment with the roles described above I get this error.
`
Catch-MsGraphError : Request Authorization failed
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.0.779889\internal\Get-MsGraphResults.ps1:247 char:25

•             catch { Catch-MsGraphError $_ }
  

•                     ~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Write-Error], WebException
  • FullyQualifiedErrorId : accessDenied,Catch-MsGraphError
    `

And when I check the outputs, the following file is missing:

• emailOTPMethodPolicy.json

When I start the assessment with Global administrative rigths no error occurs and the missing file is created.

Have a nice day
Arne

In the Assessment Reference, the table is incorrectly formatted at the Password Policy Check:
https://github.com/AzureAD/AzureADAssessment/wiki/Assessment-Reference#check-password-policy
Should have 7 table rows, only the first three are correctly formatted.

I have been trying to use the AAD-Assessment tool to run the assessment for Entra ID. But it seems that the tool does not pull all the data and in fact misses few data example there were 100 CA Policies in the environment, but the report was missing almost 40CA policies also it does miss to pull all the Users these are few of them.

How can we get the full assessment done correctly if we are not able to pull all the data from AzureAD ?
Please do let us know if there is a way so that we do not miss on any data while utilizing this tool.

I noticed on my latest assessment that the Conditional Access policy PowerBI only had 9 polices as opposed to the actual 13 in azure, turns out that there are preview features in the policies (did not go in to details on what they were) and to collect those the AzureADPreview module is needed

Hello,

I'm trying to test the assessment in a test Tenant and I meet the requirements, having the Global Admin role, but i'm getting a few errors on the API calls, for example:

WARNING: GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentSchedules?$expand=principal(%24select%3Did)%2CroleDefinition(%24select%3Did%2CtemplateId%2CdisplayName)&$filter=status+eq+%27Provisioned%27+and+assignmentType+eq+%27Assigned%27+and+directoryScopeId+eq+%27%2F%27&$select=id%2CdirectoryScopeId%2CmemberType%2CscheduleInfo%2Cstatus%2CassignmentType; error Response status code does not indicate success: 403 (Forbidden).; attempt 5 out of 5. Retrying after 16s

Here's the debug output:

DEBUG: {
"name": "AppExceptions",
"time": "2022-06-10T21:15:29.8607225Z",
"iKey": "9ef9a343-9c69-4468-a1a0-e1786a6d9f89",
"tags": {
"ai.application.ver": "2.2.36",
"ai.operation.id": "ecd8a0e3-b896-4e56-92a4-9894c33227c7",
"ai.operation.name": "Invoke-AADAssessmentDataCollection",
"ai.operation.parentId": "",
"ai.session.id": "236b794b-0bbd-4494-935f-9c6aad7510ff",
"ai.user.id": "@{",
"ai.device.osVersion": "Microsoft Windows 10.0.22000"
},
"data": {
"baseType": "ExceptionData",
"baseData": {
"ver": 2,
"properties": {
"Culture": "en-US",
"PsEdition": "Core",
"PsVersion": "7.2.4",
"DebugPreference": 2,
"TenantId": "",
"CloudEnvironment": "Global"
},
"exceptions": [
{
"hasFullStack": true,
"parsedStack": [],
"typeName": "Microsoft.PowerShell.Commands.WriteErrorException",
"message": "Attempted to perform an unauthorized operation.",
"id": 3556833
}
]
}
}
}
DEBUG: {
"id": "11",
"status": 403,
"headers": {
"Content-Type": "application/json"
},
"body": {
"error": {
"code": "UnauthorizedAccessException",
"message": "Attempted to perform an unauthorized operation.",
"innerError": {
"date": "2022-06-10T21:15:27",
"request-id": "49bd963e-f3ea-40c2-ad4e-5185d410b1ef",
"client-request-id": "49bd963e-f3ea-40c2-ad4e-5185d410b1ef"
}
}
}
}

WARNING: The export package has not been generated
WARNING: If you are working with microsoft or a provider on the assessment please warn them
WARNING: Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen
WARNING: https://github.com/AzureAD/AzureADAssessment/issues
ForEach-Object: Cannot convert argument "item", with value: "MicrosoftAdminPortals", for "Add" to type "System.Guid": "Cannot convert
value "MicrosoftAdminPortals" to type "System.Guid". Error: "Guid should contain 32 digits with 4 dashes
(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).""

