EXOManagementRoleAssignment: Unable to set RecipientAdministrativeUnitScope via an AU DisplayName #2708

Closed
Borgquite opened this issue Dec 21, 2022 · 1 comment · Fixed by #2737 or #2745

Comments

@Borgquite
Contributor

Details of the scenario you tried and the problem that is occurring

Trying to set up the following:

  • An Azure Active Directory Administrative Unit
  • With a mail-enabled security group
  • Which has the 'Mail Recipients' management role over the recipients assigned to the AU

However, the *-ManagementRoleAssignment cmdlets used by this resource require an AdministrativeUnitIdParameter in order to operate - this is system-generated, so currently this is not feasible using DSC.

See sample configuration file below (NB may need to create AU yourself until #2706 is resolved)

Verbose logs showing the problem

VERBOSE: [COMPUTERNAME]: LCM: [ Start Resource ] [[EXOManagementRoleAssignment]AssignManagementRole]
VERBOSE: [COMPUTERNAME]: LCM: [ Start Test ] [[EXOManagementRoleAssignment]AssignManagementRole]
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Testing Management Role Assignment for MyManagementRoleAssignment
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Getting Management Role Assignment for MyManagementRoleAssignment
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Current Values: Credential=; Ensure=Absent; Name=MyManagementRoleAssignment; RecipientAdministrativeUnitScope=Test-Unit; Role=Mail Recipients; SecurityGroup=Test-Group; Verbose=True
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Target Values: Credential=; Ensure=Present; Name=MyManagementRoleAssignment; RecipientAdministrativeUnitScope=Test-Unit; Role=Mail Recipients; SecurityGroup=Test-Group; Verbose=True
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Test-TargetResource returned False
VERBOSE: [COMPUTERNAME]: LCM: [ End Test ] [[EXOManagementRoleAssignment]AssignManagementRole] in 1.0220 seconds.
VERBOSE: [COMPUTERNAME]: LCM: [ Start Set ] [[EXOManagementRoleAssignment]AssignManagementRole]
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Setting Management Role Assignment for MyManagementRoleAssignment
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Getting Management Role Assignment for MyManagementRoleAssignment
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Management Role Assignment'MyManagementRoleAssignment' does not exist but it should. Create and configure it.
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Returning precomputed version info: 3.0.0
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] POST with -1-byte payload
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Query 1 failed.
VERBOSE: [COMPUTERNAME]: [[EXOManagementRoleAssignment]AssignManagementRole] Getting message from error object |Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|Couldn't find administrative unit "Test-Unit". Make sure you have typed the identifier correctly.
    + CategoryInfo : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : [Server=CWLP265MB1059,RequestId=0c5c1417-f779-6e02-661b-427475744a2a,TimeStamp=Wed, 21 Dec 2022 17:43:58 GMT],Write-ErrorMessage
    + PSComputerName : localhost
VERBOSE: [COMPUTERNAME]: LCM: [ End Set ] [[EXOManagementRoleAssignment]AssignManagementRole] in 1.2190 seconds.
The PowerShell DSC resource '[EXOManagementRoleAssignment]AssignManagementRole' with SourceInfo
'C:\Users\user.name\Documents\MAFINT Azure AD Automation\DscConfigurations\Example.ps1::24::9::EXOManagementRoleAssignment'
threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the
ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName : localhost
VERBOSE: [COMPUTERNAME]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName : localhost

Suggested solution to the issue

It ought to be fairly simple work to convert between the ID and DisplayName (which appears to be the user-configurable 'key' for AUs) inside the script, with the output for Get and inputs for Test and Set, using either Get-MgAdministrativeUnit or Get-MgAdministrativeUnitById

The DSC configuration that is used to reproduce the issue (as detailed as possible)

$credsCredential = Get-Credential

Configuration Example
{
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADAdministrativeUnit 'TestUnit'
        {
            Credential  = $credsCredential;
            DisplayName = "Test-Unit";
            Ensure      = "Present";
        }
        EXODistributionGroup 'MailEnabledSecurityGroup'
        {
            Credential = $credsCredential;
            Name       = "Test-Group";
            Alias      = "Test-Group";
            Type       = "Security";
            Ensure     = "Present";
        }
        EXOManagementRoleAssignment 'AssignManagementRole'
        {
            Credential                       = $credsCredential;
            Ensure                           = "Present";
            Name                             = "MyManagementRoleAssignment";
            Role                             = "Mail Recipients";
            SecurityGroup                    = "Test-Group";
            RecipientAdministrativeUnitScope = "Test-Unit"
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

Example -ConfigurationData $cd

The operating system the target node is running

OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-GB
OsMuiLanguages : {en-GB, en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

1.22.1214.1
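
The DisplayName-to-Id conversion suggested in the issue, sketched as an added PowerShell example (not code from the issue author or from Microsoft365DSC). The function name `Resolve-AdministrativeUnitScope`, its parameters and the sample GUIDs are hypothetical; it assumes display names are not guaranteed to be unique, so it refuses zero or multiple matches instead of scoping the role assignment to an arbitrary unit.

```powershell
# Added example: hypothetical helper, not Microsoft365DSC code.
function Resolve-AdministrativeUnitScope
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        # DisplayName or Id (GUID) exactly as written in the DSC configuration.
        [Parameter(Mandatory = $true)]
        [System.String]
        $Scope,

        # Objects exposing Id and DisplayName; in a tenant this would be the
        # output of the Get-MgAdministrativeUnit cmdlet named in the issue.
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [System.Object[]]
        $AdministrativeUnits
    )

    $parsed = [System.Guid]::Empty
    if ([System.Guid]::TryParse($Scope, [ref]$parsed))
    {
        # Caller already supplied an Id: confirm that it exists.
        $found = @($AdministrativeUnits | Where-Object { $_.Id -eq $Scope })
    }
    else
    {
        $found = @($AdministrativeUnits | Where-Object { $_.DisplayName -eq $Scope })
    }

    # Fail closed: a missing or ambiguous name must never select an AU by chance.
    if ($found.Count -ne 1)
    {
        throw "Expected exactly one administrative unit for '$Scope', found $($found.Count)."
    }
    return [System.String]$found[0].Id
}

# Constructed sample data (placeholder GUIDs, not from a real tenant).
$sampleUnits = @(
    [PSCustomObject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Test-Unit' }
    [PSCustomObject]@{ Id = '22222222-2222-2222-2222-222222222222'; DisplayName = 'Shared' }
    [PSCustomObject]@{ Id = '33333333-3333-3333-3333-333333333333'; DisplayName = 'Shared' }
)

Resolve-AdministrativeUnitScope -Scope 'Test-Unit' -AdministrativeUnits $sampleUnits
try { Resolve-AdministrativeUnitScope -Scope 'Shared' -AdministrativeUnits $sampleUnits }
catch { Write-Warning $_.Exception.Message }
```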

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Jan 3, 2023
@Borgquite
Contributor Author

@NikCharlebois Fix seems to have done the job perfectly for me - many thanks :)
