Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AADRoleEligibilityScheduleRequest - : The Role assignment already exists - on Administrative Unit as DirectoryScopeId #5089

Closed
landsdale opened this issue Sep 24, 2024 · 1 comment · Fixed by #5400 or #5397

Comments

@landsdale
Copy link

Description of the issue

Hi guys,
I run a devops pipeline with this module configured like that:

  • Name: ""
    Action: "AdminAssign"
    DirectoryScopeId: "/administrativeUnits/"
    DependsOn: "[AADGroup]"
    Ensure: "Present"
    IsValidationOnly: False
    Principal: ""
    PrincipalType: "Group"
    RoleDefinition: "Privileged Authentication Administrator"
    ScheduleInfo:
    startDateTime: "2024-07-05T11:08:33Z"
    expiration:
    type: "noExpiration"

    So the first run of the pipeline is ok and the role correctly assigned.
    From a "second run" of the pipeline we get this error:

##[error][RoleAssignmentExists] : The Role assignment already exists.
+ CategoryInfo : InvalidOperation: ({ Headers = , b...heduleRequest }:) [], CimException
+ FullyQualifiedErrorId : RoleAssignmentExists,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaRoleManagementDire
ctoryRoleEligibilityScheduleRequest_CreateExpanded
+ PSComputerName : localhost
VERBOSE: [fv-az524-586]: LCM: [ End Set ]
[[AADRoleEligibilityScheduleRequest]::[EntraID]EntraID_Configuration] in
5.5520 seconds.
##[error]The PowerShell DSC resource

No problem with the DirectoryScopeId on "/"
I think it is a bug.

Thank you in advance.

Microsoft 365 DSC Version

1.24.904.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADRoleEligibilityScheduleRequest:
 - Name: "<group-to-assingn-NameDescription>"
    Action: "AdminAssign"
    DirectoryScopeId: "/administrativeUnits/<AUId>"  
    DependsOn: "[AADGroup]<group-to-assingn>"
    Ensure: "Present"
    IsValidationOnly: False
    Principal: "<group-to-assingn-Name>"
    PrincipalType: "Group"
    RoleDefinition: "Privileged Authentication Administrator"
    ScheduleInfo:
      startDateTime: "2024-07-05T11:08:33Z"
      expiration:
        type: "noExpiration"

Verbose logs showing the problem

##[error][RoleAssignmentExists] : The Role assignment already exists.
    + CategoryInfo          : InvalidOperation: ({ Headers = , b...heduleRequest }:) [], CimException
    + FullyQualifiedErrorId : RoleAssignmentExists,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaRoleManagementDire 
   ctoryRoleEligibilityScheduleRequest_CreateExpanded
    + PSComputerName        : localhost
VERBOSE: [fv-az524-586]: LCM:  [ End    Set      ]  
[[AADRoleEligibilityScheduleRequest]<group-to-assingn-NameDescription>::[EntraID]EntraID_Configuration]  in 
5.5520 seconds.
##[error]The PowerShell DSC resource

Environment Information + PowerShell Version

git version 2.45.2.windows.1
Task PowerShell Version: 2.245.1
@gibi916
Copy link

gibi916 commented Sep 26, 2024

I confirm, same problem on my side. I posted a comment on the similar post #3787

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants