Your app has been throttled by AAD due to too many requests.
cdenders opened this issue · 10 comments
Description of the issue
Running the Start-DSCConfiguration command, makes some progress and then a whole bunch of it starts failing with:
failed to execute Test-TargetResource functionality with
error message: Your app has been throttled by AAD due to too many requests. To avoid this, cache your tokens see
https://aka.ms/msal-net-throttling.
I'm not sure how to tell this system to cache the tokens?
Microsoft 365 DSC Version
1.24.619.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
No response
Verbose logs showing the problem
No response
Environment Information + PowerShell Version
No response
Maybe helps to indicate I am using password authentication. I'll look into trying a different authentication method.
If using Credentials than you are leveraging the Microsoft Graph SDK app which is probably shared by other processes/apps in your application. This means that all calls to it are being counted against the throttling limit, not just the M365DSC ones. Using Service Principal authentication instead of credentials should definitively help resolve this situation.
I'm trying to push the configuration to a new empty tenant, so there would be no other apps hitting the throttle limit. Is the Throttle limit configurable?
Or can I slow down the push, and/or just keep repeating the push until it finishes?
M365DSC does leverage standard Microsoft Graph authentication methods and there should not be more sign-ins than necessary. In the authentication layer of M365DSC there are functions implemented that should verify an existing connection to a tenant and only create a new authentication context if the token would have expired.
Any chance you could share a redacted version of the sign in logs for the user?
Apparently my computer is repeatedly signing in... I didn't realize that a DSC push configuration repeatedly trying in the background?
Even though I've been using the -wait parameter, I guess I have some push happening as background jobs.
I've now run Remove-DscConfigurationDocument -Stage Pending -force , and this appears to have stopped the repeated logins. Though I'm unclear as to how it started, I've been using the -wait parameter to run the Start-dscconfiguration command interactively. Maybe I missed it one time?
I'll try again in an hour or two, see if I get the throttle error again.
Please run Get-DscLocalConfigurationManager and check the settings for the mode of the LCM. LCM does a 15 minute consistency check per default.
Checked my sign-in logs, it has been an hour without any additional sign-ins since I ran Remove-DscConfigurationDocument -Stage Pending -force
ActionAfterReboot : ContinueConfiguration
AgentId : 9B3B3E40-D2A4-11EE-90DC-F4C88A239208
AllowModuleOverWrite : False
CertificateID :
ConfigurationDownloadManagers : {}
ConfigurationID :
ConfigurationMode : ApplyAndMonitor
ConfigurationModeFrequencyMins : 15
Credential :
DebugMode : {NONE}
DownloadManagerCustomData :
DownloadManagerName :
LCMCompatibleVersions : {1.0, 2.0}
LCMState : Idle
LCMStateDetail :
LCMVersion : 2.0
StatusRetentionTimeInDays : 10
SignatureValidationPolicy : NONE
SignatureValidations : {}
MaximumDownloadSizeMB : 500
PartialConfigurations :
RebootNodeIfNeeded : False
RefreshFrequencyMins : 30
RefreshMode : PUSH
ReportManagers : {}
ResourceModuleManagers : {}
PSComputerName :
That is correct. Right now, LCM does not have any configuration to verify.
As soon as you run start-dscconfiguration a new config file will be placed in the LCM engine store and be checked every 15 minutes.
These two settings are responsible for doing so:
ConfigurationMode : ApplyAndMonitor
ConfigurationModeFrequencyMins : 15
If you do not want any kind of monitoring you need to set the configuration mode to apply only.
For more information about the LCM configuration please see this article here: https://learn.microsoft.com/en-us/powershell/dsc/managing-nodes/metaconfig?view=dsc-1.1
Thank you for your assistance.