Description of the issue
I'm using MicrosoftDSC to extract the settings and save them for archival purposes. Now I have to change the authentication to Service Principal with Certificate Thumbprint.
When I run the script locally everything works and I can extract the values from the AAD workload. When running it in the pipeline I just get the following:
VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADConditionalAccessPolicy, AADAuthorizationPolicy, AADGroup, AADAdministrativeUnit, AADEntitlementManagementAccessPackageCatalog, AADEntitlementManagementAccessPackageCatalogResource, AADGroupLifecyclePolicy, AADGroupsNamingPolicy, AADGroupsSettings, AADNamedLocationPolicy, AADRoleDefinition, AADRoleSetting, AADSecurityDefaults, AADTenantDetails, AADTokenLifetimePolicy
Authentication methods specified:
Service Principal with Certificate Thumbprint
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.719.1\DSCResources\MSFT_AADAdministrativeUnit\MSFT_AADAdministrati
veUnit.psm1'.
Partial Export file was saved at: C:\Users\VSSADM~1\AppData\Local\Temp\7d88381f-5415-4fc2-a121-29b7fca916a2.partial.ps1
Within the pipeline I download the cert and the private key from an Azure Key Vault and save them into the local cert store of the agent where the job is running. This works and I see the cert is installed and we have the private key:
PSPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\F3FB2E541495962FD6070B57811F9B54D8
C471B1
PSParentPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName : F3FB2E541495962FD6070B57811F9B54D8C471B1
PSIsContainer : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 5/23/2024 1:58:13 PM
NotBefore : 5/23/2023 1:38:13 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 3, 14...}
SerialNumber : 1A32DAC5159BAD814D84D14DABA3685F
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : F3FB2E541495962FD6070B57811F9B54D8C471B1
Version : 3
Handle : 2952549909680
Issuer : CN=MicrosoftDSC365
Subject : CN=MicrosoftDSC365
EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
DnsNameList : {MicrosoftDSC365}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
How can I get more information about where it's actually failing? I added -debug and -verbose to the command but the output above is all I get.
Microsoft 365 DSC Version
1.23.712.1
Workload
Azure Active Directory
The DSC configuration
Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy", "AADAuthorizationPolicy", "AADGroup", "AADAdministrativeUnit", "AADEntitlementManagementAccessPackageCatalog", "AADEntitlementManagementAccessPackageCatalogResource", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADNamedLocationPolicy", "AADRoleDefinition", "AADRoleSetting", "AADSecurityDefaults", "AADTenantDetails", "AADTokenLifetimePolicy") -ApplicationId 0477c4d5-1234-48d1-afd9-16a8c30921be -TenantId testli01.onmicrosoft.com -CertificateThumbprint F3FB2E541495962FD6070B57AB1F9B54D8C471B1 -Path D:\a_temp -Filters @{"AADGroup" = "startsWith(DisplayName,'ABCZ')"} -FileName "AAD_Components"
Verbose logs showing the problem
VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADConditionalAccessPolicy, AADAuthorizationPolicy, AADGroup, AADAdministrativeUnit, AADEntitlementManagementAccessPackageCatalog, AADEntitlementManagementAccessPackageCatalogResource, AADGroupLifecyclePolicy, AADGroupsNamingPolicy, AADGroupsSettings, AADNamedLocationPolicy, AADRoleDefinition, AADRoleSetting, AADSecurityDefaults, AADTenantDetails, AADTokenLifetimePolicy
Authentication methods specified:
Service Principal with Certificate Thumbprint
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.719.1\DSCResources\MSFT_AADAdministrativeUnit\MSFT_AADAdministrati
veUnit.psm1'.
Partial Export file was saved at: C:\Users\VSSADM~1\AppData\Local\Temp\7d88381f-5415-4fc2-a121-29b7fca916a2.partial.ps1
##[error]The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Function Export-TargetResource cannot be created because function capacity 4096 has been exceeded for this scope.
##[error]PowerShell exited with code '1'.
Finishing: Export the current config
Environment Information + PowerShell Version
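A pre-flight check for the pipeline step described in this issue, as an added example that is not part of the original post or of Microsoft365DSC: it raises the Windows PowerShell 5.1 per-scope function limit named in the error (default 4096) and confirms that the certificate passed by thumbprint is present in the agent's store, currently valid, and has a private key the job account can actually open. `Test-ExportPrerequisite` and the `CERT_THUMBPRINT` pipeline variable are hypothetical names.

```powershell
# Added example: run this at the top of the pipeline script, before any module is imported.
# Test-ExportPrerequisite is a hypothetical helper, not a Microsoft365DSC cmdlet.
function Test-ExportPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $CertificateThumbprint
    )

    # Windows PowerShell 5.1 (Desktop edition) caps each scope at 4096 functions by default.
    # 32768 is the maximum the variable accepts; PowerShell 7 (Core) has no such limit.
    if ($PSVersionTable.PSEdition -ne 'Core') {
        $global:MaximumFunctionCount = 32768
    }

    # Strip spaces and invisible characters that creep in when a thumbprint is copied.
    $thumb = ($CertificateThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $thumb } |
        Select-Object -First 1

    # HasPrivateKey only says a key is associated with the certificate.
    # Opening the key proves the account running the job can use it.
    $keyUsable = $false
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $keyUsable = $null -ne $rsa
    } catch {
        $keyUsable = $false
    }

    $now = Get-Date
    [pscustomobject]@{
        PSEdition     = $PSVersionTable.PSEdition
        FunctionLimit = $global:MaximumFunctionCount   # empty on PowerShell 7
        Thumbprint    = $thumb
        FoundInStore  = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        KeyUsable     = $keyUsable
        ValidNow      = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
    }
}

# CERT_THUMBPRINT is an assumed pipeline variable holding the thumbprint given to the export.
$check = Test-ExportPrerequisite -CertificateThumbprint $env:CERT_THUMBPRINT
$check | Format-List
if (-not ($check.FoundInStore -and $check.KeyUsable -and $check.ValidNow)) {
    throw "Certificate $($check.Thumbprint) is missing, expired, or its private key cannot be opened."
}
```

Passing the same thumbprint string to this check and to `Export-M365DSCConfiguration` also catches a thumbprint that does not match any certificate in `Cert:\CurrentUser\My`.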