Export-M365DSCConfiguration error {InvalidOperation} System.Exception: [UnknownError] #3758
Comments
|
Hello, My question is regarding this case why such a privileged API permission like 'RoleEligibilitySchedule.ReadWrite.Directory' and 'RoleManagement.ReadWrite.Directory' needs for an export? Export fails in that stage: Why these API permissions need do not defined in the official documentation of the ‘AADConditionalAccessPolicy’ component? Thanks in advance! BR, |
|
This looks like a bug within the current settings.json file of the resource.
Usually, we would only require read permissions for read operations. |
|
The permissions were updated to reflect the actual required ones. |
Description of the issue
Export fails with the following error:
[2023/10/05 02:38:27]
"Couldn't find user xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx , that is defined in policy xxxxx - Require Compliance for all Salesforce Apps iOS and Android"
TenantId: xxxx.onmicrosoft.com
[2023/10/05 02:38:55]
"Couldn't find user xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx , that is defined in policy xxx - MFA Registration for All-Users and Windows when Termes & Conditions accepted"
TenantId: xxxx.onmicrosoft.com
Is this expected that for export we need ReadWrite permissions?
RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
[2023/10/05 02:40:44]
{InvalidOperation}
System.Exception: [UnknownError] : {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory.","instanceAnnotations":[]}
"Error during Export:"
at Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest, C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Beta.Identity.Governance\2.6.1\exports\ProxyCmdletDefinitions.ps1: line 101367
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1004.1\DSCResources\MSFT_AADRoleEligibilityScheduleRequest\MSFT_AADRoleEligibilityScheduleRequest.psm1: line 635
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1004.1\modules\M365DSCReverse.psm1: line 615
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1004.1\modules\M365DSCUtil.psm1: line 1312
at , C:\M365DSC\Run_ExportConfig.ps1: line 3
TenantId: xxxx.onmicrosoft.com
Microsoft 365 DSC Version
1.23.1004.1
Which workloads are affected
Azure Active Directory
The DSC configuration
Export-M365DSCConfiguration -Components @("AADAuthenticationMethodPolicy", "AADAuthenticationMethodPolicyAuthenticator", "AADAuthenticationMethodPolicyEmail", "AADAuthenticationMethodPolicyFido2", "AADAuthenticationMethodPolicySms", "AADAuthenticationMethodPolicySoftware", "AADAuthenticationMethodPolicyTemporary", "AADAuthenticationMethodPolicyVoice", "AADAuthenticationMethodPolicyX509", "AADAuthenticationStrengthPolicy", "AADAuthorizationPolicy", "AADConditionalAccessPolicy", "AADCrossTenantAccessPolicy", "AADCrossTenantAccessPolicyConfigurationDefault", "AADCrossTenantAccessPolicyConfigurationPartner", "AADEntitlementManagementAccessPackage", "AADEntitlementManagementAccessPackageAssignmentPolicy", "AADEntitlementManagementAccessPackageCatalog", "AADEntitlementManagementAccessPackageCatalogResource", "AADEntitlementManagementConnectedOrganization", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADNamedLocationPolicy", "AADRoleDefinition", "AADRoleEligibilityScheduleRequest", "AADRoleSetting", "AADSecurityDefaults", "AADTenantDetails", "AADTokenLifetimePolicy") -ApplicationId $ApplicationId -ApplicationSecret $ApplicationSecret -TenantId $TenantIdVerbose logs showing the problem
Environment Information + PowerShell Version
The text was updated successfully, but these errors were encountered: