Unable to access DSC components using -AccessTokens (@("AADAuthorizationPolicy"))
renish-charaniya opened this issue · 0 comments
Description of the issue
Previously we were using Credentials to fetch DSC components. Now that -AccessTokens has been introduced, I am trying to fetch DSC components with it, but it doesn't work.
DSC command:-
Export-M365DSCConfiguration -Components @("AADAuthorizationPolicy") -AccessTokens ['eyubdbsdjsdsjdj'] -TenantId "xyz.onmicrosoft.com"
Error:-
{NotSpecified}
Microsoft.Graph.PowerShell.AuthenticationException: Authentication needed. Please call Connect-MgGraph.
at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.<GetAuthenticationProviderAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.PowerShell.Authentication.Helpers.HttpHelpers.GetGraphHttpClient()
at Microsoft.Graph.Beta.PowerShell.Module.BeforeCreatePipeline(InvocationInfo invocationInfo, HttpPipeline& pipeline)
at Microsoft.Graph.Beta.PowerShell.Module.CreatePipeline(InvocationInfo invocationInfo, String parameterSetName)
at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaPolicyAuthorizationPolicy_List.<ProcessRecordAsync>d__88.MoveNext()
"Could not find existing authorization policy"
at Get-MgBetaPolicyAuthorizationPolicy<Process>, C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Beta.Identity.SignIns\2.19.0\exports\ProxyCmdletDefinitions.ps1: line 32142
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\DSCResources\MSFT_AADAuthorizationPolicy\MSFT_AADAuthorizationPolicy.psm1: line 127
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\DSCResources\MSFT_AADAuthorizationPolicy\MSFT_AADAuthorizationPolicy.psm1: line 585
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\Modules\M365DSCReverse.psm1: line 677
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\Modules\M365DSCUtil.psm1: line 1375
at <ScriptBlock>, <No file>: line 1
TenantId: xyz.onmicrosoft.com
How did I generate the access token?
- I used the OAuth2 flow with the required scopes [Policy.Read.All Policy.ReadWrite.Authorization].
- I have created a custom AAD app.
API used to fetch the token:-
- https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?client_id={CLIENT_ID}&response_type=code&scope=Policy.Read.All Policy.ReadWrite.Authorization
- Token - https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token
Successfully generated the token.
Now I am trying to fetch the DSC component AADAuthorizationPolicy by executing the following command:
Export-M365DSCConfiguration -Components @("AADAuthorizationPolicy") -AccessTokens ['eyubdbsdjsdsjdj'] -TenantId "xyz.onmicrosoft.com"
I am facing the error shared above. When I do Connect-MgGraph, it pops up the browser screen and I log in with a Global Administrator account, but the above error still persists.
Microsoft 365 DSC Version
1.24.515.2
Which workloads are affected
Azure Active Directory (Entra ID), Exchange Online, Office 365 Admin, OneDrive for Business, SharePoint Online, Teams
The DSC configuration
DSC command causing the issue - `Export-M365DSCConfiguration -Components @("AADAuthorizationPolicy") -AccessTokens ['eyubdbsdjsdsjdj'] -TenantId "xyz.onmicrosoft.com"`
Error log - `{NotSpecified}
Microsoft.Graph.PowerShell.AuthenticationException: Authentication needed. Please call Connect-MgGraph.
at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.<GetAuthenticationProviderAsync>d__10.MoveNext()`
Verbose logs showing the problem
VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADAuthorizationPolicy
Authentication methods specified:
- Access Tokens
VERBOSE: Removing the imported "Export-TargetResource" function.
VERBOSE: Removing the imported "Get-TargetResource" function.
VERBOSE: Removing the imported "Set-TargetResource" function.
VERBOSE: Removing the imported "Test-TargetResource" function.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.515.2\DSCResources\MSFT_AADAuthorizationPolicy\MSFT_AADAuthorizationPolicy.psm1'.
VERBOSE: Importing function 'Export-TargetResource'.
VERBOSE: Importing function 'Get-TargetResource'.
VERBOSE: Importing function 'Set-TargetResource'.
VERBOSE: Importing function 'Test-TargetResource'.
Connecting to {MicrosoftGraph}...✅
[1/1] Extracting [AADAuthorizationPolicy] using {AccessTokens}...VERBOSE: Dependencies were already successfully validated.
VERBOSE: Attempting connection to {MicrosoftGraph} with:
VERBOSE:
Name Value
---- -----
TenantId xyz.onmicrosoft.com
AccessTokens
{[eyJ0eXAiOiJKV1QiLCJub25jZSI6ImgwX0QzblZ1RXkzR1ZnaDZIdTUtbzVQNnp2RElnaW1sX1ZpU0Q3Z0NKYkkiLCJhbGc...
VERBOSE: Connecting via Access Tokens
VERBOSE: Attempting connection to {MicrosoftGraph} with:
VERBOSE:
Name Value
---- -----
AccessTokens
{[eyJ0eXAiOiJKV1QiLCJub25jZSI6ImgwX0QzblZ1RXkzR1ZnaDZIdTUtbzVQNnp2RElnaW1sX1ZpU0Q3Z0NKYkkiLCJhbGc...
ApplicationSecret
IsSingleInstance Yes
ApplicationId
Credential
TenantId xyz.onmicrosoft.com
CertificateThumbprint
ManagedIdentity False
VERBOSE: Connecting via Access Tokens
VERBOSE: Dependencies were already successfully validated.
Error Log created at {file://C:/WINDOWS/system32/4752-M365DSC-ErrorLog.log}
❌
Environment Information + PowerShell Version
PSVersion 5.1.22621.2506
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.2506
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
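
Added example, not part of the original issue and not Microsoft365DSC code: a pre-flight check that decodes a token's claims before the token is passed to -AccessTokens, reporting its audience, tenant, expiry and any of the scopes named in the issue that are missing. It also rejects a value with stray characters, such as the leading `[` that the verbose output shows in the AccessTokens entry. The function names and the sample token are constructed for illustration, and the check only reads claims; it does not validate the signature.

```powershell
# Added example: helper names are hypothetical, not Microsoft365DSC or Graph SDK cmdlets.
function ConvertFrom-Base64Url([string]$Segment) {
    $s = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {            # restore the padding that base64url strips
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaim([string]$Token) {
    # A compact JWT is exactly three base64url segments separated by dots.
    if ($Token -notmatch '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$') {
        throw "Not a compact JWT; value starts with '$($Token[0])'"
    }
    ConvertFrom-Base64Url ($Token.Split('.')[1]) | ConvertFrom-Json
}

function Test-GraphToken([string]$Token, [string[]]$RequiredScope) {
    $c = Get-JwtClaim -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    # Delegated tokens list their scopes space-separated in the 'scp' claim.
    $granted = @("$($c.scp)" -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        Audience      = $c.aud
        TenantId      = $c.tid
        Expired       = $expires -lt [DateTimeOffset]::UtcNow
        MissingScopes = @($RequiredScope | Where-Object { $_ -notin $granted })
    }
}

# Constructed sample token (placeholder signature), built inline so this runs offline.
$payload = @{ aud = 'https://graph.microsoft.com'; scp = 'Policy.Read.All'
              tid = '00000000-0000-0000-0000-000000000000'; exp = 4102444800 } |
    ConvertTo-Json -Compress
$header = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$sample = '{0}.{1}.{2}' -f $header, (ConvertTo-Base64Url $payload), 'c2lnbmF0dXJl'

Test-GraphToken -Token $sample -RequiredScope 'Policy.Read.All', 'Policy.ReadWrite.Authorization'
# A value wrapped in brackets fails the format check before any Graph call is made.
try { Get-JwtClaim -Token "[$sample]" } catch { $_.Exception.Message }
```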