
AADRoleAssignmentScheduleRequest - BUG - The Role assignment already exists #5532

Closed
pangjaa opened this issue Dec 10, 2024 · 0 comments · Fixed by #5545

pangjaa commented Dec 10, 2024

Description of the issue

After role assignment, AADRoleAssignmentScheduleRequest is unable to find the assignment. DSC throws the error: The Role assignment already exists. I believe this is due to Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest being filtered by the Role template. See the sample PowerShell script below, where a custom role can be identified by either the TemplateId or the RoleDefinitionId.

[Array] $requests = Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance.Id)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '$($DirectoryScopeId)'"

In a separate test tenant

PowerShell calls to search for the assignment

$PrincipalInstance = '607d3b3d-c917-4e3d-b47d-94cc9fc28b46' # service principal for customrolecreator, object guid
$RoleDefinitionId = '9a85b016-38f3-4257-a6ff-51813b6fadc9' # custom role definition id
$DirectoryScopeId = 'ce03c1c9-e946-4808-ab8c-21a716fd47a6' # customRoleCreator app
Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)' and DirectoryScopeId eq '/$($DirectoryScopeId)'"

$role = Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)' and DirectoryScopeId eq '/$($DirectoryScopeId)'" -Property "RoleDefinition"
$role.RoleDefinition

PS C:\Users\Administrator\Desktop> $role | fl


Action               : AdminAssign
ActivatedUsing       : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRoleEligibilitySchedule
AppScope             : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAppScope
AppScopeId           :
ApprovalId           :
CompletedDateTime    : 12/10/2024 4:50:52 PM
CreatedBy            : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphIdentitySet
CreatedDateTime      : 12/10/2024 4:50:52 PM
CustomData           :
DirectoryScope       : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
DirectoryScopeId     : /ce03c1c9-e946-4808-ab8c-21a716fd47a6
Id                   : 045863d4-f1b7-4d50-8a8c-9c16eab868d0
IsValidationOnly     : False
Justification        : test
Principal            : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
PrincipalId          : 607d3b3d-c917-4e3d-b47d-94cc9fc28b46
RoleDefinition       : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRoleDefinition
RoleDefinitionId     : 4270f965-0c64-44c2-b8d5-78b1b185ed27
ScheduleInfo         : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphRequestSchedule
Status               : Provisioned
TargetSchedule       : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRoleAssignmentSchedule
TargetScheduleId     : 045863d4-f1b7-4d50-8a8c-9c16eab868d0
TicketInfo           : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphTicketInfo
AdditionalProperties : {}


PS C:\Users\Administrator\Desktop> Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.RoleDefinitionId

DisplayName Id                                   TemplateId                           Description IsBuiltIn IsEnabled
----------- --                                   ----------                           ----------- --------- ---------
[custom]    9a85b016-38f3-4257-a6ff-51813b6fadc9 9a85b016-38f3-4257-a6ff-51813b6fadc9 test        False     True


PS C:\Users\Administrator\Desktop> get-mgbetaroleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId '9a85b016-38f3-4257-a6ff-51813b6fadc9'

DisplayName Id                                   TemplateId                           Description IsBuiltIn IsEnabled
----------- --                                   ----------                           ----------- --------- ---------
[custom]    9a85b016-38f3-4257-a6ff-51813b6fadc9 9a85b016-38f3-4257-a6ff-51813b6fadc9 test        False     True

Microsoft 365 DSC Version

1.24.1204.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

$AppObjGuid = '4d34cfbe-915d-4d30-9459-67324a6e12e0'
# https://microsoft365dsc.com/resources/azure-ad/AADRoleAssignmentScheduleRequest/
AADRoleAssignmentScheduleRequest 'AADRoleAssignmentScheduleRequest-appasignment' {
    DependsOn             = @(
        '[AADApplication]AADApplication-Microsoft365DSC'
        '[AADApplication]AADApplication-Appname'
        '[AADServicePrincipal]AADServicePrincipal-Appname'
        '[AADRoleDefinition]AADRoleDefinition-CustomeRoleAppmyOrgCredUpdate'
    )
    Principal             = 'Appname' ### L1|Group that is assigned to eligible assignment
    RoleDefinition        = 'Custom. Role' ### L1|Role that is being targeted for eligible assignment
    PrincipalType         = 'ServicePrincipal' ### L3|Represents the type of principal to assign the request to. Accepted values are: Group and User.
    DirectoryScopeId      = '/4d34cfbe-915d-4d30-9459-67324a6e12e0' #+ $AppObjGuid ### L3|Identifier of the directory object representing the scope of the role eligibility.
    # Id                  = ''
    # AppScopeId          = 'Appname' ## object id; 4d34cfbe-915d-4d30-9459-67324a6e12e0
    Action                = 'AdminAssign' ### L2|Represents the type of operation on the role eligibility request.
    # IsValidationOnly
    Justification         = 'Assigning permanent eligibility for service principal team'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleAssignmentScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleAssignmentScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    # TicketInfo
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}

Verbose logs showing the problem

### Error Message


##[error][RoleAssignmentExists] : The Role assignment already exists.
    + CategoryInfo          : InvalidOperation: ({ Headers = , b...heduleRequest }:) [], CimException
    + FullyQualifiedErrorId : RoleAssignmentExists,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaRoleManagementDire 
   ctoryRoleAssignmentScheduleRequest_CreateExpanded
    + PSComputerName        : localhost
VERBOSE: [LCM-]: LCM:  [ End    Set      ]  
[[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration]  in 
2.8770 seconds.
##[error]The PowerShell DSC resource 
'[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration' with 
SourceInfo 'C:\AzurePipeline-Agent\_work\1\s\M365Config\0.0.1\DSCResources\AzureAD\AzureAD.schema.psm1::66::5::AADRoleA
ssignmentScheduleRequest' threw one or more non-terminating errors while running the Set-TargetResource functionality. 
These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more 
details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost



### Get Request to Graph


Displaying debug messages from Powershell DSC resource:
	 ResourceID : [AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration 
	 Message : [LCM-]:                            [[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration] ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests?$filter=PrincipalId eq '131d3946-d3bc-47b4-8d68-c6ce4f5efe00' and RoleDefinitionId eq 'c9138e48-33ad-4443-9ba2-e5c14cc517f4' and DirectoryScopeId eq '/4d34cfbe-915d-4d30-9459-67324a6e12e0'
Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.20348; en-US),PowerShell/5.1.20348.2849
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.25.0
client-request-id             : ed27c22e-47bf-480f-bb68-6e6ec364703e
Body:
MachineName	
LCM-.
Payload.JobId	
{242912C7-B6AE-11EF-BAD7-02EE0AFD4B61}
Payload.MessageBody	
[LCM-]:                            [[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration] ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests?$filter=PrincipalId eq '131d3946-d3bc-47b4-8d68-c6ce4f5efe00' and RoleDefinitionId eq 'c9138e48-33ad-4443-9ba2-e5c14cc517f4' and DirectoryScopeId eq '/4d34cfbe-915d-4d30-9459-67324a6e12e0'
Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.20348; en-US),PowerShell/5.1.20348.2849
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.25.0
client-request-id             : ed27c22e-47bf-480f-bb68-6e6ec364703e
Body:
Payload.ResourceId	
[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration
ProcessID	
2692
ProviderName	
Microsoft-Windows-DSC



### Returned Message


Displaying debug messages from Powershell DSC resource:
	 ResourceID : [AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration 
	 Message : [LCM-]:                            [[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration] ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : e0a1a9f7-7243-4527-b5db-df5d98d86827
client-request-id             : ed27c22e-47bf-480f-bb68-6e6ec364703e
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"CO1PEPF00004A98"}}
OData-Version                 : 4.0
Cache-Control                 : private
Date                          : Tue, 10 Dec 2024 04:22:31 GMT
Body:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
  "value": []
}
MachineName	
LCM-.
Payload.JobId	
{242912C7-B6AE-11EF-BAD7-02EE0AFD4B61}
Payload.MessageBody	
[LCM-]:                            [[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration] ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : e0a1a9f7-7243-4527-b5db-df5d98d86827
client-request-id             : ed27c22e-47bf-480f-bb68-6e6ec364703e
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"CO1PEPF00004A98"}}
OData-Version                 : 4.0
Cache-Control                 : private
Date                          : Tue, 10 Dec 2024 04:22:31 GMT
Body:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
  "value": []
}
Payload.ResourceId	
[AADRoleAssignmentScheduleRequest]AADRoleAssignmentScheduleRequest-appasignment::[AzureAD]AzureAD_Configuration
ProcessID	
2692
ProviderName	
Microsoft-Windows-DSC

Environment Information + PowerShell Version

PS C:\Windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.20348.2849
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2849
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
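The lookup failure described in this report (the request's RoleDefinitionId not matching the value used in the $filter, so the existing assignment is never found and the create call fails with RoleAssignmentExists) can be avoided by filtering on principal and scope only and matching the role client-side. The function below is an added example, not Microsoft365DSC's own code or its fix; the function name, parameter names and the sample GUIDs are assumptions, and it assumes an already connected Microsoft Graph session with permission to read directory role management objects.

```powershell
# Added example (not the project's code): find an existing role assignment
# schedule request for a principal/scope pair, matching the role by either the
# role definition Id or its TemplateId instead of filtering on RoleDefinitionId.
function Find-ExistingRoleAssignmentScheduleRequest {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDefinitionId,   # Id or TemplateId of the role
        [Parameter(Mandatory)] [string] $DirectoryScopeId    # '/' or '/<object id>'
    )

    # Graph stores the scope with a leading slash; accept either form from callers.
    if (-not $DirectoryScopeId.StartsWith('/')) { $DirectoryScopeId = "/$DirectoryScopeId" }

    # Filter only on principal and scope; the role is compared after resolving it.
    $filter = "PrincipalId eq '$PrincipalId' and DirectoryScopeId eq '$DirectoryScopeId'"
    [Array] $requests = Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter $filter

    # Resolve each distinct RoleDefinitionId once; a request may reference an id
    # that differs from the one the caller used when creating it.
    $definitions = @{}
    foreach ($request in $requests) {
        # Direct match on the stored id needs no round trip.
        if ($request.RoleDefinitionId -eq $RoleDefinitionId) { return $request }

        if (-not $definitions.ContainsKey($request.RoleDefinitionId)) {
            $definitions[$request.RoleDefinitionId] = Get-MgBetaRoleManagementDirectoryRoleDefinition `
                -UnifiedRoleDefinitionId $request.RoleDefinitionId -ErrorAction SilentlyContinue
        }
        $definition = $definitions[$request.RoleDefinitionId]
        if ($null -eq $definition) { continue }

        # A custom role can be identified by its Id or its TemplateId.
        if ($definition.Id -eq $RoleDefinitionId -or $definition.TemplateId -eq $RoleDefinitionId) {
            return $request
        }
    }
    return $null   # nothing found: safe to create a new request
}

# Constructed sample values (assumed, not from a real tenant):
$existing = Find-ExistingRoleAssignmentScheduleRequest `
    -PrincipalId '00000000-0000-0000-0000-000000000001' `
    -RoleDefinitionId '00000000-0000-0000-0000-000000000002' `
    -DirectoryScopeId '00000000-0000-0000-0000-000000000003'
if ($null -eq $existing) { 'No matching request; create is safe' }
else { $existing | Format-List Id, RoleDefinitionId, DirectoryScopeId, Status }
```

Because the function only asks Graph for the principal/scope pair, it returns the existing request even when the stored RoleDefinitionId differs from the id the configuration supplied, which is what the page's empty `"value": []` response shows the RoleDefinitionId filter missing.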
@NikCharlebois NikCharlebois self-assigned this Dec 11, 2024
NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Dec 12, 2024
@NikCharlebois NikCharlebois mentioned this issue Dec 12, 2024