IntuneAccountProtectionLocalUserGroupMembershipPolicy: Configurations with MSFT_IntuneAccountProtectionLocalUserGroupCollection action 'add_replace' compile but fail to be applied #5318

Closed
DerTolleEmil opened this issue Nov 1, 2024 · 0 comments · Fixed by #5324 or #5346

DerTolleEmil commented Nov 1, 2024

Description of the issue

Trying to create / update an account protection policy to add users/groups to local admins fails if the action is set to add_replace. The configuration compiles successfully but throws an error when getting applied.

According to the error message the value should actually be add_restrict.

I can confirm that manually changing the compiled .mof to use the Action add_restrict results in the configuration being applied successfully:

instance of MSFT_IntuneAccountProtectionLocalUserGroupCollection as $MSFT_IntuneAccountProtectionLocalUserGroupCollection1ref
{
LocalGroups = {
    "administrators"
};
 Members = {
    "S-1-12-1-1719499666-1200013040-2812009110-2951708484"
};
 Action = "add_restrict";
 UserSelectionType = "users";

};

Updating the configuration itself to use add_restrict gives a compilation error (the expected values match what is mentioned in the documentation):

Microsoft365DSC\MSFT_IntuneAccountProtectionLocalUserGroupCollection : At least one of the values 'add_restrict' is not supported or valid for property 'Action' on class 'MSFT_IntuneAccountProtectionLocalUserGroupCollection'. Please specify only supported values: add_update, remove_update, add_replace.

Note: Exporting the policy via Export-M365DSCConfiguration produces a configuration with the expected add_restrict value for action.

Microsoft 365 DSC Version

1.24.1016.1

Which workloads are affected

Intune

The DSC configuration

IntuneAccountProtectionLocalUserGroupMembershipPolicy "Grant_Local_Admin_Rights"
{
    Assignments              = @(
        MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments
        {
            deviceAndAppManagementAssignmentFilterType = 'none'
            groupDisplayName                           = 'All devices'
            dataType                                   = '#microsoft.graph.allDevicesAssignmentTarget'
            groupId                                    = 'PLACEHOLDER'
        }
    );
    Description              = "Test";
    DisplayName              = "MDW - Grant Local Admin Rights";
    Ensure                   = "Present";
    LocalUserGroupCollection = @(
        MSFT_IntuneAccountProtectionLocalUserGroupCollection
        {
            LocalGroups       = @('administrators')
            Members           = @("S-1-12-1-1719499666-1200013040-2812009110-2951708484")
            Action            = 'add_replace'
            UserSelectionType = 'users'
        }
    );
    Identity = "PLACEHOLDER";
    CertificateThumbprint    = $ConfigurationData.NonNodeData.CertificateThumbprint;
    ApplicationId            = $ConfigurationData.NonNodeData.ApplicationId;
    TenantId                 = $OrganizationName;
}

Verbose logs showing the problem

DEBUG: [EMILS-MASCHIN]: [[IntuneAccountProtectionLocalUserGroupMembershipPolicy]Grant_Local_Admin_Rights] PUT https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies/3c57863c-4c41-4165-9817-cc92b4ab6dab
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 1c66a4d5-1e09-4f97-9c38-208fe9af03e7
client-request-id: ce994acd-dcfc-4288-884f-1cabf6e76cda
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"ZRH2EPF000000F0"}}
Date: Fri, 01 Nov 2024 10:30:12 GMT
Content-Encoding: gzip
Content-Type: application/json

{"error":{"code":"BadRequest","message":"{\r\n  \"_version\": 3,\r\n  \"Message\":
\"device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action:  

Selected Option
device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_replace does not match with the list of expected options:

device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update,
device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update,
device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_restrict. 

- Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: ce994acd-dcfc-4288-884f-1cabf6e76cda - Url:
https://fef.amsub0502.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-3301-0608-102104424657/deviceManagement/configurationPolicies(
'3c57863c-4c41-4165-9817-cc92b4ab6dab')?api-version=5024-09-01\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n
\"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\":
\"{}\"\r\n}","innerError":{"date":"2024-11-01T10:30:13","request-id":"1c66a4d5-1e09-4f97-9c38-208fe9af03e7","client-request-id":"ce994acd-dcfc-4288-884f-1cabf6e76cda"}}}
Response status code does not indicate success: BadRequest (Bad Request).
    + CategoryInfo          : InvalidOperation: (Method: PUT, Re...ication/json
}:) [], CimException
    + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    + PSComputerName        : localhost

Environment Information + PowerShell Version

Get-ComputerInfo -Property @('OsName','OsOperatingSystemSKU','OSArchitecture','WindowsVersion','WindowsBuildLabEx','OsLanguage','OsMuiLanguages')

OsName : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-US
OsMuiLanguages : {en-US, en-GB}

$PSVersionTable

Name Value


PSVersion 5.1.22621.4391
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.4391
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
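
As an added example (not part of the issue and not Microsoft365DSC code): a pre-flight check that scans a compiled .mof for the Action value of each MSFT_IntuneAccountProtectionLocalUserGroupCollection instance and compares it with the options listed in the Graph error response above. The function name Test-LocalUserGroupAction, the instance aliases and the sample MOF text are constructed for illustration.

```powershell
# Added example, not Microsoft365DSC code. The accepted values are the option
# suffixes listed in the 400 response quoted in this issue.
function Test-LocalUserGroupAction {
    param(
        [Parameter(Mandatory)][string]$MofText,
        [string[]]$Accepted = @('add_update', 'remove_update', 'add_restrict')
    )
    $class = 'MSFT_IntuneAccountProtectionLocalUserGroupCollection'
    # Splitting on "instance of" leaves one MOF instance declaration per chunk.
    foreach ($chunk in ($MofText -split '(?m)^\s*instance of\s+')) {
        if ($chunk -notmatch "^$class\b") { continue }
        $alias = if ($chunk -match '\bas\s+(\$\w+)') { $Matches[1] } else { '<no alias>' }
        if ($chunk -match '(?m)^\s*Action\s*=\s*"(?<action>[^"]*)"') {
            $action = $Matches['action']
            [pscustomobject]@{
                Instance = $alias
                Action   = $action
                Accepted = $action -cin $Accepted   # case-sensitive comparison
            }
        }
    }
}

# Constructed sample: two instances in the shape shown in the issue.
$sampleMof = @'
instance of MSFT_IntuneAccountProtectionLocalUserGroupCollection as $Collection1ref
{
LocalGroups = {
    "administrators"
};
 Members = {
    "S-1-12-1-PLACEHOLDER"
};
 Action = "add_replace";
 UserSelectionType = "users";
};
instance of MSFT_IntuneAccountProtectionLocalUserGroupCollection as $Collection2ref
{
 Action = "add_restrict";
 UserSelectionType = "users";
};
'@

$results = @(Test-LocalUserGroupAction -MofText $sampleMof)
$results | Format-Table -AutoSize
if ($results.Accepted -contains $false) {
    Write-Warning 'A compiled Action value is not in the list the service accepts.'
}
```

Running the check between compilation and Start-DscConfiguration surfaces the mismatch before the PUT to Graph fails, which matters for a policy that controls membership of the local administrators group.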
