Release pipeline errors caused by AADAuthenticationMethodPolicy. #4079

Closed
kochi-shunsuke opened this issue Dec 21, 2023 · 7 comments · Fixed by #4932 or #4944
Labels
DevOps Issues related to using M365DSC in DevOps Entra ID

Comments

@kochi-shunsuke

Description of the issue

I built my environment according to the Azure DevOps whitepaper.
And I added the AzureAD workload using exported settings.
An error occurred in the release pipeline.
If I comment out AADAuthenticationMethodPolicyFido2, the error does not occur.
What is causing it? And what should I do to solve this?

Microsoft 365 DSC Version

V1.23.1213.1

Which workloads are affected

Azure Active Directory

The DSC configuration

        AADAuthenticationMethodPolicyFido2 "AADAuthenticationMethodPolicyFido2"
        {
            Credential                       = $Credential;
            Ensure                           = "Present";
            Id                               = "Fido2";
            IncludeTargets                   = @(
                MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget{
                    Id = 'all_users'
                    TargetType = 'group'
                }
            );
            IsAttestationEnforced            = $False;
            IsSelfServiceRegistrationAllowed = $True;
            KeyRestrictions                  = MSFT_MicrosoftGraphfido2KeyRestrictions{
                IsEnforced = $False
                EnforcementType = 'block'
                AaGuids = @()
            };
            State                            = "disabled";
        }

Verbose logs showing the problem

##[error]ClassVersion Qualifier not found.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

Environment Information + PowerShell Version

No response

@ykuijs
Member

ykuijs commented Jan 3, 2024

Hi @kochi-shunsuke, where exactly did you add the above DSC config? And during which step are you getting the mentioned errors?

@kochi-shunsuke
Author

Hi @ykuijs, the config was added to AzureAD.schema.psm1. (I created the file by copying the Office365 one.)
And the error occurred during the step to deploy the configuration in the release pipeline.

@ykuijs
Member

ykuijs commented Jan 4, 2024

Could you share a version of the file that is not working?

@kochi-shunsuke
Author

The files are as follows:
AzureAD.psd1

@{
    RootModule           = 'AzureAD.schema.psm1'
    ModuleVersion        = '0.0.1'
    GUID                 = '4fc5f373-7984-46e6-835c-97401ba17f9a'
    Author               = 'Yorick Kuijs'
    CompanyName          = 'Microsoft'
    Copyright            = 'Copyright to Microsoft Corporation. All rights reserved.'
    ##RequiredModules      = @(
    #    @{ ModuleName = 'xPSDesiredStateConfiguration'; ModuleVersion = '8.4.0.0' }
    #)
    DscResourcesToExport = @('AzureAD')
}

AzureAD.schema.psm1
※Parameters other than "AADAuthenticationMethodPolicyFido2" are omitted.

Configuration AzureAD
{
    param
    (
        [Parameter()]
        [PSCredential]
        $Credential,
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $Thumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    $paramCount = ($PSBoundParameters.GetEnumerator() | Where-Object -FilterScript { $_.Key -in 'ApplicationId', 'TenantId', 'Thumbprint' }).Count
    if ($paramCount -gt 0 -and $paramCount -lt 3)
    {
        throw "Please specify ApplicationId, TenantId and Thumbprint"
    }
    $OrganizationName = $ConfigurationData.NonNodeData.Environment.OrganizationName

        AADAuthenticationMethodPolicyFido2 "AADAuthenticationMethodPolicyFido2-Fido2"
        {
            Credential                       = $Credential;
            Ensure                           = "Present";
            Id                               = "Fido2";
            IncludeTargets                   = @(
                MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget{
                    Id = 'all_users'
                    TargetType = 'group'
                }
            );
            IsAttestationEnforced            = $False;
            IsSelfServiceRegistrationAllowed = $True;
            KeyRestrictions                  = MSFT_MicrosoftGraphfido2KeyRestrictions{
                IsEnforced = $False
                EnforcementType = 'block'
                AaGuids = @()
            };
            State                            = "disabled";
        }
}

#~ Other parameters are omitted ~

@ykuijs
Member

ykuijs commented Jan 5, 2024

Can you please try to take out the IncludeTargets parameter and then try again? Does that fix the issue?

@kochi-shunsuke
Author

I tried, but it didn't fix the issue.

@andikrueger andikrueger added DevOps Issues related to using M365DSC in DevOps Entra ID labels Jan 17, 2024
@kochi-shunsuke
Author

@ykuijs
What should I try next to solve this problem?
