
Hi,

we have created a new datasource for Azure Active Directory (Entra ID) via the “CData ADO.NET Provider for Azure Active Directory 2022”.

The sync task runs OK, but the transfer task keeps giving a "completed with error" signal. I have discussed this error with a consultant and a system/authorization specialist, but we cannot get it right. The error we are getting is (first part of the error):

Executing table azuread_users:

failed with error:

System.Data.CData.AzureAD.AzureADException (0x80004005): [500] Could not execute the specified command: [Authentication_RequestFromUnsupportedUserRole] User is not in the allowed roles.  ---> cjo220x.BG: [Authentication_RequestFromUnsupportedUserRole] User is not in the allowed roles.  ---> cjo220x.Qt: [Authentication_RequestFromUnsupportedUserRole] User is not in the allowed roles.

Please advise us how to handle this.


Thank you in advance,

Bob van Ierssel

Hi @Bob, I have created a support ticket for this.


Please see CData's response below:
"Thank you for reaching out.

Sorry to hear that you are facing issues using our Azure Active Directory ADO.NET connector. I investigated the log file that you have provided and from there noticed the error {"code":"Authentication_RequestFromUnsupportedUserRole","message":"User is not in the allowed roles"} being thrown. Looking deeper in the log file, I noticed that you were able to get data from all tables except the Users one, where this error message was thrown. Typically this error message is thrown due to permissions or roles missing for the authenticated user. I did some tests executing the same query against the Users table: SELECT [id], [displayName], [employeeId], [isManagementRestricted], [jobTitle], [mail], [onPremisesUserPrincipalName], [preferredLanguage], [signInActivity_lastSuccessfulSignInDateTime], [signInActivity_lastSuccessfulSignInRequestId], [userPrincipalName], [cloudClipboard_id], [solutions_id] FROM [AzureAD]..[Users], authenticating with a user who was missing roles, and was able to reproduce the same error message. It seems that this error is thrown due to the user not having all the necessary roles assigned to get information regarding the user's signInActivity. After some research, I found out that if the Global Reader role is added as an assigned role for the user you are authenticating with, you will also be able to get data regarding the signInActivity.

I tried adding that, and the above-mentioned query was executed successfully this time. So, in this situation, this is what I would also suggest to you: check the user's assigned roles and, if he is missing anything, add the necessary one."


Hi Christian,

our DSA stated that the Global Reader role has too much authorisation. Instead he gave me the "Reports Reader" role. I tested this and the task completed without errors. In this case the "Reports Reader" role can be a safer alternative.


Kind regards,

Bob
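As an added example (not part of this thread or of CData's product), the following Microsoft Graph PowerShell snippet performs the check the thread converges on: it lists the Entra ID directory roles held by the account the provider authenticates with and reports whether the least-privilege option found here (Reports Reader) or the broader Global Reader is assigned. It assumes the Microsoft.Graph module is installed, the placeholder UPN is replaced, and the Graph scopes named in the script are sufficient to read role membership in your tenant.

```powershell
# Added example, not from the thread: audit the directory roles of the account
# that the CData Azure AD provider authenticates with.
# Assumption: Microsoft.Graph PowerShell module installed; scopes below are assumed
# sufficient for reading a user's memberOf in this tenant.
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All" -NoWelcome

$upn  = "svc-datasync@contoso.example"   # placeholder: the authenticating account
$user = Get-MgUser -UserId $upn

# memberOf returns groups, administrative units and directory roles;
# keep only the directory roles and extract their display names.
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

"Directory roles held by ${upn}:"
$roles | ForEach-Object { "  - $_" }

# Evaluate against the two roles the thread found sufficient for signInActivity.
if ($roles -contains 'Reports Reader') {
    "OK: Reports Reader is assigned (the least-privilege option from the thread)."
}
elseif ($roles -contains 'Global Reader') {
    "WARNING: Global Reader is assigned; broader than this sync needs. Consider Reports Reader."
}
else {
    "MISSING: neither Reports Reader nor Global Reader is assigned; expect " +
    "Authentication_RequestFromUnsupportedUserRole on signInActivity columns."
}
```

Note that memberOf only reflects active, directly assigned roles; an eligible PIM assignment that has not been activated will not appear and will still produce the error.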

