
Power Platform 403 Forbidden from Get-TenantDetailsFromGraph for E5 licensed tenants when running with non-interactive auth #1686


Open
1 task done
buidav opened this issue May 1, 2025 · 1 comment
Labels
bug This issue or pull request addresses broken functionality
Milestone

Comments

@buidav
Collaborator

buidav commented May 1, 2025

Prerequisites

  • This issue has an informative and human-readable title.

ScubaGear Version

v1.6 (latest from main)

Operating System

Windows 11

PowerShell Version

5.1

M365 Environment and License(s)

M365Environment: commercial
E5 Licensed

🐛 Summary

This error is currently displayed when running ScubaGear with `Invoke-SCuBA -ProductNames powerplatform`:

```
WARNING:     Power Platform Provider Warning: {"error":"invalid_tenant","error_description":"AADSTS90002: Tenant 'unretrievable' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: 00000000-0000-0000-0000-000000000000 Correlation ID: 00000000-0000-0000-0000-000000000000 Timestamp: 2025-05-01 02:18:43Z","error_codes":[90002],"timestamp":"2025-05-01 02:18:43Z","trace_id":"00000000-0000-0000-0000-000000000000","correlation_id":"00000000-0000-0000-0000-000000000000","error_uri":"https://login.microsoftonline.com/error?code=90002"}. Unable to check if M365Environment is set correctly in the Power Platform Provider. This MAY impact the output of the Power Platform Baseline report.
    See the 'Running the Script Behind Some Proxies' in the README.md for a possible solution to this warning.
WARNING: Error running Get-PowerAppTenantIsolationPolicy: Cannot bind argument to parameter 'TenantId' because it is an empty string.. <= If a HTTP 403 ERROR is thrown then this is because you do not have the proper permissions. Necessary roles for running ScubaGear with Power Platform: Power Platform Administrator with a Power Apps License or Global Administrator
```

Tracking down the origin of the error, the cmdlet Get-TenantDetailsFromGraph is the offender:

```
> Get-TenantDetailsFromGraph

StatusCode        : 403
StatusDescription : Forbidden
Headers           : {ocp-aad-diagnostics-server-name, request-id, client-request-id, x-ms-dirapi-data-contract-version...}
Error             :
Message           :
Internal          : System.Net.HttpWebResponse
```

  1. Have tried updating to the latest PowerApps.Administration.PowerShell and PowerApps.PowerShell module versions. Issue still persists.
  2. No issues for GCC or GCC High tenants.
  3. Interactive auth then running Get-TenantDetailsFromGraph works for E5 tenants.
  4. Even my old service principals for E5 are now failing as well.

Steps to reproduce

  1. Must be done on a commercial tenant.
  2. Follow the app registration set up steps for Power Platform.
  3. Auth with the app, i.e. `Invoke-SCuBA -ProductNames powerplatform -M365Environment commercial -CertificateThumbPrint 00000000 -AppID 00000000-0000-0000-0000-000000000000 -Organization MyTenant`
  4. Run Get-TenantDetailsFromGraph

Expected behavior

Get-TenantDetailsFromGraph to work with current instructions.

Output from Initialize-SCuBA (optional)

No response

@buidav buidav added the bug This issue or pull request addresses broken functionality label May 1, 2025
@mitchelbaker-cisa
Collaborator

mitchelbaker-cisa commented May 2, 2025

One solution could be swapping out the Get-TenantDetailsFromGraph cmdlet with a direct call to Graph. This is due to 'Microsoft.PowerApps.Administration.PowerShell' referencing Azure AD Graph endpoints, which are now deprecated:

```powershell
$route = "https://{graphEndpoint}/{tenantIdentifier}/tenantDetails?api-version={graphApiVersion}"
```

@buidav buidav added this to the Nemo milestone May 5, 2025
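A direct Microsoft Graph replacement along the lines of the suggestion above, as an added example that is not part of this issue, of ScubaGear, or of the PowerApps module: it calls `GET /v1.0/organization` on Microsoft Graph instead of the Azure AD Graph `tenantDetails` route, maps ScubaGear's `-M365Environment` values to the Graph national-cloud endpoints, and turns a 403 or 401 into an actionable error instead of letting an empty TenantId reach `Get-PowerAppTenantIsolationPolicy`. The function name `Get-TenantDetailsFromMsGraph`, the `-AccessToken` parameter, and the MSAL.PS token acquisition shown in the comments are assumptions for this example, not project API.

```powershell
# Added example (not ScubaGear's or the PowerApps module's own code): fetch tenant
# details from Microsoft Graph rather than the retired Azure AD Graph
# (graph.windows.net) route. Assumes you already hold an app-only bearer token for
# Microsoft Graph, e.g. via MSAL.PS with the same certificate used for ScubaGear:
#   $token = (Get-MsalToken -ClientId $AppId -TenantId $Org -ClientCertificate $cert `
#              -Scopes "https://graph.microsoft.com/.default").AccessToken
# The app registration needs the Organization.Read.All (application) permission
# with admin consent; a missing grant is the usual cause of a 403 on this call.

function Get-TenantDetailsFromMsGraph {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        # Same values ScubaGear's -M365Environment accepts; selects the Graph cloud endpoint
        [ValidateSet('commercial', 'gcc', 'gcchigh', 'dod')]
        [string]$M365Environment = 'commercial'
    )

    # Microsoft Graph national-cloud endpoints (GCC shares the commercial endpoint)
    $graphEndpoint = switch ($M365Environment) {
        'gcchigh' { 'https://graph.microsoft.us' }
        'dod'     { 'https://dod-graph.microsoft.us' }
        default   { 'https://graph.microsoft.com' }
    }
    $uri = "$graphEndpoint/v1.0/organization?`$select=id,displayName,verifiedDomains"

    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri `
            -Headers @{ Authorization = "Bearer $AccessToken" }
    }
    catch {
        # [int] cast works for PS 5.1 (WebException) and PS 7 (HttpResponseException);
        # it is 0 when there was no HTTP response at all (e.g. proxy/DNS failure)
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 403) {
            throw "Microsoft Graph returned 403 for $uri. Grant Organization.Read.All (application) to the app and admin-consent it."
        }
        if ($status -eq 401) {
            throw "Microsoft Graph returned 401 for $uri. The token is missing, expired, or issued for a different cloud than '$M365Environment'."
        }
        throw
    }

    $org = @($resp.value) | Select-Object -First 1
    # Fail loudly instead of letting an empty TenantId flow into downstream cmdlets
    if (-not $org -or [string]::IsNullOrEmpty($org.id)) {
        throw "No organization object returned from $uri; refusing to continue with an empty TenantId."
    }

    [pscustomobject]@{
        TenantId        = $org.id
        DisplayName     = $org.displayName
        VerifiedDomains = @($org.verifiedDomains | ForEach-Object { $_.name })
    }
}

# Usage (assumes $token holds the access token string obtained as described above):
# $tenant = Get-TenantDetailsFromMsGraph -AccessToken $token -M365Environment commercial
# Get-PowerAppTenantIsolationPolicy -TenantId $tenant.TenantId
```

The `/organization` object's `id` is the tenant ID, so this is a drop-in source for the `TenantId` that the Power Platform provider currently fails to bind. Checking the returned `VerifiedDomains` against the cloud you connected to is one way to recover the "is M365Environment set correctly" check that the warning above says it could not perform.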