AADAdministrativeUnit: Cannot leave 'Ensure' as default #4437

Closed
Borgquite opened this issue Mar 11, 2024 · 5 comments · Fixed by #4462, #4475 or #4512
Labels
Bug Something isn't working Entra ID V1.24.228.1 Version 1.24.228.1

Comments

@Borgquite
Contributor

Borgquite commented Mar 11, 2024

Description of the issue

When creating an AADAdministrativeUnit resource, if the 'Ensure' field is not set, the resource is created correctly, but running Test-DscConfiguration afterwards still returns 'False'. This also means that multiple runs of Start-DscConfiguration result in many AADAdministrativeUnits being created - in other words, it's not idempotent.

The apparent intention for the resource is that 'Ensure' defaults to 'Present'.

Setting Ensure = 'Present' manually resolves the issue but would rather this was not necessary.

Microsoft 365 DSC Version

1.24.228.1

Which workloads are affected

Azure Active Directory

The DSC configuration

$Microsoft365DSCApplicationId = Get-AutomationVariable -Name 'Microsoft365DSCApplicationId'
$Microsoft365DSCCertificateThumbprint = Get-AutomationVariable -Name 'Microsoft365DSCCertificateThumbprint'
$Microsoft365DSCOrganization = Get-AutomationVariable -Name 'Microsoft365DSCOrganization'

Configuration Example
{
    Import-DscResource -ModuleName Microsoft365DSC -ModuleVersion 1.24.228.1

    node localhost
    {
        AADAdministrativeUnit 'TestUnit'
        {
            Id                            = 'Test-Unit'
            DisplayName                   = 'Test-Unit'
            Description                   = 'Test-Unit1'
            ApplicationId                 = $Microsoft365DSCApplicationId
            CertificateThumbprint         = $Microsoft365DSCCertificateThumbprint
            TenantId                      = $Microsoft365DSCOrganization
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

Example -ConfigurationData $cd

Verbose logs showing the problem

Running the configuration:

Start-DscConfiguration -Path .\Example\ -Wait -Verbose -Force                                                                        
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =                 root/Microsoft/Windows/DesiredStateConfiguration'.                                                                                                                                                
VERBOSE: An LCM method call arrived from computer <redacted> with user sid <redacted>.                                                                        
VERBOSE: [<REDACTED>]: LCM:  [ Start  Set      ]                                                                                                                                                  
VERBOSE: [<REDACTED>]: LCM:  [ Start  Resource ]  [[AADAdministrativeUnit]TestUnit]                                                                                                               
VERBOSE: [<REDACTED>]: LCM:  [ Start  Test     ]  [[AADAdministrativeUnit]TestUnit]                                                                                                               
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] Testing configuration of the Azure AD Administrative Unit with Id {Test-Unit} and DisplayName {Test-Unit}     
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] Test-TargetResource returned False - Ensure not the same                                                      
VERBOSE: [<REDACTED>]: LCM:  [ End    Test     ]  [[AADAdministrativeUnit]TestUnit]  in 2.3980 seconds.                                                                                           
VERBOSE: [<REDACTED>]: LCM:  [ Start  Set      ]  [[AADAdministrativeUnit]TestUnit]                                                                                                               
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] Creating an Azure AD Administrative Unit with DisplayName {Test-Unit}                                         
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] Creating new Administrative Unit with: description=Test-Unit1
displayName=Test-Unit
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] POST https://graph.microsoft.com/beta/administrativeUnits with 72-byte payload
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] received 346-byte response of content type application/json
VERBOSE: [<REDACTED>]: LCM:  [ End    Set      ]  [[AADAdministrativeUnit]TestUnit]  in 2.7220 seconds.                                                                                           
VERBOSE: [<REDACTED>]: LCM:  [ End    Resource ]  [[AADAdministrativeUnit]TestUnit]                                                                                                               
VERBOSE: [<REDACTED>]: LCM:  [ End    Set      ]                                                                                                                                                  
VERBOSE: [<REDACTED>]: LCM:  [ End    Set      ]    in  5.3020 seconds.                                                                                                                           
VERBOSE: Operation 'Invoke CimMethod' complete.                                                                                                                                                   
VERBOSE: Time taken for configuration job to complete is 5.346 seconds                                

Testing (after waiting a number of minutes)

$output = Test-DscConfiguration -Path .\Example\ -Verbose                                                                            
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = TestConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =                      root/Microsoft/Windows/DesiredStateConfiguration'.                                                                                                                                                
VERBOSE: An LCM method call arrived from computer <REDACTED> with user sid <redacted>.                                                                        
VERBOSE: [<REDACTED>]: LCM:  [ Start  Compare  ]                                                                                                                                                  
VERBOSE: [<REDACTED>]: LCM:  [ Start  Resource ]  [[AADAdministrativeUnit]TestUnit]                                                                                                               
VERBOSE: [<REDACTED>]: LCM:  [ Start  Test     ]  [[AADAdministrativeUnit]TestUnit]                                                                                                               
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] Testing configuration of the Azure AD Administrative Unit with Id {Test-Unit} and DisplayName {Test-Unit}     
VERBOSE: [<REDACTED>]:                            [[AADAdministrativeUnit]TestUnit] Test-TargetResource returned False - Ensure not the same                                                      
VERBOSE: [<REDACTED>]: LCM:  [ End    Test     ]  [[AADAdministrativeUnit]TestUnit] False in 22.5110 seconds.                                                                                     
VERBOSE: [<REDACTED>]: LCM:  [ End    Resource ]  [[AADAdministrativeUnit]TestUnit]                                                                                                               
VERBOSE: [<REDACTED>]: LCM:  [ End    Compare  ]     Completed processing compare operation. The operation returned False.                                                                        
VERBOSE: [<REDACTED>]: LCM:  [ End    Compare  ]    in  23.1140 seconds.                                                                                                                          
VERBOSE: Operation 'Invoke CimMethod' complete.                                                                                                                                                   
VERBOSE: Time taken for configuration job to complete is 23.217 seconds

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-GB
OsMuiLanguages       : {en-GB, en-US}

Key   : PSVersion
Value : 5.1.22621.2506
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.22621.2506
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion

andikrueger added Bug Something isn't working Entra ID V1.24.228.1 Version 1.24.228.1 labels Mar 11, 2024

@Borgquite
Contributor Author

Borgquite commented Mar 18, 2024

@andikrueger @ykuijs @salbeck-sit Can you help here please, again. As you know I've been trying to use this resource on many occasions and each time I do something new, basic bugs just keep on coming (#2633, #2704, #2775, #2776, #3194). I am again wondering whether your unit and integration tests are anywhere near appropriate.

I tried to fix this myself and as far as I can tell Get-TargetResource is returning 'Ensure = Absent' if Absent is left blank, regardless of whether or not the AU exists. But:

  • Running Get-DscConfiguration is currently broken for me (The PowerShell DSC resource returned results that are not valid from Get-TargetResource. The Verbose key is not a valid property in the corresponding DSC resource schema file. The results from Get-TargetResource must be in a Hashtable format. The keys in the Hashtable must be the same as the properties in the corresponding DSC resource schema file.)
  • I can see that Test-TargetResource calls Get-TargetResource - but when I try to debug this using -Verbose, for some reason I don't see the output from the Write-Verbose calls in that function (I do get them for Test-TargetResource).
  • Just trying to get a basic understanding of how Get-TargetResource works here - as far as I can tell, lines 99-116 are entirely pointless - writing something to $getValue then setting it back to $null?

If someone can untangle this mess, I'd appreciate it. At present I hate touching Microsoft365DSC, it never, ever 'just works'.

@Borgquite
Contributor Author

Oh and I should have said - currently if you run Start-DscConfiguration on the test resource in this bug, you end up with multiple AdministrativeUnits created. So basically, for this resource, if Ensure is left blank, idempotency is broken.

@Borgquite
Contributor Author

Ah, just figured something out. The whole of Get-TargetResource is basically one huge try {} catch (from line 101 to 273). When attempting to create an AADAdministrativeUnit from scratch without an ID, this always fails on line 108, and bumps down to line 275, returning an error.

I'm not sure how to fix this - help?

@salbeck-sit
Contributor

@Borgquite I think the issue with leaving Ensure blank is that it then isn't part of $PSBoundParameters. See https://ss64.com/ps/psboundparameters.html
This affects Test-TargetResource in line 898 where the Ensure-value from Get-TargetResource is compared to $PSBoundParameters.Ensure.
This will always fail if Ensure is not explicitly stated in the config, leading to an 'indiscriminate' call to Set-TargetResource.
However, I don't see any similar construct in Set-TargetResource where tests are done against $Ensure.
But, as you've noticed, a call without an ID will cause Get-TargetResource to return null due to the block of lines 105-118 which should absolutely be removed.
The missing verbose output is due to the Verbose-switch being stripped from PSBoundParameters in line 391 before calling Get-TargetResource.
I'm a bit pressed for time for the next 2-3 weeks so I can't offer to fix the resource.
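
The `$PSBoundParameters` behaviour described in the comment above, as an added example that is not part of the original thread and is not Microsoft365DSC code. The function names and the `-CurrentValues` parameter are hypothetical; the sketch contrasts comparing against `$PSBoundParameters.Ensure`, which is empty when Ensure is omitted, with comparing against the `$Ensure` variable, which carries the declared default.

```powershell
# Added illustration. Function names and -CurrentValues are hypothetical;
# -CurrentValues stands in for the hashtable Get-TargetResource returns.
function Test-EnsureFromBoundParameters
{
    [CmdletBinding()]
    param
    (
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present',

        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $CurrentValues
    )

    # $PSBoundParameters holds only arguments the caller passed explicitly.
    # With Ensure omitted this lookup yields $null, so the comparison fails
    # even though $Ensure itself is 'Present'.
    return ($CurrentValues.Ensure -eq $PSBoundParameters.Ensure)
}

function Test-EnsureFromVariable
{
    [CmdletBinding()]
    param
    (
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present',

        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $CurrentValues
    )

    # The parameter variable carries the declared default when omitted.
    return ($CurrentValues.Ensure -eq $Ensure)
}

# Constructed sample: the unit already exists in the tenant.
$current = @{ DisplayName = 'Test-Unit'; Ensure = 'Present' }

[PSCustomObject]@{
    BoundOmitted    = Test-EnsureFromBoundParameters -CurrentValues $current
    BoundExplicit   = Test-EnsureFromBoundParameters -CurrentValues $current -Ensure 'Present'
    VariableOmitted = Test-EnsureFromVariable -CurrentValues $current
}
```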

salbeck-sit added a commit to salbeck-sit/Microsoft365DSC that referenced this issue Mar 19, 2024
salbeck-sit added a commit to salbeck-sit/Microsoft365DSC that referenced this issue Mar 19, 2024
@salbeck-sit
Contributor

@Borgquite since I spent time to identify the problem it was almost a sin not to do a PR ;-)
