Get-MgBetaNetworkAccessForwardingPolicyRule Returns 200 OK with Empty Value [] for Policies with Existing Rules #3358

@ggilmoreAtWork

Describe the bug

When querying for the rules of a specific, valid forwarding policy ID using Get-MgBetaNetworkAccessForwardingPolicyRule, the Graph API successfully returns a 200 OK status code. However, the body of the response incorrectly contains an empty value array ("value": []), even when the policy has numerous rules (application segments) visible in the Microsoft Entra admin center.

This behavior makes it impossible to automate the enumeration of all FQDNs and IP ranges within Private Access, as the API is not returning the configured data.

Expected behavior

List the rules for the policy? Display the IP and FQDN, possibly the Ports and protocol.

How to reproduce

Connect-MgGraph -Scopes "NetworkAccess.Read.All"
# Get all policies and select one for testing
$policies = Get-MgBetaNetworkAccessForwardingPolicy | Where-Object { $_.TrafficForwardingType -eq 'private' }
$testPolicyId = $policies[0].Id
Get-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $testPolicyId

SDK Version

2.29.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

DEBUG: [CmdletBeginProcessing]: - Get-MgBetaNetworkAccessForwardingPolicyRule begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [AccessReview.Read.All, Application.Read.All, AuditLog.Read.All, Calendars.Read, Calendars.Read.Shared, Channel.ReadBasic.All, ConsentRequest.Read.All, DelegatedPermissionGrant.Read.All, Device.ReadWrite.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Domain.ReadWrite.All, email, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All, GroupMember.ReadWrite.All, IdentityRiskyUser.ReadWrite.All, Mail.Read, NetworkAccess.Read.All, openid, profile, Team.ReadBasic.All, User.Read, User.Read.All, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/networkAccess/forwardingPolicies/88de4bbf-27fc-46b8-b926-87f7e4e896b7/policyRules

Headers:
FeatureFlag                   : 00000003
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26200; en-US),PowerShell/2025.2.0
SdkVersion                    : graph-powershell-beta/2.29.0
client-request-id             : 99b91890-3907-4b0f-ac87-9a80f4711f25
Accept-Encoding               : gzip,deflate,br

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Date                          : Thu, 10 Jul 2025 05:08:21 GMT
Transfer-Encoding             : chunked
Connection                    : keep-alive
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 972d1873-7839-4cfd-940d-b77f366ffd03
client-request-id             : 99b91890-3907-4b0f-ac87-9a80f4711f25
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"MWH0EPF0009A7D2"}}
OData-Version                 : 4.0
X-Cache                       : CONFIG_NOCACHE

Body:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#networkAccess/forwardingPolicies('88de4bbf-27fc-46b8-b926-87f7e4e896b7')/policyRules",
  "value": []
}


DEBUG: [CmdletEndProcessing]: - Get-MgBetaNetworkAccessForwardingPolicyRule end processing.

Configuration

  • OS: Windows 11 25H2 (OS Build 26200.5670)
  • x64
  • PowerShell 7.5.2 and 5.1

Other information

Get-MgBetaNetworkAccessForwardingPolicy -Filter "TrafficForwardingType eq 'private'" | fl

Also reflects blank PolicyRules:

Description           : This policy represents application segment configuration on appId
                        ed26595d-2982-4862-99da-342c53a26a5e
Id                    : a56c642a-4811-4dda-a4ee-265866c048b8
Name                  : Private Access Policy for App ed26595d-2982-4862-99da-342c53a26a5e
PolicyRules           :
TrafficForwardingType : private
Version               : 1.0.0
AdditionalProperties  : {}
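
For inventory or audit scripts built on this cmdlet, the following added example (not from the issue author or the SDK) reports a private policy that returns zero rules as unverified rather than as having no application segments. The function name, the `-RuleSource` parameter, the status values and the sample data are assumptions made for the illustration.

```powershell
# Added example: Get-ForwardingRuleCoverage, -RuleSource and the Status values
# are hypothetical names, not part of the Microsoft Graph PowerShell SDK.
function Get-ForwardingRuleCoverage {
    param(
        # Policy objects with Id, Name and TrafficForwardingType, as returned by
        # Get-MgBetaNetworkAccessForwardingPolicy.
        [Parameter(Mandatory)] [object[]] $Policy,
        # Script block that returns the rules for one policy Id.
        [scriptblock] $RuleSource = {
            param($Id)
            Get-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $Id -ErrorAction Stop
        }
    )
    foreach ($p in $Policy | Where-Object { $_.TrafficForwardingType -eq 'private' }) {
        try {
            $rules = @(& $RuleSource $p.Id)
            # A 200 OK with "value": [] arrives here as zero rules. Record it as
            # unverified, never as "this policy exposes nothing".
            $status = if ($rules.Count -gt 0) { 'Enumerated' } else { 'EmptyUnverified' }
        }
        catch {
            $rules  = @()
            $status = 'Error'
        }
        [pscustomobject]@{
            PolicyId   = $p.Id
            PolicyName = $p.Name
            RuleCount  = $rules.Count
            Status     = $status
        }
    }
}

# Constructed sample data (not from a real tenant) so the function runs offline.
$samplePolicies = @(
    [pscustomobject]@{ Id = 'policy-a'; Name = 'Sample private A'; TrafficForwardingType = 'private' }
    [pscustomobject]@{ Id = 'policy-b'; Name = 'Sample private B'; TrafficForwardingType = 'private' }
    [pscustomobject]@{ Id = 'policy-c'; Name = 'Sample internet';  TrafficForwardingType = 'internet' }
)
$sampleRules = @{ 'policy-a' = @([pscustomobject]@{ Id = 'rule-1'; Name = 'Sample rule' }); 'policy-b' = @() }

$report = Get-ForwardingRuleCoverage -Policy $samplePolicies -RuleSource { param($Id) $sampleRules[$Id] }
$report | Format-Table -AutoSize

# Flag the inventory as incomplete instead of publishing a short list.
$unverified = @($report | Where-Object Status -ne 'Enumerated')
if ($unverified.Count -gt 0) {
    Write-Warning "$($unverified.Count) private policies returned no rules or failed; inventory is incomplete."
}
```

Against a tenant, omit `-RuleSource` and pass the output of `Get-MgBetaNetworkAccessForwardingPolicy` as `-Policy`; the default script block calls the cmdlet exactly as in the reproduction steps.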

Labels: status:waiting-for-triage (An issue that is yet to be reviewed or assigned), type:bug (A broken experience)
