
Add error handling to AAD Get-MgBetaUser and put redundant code into a function #842

Open
tkol2022 opened this issue Jan 24, 2024 · 0 comments
Labels
enhancement This issue or pull request will add new or improve existing functionality
@tkol2022 (Collaborator)
💡 Summary

While testing #794 @buidav uncovered an edge case where if you delete a user or move them out of a group while ScubaGear is running, the AAD function Get-PrivilegedUser calls to Get-MgBetaUser can produce errors that prematurely halt the software. Although the probability of this happening is low, it would be good to handle this event gracefully. We also have redundant code that handles calling this graph function and processing its output, so it would be good to put that into a utility function.

Implementation notes

This implementation is specific to Get-PrivilegedUser but the assignee should review the Get-PrivilegedRole function to see if similar enhancements are applicable there.

  • Inside of the function, find all calls to Get-MgBetaUser and determine the common code associated with that API. Create a utility function that takes the following arguments: the PrivilegedUsers hashtable, the user's ID and a role name. The function will retrieve information about the user from the Get-MgBetaUser API and add it to the hashtable. Here is an example code block from the function that processes a specific user.

```powershell
if (-Not $PrivilegedUsers.ContainsKey($UserObjectId)) {
    $AADUser = Get-MgBetaUser -ErrorAction Stop -Filter "Id eq '$UserObjectId'"
    $PrivilegedUsers[$AADUser.Id] = @{"DisplayName"=$AADUser.DisplayName; "OnPremisesImmutableId"=$AADUser.OnPremisesImmutableId; "roles"=@()}
}
# If the current role has not already been added to the user's roles array then add the role
if ($PrivilegedUsers[$UserObjectId].roles -notcontains $Role.DisplayName) {
    $PrivilegedUsers[$UserObjectId].roles += $Role.DisplayName
}
```
  • Add error handling with a try/catch block around the Get-MgBetaUser inside the function. If the error Request_ResourceNotFound occurs then handle the exception by writing to the debug output. Here is an example catch block that you may need to tweak.

```powershell
try {
    # -ErrorAction Stop makes a Graph error terminating so the catch block sees it
    $AADUser = Get-MgBetaUser -ErrorAction Stop -Filter "Id eq '$PIMEligibleUserId'"
}
catch {
    # The user was deleted (or otherwise vanished) between enumeration and lookup
    if ($_.FullyQualifiedErrorId.Contains("Request_ResourceNotFound")) {
        Write-Debug "Error retrieving user data for user with ID: $($PIMEligibleUserId)"
    }
    else {
        throw $_
    }
}
```
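The utility function the issue asks for, written here as an added example rather than code from the ScubaGear repository; the function name Add-PrivilegedUserRole, its parameter names and the $null check after a filter that matches nothing are assumptions.

```powershell
function Add-PrivilegedUserRole {
    # Resolve a user via Get-MgBetaUser, add them to $PrivilegedUsers if missing,
    # and append $RoleName once. Returns $true if the user was resolved,
    # $false if the user no longer exists (deleted mid-run), so callers can skip.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][hashtable]$PrivilegedUsers,
        [Parameter(Mandatory = $true)][string]$UserObjectId,
        [Parameter(Mandatory = $true)][string]$RoleName
    )

    if (-Not $PrivilegedUsers.ContainsKey($UserObjectId)) {
        try {
            # -ErrorAction Stop turns a Graph error into a terminating exception
            $AADUser = Get-MgBetaUser -ErrorAction Stop -Filter "Id eq '$UserObjectId'"
        }
        catch {
            # Only swallow the "user is gone" case; anything else still halts the run
            if ($_.FullyQualifiedErrorId -like "*Request_ResourceNotFound*") {
                Write-Debug "Error retrieving user data for user with ID: $UserObjectId"
                return $false
            }
            throw $_
        }
        # Assumption: a filter that matches nothing returns $null rather than an
        # error, so treat that the same way as Request_ResourceNotFound.
        if ($null -eq $AADUser) {
            Write-Debug "No user found with ID: $UserObjectId"
            return $false
        }
        $PrivilegedUsers[$UserObjectId] = @{
            "DisplayName"           = $AADUser.DisplayName
            "OnPremisesImmutableId" = $AADUser.OnPremisesImmutableId
            "roles"                 = @()
        }
    }

    # Add the role only if it is not already recorded for this user
    if ($PrivilegedUsers[$UserObjectId].roles -notcontains $RoleName) {
        $PrivilegedUsers[$UserObjectId].roles += $RoleName
    }
    return $true
}
```

Each call site in Get-PrivilegedUser then collapses to `Add-PrivilegedUserRole -PrivilegedUsers $PrivilegedUsers -UserObjectId $UserObjectId -RoleName $Role.DisplayName`, and a `$false` return means the user was skipped rather than the scan aborted.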
@tkol2022 tkol2022 added the enhancement This issue or pull request will add new or improve existing functionality label Jan 24, 2024
@schrolla schrolla added this to the Backlog milestone Feb 5, 2024