Description
Describe the bug
There is a bug with the PowerShell SDK. After doing some troubleshooting, I found out that Graph module 2.25.0 is the last version that works with the Identity Governance role.
For context, any time I run IGA commands on the newer versions of the Graph module, I get a 403 error (see attached screenshot). The commands only work if I add myself as a catalog owner (which kind of defeats the purpose of the IGA role and elevating to it). I tested this on my own prod tenant and my lab tenant; the results were the same.
This can also be replicated by running the following command while elevated to the IGA role (and not added as a catalog owner or Global admin):
Get-MgBetaEntitlementManagementAccessPackage -AccessPackageId <guid>
Expected behavior
The commands work as expected, as they did on Graph module 2.25.0 and earlier.
How to reproduce
This can also be replicated by running the following command while elevated to the IGA role (and not added as a catalog owner or Global admin):
Get-MgBetaEntitlementManagementAccessPackage -AccessPackageId <guid>
SDK Version
2.28.0 through latest no longer works
Latest version known to work for scenario above?
2.25.0
Known Workarounds
I have to add myself as a catalog owner to EACH catalog as a workaround for the 403 error. Adding myself as a catalog owner when I am an IGA admin defeats the purpose of the Entra ID role.
Debug output
Get-MgBetaEntitlementManagementAccessPackage -AccessPackageId 10cb7633-2b28-4809-883a-0064aacf7170 -Debug
DEBUG: [CmdletBeginProcessing]: - Get-MgBetaEntitlementManagementAccessPackage begin processing with parameterSet 'Get'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, AccessReview.ReadWrite.All, AdministrativeUnit.ReadWrite.All, AppCatalog.Read.All, Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, AuthenticationContext.ReadWrite.All, BitlockerKey.Read.All, Calendars.Read, Calendars.ReadWrite, ChannelMessage.Read.All, ChannelMessage.ReadWrite, Chat.Create, Chat.Read, Chat.ReadBasic, Chat.ReadWrite, ChatMessage.Read, ChatMessage.Send, CrossTenantInformation.ReadBasic.All, Device.Read.All, Device.ReadWrite.All, DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, Domain.ReadWrite.All, eDiscovery.Read.All, eDiscovery.ReadWrite.All, email, EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, IdentityRiskyUser.ReadWrite.All, Mail.Read, OnlineMeetings.Read, OnlineMeetingTranscript.Read.All, openid, Organization.Read.All, Policy.Read.All, Policy.ReadWrite.ApplicationConfiguration, Policy.ReadWrite.Authorization, Policy.ReadWrite.PermissionGrant, profile, RoleAssignmentSchedule.ReadWrite.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory, Sites.Read.All, Tasks.Read, Team.ReadBasic.All, TeamSettings.Read.All, TeamworkAppSettings.ReadWrite.All, User.Read, User.Read.All, User.ReadWrite, User.ReadWrite.All, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All, User-LifeCycleInfo.ReadWrite.All].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/10cb7633-2b28-4809-883a-0064aacf7170
Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26200; en-US),PowerShell/7.5.4
SdkVersion : graph-powershell-beta/2.33.0
client-request-id : b38f7c76-454c-448c-891c-5130b484369a
Accept-Encoding : gzip,deflate,br
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 2b0f874e-3544-4ee2-a430-5c1fd38cef99
client-request-id : b38f7c76-454c-448c-891c-5130b484369a
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"SJ1PEPF00001D38"}}
Date : Tue, 16 Dec 2025 17:41:39 GMT
Body:
{
"error": {
"code": "UnAuthorized",
"message": "User is not authorized to perform the operation. Reason: Unauthorized",
"details": [],
"innerError": {
"date": "2025-12-16T17:41:39",
"request-id": "2b0f874e-3544-4ee2-a430-5c1fd38cef99",
"client-request-id": "b38f7c76-454c-448c-891c-5130b484369a"
}
}
}
Get-MgBetaEntitlementManagementAccessPackage_Get: User is not authorized to perform the operation. Reason: Unauthorized
Status: 403 (Forbidden)
ErrorCode: UnAuthorized
Date: 2025-12-16T17:41:39
Headers:
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 2b0f874e-3544-4ee2-a430-5c1fd38cef99
client-request-id : b38f7c76-454c-448c-891c-5130b484369a
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"SJ1PEPF00001D38"}}
Date : Tue, 16 Dec 2025 17:41:39 GMT
Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - Get-MgBetaEntitlementManagementAccessPackage end processing.
### Configuration
PS C:\> $PSVersionTable
Name Value
---- -----
PSVersion 7.5.4
PSEdition Core
GitCommitId 7.5.4
OS Microsoft Windows 10.0.26200
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Other information
No response
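The reproduction step above compares one SDK version by hand. The following PowerShell script is an added triage example (it is not part of the original report or of the Graph SDK) that runs the same cmdlet against the last-known-good and first-known-bad module versions from the report, each in its own pwsh process, and also sends the identical beta URL through Invoke-MgGraphRequest with the same token, so a cmdlet-level regression can be told apart from a token- or authorization-level one. It assumes both module versions are installed side by side with Install-Module -RequiredVersion, that the signed-in account holds the Identity Governance Administrator role and is not a catalog owner, and that the $AccessPackageId parameter is replaced with a real access package ID from your tenant.

```powershell
# Added triage script, not part of the original issue or the Graph SDK.
# Assumptions: each version in $Versions was installed with
#   Install-Module Microsoft.Graph.Beta.Identity.Governance -RequiredVersion <v> -Force
# the caller is an Identity Governance Administrator and NOT a catalog owner,
# and $AccessPackageId is a real access package in the tenant (placeholder here).
param(
    [Parameter(Mandatory)] [string] $AccessPackageId,
    # last-known-good and first-known-bad versions named in the report
    [string[]] $Versions = @('2.25.0', '2.28.0')
)

foreach ($v in $Versions) {
    # A fresh pwsh per version avoids assembly version conflicts between
    # two SDK versions loaded into one session. Output comes back to the
    # parent shell as deserialized objects.
    pwsh -NoProfile -Command {
        param($Version, $AccessPackageId)
        $ErrorActionPreference = 'Stop'

        # Pin the auth module and the beta module to the same SDK version
        Import-Module Microsoft.Graph.Authentication -RequiredVersion $Version
        Import-Module Microsoft.Graph.Beta.Identity.Governance -RequiredVersion $Version
        Connect-MgGraph -Scopes 'EntitlementManagement.Read.All' -NoWelcome

        $ctx = Get-MgContext
        $out = [ordered]@{
            SdkVersion = $Version
            Account    = $ctx.Account
            AuthType   = $ctx.AuthType
        }

        # 1. The generated cmdlet from the report
        try {
            $null = Get-MgBetaEntitlementManagementAccessPackage -AccessPackageId $AccessPackageId
            $out.Cmdlet = 'OK'
        } catch {
            $out.Cmdlet = $_.Exception.Message
        }

        # 2. The same beta endpoint with the same token, bypassing the generated
        #    cmdlet. If this also fails only on the newer version, the difference
        #    lies in the token or the request the SDK sends, not in the cmdlet.
        $uri = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/$AccessPackageId"
        try {
            $null = Invoke-MgGraphRequest -Method GET -Uri $uri
            $out.RawRequest = 'OK'
        } catch {
            $out.RawRequest = $_.Exception.Message
        }

        [pscustomobject]$out
    } -args $v, $AccessPackageId
}
```

Run it as `.\Compare-IgaSdkVersions.ps1 -AccessPackageId <guid>` (the script name is a placeholder). One row per version is returned; a row with `Cmdlet` and `RawRequest` both reporting the 403 only for 2.28.0 points at what the newer SDK puts in the token or request, while a row where only `Cmdlet` fails points at the generated cmdlet itself. Each run's `-Debug` output still carries the `request-id`, which is what Microsoft support needs to trace the Forbidden response on the service side.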