Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to access DSC components using -AccessTokens (@("AADAuthorizationPolicy")) #4682

Closed
99conqueror99 opened this issue May 16, 2024 · 1 comment
Closed

Unable to access DSC components using -AccessTokens (@("AADAuthorizationPolicy")) #4682

99conqueror99 opened this issue May 16, 2024 · 1 comment

Comments

@99conqueror99
Copy link

99conqueror99 commented May 16, 2024
edited
Loading

Description of the issue

Previously we were using Credentials to fetch DSC components, as the -AccessTokens is introduced I am trying to fetch DSC components with it, but it doesn't work.

DSC command:-
Export-M365DSCConfiguration -Components @("AADAuthorizationPolicy") -AccessTokens ['eyubdbsdjsdsjdj'] -TenantId "xyz.onmicrosoft.com"

Error:-
{NotSpecified} Microsoft.Graph.PowerShell.AuthenticationException: Authentication needed. Please call Connect-MgGraph. at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.<GetAuthenticationProviderAsync>d__10.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.PowerShell.Authentication.Helpers.HttpHelpers.GetGraphHttpClient() at Microsoft.Graph.Beta.PowerShell.Module.BeforeCreatePipeline(InvocationInfo invocationInfo, HttpPipeline& pipeline) at Microsoft.Graph.Beta.PowerShell.Module.CreatePipeline(InvocationInfo invocationInfo, String parameterSetName) at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaPolicyAuthorizationPolicy_List.<ProcessRecordAsync>d__88.MoveNext() "Could not find existing authorization policy" at Get-MgBetaPolicyAuthorizationPolicy<Process>, C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Beta.Identity.SignIns\2.19.0\exports\ProxyCmdletDefinitions.ps1: line 32142 at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\DSCResources\MSFT_AADAuthorizationPolicy\MSFT_AADAuthorizationPolicy.psm1: line 127 at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\DSCResources\MSFT_AADAuthorizationPolicy\MSFT_AADAuthorizationPolicy.psm1: line 585 at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\Modules\M365DSCReverse.psm1: line 677 at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\Modules\M365DSCUtil.psm1: line 1375 at <ScriptBlock>, <No file>: line 1 TenantId: xyz.onmicrosoft.com

How did I generate Access Token ?

  • I used Oauth2 flow with required scopes [Policy.Read.All Policy.ReadWrite.Authorization].
  • I have created a custom AAD App

API used to fetch Token:-

  1. https://login.microsoftonline.com{TENANT_ID}/oauth2/v2.0/authorize?client_id={CLIENT_ID}&response_type=code&scope=Policy.Read.All Policy.ReadWrite.Authorization

  2. Token - https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token
    Successfully Generated token

Now I am trying to fetch DSC component AADAuthorizationPolicy by executing the following command
Export-M365DSCConfiguration -Components @("AADAuthorizationPolicy") -AccessTokens ['eyubdbsdjsdsjdj'] -TenantId "xyz.onmicrosoft.com"

And I am facing the error shared above, when I do Connect-MgGraph it pops up the browser screen I login with Global Administrator account, but still the above error persists.

Microsoft 365 DSC Version

1.24.515.2

Which workloads are affected

Azure Active Directory (Entra ID), Exchange Online, Office 365 Admin, OneDrive for Business, SharePoint Online, Teams

The DSC configuration

DSC command causing the issue - `Export-M365DSCConfiguration -Components @("AADAuthorizationPolicy") -AccessTokens ['eyubdbsdjsdsjdj'] -TenantId "xyz.onmicrosoft.com"`


Error log - `{NotSpecified}
Microsoft.Graph.PowerShell.AuthenticationException: Authentication needed. Please call Connect-MgGraph.
   at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.<GetAuthenticationProviderAsync>d__10.MoveNext()`

Verbose logs showing the problem

VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADAuthorizationPolicy

Authentication methods specified:
- Access Tokens

VERBOSE: Removing the imported "Export-TargetResource" function.
VERBOSE: Removing the imported "Get-TargetResource" function.
VERBOSE: Removing the imported "Set-TargetResource" function.
VERBOSE: Removing the imported "Test-TargetResource" function.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\DSCResources\MSFT_AADAuthorizationPolicy\MSFT_AADAuthorizationPolicy.psm
1'.
VERBOSE: Importing function 'Export-TargetResource'.
VERBOSE: Importing function 'Get-TargetResource'.
VERBOSE: Importing function 'Set-TargetResource'.
VERBOSE: Importing function 'Test-TargetResource'.
Connecting to {MicrosoftGraph}...✅
[1/1] Extracting [AADAuthorizationPolicy] using {AccessTokens}...VERBOSE: Dependencies were already successfully validated.
VERBOSE: Attempting connection to {MicrosoftGraph} with:
VERBOSE:
Name                           Value

----                           -----

TenantId                       xyz.onmicrosoft.com

AccessTokens
{[eyJ0eXAiOiJKV1QiLCJub25jZSI6ImgwX0QzblZ1RXkzR1ZnaDZIdTUtbzVQNnp2RElnaW1sX1ZpU0Q3Z0NKYkkiLCJhbGc...


VERBOSE: Connecting via Access Tokens
VERBOSE: Attempting connection to {MicrosoftGraph} with:
VERBOSE:
Name                           Value

----                           -----

AccessTokens
{[eyJ0eXAiOiJKV1QiLCJub25jZSI6ImgwX0QzblZ1RXkzR1ZnaDZIdTUtbzVQNnp2RElnaW1sX1ZpU0Q3Z0NKYkkiLCJhbGc...
ApplicationSecret

IsSingleInstance               Yes

ApplicationId

Credential

TenantId                       xyz.onmicrosoft.com

CertificateThumbprint

ManagedIdentity                False



VERBOSE: Connecting via Access Tokens
VERBOSE: Dependencies were already successfully validated.
 Error Log created at {file://C:/WINDOWS/system32/4752-M365DSC-ErrorLog.log}
❌

Environment Information + PowerShell Version

PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
@FabienTschanz
Copy link
Collaborator

@99conqueror99 The authentication with AccessTokens should work by now. Please try again. I will close the issue, if it doesn't work, feel free to reopen it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@99conqueror99 @FabienTschanz