AADApplication - Inclusion of AppRoles field causes errors when config is applied #5524

Closed
bnlonc opened this issue Dec 6, 2024 · 0 comments · Fixed by #5541

bnlonc commented Dec 6, 2024

Description of the issue

AADApplication resources that include the AppRoles field throw the following error when applied to Azure:

##[error][CannotDeleteOrUpdateEnabledEntitlement] : Permission (scope or role) cannot be deleted or updated unless disabled

Microsoft 365 DSC Version

1.24.1120.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

# https://microsoft365dsc.com/resources/azure-ad/AADApplication/
AADApplication 'TestApp1' {
    AvailableToOtherTenants = $False
    DisplayName             = 'TestApp1'
    Ensure                  = 'Present'
    IdentifierUris          = @()
    KnownClientApplications = @()
    IsFallbackPublicClient  = $False
    AppRoles                = @(
        MSFT_MicrosoftGraphappRole {
            AllowedMemberTypes = @('Application')
            Id = '354ab5bc-bc09-4ae9-bfb6-93c46e111918'
            IsEnabled = $True
            Origin = 'Application'
            Value = 'Application.Read.All'
            DisplayName = 'Test role 1'
            Description = 'This is an app role'
        }
    )
    Owners                  = @('[email protected]')
    Permissions             = @(
        MSFT_AADApplicationPermission {
            Name                = 'User.Read'
            Type                = 'Delegated'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $False
        }
    )
    PublicClient            = $False
    ReplyURLs               = @()
    ApplicationId           = $ApplicationId
    TenantId                = $TenantId
    CertificateThumbprint   = $Thumbprint
}

Verbose logs showing the problem

2024-12-05T00:31:25.9068666Z VERBOSE: [MACHINE-ID]:
2024-12-05T00:31:25.9074804Z [[AADApplication]TestApp1::[AzureAD]AzureAD_Configuration] Updating existing AzureAD
2024-12-05T00:31:25.9080315Z Application {TestApp1} with values:
2024-12-05T00:31:25.9083491Z
2024-12-05T00:31:25.9086866Z
2024-12-05T00:31:25.9090117Z
2024-12-05T00:31:25.9096155Z Key                    Value
2024-12-05T00:31:25.9099282Z
2024-12-05T00:31:25.9105415Z ---                    -----
2024-12-05T00:31:25.9108314Z
2024-12-05T00:31:25.9114299Z DisplayName            TestApp1
2024-12-05T00:31:25.9117354Z
2024-12-05T00:31:25.9123450Z GroupMembershipClaims  None
2024-12-05T00:31:25.9126583Z
2024-12-05T00:31:25.9132707Z IsFallbackPublicClient False
2024-12-05T00:31:25.9135786Z
2024-12-05T00:31:25.9141876Z OptionalClaims         {accessToken}
2024-12-05T00:31:25.9145040Z
2024-12-05T00:31:25.9150949Z AppRoles               {System.Collections.Hashtable}
2024-12-05T00:31:25.9154140Z
2024-12-05T00:31:25.9160258Z ApplicationId          555937d7-700a-4d64-a61f-dff9b84f3ce1
2024-12-05T00:31:25.9163099Z
2024-12-05T00:31:25.9169061Z SignInAudience         AzureADMyOrg
2024-12-05T00:31:25.9172400Z
2024-12-05T00:31:25.9179538Z Verbose                True
2024-12-05T00:31:25.9961435Z VERBOSE: [MACHINE-ID]:
2024-12-05T00:31:25.9968325Z [[AADApplication]TestApp1::[AzureAD]AzureAD_Configuration] Performing the operation
2024-12-05T00:31:25.9974804Z "Update-MgApplication_UpdateExpanded" on target "Call remote 'PATCH /applications/{application-id}' operation".
2024-12-05T00:31:26.7668151Z ##[error][CannotDeleteOrUpdateEnabledEntitlement] : Permission (scope or role) cannot be deleted or updated unless disabled
first.
    + CategoryInfo          : InvalidOperation: ({ ApplicationId...phApplication }:) [], CimException
    + FullyQualifiedErrorId : CannotDeleteOrUpdateEnabledEntitlement,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgApplic
   ation_UpdateExpanded
    + PSComputerName        : localhost

Environment Information + PowerShell Version

Name                           Value
----                           -----
PSVersion                      5.1.20348.2849
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2849
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
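
The error text says an enabled permission has to be disabled before it is deleted or updated. The following is an added example, not code from this issue or from Microsoft365DSC: it plans the change as two PATCH calls, assuming the error arises because the submitted AppRoles list drops or changes a role that is still enabled on the application. The function name, the placeholder role Id and `$objectId` are hypothetical.

```powershell
# Added example: names are hypothetical, not Microsoft365DSC code.
function Get-AppRoleUpdatePlan {
    param(
        [hashtable[]] $Current = @(),  # app roles currently on the registration
        [hashtable[]] $Desired = @()   # app roles declared in the configuration
    )
    $compare = 'AllowedMemberTypes', 'Value', 'DisplayName', 'Description'
    $desiredById = @{}
    foreach ($role in $Desired) { $desiredById[[string]$role.Id] = $role }

    $needsDisable = $false
    $disableFirst = foreach ($role in $Current) {
        $copy    = $role.Clone()
        $target  = $desiredById[[string]$role.Id]
        $changed = $null -eq $target          # role would be deleted by the PATCH
        if (-not $changed) {
            foreach ($p in $compare) {
                $old = (@($role[$p])   | Sort-Object) -join ','
                $new = (@($target[$p]) | Sort-Object) -join ','
                if ($old -ne $new) { $changed = $true }
            }
        }
        if ($changed -and $role.IsEnabled) {
            $copy.IsEnabled = $false          # only the flag changes in phase 1
            $needsDisable   = $true
        }
        $copy
    }
    [pscustomobject]@{
        NeedsDisable = $needsDisable
        DisableFirst = @($disableFirst)       # payload for the first PATCH
        Final        = $Desired               # payload for the second PATCH
    }
}

# Constructed sample: the existing role carries a placeholder Id that the desired list lacks.
$current = @(@{ Id = '00000000-0000-0000-0000-000000000001'; IsEnabled = $true
                AllowedMemberTypes = @('Application'); Value = 'Application.Read.All'
                DisplayName = 'Test role 1'; Description = 'This is an app role' })
$desired = @(@{ Id = '354ab5bc-bc09-4ae9-bfb6-93c46e111918'; IsEnabled = $true
                AllowedMemberTypes = @('Application'); Value = 'Application.Read.All'
                DisplayName = 'Test role 1'; Description = 'This is an app role' })
$plan = Get-AppRoleUpdatePlan -Current $current -Desired $desired

# With the Microsoft.Graph.Applications module and a connected session
# ($objectId is the application's object id, an assumption here):
# if ($plan.NeedsDisable) { Update-MgApplication -ApplicationId $objectId -AppRoles $plan.DisableFirst }
# Update-MgApplication -ApplicationId $objectId -AppRoles $plan.Final
```
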
bnlonc changed the title from "AADApplication - Inclusion of AppRoles fields causes errors when config is applied" to "AADApplication - Inclusion of AppRoles field causes errors when config is applied" on Dec 10, 2024
NikCharlebois mentioned this issue Dec 11, 2024
NikCharlebois reopened this Dec 11, 2024
NikCharlebois mentioned this issue Dec 11, 2024
NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Dec 12, 2024