-
Notifications
You must be signed in to change notification settings - Fork 517
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue leveraging CredentialsWithApplicationId Authentication Type #1761
Comments
What kind of authentication are you planning to use? Do you want to authenticate as an Application or a User?
Both will not work. |
For more details review these examples: https://microsoft365dsc.com/user-guide/cmdlets/Export-M365DSCConfiguration/#examples |
The short answer to that question is, I've tried both without success. Each method I have attempted has resulted in a number of issues retrieving some (or all) data due to a combination of access and/or scope issues. As for the long answer: We have a large number of tenant environments that we would like to leverage Microsoft365DSC for in order to export their configuration data. Whatever the default Application utilized by Microsoft365DSC on an individual tenant does not have the necessary scopes configured in order to export all of the workflows we are interested in. If this were only one or two clients, then configuring an application within each tenant with the necessary scopes would normally not be a problem, but as we have upwards of 600+ tenant environments that we are looking to target, you can see how this would not really be practical. This lead me to looking into executing a similar workflow to how we are currently exporting tenant data via the GraphAPI, using a combination of the tenants' Global Admin credentials along with an AppId of an administrative application (created on the CSP side) to generate an accessToken/refreshToken pair for each individual tenant for authentication against the GraphAPI. This ideally is the same workflow that the CredentialsWithApplicationId authentication piece is performing (which is present in M365DSCUtil.psm1) but not currently utilized. Example of Credential based authentication
Application based authentication Example
|
Thank you for the additional details on this topic. CredentialsWithApplicationId is supported for MS Graph cmdLets. All other workloads that do not use Microsoft graph would fall back to using user authentication. When registering your custom AAD Application you would need to request certain permissions for accessing the Microsoft Graph. If you do not specify an application ID, the default MS Graph PowerShell Application ID would be used. You can request the necessary permission for the graph api by calling Update-M365DSCAllowedGraphScopes with the matching parameters. |
Thanks for the follow up Andi. I appreciate the help here, but I apologize and hope you can bare with me as I am still a bit confused as to what workflows are actually supported and how these differ from what I am trying to do... Based on what you said in your previous message, the CredentialsWithApplicationId authentication IS supported, but only workflows that utilize MS Graph cmdlets. Any other specified workflows that are included in the export command that do not use the MS Graph cmdlets should fallback to user authentication utilizing the credential object specified to complete the export of said workflow(s). If these statements are accurate, then what I am attempting to do should work, as I am supplying a valid set of Global Admin credentials along with an AppId corresponding to a custom application which has the necessary permissions/scopes configured. Ideally, this should be no different than if the default MS Graph PowerShell App was used (assuming it was setup with the necessary scopes) except I am including the AppId in the command which seems to take the logic for a spin attempting to figure out what authentication method should be used, which ultimately fails and hence the error in my first post:
Based on what you have said, along with how the logic setup to handle this authentication method in M365DSCUtil.psm1, is this something that will only work currently when no AppId is provided? In other words, is this only "supported" when the default MS Graph PowerShell App is used and not a custom application...? If this is indeed the case, then supporting the use of a custom application should be a simple add as the only real difference here are would be the logic specifying what information is passed off to the MSCloudLoginAssistant to generate the accessToken for MS Graph. |
Hi @SGalazzo, so if I understand correctly: Your suggestion is to allow both to be specified and the code first exporting the resources using the Service Principal, filtering out resources that don't support that option. And then continue with those resources, using the specified Credentials. Am I correct? |
@ykuijs, yes that is correct. I believe many individuals will find themselves situations where they will be interested in exporting a combination of data and settings for various resources just to find themselves unable to do because of the provided authentication method(s). This would then require multiple differing commands to be executed in order to query all relevant information and then consolidation of the data would have to be done leading to more overhead and administrative burden. This would especially be true if you are looking to do this on a substantial number of tenant instances, so by supporting multiple authentications I believe this could save people a lot of headaches. |
I am currently working on adding support for multiple authentication methods to the Export functionality. See #1759 (comment) for more information. Currently testing some last items before I can create the PR. @SGalazzo, do you have the possibility to help test these updates using the following test version of Microsoft365DSC: If so:
Let me know if you encounter any issues/bugs/errors/etc! |
My apologies, I just recently had to recreate my lab environment as part of some other on-going projects so I am a little late getting back to this. Thank you @ykuijs that is great news! I'm very excited! As for testing, I can definitely help assist. I have downloaded the test version provided and will look to perform some tests between this week & next to provide any feedback. |
Just a bit of an update to keep the channel here open; I have done a bit of testing with the provided version and have noticed a few things... Unfortunately however, I will likely have to make a follow-up post here with the details, but for now I wanted to at least provide some sort of update. In my on and off testing I noticed the logic seemingly working generally well for picking the best matched authentication method based on the resource and available methods, but it still seems like the logic contained within the New-M365DSCConnection function located in the M365DSCUtil.psm1 for determining the available methods based on the input parameters seems flawed (at least as far as some of the GraphAPI calls go). At a high level, what I am is seeing is when you supply Credentials, TenantId, ApplicationId, and an ApplicationSecret, the logic taken once the code reaches the New-M365DSCConnection command will lose the Credentials from $InboundParameters and only contain TenantID, AppId, and Application secret thus resulting in the ServicePrincipalWithSecret method being selected. While this is a problem, this also is separate from the initial issues I had where CredentialsWithApplicationId would never be selected as an authentication type due to the way the logic is written in the New-M365DSCConnection command as the upper level elseif statement it is encapsulated if Credentials are present and ApplicationId is missing where as it expects the ApplicationId to present. I apologize again for the minimal detail here, but I will try and get a follow-up with some more code-snippets and screenshots soon to help provide some more insight. |
The improved Export method has been merged in PR #2230 and is include in v1.22.831.1. With that change you can specify multiple authentication methods and the code picks the most secure one supported by each resource and uses that to export the resource. Please go ahead and test if this now works for you. Closing this issue now |
Details of the scenario you tried and the problem that is occurring
Performing an
Export-M365DSCConfiguration
with a credential object and AppId combination, in an attempt to export data via the CredentialsWithApplicationId authentication type, fails with a"Could not determine authentication method"
error.Verbose logs showing the problem
Suggested solution to the issue
The Inbound parameters that get passed down to the underlying code in
M365DSCUtil.psm1
contain both the Credential Object and AppId, but due to the nature of how the logic is setup, the code will error out before ever reaching the necessary return statement.The upper-level
elseif
statement checks to ensure there is a credential object, but expects the ApplicationId, TenantId, and CertificateThumbprint to be all null or empty. The nestedif
statement (that we are looking to trigger) looks for an "ApplicationId" in the InboundParameters along with that ApplicationId not being empty-- a logic that will never trigger give its positioning within the upper-levelelseif
statement stating the ApplicationId should be null or empty.By modifying the default
M365DSCUtil.psm1
and moving the previously nestedif
statement into a separateelseif
statement with modified logic above allows for the expected behavior.Example success after modifying
M365DSCUtil.psm1
As I am not intimately familiar with all of the various authentication types and the logic within the Microsoft365DSC module to accommodate for them, the "fix" provided here may be over simplified. For the case of testing and verifying this issue it does work however, someone more familiar with these layers might be able to propose a more elegant solution.
The operating system the target node is running
OsName : Microsoft Windows Server 2016 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 14393.4583.amd64fre.rs1_release.210730-1850
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version of the DSC module that was used ('dev' if using current dev branch)
1.22.119.1
1.22.202.1
1.22.209.1
The text was updated successfully, but these errors were encountered: