EXOManagementRoleAssignment: Errors when managing a resource with RecipientAdministrativeUnitScope

[Borgquite]

Details of the scenario you tried and the problem that is occurring

Just so you know, trying to rely on this module feels like playing Whack-a-mole at present - every new bug or feature just breaks existing functionality. It would be a good idea to get some unit and integration tests soon, as an end-user it's incredibly frustrating... [/rant]

The fix #3064 and possibly #3046 appear to have actually broken the RecipientAdministrativeUnitScope functionality for EXOManagementRoleAssignment. Resources are marked as 'Absent' during the Test process but the Set process shows that they do actually exist

Verbose logs showing the problem

VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Resource ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Test     ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Testing Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Current Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Absent
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Target Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Present
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Test-TargetResource returned False
VERBOSE: [COMPUTERNAME]: LCM:  [ End    Test     ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]  in 6.7380 seconds.
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Set      ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Setting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Management Role Assignment'EXO SSD AU Mail Recipients Role' does not exist but it
should. Create and configure it.
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Returning precomputed version info: 3.1.0
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] POST
https://outlook.office365.com/adminapi/beta/22c6e8f7-a453-4d7f-a381-13ec6072b90f/InvokeCommand with -1-byte payload
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Query 1 failed.
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting message from error object
Ex17CDAE|Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException|Active Directory operation failed on
CWLP265A10DC005.GBRP265A010.PROD.OUTLOOK.COM. The object 'CN=EXO SSD AU Mail Recipients Role,CN=Role Assignments,CN=RBA
C,CN=Configuration,CN=tenantname.onmicrosoft.com,CN=ConfigurationUnits,DC=GBRP265A010,DC=PROD,DC=OUTLOOK,DC=COM'
already exists.
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : [Server=CWLP265MB4176,RequestId=e3926398-c54c-9689-9533-ad761af5cf60,TimeStamp=Wed, 19 A
   pr 2023 14:15:33 GMT],Write-ErrorMessage
    + PSComputerName        : localhost

VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Testing to ensure changes were applied.
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Testing Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Current Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Absent
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Target Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Present
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Test-TargetResource returned False
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Test-TargetResource returned False. Waiting for a total of 10 out of 120
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients

Suggested solution to the issue

There are a number of potential places which might be the cause in MSFT_EXOManagementRoleAssignment.psm1:

• Since Export-M365DSCConfiguration: "Organization cannot be a Guid, please enter the name of the tenant instead." when exporting SC config #3046 all EXO modules require TenantID to be supplied as a tenant name (*.onmicrosoft.com) instead of a GUID. Since EXOManagementRoleAssignment: Does not work if a soft-deleted identically named Administrative Unit exists #3064 this resource now connects to both Microsoft Graph and Exchange Online, and I don't think you can use a tenant name to connect to Microsoft Graph? Will it be necessary to create a new parameter e.g. TenantOrganization in this situation instead of making TenantID double up for both?
• Get-TargetResource uses Get-MgAdministrativeUnit - this is the beta cmdlet - should be using Get-MgDirectoryAdministrativeUnit
• Set-TargetResource still uses the Exchange Online Get-AdministrativeUnit - wasn't updated as part of EXOManagementRoleAssignment: Does not work if a soft-deleted identically named Administrative Unit exists #3064 - needs code to connect to Microsoft Graph, plus 2x switches to Get-MgDirectoryAdministrativeUnit

I've created a potential patch to resolve the last two solutions but they don't fix the problem on their own. UPDATE - Actually it looks like the patch fixes it completely, no need to worry about the references to #3046

The DSC configuration that is used to reproduce the issue (as detailed as possible)

$ApplicationId = '<id>'
$CertificateThumbprint = '<cert thumbprint>'
$TenantId = '<tenantid>.onmicrosoft.com'

Configuration Example
{
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADAdministrativeUnit 'TestUnit'
        {
            ApplicationId                    = $ApplicationId;
            CertificateThumbprint      = $CertificateThumbprint;
            TenantId                      = $TenantId;
            DisplayName                   = "Test-Unit";
            Ensure                        = "Present";
        }
        EXODistributionGroup 'MailEnabledSecurityGroup'
        {
            ApplicationId                    = $ApplicationId;
            CertificateThumbprint      = $CertificateThumbprint;
            TenantId                      = $TenantId;
            Name = "Test-Group";
            Alias = "Test-Group";
            Type = "Security";
            Ensure = "Present";
        }
        EXOManagementRoleAssignment 'AssignManagementRole'
        {
            ApplicationId                    = $ApplicationId;
            CertificateThumbprint      = $CertificateThumbprint;
            TenantId                      = $TenantId;
            Ensure               = "Present";
            Name                 = "MyManagementRoleAssignment";
            Role                 = "Mail Recipients";
            SecurityGroup        = "Test-Group";
            RecipientAdministrativeUnitScope = "Test-Unit"
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

The operating system the target node is running

PSVersion 5.1.22621.963
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.963
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.412.1

[Borgquite]

Correction - it appears the fixes in the pull request resolve the issue completely, ignore the references to #3046 above. Hopefully this is ready to commit.

[Borgquite]

Works fine now, thank you