Your naming could be confusing, as there is already a https://docs.microsoft.com/en-us/services-hub/health/getting-started-azuread

May be update your doco from Azure AD Assessment to Azure AD Config Assessment

I get this error when it tries to process Service Principles. I am running it on Windows 11.

PS C:\Users\jserban\OneDrive - Microsoft\Documents\GitHub\AzureADAssessment> Invoke-AADAssessmentDataCollection
Exporting applications: Completed 2 in 00:00:00
Exporting appRoleAssignments: Completed 32 in 00:00:00
Exporting oauth2PermissionGrants: Completed 12 in 00:00:00
Exporting servicePrincipals (JSON): Completed 15 in 00:00:00
Exporting servicePrincipals (CSV): Completed 15 in 00:00:00
Exporting groups: Completed 7 in 00:00:00
Loading users in lookup cache
Loading users registration details in lookup cache
Exporting UserReport: Completed 11 in 00:00:00
Loading groups in lookup cache
Exporting NotificationsEmailsReport: Completed 9 in 00:00:00
Loading administrative units in lookup cache
Loading applications in lookup cache
Loading service principals in lookup cache
WARNING: The export package has not been generated
WARNING: If you are working with microsoft or a provider on the assessment please warn them
WARNING: Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen
WARNING: https://github.com/AzureAD/AzureADAssessment/issues
Format-Csv: C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.2.64\Export-AADAssessmentReportData.ps1:226:11
Line |
226 | | Format-Csv `
| ~~~~~~~~~~
| The property 'Count' cannot be found on this object. Verify that the property exists.

When following the guide, if you are using Windows PowerShell 5.1, the install-module does not support -acceptlicense parameter and will throw an error.

Consider updating docs to recommend using latest PS 7.x, or provide examples of command when running on WPS 5.1 without the switch to avoid errors those not as familiar with PowerShell

Error bellow when calling Invoke-AADAssessmentDataCollection

When I debug 2.2.2\internal\Expand-MsGraphRelationship.ps1 it turns out that:

• $inputObject contained one item
  when final block started. But $results variable was empty, because there was no user in "Exchange administrator" role! Therefore error on line [array] $refValues = $Results[$i]
• btw $uri contained directoryRoles/{0}/members/$ref

SOLUTION?
In 2.2.2\internal\Expand-MsGraphRelationship.ps1 modify both foreach
from:
for ($i = 0; $i -lt $InputObjects.Count; $i++) {
to:
for ($i = 0; $i -lt $Results.Count; $i++) {

Hello AzureADAssessment-Team,

since the last versions I'm running in a issue in our production environment.
After a long runtime of 1h 50m there is multiple throttlling occuring:

WARNING: Using a confidential client is non-interactive and requires that the necessary scopes/permissions be added to the application or have permissions on-behalf-of a user.
WARNING: Using a confidential client is non-interactive and requires that the necessary scopes/permissions be added to the application or have permissions on-behalf-of a user.
WARNING: Using a confidential client is non-interactive and requires that the necessary scopes/permissions be added to the application or have permissions on-behalf-of a user.
WARNING: Request returned error and will attempt retry 1 of 5 after 30s.
WARNING: Request returned error and will attempt retry 2 of 5 after 60s.
WARNING: Request returned error and will attempt retry 3 of 5 after 120s.
WARNING: Request returned error and will attempt retry 4 of 5 after 240s.
WARNING: Request was throttled and will attempt retry 5 of 5 after 30s

And then comes the fail:

Catch-MsGraphError : This request is throttled. Please try again after the value (in seconds) specified in the Retry-After header. CorrelationId: 638b720b-aa65-4df0-852e-5bfd4d0dd708
At C:\Users\VssAdministrator\Documents\PowerShell\Modules\AzureADAssessment\2.3.11\internal\Get-MsGraphResults.ps1:484 char:49
+                                                 Catch-MsGraphError $_
+                                                 ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (Method: GET, Reques…ssessment/2.3.11
}:HttpRequestMessage) [Invoke-RestMethod], HttpResponseException
+ FullyQualifiedErrorId : UnknownError,Catch-MsGraphError
##[error]PowerShell exited with code '1'

In smaller Environments (e.q. our test environment) I do not run into a issue.
I noticed that on older versions not so much throtteling was happening.

Maybe there is error in the retry logic.

