Issue with Update-M365DSCAzureAdApplication #5694

Open
Arne-RFA opened this issue Jan 29, 2025 · 0 comments


Arne-RFA commented Jan 29, 2025

Description of the issue

Very happy to have found Microsoft365DSC.

I have a few comments from attempting to get it to work (probably either my mistake or lack of understanding, or missed during initial "installation").

Using example 4 from https://microsoft365dsc.com/user-guide/cmdlets/Update-M365DSCAzureAdApplication/

Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList (Get-M365DSCAllResources) -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer

  1. The example shows "-ApplicationName $Microsoft365DSC", which I presumed was a typo when compared to the other examples, and was meant to be "-ApplicationName 'Microsoft365DSC'" as in the other examples.

  2. The documentation states for "-Credential": "The credential to use for authenticating the request. Mutually exclusive with -TenantId." There is no explanation of "$creds"; however, from going through other documentation pages, this looks to have probably been "-Credential (Get-Credential)". This is not used for the connection to the tenant (confirmed with dummy credentials), but without it specified it will error "Could not determine authentication method".

I have not used "-AdminConsent" as, although the initial Graph connection is made with MFA, it repeatedly does not authorize. For my use case this is not an issue, as it can be manually authorized post deployment.

My edit of the example, to create names that will not clash when connected to multiple clients etc.

#Set Application permissions1
$Permissions = Get-M365DSCCompiledPermissionList -ResourceNameList (Get-M365DSCAllResources) -PermissionType Application -AccessType Read
#
$TenantDomain = 'labTenantName'
$OnMicrosoft = '.onmicrosoft.com'
$TenantDomainName = "$TenantDomain$OnMicrosoft"
$Microsoft365DSC = '.Microsoft365DSC'
$AppName = "$TenantDomain$Microsoft365DSC"
#
Update-M365DSCAzureAdApplication -ApplicationName "$AppName" -Permissions $Permissions -Type Certificate -CreateSelfSignedCertificate -CertificatePath "c:\Temp\DSC\$TenantDomain.cer" -TenantId $TenantDomainName -Credential (Get-Credential)

There is an error shown before the certificate is created.

Connect-M365Tenant : The term 'Connect-M365Tenant' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.115.1\Modules\M365DSCUtil.psm1:2368 char:9
+         Connect-M365Tenant -Workload $Workload `
+         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Connect-M365Tenant:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

After the App Registration is created, I then attempt to connect

Export-M365DSCConfiguration -ApplicationId <AppID> -TenantId labTenantName.onmicrosoft.com -CertificateThumbprint 44A73A73E01A3A16F13B2CED653598F885C5F05F

This errors

Exporting Microsoft 365 configuration for Mode: Default
There is a newer version of the 'Microsoft365DSC' module available on the gallery.
To update the module and it's dependencies, run the following command:
Update-M365DSCModule

Authentication methods specified:
- Service Principal with Certificate Thumbprint

Partial Export file was saved at: C:\Users\rdsuser\AppData\Local\Temp\461\daacf698-a2af-475c-8fae-abe039f4cc08.partial.ps1
New-M365DSCConnection : The term 'Connect-M365Tenant' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.115.1\Modules\M365DSCUtil.psm1:1761 char:27
+ ...  $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Connect-M365Tenant:String) [New-M365DSCConnection], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException,New-M365DSCConnection

Microsoft 365 DSC Version

1.25.115.1

Which workloads are affected

other

The DSC configuration

Verbose logs showing the problem

PS C:\Users\rdsuser\Downloads> .\dsc-start.ps1

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Connect-M365Tenant : The term 'Connect-M365Tenant' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.115.1\Modules\M365DSCUtil.psm1:2368 char:9
+         Connect-M365Tenant -Workload $Workload `
+         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Connect-M365Tenant:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

2025-01-29 16:20:17 - Checking specified parameters
2025-01-29 16:20:17 -   Using a Certificate as credential
2025-01-29 16:20:17 -
2025-01-29 16:20:17 -   Make sure your certificate has the following prerequisites:
2025-01-29 16:20:17 -     KeySpec           : Signature
2025-01-29 16:20:17 -     KeyLength         : 2048
2025-01-29 16:20:17 -     KeyAlgorithm      : RSA
2025-01-29 16:20:17 -     HashAlgorithm     : SHA256 or SHA1
2025-01-29 16:20:17 -     Enhanced Key Uses : Client Authentication and Server Authentication
2025-01-29 16:20:17 -     And the entire certificate chain is available!
2025-01-29 16:20:17 -
2025-01-29 16:20:20 -
2025-01-29 16:20:20 - Checking existance of AD Application
2025-01-29 16:20:20 -   New Azure AD application 'labTenantName.Microsoft365DSC' created!
2025-01-29 16:20:20 -
2025-01-29 16:20:20 - Checking app permissions
2025-01-29 16:20:20 -   Checking permission 'Graph\Organization.Read.All'
2025-01-29 16:20:20 -   Checking permission 'Graph\AccessReview.Read.All'
2025-01-29 16:20:20 -   Checking permission 'Graph\Policy.Read.All'
2025-01-29 16:20:20 -   Checking permission 'Graph\AdministrativeUnit.Read.All'
2025-01-29 16:20:20 -   Checking permission 'Graph\RoleManagement.Read.Directory'
2025-01-29 16:20:20 -   Checking permission 'Graph\Application.Read.All'
2025-01-29 16:20:20 -   Checking permission 'Graph\CustomSecAttributeDefinition.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Policy.Read.ConditionalAccess'
2025-01-29 16:20:21 -   Checking permission 'Graph\Policy.ReadWrite.AuthenticationMethod'
2025-01-29 16:20:21 -   Checking permission 'Graph\UserAuthenticationMethod.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Agreement.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Group.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\User.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Directory.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Policy.Read.DeviceConfiguration'
2025-01-29 16:20:21 -   Checking permission 'Graph\Domain.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\NetworkAccess.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\EntitlementManagement.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\ReportSettings.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\PrivilegedEligibilitySchedule.Read.AzureADGroup'
2025-01-29 16:20:21 -   Checking permission 'Graph\IdentityUserFlow.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\LifecycleWorkflows.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\ProgramControl.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Policy.Read.IdentityProtection'
2025-01-29 16:20:21 -   Checking permission 'Graph\NetworkAccessPolicy.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\RoleAssignmentSchedule.Read.Directory'
2025-01-29 16:20:21 -   Checking permission 'Graph\RoleEligibilitySchedule.Read.Directory'
2025-01-29 16:20:21 -   Checking permission 'Graph\RoleManagementPolicy.Read.Directory'
2025-01-29 16:20:21 -   Checking permission 'Graph\RoleManagement.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\IdentityProvider.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Exchange\Exchange.ManageAsApp'
2025-01-29 16:20:21 -   Checking permission 'Graph\DeviceManagementConfiguration.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\DeviceManagementApps.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\DeviceManagementManagedDevices.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\DeviceManagementConfiguration.ReadWrite.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\DeviceManagementServiceConfig.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\DeviceManagementRBAC.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\ExternalConnection.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Application.ReadWrite.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\OrgSettings-Microsoft365Install.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\OrgSettings-Forms.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\OrgSettings-Todo.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\OrgSettings-AppsAndServices.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\OrgSettings-DynamicsVoice.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Tasks.Read.All'
2025-01-29 16:20:21 -   Checking permission 'SharePoint\Sites.FullControl.All'
2025-01-29 16:20:21 -   Checking permission 'SharePoint\'
2025-01-29 16:20:21 -   Checking permission 'Graph\SharePointTenantSettings.Read.All'
2025-01-29 16:20:21 -   Checking permission 'SharePoint\User.Read.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Group.ReadWrite.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\AppCatalog.ReadWrite.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\TeamSettings.ReadWrite.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\Channel.Delete.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\ChannelSettings.ReadWrite.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\ChannelMember.ReadWrite.All'
2025-01-29 16:20:21 -   Checking permission 'Graph\ChannelSettings.Read.All'
2025-01-29 16:20:21 -     Permission updated for application
2025-01-29 16:20:21 -
2025-01-29 16:20:21 - Checking app credentials
2025-01-29 16:20:21 -   Uploading App Certificate
2025-01-29 16:20:21 -     CreateSelfSignedCertificate specified, generating new Self Signed Certificate
2025-01-29 16:20:27 -     Certificate exported to c:\Temp\DSC\labTenantName.cer
2025-01-29 16:20:27 -     Certificate details: CN=labTenantName.Microsoft365DSC (44A73A63E09A3A16F13B2CED653598F835C5F05F)
2025-01-29 16:20:27 -
2025-01-29 16:20:27 - Application Id: 072cae31-8c86-448a-8823-d522dfd52682
2025-01-29 16:20:27 -
2025-01-29 16:20:27 - NOTE: Make sure you add the application to the required Microsoft 365 (e.g. Global Admin) or Exchange (e.g. Organization Management) role groups as well!
2025-01-29 16:20:27 -       See the documentation for any required permissions.
PS C:\Users\rdsuser\Downloads>

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      5.1.20348.2849
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2849
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
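Added example, not part of the issue above or of the Microsoft365DSC project: the certificate created here becomes the sole credential of a service principal holding tenant-wide application permissions, so a defender would want to confirm it meets the prerequisites the cmdlet prints in the log (KeySpec Signature, RSA 2048, SHA256 or SHA1, Client and Server Authentication EKUs, complete chain) before uploading it, and to confirm that Connect-M365Tenant, the command both errors report as missing, actually resolves. Connect-M365Tenant is shipped by the MSCloudLoginAssistant dependency module and Update-M365DSCDependencies installs the dependency set; the thumbprint and store path are placeholders for the reader to replace.

```powershell
# Added example (not from the issue or the Microsoft365DSC project). Checks a
# certificate against the prerequisites Update-M365DSCAzureAdApplication prints
# and checks that Connect-M365Tenant is resolvable. Thumbprint and store path
# below are placeholder assumptions.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$StorePath  = 'Cert:\LocalMachine\My'
)

function Test-M365DSCCertificatePrerequisites {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $r = [ordered]@{}

    # Private key present, RSA, 2048 bits (GetRSAPrivateKey returns $null for non-RSA keys)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    $r['PrivateKeyPresent'] = $Certificate.HasPrivateKey
    $r['KeyAlgorithm_RSA']  = ($null -ne $rsa)
    $r['KeyLength_2048']    = ($null -ne $rsa -and $rsa.KeySize -eq 2048)

    # KeySpec is only exposed for CryptoAPI (CSP) keys; CNG keys are reported as unknown here
    $csp = $Certificate.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
    $r['KeySpec_Signature'] = if ($csp) { $csp.CspKeyContainerInfo.KeyNumber -eq 'Signature' } else { 'Unknown (CNG key)' }

    # Signature hash algorithm: friendly names are sha256RSA / sha1RSA
    $r['HashAlgorithm_SHA256orSHA1'] = $Certificate.SignatureAlgorithm.FriendlyName -match '^sha(256|1)RSA$'

    # Enhanced Key Usage OIDs: 1.3.6.1.5.5.7.3.2 = Client Authentication, 1.3.6.1.5.5.7.3.1 = Server Authentication
    $ekuExt  = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $r['EKU_ClientAuthentication'] = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
    $r['EKU_ServerAuthentication'] = $ekuOids -contains '1.3.6.1.5.5.7.3.1'

    # Chain completeness only, ignoring root trust (a self-signed cert is its own root)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $r['ChainComplete'] = $chain.Build($Certificate)

    # Validity window: an expired certificate silently breaks the service principal login
    $now = Get-Date
    $r['WithinValidity']  = ($Certificate.NotBefore -le $now -and $Certificate.NotAfter -gt $now)
    $r['DaysUntilExpiry'] = [int]($Certificate.NotAfter - $now).TotalDays

    return [pscustomobject]$r
}

function Test-M365DSCConnectionCommand {
    # Connect-M365Tenant comes from the MSCloudLoginAssistant module, a Microsoft365DSC
    # dependency installed by Update-M365DSCDependencies.
    $cmd = Get-Command Connect-M365Tenant -ErrorAction SilentlyContinue
    $mod = Get-Module -ListAvailable -Name MSCloudLoginAssistant
    [pscustomobject]@{
        ConnectM365TenantResolvable   = [bool]$cmd
        ResolvedFromModule            = if ($cmd) { $cmd.ModuleName } else { $null }
        MSCloudLoginAssistantVersions = @($mod | ForEach-Object { $_.Version.ToString() })
        Hint = if ($cmd) { 'OK' } else { 'Run Update-M365DSCDependencies in an elevated session, then open a new PowerShell window' }
    }
}

# Usage: look the certificate up by thumbprint and print both reports
$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $Thumbprint found in $StorePath"
} else {
    Test-M365DSCCertificatePrerequisites -Certificate $cert | Format-List
}
Test-M365DSCConnectionCommand | Format-List
```

Run it from the same session that produced the error, after saving it as a .ps1 and passing the thumbprint shown on the "Certificate details" log line: if ConnectM365TenantResolvable is false, the app registration step and Export-M365DSCConfiguration will keep failing regardless of how the certificate checks out, since both errors in the issue are the same missing command rather than an authentication failure.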