Get-M365DSCCompiledPermissionList with -AccessType Read returns Write permissions
raandree opened this issue · 1 comments
raandree commented
Description of the issue
When calling
Get-M365DSCCompiledPermissionList -ResourceNameList (Get-M365DSCAllResources) -AccessType read -PermissionType Delegated
we get two permissions back that are not expected:
- Sites.FullControl.All
- Policy.ReadWrite.AuthenticationMethod
Is that expected?
Microsoft 365 DSC Version
1.24.313.1
Which workloads are affected
other
The DSC configuration
NA
Verbose logs showing the problem
NA
Environment Information + PowerShell Version
OsName : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-US
OsMuiLanguages : {en-US}
Name Value
---- -----
PSVersion 7.4.2
PSEdition Core
GitCommitId 7.4.2
OS Microsoft Windows 10.0.22631
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
andikrueger commented
Thanks for raising this issue. The cmdlet will return some write permissions as they are required from the API side or are listed within the documentation of the cmdlets as a requirement.
In your case with delegation you can assign read-only rights to the account used. This will still narrow down the access scope of the account.
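
One way to review a compiled permission list for entries that grant more than read access, as an added example (not part of the original thread or of the Microsoft365DSC project). It assumes the permission names are available as plain strings in the `Resource.Operation[.Constraint]` form seen above; the function name `Get-PermissionAccessLevel` and the sample list are hypothetical.

```powershell
# Added example: classify permission names so that anything beyond read
# access stands out before consent is granted.
# Assumption: input is a list of permission name strings.
function Get-PermissionAccessLevel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$PermissionName
    )
    process {
        foreach ($name in $PermissionName) {
            # Names follow Resource.Operation[.Constraint]
            $segments  = $name.Split('.')
            $resource  = $segments[0]
            $operation = if ($segments.Count -gt 1) { $segments[1] } else { '' }

            # Default to 'Review' so unrecognised operations are never
            # silently treated as read-only.
            $level = if ($operation -match '^Read(Basic)?$') {
                'Read'
            } elseif ($operation -match '^(ReadWrite|Write|FullControl|Manage)') {
                'Write'
            } else {
                'Review'
            }

            [pscustomobject]@{
                Name      = $name
                Resource  = $resource
                Operation = $operation
                Level     = $level
            }
        }
    }
}

# Constructed sample: the two names reported in this issue plus two
# read-only names for contrast.
$sample = @(
    'Sites.FullControl.All'
    'Policy.ReadWrite.AuthenticationMethod'
    'User.Read.All'
    'Policy.Read.All'
)

# List every entry that is not plainly read-only.
$sample | Get-PermissionAccessLevel | Where-Object Level -ne 'Read'
```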