AADServicePrincipal: Error in creating AADServicePrincipal while deploying the configuration in target Azure AD Tenant #3390
Comments
Any chances you could share the redacted configuration you are trying to deploy? Thanks
Thank you for taking a look at this. Please find below the configuration that I'm trying to deploy (.mof file). Please note that the .mof file has a lot of applications and service principals I'm trying to deploy, but I've captured the screenshot only for one of the service principals for which I got the error I mentioned in the post.

```
/*
instance of MSFT_Credential as $MSFT_Credential1ref
};
instance of MSFT_AADServicePrincipal as $MSFT_AADServicePrincipal1131ref
ConfigurationName = "M365TenantConfig";
};
...
instance of OMI_ConfigurationDocument
Version="2.0.0";
```
Can you confirm that the referenced application (by ID) exists on the destination tenant?
Yes, the application object exists in the destination tenant; the issue is only with Service Principal object creation.
We are not able to replicate. While the application exists, can you confirm that its DisplayName and ID properties match the DisplayName and AppId properties of the ServicePrincipal you are trying to associate it with? The error seems to indicate that the cmdlet can't retrieve the associated application based on the provided ID. Thanks
I checked the AppId of the application object created in my destination tenant, and it doesn't match the AppId in my configuration file.
This is kind of a catch-22. Creating a new Service Principal requires an AppId to be passed in; however, when cloning, you do not know the Id of the app, since it is most likely not created yet on the target tenant, or has a different Id on the target than on the source. The only possible solution here would be for us to change the logic and allow the associated app to be referenced by DisplayName, then dynamically retrieve the Id instead of having you pass it into the configuration. This would cause issues in the case where you have multiple apps with the same name, however.
Correct, I understand this. However, if there are multiple applications with the same DisplayName in the exported file, the tool throws an error while compiling the config into a MOF file. I usually manually remove the duplicate entries of the AADApplication and corresponding AADServicePrincipals from the .ps1 (exported from the source tenant) and then compile the file again. This ensures that all the applications which are going to be created in the target tenant have a unique DisplayName, or at least that is what I would assume the logic is. Please correct me if I'm wrong.
@NikCharlebois, could you please let me know whether you have had a chance to take a look at my comment here? Is that something feasible for your team to modify in the logic?
Agreed that there are cases where multiple Azure AD Apps with the same name would exist, which would prevent the config from compiling; however, this is not a scenario we want to support. While it is possible to have multiple instances with the same name, it doesn't make business sense and is not something we want to promote. We are open to recommendations on how to best address this.
Sorry for the confusion, but I was not referring to being able to create multiple apps with the same DisplayName. I was referring to this comment of yours. Currently the Application object gets created with an AppId which is different from the source tenant AppId in the configuration, which is why we're getting the error "The appId 'XXXX-AppID-XXXX' of the service principal does not reference a valid application object". Is this something you can fix?
This is for sure something we can fix: the code is missing this line on line 308: `$currentParameters.Remove('AppId') | Out-Null`
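The approach the maintainer describes above (resolve the associated application by DisplayName on the target tenant, drop the source-tenant AppId from the parameter set, and create the service principal with the resolved value), written out as an added PowerShell example. It is not Microsoft365DSC's own Set-TargetResource code; it assumes the Microsoft.Graph.Applications module and an existing Connect-MgGraph session, and the parameter hash at the bottom is constructed from the Target Values block in the issue log.

```powershell
# Added example, not Microsoft365DSC's implementation. Assumes a Graph session
# with permission to read applications and create service principals.
Import-Module Microsoft.Graph.Applications

function New-ServicePrincipalByDisplayName {
    param([Parameter(Mandatory)] [hashtable] $CurrentParameters)

    # Resolve the application on the *target* tenant by DisplayName; the AppId
    # exported from the source tenant does not exist here.
    $escaped = $CurrentParameters.DisplayName -replace "'", "''"
    $apps = @(Get-MgApplication -Filter "displayName eq '$escaped'" -All)

    if ($apps.Count -eq 0) {
        throw "No application named '$($CurrentParameters.DisplayName)' exists in the target tenant."
    }
    if ($apps.Count -gt 1) {
        # Ambiguous match: refuse rather than attach the SP to the wrong app.
        throw "Found $($apps.Count) applications named '$($CurrentParameters.DisplayName)'; DisplayName must be unique."
    }
    $resolvedAppId = $apps[0].AppId

    if ($CurrentParameters.ContainsKey('AppId') -and $CurrentParameters.AppId -ne $resolvedAppId) {
        Write-Verbose "Configured AppId $($CurrentParameters.AppId) differs from target AppId $resolvedAppId; using the target value."
    }

    # Strip DSC-only keys and the stale source AppId (the Remove('AppId') line
    # the maintainer identified), then set the AppId resolved on the target.
    $body = $CurrentParameters.Clone()
    foreach ($key in 'AppId', 'Credential', 'Ensure', 'ObjectId', 'Verbose') {
        $body.Remove($key) | Out-Null
    }
    $body['AppId'] = $resolvedAppId

    New-MgServicePrincipal -BodyParameter $body
}

# Constructed sample input mirroring the Target Values block in the issue log.
$currentParameters = @{
    DisplayName               = 'XXXX'
    AppId                     = 'XXXX-AppID-XXXX'   # source-tenant value, stale on target
    AccountEnabled            = $true
    AppRoleAssignmentRequired = $true
    Tags                      = @('WindowsAzureActiveDirectoryIntegratedApp')
    Ensure                    = 'Present'
    Credential                = $null
}
New-ServicePrincipalByDisplayName -CurrentParameters $currentParameters -Verbose
```

Refusing on zero or multiple DisplayName matches is what keeps the duplicate-name case the maintainer mentions from silently binding a service principal to the wrong application.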
@NikCharlebois I upgraded the tool to the latest version 1.23.621.1 and tried the AADServicePrincipal creation again, and got the same error. Could you please let me know whether AADServicePrincipal creation now dynamically retrieves the AppId of the Application object already created, rather than the AppId mentioned in the .mof file?
ISSUE DESCRIPTION:
I am trying to clone Azure AD tenant configurations. I exported the resources "AADApplication, AADServicePrincipal" from the source tenantA and then tried to deploy the configuration in the target tenantB. I'm receiving the error below while creating the AADServicePrincipal object:

```
[[AADServicePrincipal]XXXX Performing the
operation "New-MgServicePrincipal_CreateExpanded" on target "Call remote
'ServicePrincipalsServicePrincipalCreateServicePrincipal' operation".
The appId 'XXXX' of the service principal does not reference a valid application
object.
```

I exported the configuration using the command below:

```powershell
Export-M365DSCConfiguration -Components @("AADApplication","AADServicePrincipal") -Credential $SourceCredential -Path C:\Dsc
```

Then I deployed the configuration using the commands below:

```powershell
$TargetCredential = Get-Credential
C:\Dsc\M365TenantConfig.ps1 -Credential $TargetCredential
Start-DscConfiguration -Path C:\Dsc\M365TenantConfig -Wait -Verbose
```
I see some ServicePrincipals created in the target tenant, but some are not. I'll paste the logs that I receive in my PowerShell window below:

```
==========================================================
[Server1]: LCM: [ Start Resource ] [[AADServicePrincipal]XXXX-ResourceID-XXXX]
[Server1]: LCM: [ Start Test ] [[AADServicePrincipal]XXXX-ResourceID-XXXX]
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Testing
configuration of Azure AD ServicePrincipal
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Getting
configuration of Azure AD ServicePrincipal
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Azure AD
ServicePrincipal with ObjectID: XXXX-ObjectID-XXXX could not be retrieved
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Target Values:
AccountEnabled=True; AlternativeNames=(); AppId=XXXX-AppID-XXXX; AppRoleAssignmentRequired=True;
Credential=***; DisplayName=XXXX; Ensure=Present;
Homepage=xxxx;
ObjectId=XXXX-ObjectID-XXXX; PublisherName=xxxx;
ReplyUrls=xxxx;
ServicePrincipalNames=(XXXX-AppID-XXXX); ServicePrincipalType=Application;
Tags=(WindowsAzureActiveDirectoryIntegratedApp); Verbose=True
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Test-TargetResource
returned False
[Server1]: LCM: [ End Test ] [[AADServicePrincipal]XXXX-ResourceID-XXXX] in 3.4840 seconds.
[Server1]: LCM: [ Start Set ] [[AADServicePrincipal]XXXX-ResourceID-XXXX]
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] 1 - There are now
{399 functions}
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] 2 - There are now
{399 functions}
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Setting
configuration of Azure AD ServicePrincipal
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Getting
configuration of Azure AD ServicePrincipal
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Azure AD
ServicePrincipal with ObjectID: XXXX-ObjectID-XXXX could not be retrieved
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Creating new
Service Principal
[Server1]: [[AADServicePrincipal]XXXX-ResourceID-XXXX] Performing the
operation "New-MgServicePrincipal_CreateExpanded" on target "Call remote
'ServicePrincipalsServicePrincipalCreateServicePrincipal' operation".
The appId 'XXXX-AppID-XXXX' of the service principal does not reference a valid application
object.
    + CategoryInfo          : InvalidOperation: ({ body = Micros...icePrincipal1 }:) [], CimException
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.NewMgServicePrincipal_CreateExpanded
    + PSComputerName        : localhost
[Server1]: LCM: [ End Set ] [[AADServicePrincipal]XXXX-ResourceID-XXXX] in 2.4140 seconds.
The PowerShell DSC resource '[AADServicePrincipal]XXXX-ResourceID-XXXX' with SourceInfo
'F:\work\M365DSCConfiguration\Method- Global Admin
Credentials\Application\M365TenantConfig.ps1::32844::9::AADServicePrincipal' threw one or more non-terminating errors
while running the Set-TargetResource functionality. These errors are logged to the ETW channel called
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
==================================================
```
Version of the Microsoft365DSC module that was used: 1.23.308.1