AADGroup: New group creation failing due to AssignedToRole parameter not found in the first run
abhisri13 opened this issue · 0 comments
Description of the issue
The deployment of a new AADGroup is failing during the MOF application because the AssignedToRole parameter is not recognized as a valid entry.
The verbose logging indicates that when DSC tries to set the values for a new group, it proceeds with setting the value of AssignedToRole first, before IsAssignableToRole is set to True, which is possibly why "Set" fails.
We were able to bypass this issue by omitting the AssignedToRole parameter in the first run, which lets us create the new group without any issues. In the next run, we assigned the desired value to AssignedToRole and DSC was able to apply the configuration as expected.
Steps to reproduce the issue:
- Create a new security group and assign an RBAC role via the AssignedToRole parameter.
Steps to bypass the issue:
- Create a new security group without the AssignedToRole parameter.
- Once the above change is deployed, push another change setting the value of AssignedToRole with a role.
Microsoft 365 DSC Version
1.24.529.1 & 1.24.619.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
    AADGroup 'sg-group-directory-readers' {
        DependsOn = @(
            '[AADApplication]AADApplication-Microsoft365DSC'
        )
        DisplayName  = 'sg-group-directory-readers' ### L1|This group is required for Directory Reader
        MailNickname = 'sg-group-directory-readers' ### L2|This group should have the specified MailNickName
        Description  = 'Members of this group will gain Azure Reader Role.' ### L3|Description should be set
        # Id = ''
        Owners = @()
        # Members = @()
        # MemberOf = @()
        # GroupTypes = @()
        # MembershipRule = ''
        # MembershipRuleProcessingState = ''
        SecurityEnabled    = $true ### L2|This group should be security enabled
        MailEnabled        = $false ### L2|Should not be mail enabled
        IsAssignableToRole = $true ### L1|This group should be able to be assigned to a role.
        AssignedToRole = @(
            'Directory Readers' ### L2|Active assignment permitted by RBAC team for this group.
        )
        Visibility = 'Private' ### L2|This group is not intended for visibility
        # AssignedLicenses =
        Ensure = 'Present'
        ApplicationId         = $ApplicationId
        TenantId              = $TenantId
        CertificateThumbprint = $Thumbprint
    }
Verbose logs showing the problem
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Current Values: ApplicationId=***
AssignedToRole=()
CertificateThumbprint=***
Description=Members of this group will gain Azure Reader Role.
DisplayName=sg-group-directory-readers
Ensure=Absent
IsAssignableToRole=True
MailEnabled=False
MailNickname=sg-group-directory-readers
MemberOf=()
Members=()
Owners=()
SecurityEnabled=True
TenantId=***
Verbose=True
Visibility=Private
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Target Values: ApplicationId=***
AssignedToRole=(Directory Readers)
CertificateThumbprint=***
Description=Members of this group will gain Azure Reader Role.
DisplayName=sg-group-directory-readers
Ensure=Present
IsAssignableToRole=True
MailEnabled=False
MailNickname=sg-group-directory-readers
Owners=()
SecurityEnabled=True
TenantId=***
Verbose=True
Visibility=Private
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Test-TargetResource returned False
VERBOSE: LCM: [ End Test ]
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] in 0.4680 seconds.
VERBOSE: LCM: [ Start Set ]
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration]
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Setting configuration of Azure AD Groups
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Getting configuration of AzureAD Group
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Id was NOT specified
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Group was null, returning null
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Getting all Service Plans
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Checking to see if an existing deleted
group exists with DisplayName {sg-group-directory-readers}
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Creating new group
{sg-group-directory-readers}
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Creating Group with Values:
AssignedToRole=(Directory Readers)
Description=Members of this group will gain Azure Reader Role.
DisplayName=sg-group-directory-readers
IsAssignableToRole=True
MailEnabled=False
MailNickname=sg-group-directory-readers
SecurityEnabled=True
Verbose=True
Visibility=Private
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] A parameter cannot be found that matches
parameter name 'AssignedToRole'.
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Group {sg-group-directory-readers}
exists and it should.
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Updating settings by ID for group
{sg-group-directory-readers}
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Cannot set IsAssignableToRole once group is
created.
VERBOSE:
[[AADGroup]sg-group-directory-readers::[AzureAD]AzureAD_Configuration] Assigning AAD group
{sg-group-directory-readers} to Directory Role {Directory Readers}
[23:03:13 ERR] Error while starting DSC configuration: [Request_BadRequest] : Invalid target for navigation property update. URI must target an entity.
ERROR: [Request_BadRequest] : Invalid target for navigation property update. URI must target an entity.
At C:\AzurePipeline-Agent\_work\1\s\BuildScripts\Set-DSCConfiguration.ps1:53 char:9
+ Start-DscConfiguration @startDscConfigurationSplat
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At C:\AzurePipeline-Agent\_work\1\s\M365Config.build.ps1:387 char:1
+ Add-BuildTask Set {
+ ~~~~~~~~~~~~~~~~~~~
Build FAILED. 1 tasks, 1 errors, 0 warnings 00:02:14.3220435
##[error][Request_BadRequest] : Invalid target for navigation property update. URI must target an entity.
At C:\AzurePipeline-Agent\_work\1\s\BuildScripts\Set-DSCConfiguration.ps1:53 char:9
+ Start-DscConfiguration @startDscConfigurationSplat
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ DirectoryRole...ferenceCreate }:) [], CimException
+ FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaDirectoryRoleMemberB
yRef_Create
+ PSComputerName : localhost
##[error]PowerShell exited with code '1'.
Environment Information + PowerShell Version
OsName : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage : en-US
OsMuiLanguages : {en-US}
Name Value
---- -----
PSVersion 5.1.20348.2400
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.20348.2400
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
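The ordering the report works around by hand, written directly against the Microsoft Graph PowerShell SDK as an added example (this is not code from the issue or from the Microsoft365DSC project): the group is created with IsAssignableToRole in the creation request, because that flag cannot be changed afterwards, and only then is the group added to the directory role by a reference that targets the group's own id. The group and role names are the ones from the issue; the tenant connection, the client id and the certificate thumbprint are assumptions, and the scopes named are the ones this script needs under those assumptions.

```powershell
# Added example, not part of the issue or of Microsoft365DSC.
# Creates a role-assignable security group, then adds it to a directory role.
# Assumptions: app-only sign-in with a certificate; the app holds
# Group.ReadWrite.All and RoleManagement.ReadWrite.Directory application permissions.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$TenantId   = '00000000-0000-0000-0000-000000000000'   # assumption
$ClientId   = '00000000-0000-0000-0000-000000000000'   # assumption
$Thumbprint = '0000000000000000000000000000000000000000' # assumption
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome

$groupName = 'sg-group-directory-readers'
$roleName  = 'Directory Readers'

# Step 1: create the group. isAssignableToRole is immutable after creation, so it
# has to be in the POST body. Role membership is NOT a group property and is not
# passed here; that is the mistake the log shows ("A parameter cannot be found
# that matches parameter name 'AssignedToRole'").
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property 'id,displayName,isAssignableToRole' |
    Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
                         -MailNickname $groupName `
                         -Description 'Members of this group will gain Azure Reader Role.' `
                         -SecurityEnabled `
                         -MailEnabled:$false `
                         -IsAssignableToRole `
                         -Visibility 'Private'
    # Re-read with an explicit $select so the flag is actually populated.
    $group = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,isAssignableToRole'
}

# Check: a group that was created without the flag cannot be fixed in place.
if (-not $group.IsAssignableToRole) {
    throw "Group '$groupName' ($($group.Id)) is not role-assignable; it must be deleted and recreated with -IsAssignableToRole."
}

# Step 2: resolve the directory role. A role only exists as a directoryRole object
# once it has been activated from its template, so activate it if it is missing.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq $roleName
    if (-not $template) { throw "No directory role template named '$roleName'." }
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Step 3: add the group as a role member. The @odata.id must point at a concrete
# directoryObject; an empty id would build a reference that targets no entity, which
# is consistent with the "URI must target an entity" failure in the report.
if ([string]::IsNullOrWhiteSpace($group.Id)) {
    throw 'Group id is empty; refusing to build a dangling @odata.id reference.'
}
$alreadyMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | Where-Object Id -eq $group.Id
if (-not $alreadyMember) {
    $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($group.Id)" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $ref
    Write-Host "Added group $($group.Id) to role '$roleName' ($($role.Id))."
} else {
    Write-Host "Group $($group.Id) is already a member of role '$roleName'."
}
```

The script is idempotent, so it can be re-run after a partial failure: an existing group is reused rather than recreated, a missing role is activated from its template, and the membership call is skipped when the group is already a member. The IsAssignableToRole check is the part worth keeping in any pipeline that manages privileged groups, because a group that was created without the flag will silently fail every later attempt to make it role-assignable.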