
New-MgSecurityAttackSimulation - endUserNotificationSetting properties seem to be broken #2770

Open
sc9246 opened this issue May 31, 2024 · 5 comments
sc9246 commented May 31, 2024

Describe the bug

Trying to create a new attack simulation with New-MgSecurityAttackSimulation, but once I introduce settings for endUserNotificationSetting, the cmdlet always errors with:

```text
{"Code":400,"Message":"Bad request","Target":null,"Details":[{"Code":400,"Message":"Parameter endUserNotificationId is not valid","Target":null,"Details":null,"InnerError":null}],"InnerError":null}

Status: 400 (BadRequest)
ErrorCode: UnknownError
```

If I set endUserNotificationSetting -> settingType = unknown, it ignores that property and everything under it, and the simulation creates OK. The issue seems to be no matter how I try to include notification settings, creation via Graph results in an error. Even using the documented creation from the MS KB does not work:

Expected behavior

Expect to be able to provide notification options to API/cmdlet, and have them work.

How to reproduce

Purged tenant data, apologies if I messed up formatting, but this should be a mostly complete example that will not work as is (unless changing endUserNotificationSetting = @{ settingtype = "unknown" }).

```powershell
[Microsoft.Graph.PowerShell.Models.IMicrosoftGraphSimulation]$newCampaignData = @{
# AND/OR just $newCampaignData = @{

    AttackTechnique = "credentialHarvesting"
    AttackType = "social"

    "payload@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/$($payloadID)"
    "landingPage@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/$($landingPageID)"
    "loginPage@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/$($loginPageID)"

    includedAccountTarget = @{
        "@odata.type" = "#microsoft.graph.addressBookAccountTargetContent"
        type = "addressBook"
        accountTargetEmails = $aryTargetUsers
    }

    TrainingSetting = @{
        # Even when this is set to "noTraining", fails.
        settingType = "microsoftManaged"
        trainingCompletionDuration = "fortnite"
    }

    endUserNotificationSetting = @{
        notificationPreference = "microsoft"
        # I have tried every supported value for this - setting to unknown lets this work, anything with training in the name fails.
        settingType = "noTraining"

        positiveReinforcement = @{
            # I've tried every combination I can figure out for enduserNotification data, but no matter what I

            # "endUserNotification@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/$($positiveNotificationID)"
            # endUserNotification = "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/$($positiveNotificationID)"
            # endUserNotification = ($allEndUserNotifications | where NotificationType -eq "positiveReinforcement") # This is a GET for the correct notification, containing all properties
            deliveryPreference = "deliverImmedietly"
            defaultLanguage = "en"
        }

        simulationNotification = @{
            targettedUserType = "compromised"
            "endUserNotification@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/$($simulationNotificationID)"
            defaultLanguage = "en"
        }
    }

    createdBy = @{ email = "[email protected]" }
    launchDateTime = (Get-Date)
    payloadDeliveryPlatform = "email"
    Description = $newCampaignName
    DisplayName = $newCampaignName
    DurationInDays = 2
    status = "draft"
}

New-MgSecurityAttackSimulation -BodyParameter $newCampaignData -ErrorAction Stop
```

SDK Version

No response

Latest version known to work for scenario above?

No response

Known Workarounds

Per above, tweaking this will make it work, but it ignores all notification options.

```powershell
    endUserNotificationSetting = @{
        notificationPreference = "microsoft"
        settingType = "unknown"
    }
```

Debug output


Configuration

No response

Other information

No response
@sc9246 sc9246 added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels May 31, 2024
@petrhollayms petrhollayms removed the status:waiting-for-triage An issue that is yet to be reviewed or assigned label Jun 3, 2024

petrhollayms commented Jun 3, 2024

Hi @sc9246 ,

Thanks for raising this! I see the metadata is there and it shall work.

Which SDK version are you using?
Can you please run the cmdlet with the -Debug parameter and share the output here? See Error handling and troubleshooting cmdlets | Microsoft Learn

Does the API call work when using Graph Explorer (if it works in your environment)?

@petrhollayms petrhollayms added the status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close label Jun 3, 2024

sc9246 commented Jun 3, 2024

Hi @petrhollayms - I did more testing over the weekend to try and get things working, but still cannot. The problem seems to exist for both the SDK and the API, but they behave differently.

  • The SDK always errors when I provide the endUserNotificationSetting properties, when settingType = trainingSelected.

  • The API doesn't always error, BUT it does not properly set the endUserNotificationSetting properties

  • SDK versions tried: 2.15.0, 2.19.0

  • SDK Debug output:

```text
DEBUG: [CmdletBeginProcessing]: - New-MgSecurityAttackSimulation begin processing with parameterSet 'Create'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: 'XXXXXXXXXX'.
DEBUG: [Authentication]: - Scopes: [AttackSimulation.Read.All, AttackSimulation.ReadWrite.All].

Confirm
Are you sure you want to perform this action?
Performing the operation "New-MgSecurityAttackSimulation_Create" on target "Call remote 'POST /security/attackSimulation/simulations' operation".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.microsoft.com/v1.0/security/attackSimulation/simulations

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.19043; en-US),PowerShell/2024.3.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.19.0
client-request-id             : abc32bbe-ece7-4314-9567-5db611d47ba3

Body:
Skipped: Content body was disposed before the logger could access it.

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 1f27ffcc-9f2c-4c33-9762-801f0bf34f10
client-request-id             : abc32bbe-ece7-4314-9567-5db611d47ba3
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"North Central US","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"CH01EPF0002EB25"}}
Date                          : Mon, 03 Jun 2024 10:41:39 GMT

Body:
{
  "error": {
    "code": "UnknownError",
    "message": "{\"Code\":400,\"Message\":\"Bad request\",\"Target\":null,\"Details\":[{\"Code\":400,\"Message\":\"Parameter endUserNotificationId is not valid\",\"Target\":null,\"Details\":null,\"InnerError\":null}],\"InnerError\":null}",
    "innerError": {
      "date": "2024-06-03T10:41:40",
      "request-id": "1f27ffcc-9f2c-4c33-9762-801f0bf34f10",
      "client-request-id": "abc32bbe-ece7-4314-9567-5db611d47ba3"
    }
  }
}
```

I built the data by using a manually created attack simulation as a reference. I took the exact same data supplied to the cmdlet above and posted it via Invoke-RestMethod, and also via the Graph Explorer API. I got an Accepted 202 response (both are the same). It did create the attack simulation, but it did not set any of the notification settings (it shows as "do not deliver notifications" in the UI portal).

  • JSON data used for POST:
```json
{
    "endUserNotificationSetting": {
        "@odata.type": "#microsoft.graph.endUserNotification",
        "trainingAssignment": {
            "deliveryFrequency": "unknown",
            "defaultLanguage": "en-us",
            "@odata.type": "#microsoft.graph.trainingReminderNotification"
        },
        "trainingReminder": {
            "deliveryFrequency": "weekly",
            "defaultLanguage": "en-us",
            "endUserNotification@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/f48f4cec-5ea2-4ca6-826a-40ac1378b5fe"
        },
        "settingtype": "trainingSelected",
        "positiveReinforcement": {
            "defaultLanguage": "en-us",
            "endUserNotification@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/endUserNotifications/39f2c7bb-0df5-44be-9c6b-e30403c0b845",
            "deliveryPreference": "deliverImmedietly",
            "@odata.type": "#microsoft.graph.positiveReinforcementNotification"
        },
        "notificationPreference": "microsoft"
    },
    "loginPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/b2b7c6de-e151-4687-b8a0-d5bc5ce03c1e",
    "AttackTechnique": "credentialHarvesting",
    "AttackType": "social",
    "payload@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/7101e020-0f5f-4e92-912d-43cd1f172716",
    "createdBy": {
        "email": "[email protected]"
    },
    "DisplayName": "AUTOMATION TESTING - June 2024 692",
    "TrainingSetting": {
        "settingType": "microsoftManaged",
        "trainingCompletionDuration": "fortnite",
        "@odata.type": "#microsoft.graph.trainingSetting"
    },
    "landingPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/1cdfcb49-1065-46a6-b1c3-672071e20a6b",
    "Description": "AUTOMATION TESTING - June 2024 692",
    "status": "draft",
    "payloadDeliveryPlatform": "email",
    "includedAccountTarget": {
        "accountTargetEmails": [
            "[email protected]"
        ],
        "type": "addressBook",
        "@odata.type": "#microsoft.graph.addressBookAccountTargetContent"
    },
    "DurationInDays": 2,
    "launchDateTime": "2024-06-03T06:40:07Z"
}
```
  • Simulation creates OK, all other settings are OK, but endUserNotificationSetting doesn't get set. Here is a GET of the property, for the newly created campaign. It ignored/reset endUserNotificationSetting:
```text
PS C:\> $Method
GET
PS C:\> $uri
https://graph.microsoft.com/v1.0/security/attacksimulation/simulations/fb299b82-1865-5db8-b22c-7a2908f1bd33/endUserNotificationSetting
PS C:\> $graphResponse | fl

@odata.context         : https://graph.microsoft.com/v1.0/$metadata#security/attackSimulation/simulations('fb299b82-1865-5db8-b22c-7a2908f1bd33')/endUserNotificationSetting
settingType            : noNotification
positiveReinforcement  :
notificationPreference : unknown
```

I could just be supplying the property incorrectly, but I've tried so many variations of what/how is included, and cannot get it to apply the settings. I've even tried leaving them unknown, and then PATCH'ing the enduserNotificationSetting, but it doesn't seem to be supported as an update parameter (no error but nothing changes).

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Jun 3, 2024

akgraph commented Jul 12, 2024

Hi,

I attempted to repro this error using the commandlet & graph explorer but was unsuccessful.

Attached JSON post data and the powershell script used for verifying.

astgraph.txt
graphexplorer.json

A few observations based on the JSON post data shared in the previous comment:

  1. When notification preference is "microsoft" there is no need to explicitly add the "endUserNotification@odata.bind" property again; default notifications will be used.
  2. "@odata.type": "#microsoft.graph.endUserNotification" should be microsoft.graph.endUserNotificationSetting.


damianscoles commented Aug 1, 2024

I was also having this issue and it looks like the key revolves around the URL for the various bits for payload, login page, landing page and end user notifications:

```text
payloads('02178408-41c4-48d1-9828-688db34fe881')"
loginPages('e88a15d4-2cd6-49b6-a0cf-67426bcd88b3')"
attacksimulation/landingPages('63556317-dc90-4a03-9918-317fa8d2592d')"
```

and in the End User Notification section:

```text
endUserNotifications('39f2c7bb-0df5-44be-9c6b-e30403c0b845')"
endUserNotifications('b1290929-bcbf-4c91-a7d9-0714cd0d7054')"
endUserNotifications('8ef49985-be7b-46c3-8541-c3dfa2b4a5a3')"
```

Basically, the URL was wrong and the GUID for the object called needed to be in quotes and then in parenthesis. Hope that makes sense. Bolding did not seem to work in my browser.
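The two client-side corrections raised in this thread (the `@odata.type` of `endUserNotificationSetting`, and not binding custom notifications when `notificationPreference` is `microsoft`) and the `collection('guid')` form of the `@odata.bind` URLs from the comment above can be checked before anything is posted. The script below is an added example, not code from the issue, its participants, or the Microsoft Graph PowerShell SDK project. It builds a simulation body with a small helper that refuses non-GUID ids, runs a pre-flight check for those pitfalls, and keeps a local copy of the JSON (the SDK's `-Debug` output above only reports that the body was disposed before it could be logged). Every GUID, name and address in it is a constructed placeholder, and whether the service then honours `trainingSelected` is exactly what the thread leaves open; the example only removes the mistakes the comments identify.

```powershell
# Added example (not from the issue thread or the Graph SDK). All ids, names and
# addresses are constructed placeholders; replace them with values from your tenant.

$graphBase = 'https://graph.microsoft.com/v1.0/security/attackSimulation'

# Build a "collection('guid')" reference URL. Anything that is not a GUID is rejected
# here so a typo fails locally instead of surfacing as an opaque 400 from the service.
function New-AstBindUrl {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('payloads', 'loginPages', 'landingPages', 'endUserNotifications')]
        [string]$Collection,
        [Parameter(Mandatory)][string]$Id
    )
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Id, [ref]$parsed)) {
        throw "'$Id' is not a GUID; expected the id of an existing item in $Collection."
    }
    return "$graphBase/$($Collection)('$($parsed.ToString())')"
}

# Pre-flight checks for the pitfalls discussed in this thread. Returns a list of
# problem descriptions; an empty list means the body passed.
function Test-AstSimulationBody {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Body)
    $problems = @()
    $eun = $Body['endUserNotificationSetting']
    if ($eun) {
        $type = $eun['@odata.type']
        if ($type -and $type -ne '#microsoft.graph.endUserNotificationSetting') {
            $problems += "endUserNotificationSetting/@odata.type is '$type'; expected '#microsoft.graph.endUserNotificationSetting'."
        }
        if ($eun['notificationPreference'] -eq 'microsoft') {
            foreach ($section in 'positiveReinforcement', 'simulationNotification', 'trainingAssignment', 'trainingReminder') {
                if ($eun[$section] -and $eun[$section].Contains('endUserNotification@odata.bind')) {
                    $problems += "$section binds a notification although notificationPreference is 'microsoft'; the default notification is used, so drop the bind."
                }
            }
        }
    }
    # Every top-level bind must use the collection('guid') form.
    foreach ($key in @($Body.Keys | Where-Object { $_ -like '*@odata.bind' })) {
        if ($Body[$key] -notmatch '/[A-Za-z]+\(''[0-9a-fA-F-]{36}''\)$') {
            $problems += "$key is not in collection('guid') form: $($Body[$key])"
        }
    }
    return $problems
}

$body = @{
    displayName             = 'Example simulation (placeholder)'
    description             = 'Example simulation (placeholder)'
    attackType              = 'social'
    attackTechnique         = 'credentialHarvesting'
    payloadDeliveryPlatform = 'email'
    durationInDays          = 2
    status                  = 'draft'
    launchDateTime          = (Get-Date).ToUniversalTime().ToString('o')
    'payload@odata.bind'     = New-AstBindUrl -Collection payloads     -Id '00000000-0000-0000-0000-000000000001'
    'loginPage@odata.bind'   = New-AstBindUrl -Collection loginPages   -Id '00000000-0000-0000-0000-000000000002'
    'landingPage@odata.bind' = New-AstBindUrl -Collection landingPages -Id '00000000-0000-0000-0000-000000000003'
    includedAccountTarget = @{
        '@odata.type'       = '#microsoft.graph.addressBookAccountTargetContent'
        type                = 'addressBook'
        accountTargetEmails = @('user@example.com')   # constructed placeholder recipient
    }
    trainingSetting = @{
        settingType                = 'microsoftManaged'
        trainingCompletionDuration = 'fortnite'      # enum value as the API spells it
    }
    endUserNotificationSetting = @{
        '@odata.type'          = '#microsoft.graph.endUserNotificationSetting'
        settingType            = 'trainingSelected'
        notificationPreference = 'microsoft'         # default notifications, hence no binds
        positiveReinforcement  = @{
            deliveryPreference = 'deliverImmedietly' # enum value as the API spells it
            defaultLanguage    = 'en-us'
        }
        trainingReminder = @{
            deliveryFrequency = 'weekly'
            defaultLanguage   = 'en-us'
        }
    }
}

$problems = Test-AstSimulationBody -Body $body
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the body before posting it.'
}

# Keep your own copy of the exact JSON being sent, since the SDK's -Debug logger cannot show it.
$json = $body | ConvertTo-Json -Depth 10
Set-Content -Path '.\simulation-body.json' -Value $json -Encoding utf8

# Post through either path; both need a connection holding AttackSimulation.ReadWrite.All.
# New-MgSecurityAttackSimulation -BodyParameter $body
# Invoke-MgGraphRequest -Method POST -Uri "$graphBase/simulations" -Body $json -ContentType 'application/json'
```

To see the checks fire, feed `Test-AstSimulationBody` the JSON from the earlier comment (converted with `ConvertFrom-Json -AsHashtable`): it reports the `#microsoft.graph.endUserNotification` type and the binds under a `microsoft` preference, which are the two points akgraph raised, plus the plain `/payloads/<guid>` URLs that the comment above replaces with the `payloads('<guid>')` form.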


sc9246 commented Oct 8, 2024

> Hi,
>
> I attempted to repro this error using the commandlet & graph explorer but was unsuccessful.
>
> Attached JSON post data and the powershell script used for verifying.
>
> astgraph.txt graphexplorer.json
>
> Few observations based on the JSON post data shared in previous comment:
>
> 1. When notification preference is "microsoft" there is no need to explicitly add "endUserNotification@odata.bind" property again, default notifications will be used.
>
> 2. "@odata.type": "#microsoft.graph.endUserNotification", this should be microsoft.graph.endUserNotificationSetting

Understood on changes - it was just throwing everything at it in an attempt to make things work. It would be great if documentation for the POST data, or cmdlet, were updated (nothing anywhere I can find ever mentions wrapping IDs in quotes and parenthesis).

The cmdlet is working with the very bare-bones notification setting. However, the main component of this I was trying to get working was also microsoftManaged training. I can take your example JSON to post, also my own, and send it via PowerShell/Graph Explorer and it does not error. However, it also does not do anything (always an accepted status and then nothing appears). Below is JSON for a POST that I would expect to work. This is for a direct API call so I did not use ('') around IDs, but I did try that as a test (same problem). Is there something else wrong here? Documentation for each piece makes it seem like this should work:

```json
{
    "endUserNotificationSetting": {
        "settingtype": "trainingSelected",
        "trainingAssignment": {
            "deliveryFrequency": "unknown",
            "defaultLanguage": "en-us"
        },
        "trainingReminder": {
            "deliveryFrequency": "weekly",
            "defaultLanguage": "en-us"
        },
        "positiveReinforcement": {
            "deliveryPreference": "deliverImmedietly",
            "defaultLanguage": "en-us"
        },
        "notificationPreference": "microsoft"
    },
    "loginPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/b2b7c6de-e151-4687-b8a0-d5bc5ce03c1e",
    "attackTechnique": "credentialHarvesting",
    "AttackType": "social",
    "payload@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/ae9fe55e-1e7e-4f8a-bef7-d82fd49ba6c8",
    "createdBy": {
        "email": "[email protected]"
    },
    "DisplayName": "AUTOMATION TESTING - October 2024 999",
    "TrainingSetting": {
        "settingType": "microsoftManaged",
        "trainingCompletionDuration": "fortnite"
    },
    "landingPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/1cdfcb49-1065-46a6-b1c3-672071e20a6b",
    "Description": "AUTOMATION TESTING - October 2024 999",
    "status": "draft",
    "payloadDeliveryPlatform": "email",
    "includedAccountTarget": {
        "accountTargetEmails": [
            "[email protected]"
        ],
        "type": "addressBook",
        "@odata.type": "#microsoft.graph.addressBookAccountTargetContent"
    },
    "DurationInDays": 14,
    "launchDateTime": "2024-10-08T14:19:12Z"
}
```
