TeamsAppSetupPolicy: Can't create policy if using Certificate authentication

[ricmestre]

Description of the issue

I'm testing all Teams resources with certificate authentication and TeamsOrgWideAppSettings and TeamsUserCallingSettings are known to not work with it, nevertheless TeamsAppSetupPolicy accepts certificate authentication as parameter but actually doesn't work.

It wasn't the first resource I've noticed this, but to have output from the Teams cmdlets (to catch errors) they need to be added the Verbose switch and not being piped to Out-Null which is the case on this one, otherwise it just returns without output and nothing happens. After running Start-DSCConfiguration it outputs that the resource was created but actually doesn't create anything, I was able to figure it out by creating it manually in Verbose mode.

I've created a list of pinned appbar apps as follows:

PS C:\temp\dsc\TeamsAppSetupPolicy> $pinnedAppBarAppsValue
Identity :
Priority : 
Id       : 14d6962d-6eeb-4f48-8890-de55454bb136
Order    : 1
Identity : 
Priority : 
Id       : 42f6c1da-a241-483a-a3cc-4f5be9185951
Order    : 2
Identity :
Priority :
Id       : 86fcd49b-61a2-4701-b771-54728cd291fb
Order    : 3
Identity :
Priority :
Id       : 20c3440d-c67e-4420-9f80-0e50c39693df
Order    : 4

Connected to Teams via certificate gave me this output:

PS C:\temp\dsc\TeamsAppSetupPolicy> New-CsTeamsAppSetupPolicy -AllowSideLoading $false -AllowUserPinning $true
-Description "TeamsAppSetupPolicy_1" -Identity "TeamsAppSetupPolicy_1" -PinnedAppBarApps $pinnedAppBarAppsValue
-Verbose
New-CsTeamsAppSetupPolicy :  The App Id(s) specified could not be validated from the App Catalog. Please refer to
documentation. CorrelationId: 1f020e4f-5e26-440a-96f0-9928816d8a71
At line:1 char:1
+ New-CsTeamsAppSetupPolicy -AllowSideLoading $false -AllowUserPinning  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-CsTeamsAppSetupPolicy], PolicyRpException
+ FullyQualifiedErrorId : ClientError,Microsoft.Teams.Policy.Administration.Cmdlets.Core.NewTeamsAppSetupPolicyCmdlet

But instead running with credentials the policy is actually created:

PS C:\temp\dsc\TeamsAppSetupPolicy> New-CsTeamsAppSetupPolicy -AllowSideLoading $false -AllowUserPinning $true
-Description "TeamsAppSetupPolicy_1" -Identity "TeamsAppSetupPolicy_1" -PinnedAppBarApps $pinnedAppBarAppsValue
-Verbose

Identity                    : Tag:TeamsAppSetupPolicy_1
AppPresetList               : {}
PinnedAppBarApps            : {14d6962d-6eeb-4f48-8890-de55454bb136, 42f6c1da-a241-483a-a3cc-4f5be9185951, 86fcd49b-61a2-4701-b771-54728cd291fb, 20c3440d-c67e-4420-9f80-0e50c39693df}
PinnedMessageBarApps        : {}
AppPresetMeetingList        : {}
AdditionalCustomizationApps : {}
Description                 : TeamsAppSetupPolicy_1
AllowSideLoading            : False
AllowUserPinning            : True

All other Teams resources I've tested, which includes almost all of them, didn't have this issue, in any case these are the permissions I've granted to my app which also is assigned the Teams Administrator role. According to https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication the cmdlets on this resource should work with certificate, maybe some additional permission is required which is not mentioned in settings.json? Or is the documentation on that webpage incorrect?

AppCatalog.ReadWrite.All
Channel.Delete.All
ChannelMember.ReadWrite.All
ChannelSettings.Read.All
ChannelSettings.ReadWrite.All
Group.ReadWrite.All
Organization.Read.All
TeamSettings.ReadWrite.All
TeamsTab.Create
TeamsTab.ReadWrite.All
User.Read.All 

Microsoft 365 DSC Version

1.23.124.1

Which workloads are affected

Teams

The DSC configuration

TeamsAppSetupPolicy "TeamsAppSetupPolicy-TeamsAppSetupPolicy_1"
        {
            AllowSideLoading      = $False;
            AllowUserPinning      = $True;
            ApplicationId         = $TeamsApplicationId;
            CertificateThumbprint = $TeamsCertThumbprint;
            Description           = "TeamsAppSetupPolicy_1";
            Ensure                = "Present";
            Identity              = "TeamsAppSetupPolicy_1";
            PinnedAppBarApps      = @("14d6962d-6eeb-4f48-8890-de55454bb136","42f6c1da-a241-483a-a3cc-4f5be9185951","86fcd49b-61a2-4701-b771-54728cd291fb","20c3440d-c67e-4420-9f80-0e50c39693df");
            TenantId              = $OrganizationName;
        }

Verbose logs showing the problem

N/A

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise                                                                                                                                                             OsOperatingSystemSKU : EnterpriseEdition                                                                                                                                                                           OsArchitecture       : 64-bit                                                                                                                                                                                      WindowsVersion       : 2009                                                                                                                                                                                        WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250                                                                                                                                                     OsLanguage           : en-US                                                                                                                                                                                       OsMuiLanguages       : {en-US, en-GB}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                                               Name                           Value                                                                                                                                                                               ----                           -----                                                                                                                                                                               PSVersion                      5.1.22621.1778                                                                                                                                                                      PSEdition                      Desktop                                                                                                                                                                             PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                                             BuildVersion                   10.0.22621.1778                                                                                                                                                                     CLRVersion                     4.0.30319.42000                                                                                                                                                                     WSManStackVersion              3.0                                                                                                                                                                                 PSRemotingProtocolVersion      2.3                                                                                                                                                                                 SerializationVersion           1.1.0.1

[FabienTschanz]

@ricmestre Today, it seems like this is working. Just connected to the Teams workload using my app registration and created / updated / deleted this policy. Can you agree?

[ricmestre]

@FabienTschanz Yeah I did a few CRUD tests back and forth and it also worked for me now, thanks for the heads up!!

[FabienTschanz]

Awesome, thanks for letting me know. Currently on a roll to check older issues and close them if possible. Fixing old stuff which got left alone should be a priority as well, there are so many small details that are a thorn in my eye. Glad this one works though 🚀