Looking forward to an answer.

Hi Team,

We are getting below an error while running invoke-AADAssessmentdatacollection cmdlet.

WARNING: The export package has not been generated
WARNING: If you are working with microsoft or a provider on the assessment please warn them
WARNING: Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen
WARNING: https://github.com/AzureAD/AzureADAssessment/issues
ForEach-Object : Cannot convert argument "item", with value: "MicrosoftAdminPortals", for "Add" to type "System.Guid": "Cannot convert value "MicrosoftAdminPortals" to type
"System.Guid". Error: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).""
At C:\Users\SadishKk\Documents\WindowsPowerShell\Modules\AzureADAssessment\2.5.0\AzureADAssessment.psm1:143 char:132

• ... ice365' } | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) } ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [ForEach-Object], MethodException
  • FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument,Microsoft.PowerShell.Commands.ForEachObjectCommand

After applying some of the conditional access recommendations, I wanted to run another assessment against our tenant to see what the recommendations look like after the changes.

Upon rerunning it, and opening AzureADAssessment-ConditionalAccess.pbit I get the following error:
Query 'StaleUsersExcluded' (step 'Added staleUserExcluded') references other queries or steps, so it may not directly access a data source. Please rebuild this data combination.

I tried running the assessment with our breakglass account which is excluded from every CA policy, so I don't think the changes I made have broken the report

Thoughts?

Hello,
maybe this isn't the right place however I discovered the Add-AzureAssessmentTask doesn't support the -MFA parameter (despite I can read it referenced in documentation).

Get-Command Add-AzureAssessmentTask

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AzureAssessmentTask                            8.0.1.1086 Microsoft.PowerShell.Oms.Assessments

I have installed the latest version of Microsoft Monitoring Agent (MMA) v10.20.18067.0 available in Log Analytics workspaces.

This is my fault or it doesn't support the -MFA parameter anymore ?

Hi guys

Can you please describe the App Keys tab in AzureADAssessment PowerBi document?

Me and my team could not find a description regarding this. To me more precisely, its the 'Key Name' when the key type is password.

If we got data in this column, does it show the username, password or what does it provide us of information? Because we got different kind of data in this column sometimes that confuse us.

Thanks in advice

BR

Last successfull step: Loading users registration details in lookup cache
Then I see a lot(I mean a lot) of the following warnings: WARNING: authentication method registration not found for

Common for all of the users are that they are disabled/blocked sign-in.

The following occurs from the job:

Exporting UserReport: Completed 30 261 in 00:01:50
Loading groups in lookup cache
Exporting NotificationsEmailsReport: Completed 80 in 00:00:00
Loading administrative units in lookup cache
Loading applications in lookup cache
Loading service principals in lookup cache
Exporting RoleAssignmentReport: Completed 621 in 00:00:00
Exporting AppCredentialsReport: Completed 204 in 00:00:00
Exporting ConsentGrantReport: Completed 22 106 in 00:00:56
WARNING: The export package has not been generated
WARNING: If you are working with microsoft or a provider on the assessment please warn them
WARNING: Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen
WARNING: https://github.com/AzureAD/AzureADAssessment/issues
Unable to find type [System.IO.Compression.ZipFile].
At C:\Users<myusername>\Onedrive - mycompany\Documents\WindowsPowerShell\Modules\AzureADAssessment\2.2.54\Invo
ke-AADAssessmentDataCollection.ps1:345 char:13

•         [System.IO.Compression.ZipFile]::CreateFromDirectory($Out ...
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (System.IO.Compression.ZipFile:TypeName) [], ParentContainsErrorRecord
    Exception
  • FullyQualifiedErrorId : TypeNotFound

Hi ,

is it possible to get visualization of recommendations based on the data generated ?

Thanks
Priyan k J

On slide 7 in the AzureADAssessment-ReportOut.pptx, it says "Appilcation Overview". Should be "Application Overview".

Trying to collect data associated with a B2C tenant using this script, but getting an error.

Did read in a different post that support for backlinks wouldn't be supported for b2c. Not sure if there is a workaround for this to get data from a b2c client.

When running the script I am getting the following error.

InvalidOperation: C:\Users\fakename\Documents\PowerShell\Modules\AzureADAssessment\2.1.52\Invoke-AADAssessmentDataCollection.ps1:250
Line |
250 | $ReferencedIdCache.group.guid | Get-MsGraphResults 'groups/{0 …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The property 'guid' cannot be found on this object. Verify that the property exists.

