
AADTenantDetails: Can not set tenant details #2340

Closed
mario-beeler opened this issue Sep 27, 2022 · 19 comments · Fixed by #2353
Assignees
Labels
Authentication Bug Something isn't working Entra ID

Comments

@mario-beeler

I tried to update the "technical contact" in "AADTenantDetails". So I exported the resource "AADTenantDetails" with application secret, which should work for AzureAD settings. The export works fine and I could also generate the MOF-Files with different ConfigurationData, so I could test the import on two different tenants. On both tenants we have the app registration with application secret with the following permissions:
image

So if the tenant is in the desired state, the configuration runs without an error. If it is not in the desired state and should set the "TechnicalNotificationMails", I get the information "Cannot Set AzureAD Tenant Details":
image

Do you know why I get this error? I checked with "Get-M365DSCCompiledPermissionList" to get the permissions which I set on the app registration.

Thank you for your help.

@mlhickey
Contributor

For perms validation you might try:

Connect-M365Tenant -Workload MicrosoftGraph {authentication parameters}
(Get-MgContext).Scopes

to see what effective perms the service is seeing.
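The check above, turned into a reusable function as an added example (this is not code from the thread or from the Microsoft365DSC project): it reads the scopes the current Graph session actually carries via `Get-MgContext` and reports which of a required set are missing. The function name `Test-RequiredGraphScopes` is mine; it assumes a session already opened with `Connect-M365Tenant -Workload MicrosoftGraph` (or `Connect-MgGraph`) and the `Microsoft.Graph.Authentication` module. The two `Organization.*` scopes are the ones named later in this thread for AADTenantDetails.

```powershell
# Added example: compare the effective scopes of the current Graph session with the
# scopes a resource needs, so a missing role is found before running the DSC config.
# Assumes an existing session (Connect-M365Tenant -Workload MicrosoftGraph ...).
function Test-RequiredGraphScopes {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredScopes
    )

    $ctx = Get-MgContext
    if (-not $ctx) {
        throw 'No Microsoft Graph session. Run Connect-M365Tenant -Workload MicrosoftGraph first.'
    }

    # With app-only auth (secret/certificate) .Scopes holds the consented application
    # roles; with delegated auth it holds the delegated permissions. Either way this
    # is what the service sees, not what is merely configured on the app registration.
    $effective = @($ctx.Scopes)

    # Plain set difference: every required scope must appear literally in the session.
    $missing = @($RequiredScopes | Where-Object { $effective -notcontains $_ })

    [pscustomobject]@{
        # AuthType is assumed to be 'AppOnly' or 'Delegated' on the MgContext object.
        AuthType  = $ctx.AuthType
        TenantId  = $ctx.TenantId
        Effective = $effective
        Missing   = $missing
        Ok        = ($missing.Count -eq 0)
    }
}

# Organization.Read.All is enough for Get/Test; the Set (update) path also needs
# Organization.ReadWrite.All, which is the role that turned out to be missing here.
Test-RequiredGraphScopes -RequiredScopes @('Organization.Read.All', 'Organization.ReadWrite.All')
```

Run it once after connecting with the same parameters the export or configuration will use; if `Missing` is non-empty, the fix belongs on the app registration (permission plus admin consent) or in `Update-M365DSCAllowedGraphScopes`, not in the resource.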

@mario-beeler
Author

image
As I see in the picture, "Organization.ReadWrite.All" is missing. Is that the point, and do I have to set the permission on the App registration and on MgGraph?

@mlhickey
Contributor

mlhickey commented Sep 27, 2022

Yes - that's the required perm for updates
image

@mario-beeler
Author

So I updated the AllowedGraphScopes with "Update-M365DSCAllowedGraphScopes -ResourceNameList @('AADTenantDetails') -Type 'Update'" and then the Scopes are like that:
image
(It is another tenant, that's why there are other permissions than in Screenshot 1.)

I have now "Organization.Read.All" and "Organization.ReadWrite.All" but still have the same error:
image

@andikrueger
Collaborator

Just had a look through the issue list and it looks like we had a similar issue with this resource #1799. There was another issue too, in regards to certificate based auth.

I was able to use this resource recently using credentials. Could you check if this is possible for you as well?

@mario-beeler
Author

I tried it now using Credentials. The problem is, I just have Users configured with MFA which I can use to set this AADTenantDetail. When I tried now just to Test it, I get this error. But you see I checked the Graph Scopes:

image

Tried it again on two different tenants and get the same error. But on both tenants I have just users with MFA.

@andikrueger
Collaborator

Could you log in to your tenant using the app authentication and run the following update cmdlet:

Connect-MGGraph
Update-MgOrganization {YOUR PARAMETERS}

@andikrueger andikrueger added Bug Something isn't working Entra ID Authentication labels Sep 28, 2022
@mario-beeler
Author

I first tried it with the credential authentication, worked:
image

Then I tried it with the app authentication and set the TechnicalNotificationMails with Update-MgOrganization, which also worked fine:
image

@andikrueger
Collaborator

This is interesting and now even more complex to figure out what causes the issue.
Would you be able to run the configuration again and check if it is working now too?

@mario-beeler
Author

I tried it. I disconnected Graph and connected it again using the app authentication, exactly the same as I tested with "Update-MgOrganization". After exporting and testing the configuration I started the DSC configuration but still have the same error.

image

@andikrueger
Collaborator

This is very unfortunate. Did you close the PowerShell session or reuse the prior one?

@mario-beeler
Author

The only difference: Connect-MgGraph is with ID of TenantID and Export-M365DSCConfiguration is with FQDN of TenantID.

I reused the same Session where I was trying with Update-MgOrganization, before that I closed it. I can retry it with a complete new session.

@mario-beeler
Author

I have now done a completely new PowerShell session, used the FQDN of the TenantID to Connect-MgGraph with AppSecret and tried it again. It is still the same.

M365DSC is very new for me, so it can't be ruled out that I missed something. But I rechecked the configuration many times, that's why I came here. So thank you for your inputs!

@andikrueger
Collaborator

Did you grant admin consent for the app's permissions within the other tenants?

@mario-beeler
Author

Yes, I have an app registration with both permissions, Organization.Read.All and Organization.ReadWrite.All, and granted admin consent on both tenants.

@andikrueger
Collaborator

Could you please modify this line and add $_ to the end of the message, or add a new line for the detailed error.

The file is located within your PowerShell modules folder, Microsoft365DSC,…

Write-Verbose -Message 'Cannot Set AzureAD Tenant Details'

This should help to better understand the issue.

The test method succeeds and for this part authentication is working fine.
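As an added example of the debugging step suggested above (this is my code, not the Microsoft365DSC resource's Set method): the same organization update the resource performs, wrapped so that the catch block surfaces the real exception behind the bare "Cannot Set AzureAD Tenant Details" line. The function name `Set-TenantTechnicalContact` and the sample address are mine; it assumes an app-only Graph session already exists and that `Update-MgOrganization` (`Microsoft.Graph.Identity.DirectoryManagement`) accepts `-OrganizationId` and `-TechnicalNotificationMails`, which is how it was used earlier in this thread.

```powershell
# Added example: perform the tenant-details update with the underlying error exposed.
# Assumes Connect-MgGraph / Connect-M365Tenant has already run with app authentication.
function Set-TenantTechnicalContact {
    param(
        [Parameter(Mandatory)] [string[]] $TechnicalNotificationMails
    )

    try {
        # A tenant has exactly one organization object; its Id equals the tenant Id.
        # -ErrorAction Stop makes Graph failures terminating so the catch block runs.
        $org = Get-MgOrganization -ErrorAction Stop

        Update-MgOrganization -OrganizationId $org.Id `
            -TechnicalNotificationMails $TechnicalNotificationMails `
            -ErrorAction Stop

        Write-Verbose -Message "Updated TechnicalNotificationMails on tenant $($org.Id)"
        return $true
    }
    catch {
        # This is the detail the resource's verbose message hides: appending $_ shows
        # whether the failure is a missing role (403), a bad parameter, or something
        # local such as the ApplicationSecret not being passed through at all.
        Write-Verbose -Message "Cannot Set AzureAD Tenant Details: $_"
        Write-Verbose -Message ($_.Exception | Format-List -Force | Out-String)
        return $false
    }
}

# Constructed sample input; replace with the real technical contact address.
Set-TenantTechnicalContact -TechnicalNotificationMails @('it-contact@contoso.example') -Verbose
```

Running this with `-Verbose` in the same session that fails under DSC separates the two possibilities discussed in the thread: if the call succeeds here but the resource still fails, the problem is in how the resource builds its connection (as the screenshot later confirms for the application secret parameter), not in the tenant permissions.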

@mario-beeler
Author

I tried this:
image

@andikrueger andikrueger self-assigned this Sep 29, 2022
@andikrueger
Collaborator

Thanks for the screenshot. This clears it up. There is an issue with the parameter application secret.

Will look into it.

@mario-beeler
Author

Thank you very much andikrueger! I will be away from the computer the next days, so I will be online again on Monday.

@andikrueger andikrueger changed the title Can not set tenant details AADTenantDetails: Can not set tenant details Sep 29, 2022
andikrueger added a commit to andikrueger/Microsoft365DSC that referenced this issue Sep 29, 2022
3 participants