The line in question is 250

Add nested groups

    $ReferencedIdCache.group.guid | Get-MsGraphResults 'groups/{0}/transitiveMembers/microsoft.graph.group?$count=true&$select=id' -Top 999 -TotalRequests $ReferencedIdCache.group.Count -DisableUniqueIdDeduplication `
    | ForEach-Object { [void]$ReferencedIdCache.group.Add($_.id) }

The final output of the script is not in a zip format as stated in the Readme either nor does it contain the right data for the PowerBI dashboards to work properly. I am unsure what is causing this error. Thanks!

Have been doing some testing and trying to run through the process against my demo CDX environment and there seems to be a few issues.

1. if (!(Test-MsGraphBatchError $results)) {Value cannot be null. Parameter name: source
   I got the script to complete as there was a few null values which the script didn't expect by using try and removing remarking the following out:

$ReferencedIdCache.roleGroup.guid | Get-MsGraphResults 'groups/{0}/transitiveMembers/microsoft.graph.group?$count=true&$select=id' -Top 999 -TotalRequests $ReferencedIdCache.roleGroup.Count -DisableUniqueIdDeduplication `
#| ForEach-Object { [void]$ReferencedIdCache.group.Add($_.id) }

3. It gave the following error but was able to generate the zip file Get-AADAssessRoleAssignmentReport -Offline -RoleAssignmentSch …| Use of the offline parameter requires that all data be provided using the data parameters.
4. Opening PowerBI I've got data issues as some files are empty as i guess is related to the export not working as expected.

I can provide access to my demo tenant for testing to confirm it's not environmental but my collogue also tried against his own CDX environment and also gave errors. When I executed against an production tenant it failed.

I've added rough quick debugging results that might help
AADAssessmentDebug31-05-2022.docx
.

Hello -- trying to run Connect-AADAssessment -CloudEnvironment USGOVDoD -- after authenticating I'm getting the URI Redirect mismatch error. Normally would try modifying the uri property as noted here: https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50011-redirect-uri-mismatch but i'm not seeing the ability to add this since it's found as an Enterprise App. Would appreciate any advice or help on this.

PS /home/ga> Connect-AADAssessment
Connect-AADAssessment: The 'Connect-AADAssessment' command was found in the module 'AzureADAssessment', but the module could not be loaded. For more information, run 'Import-Module AzureADAssessment'.

Hello together,
I try to run the assessment with an service principal and setup delegated graph permission for Directory.Read.All and Policy.Read.All but I get the errors below.

I think we mss some permissions in ms graph.

Catch-MsGraphError : Applications without a signed-in user are not allowed access to this report or data.
At C:\Program Files\WindowsPowerShell\Modules\AzureADAssessment\2.3.7\internal\Get-MsGraphResults.ps1:372 char:33
+                                 Catch-MsGraphError $_
+                                 ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Write-Error], WebException
    + FullyQualifiedErrorId : AccessDenied,Catch-MsGraphError

When it is not allowed to use service principals, for what is the option to Connect-AADAssessment -Certificate ...

Can someone help me?
Thanks
Arne

Hello all together,

I analyse the last assessment and I wonder why one app in my tenant is marked as expired. The App registration in this case has no certificate and no secret, so nothing can expire from my point of view.
What I see ist that the enddate is calculated, creation date plus two years and that is the expiration date.

Is this correct or is this an error?

Getting this error: Unable to find type [System.IO.Compression.ZipFile

Dumps from PS:

Exporting UserReport: Completed 78,906 in 00:13:31
Loading groups in lookup cache
Exporting NotificationsEmailsReport: Completed 85 in 00:00:06
Loading administrative units in lookup cache
Loading applications in lookup cache
Loading service principals in lookup cache
Exporting RoleAssignmentReport: Completed 1,232 in 00:00:15
Exporting AppCredentialsReport: Completed 18,856 in 00:02:36
Exporting ConsentGrantReport: Completed 49,738 in 00:05:36
WARNING: The export package has not been generated
WARNING: If you are working with microsoft or a provider on the assessment please warn them
WARNING: Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen
WARNING: https://github.com/AzureAD/AzureADAssessment/issues
Unable to find type [System.IO.Compression.ZipFile].

Any solution for this?