Unable to Export-M365DSCConfiguration using the -AccessTokens parameter.
MarcoJanse opened this issue · 7 comments
I'm struggling with understanding how the -AccessTokens parameter in Export-M365DSCConfiguration is designed to work.
The help page for the cmdlet does not show much information or an example for this parameter only that it should be a string array.
What I assumed it would do is to use a token from an existing session and reuse this for Microsoft Graph.
Normally, I can do this to use a token from my Azure PowerShell session to connect to Microsoft Graph:
$accessToken = Get-AzAccessToken -ResourceType MSGraph -AsSecureString
Connect-MgGraph -AccessToken $accessToken.TokenI wanted to use this technique to use a managed identity in my Azure DevOps pipeline to run the Export-M365DscConfiguration using a Microsoft hosted agent. I've successfully tested the above PowerShell snippet in a DevOps pipeline to query something in Ms Graph using that managed identity.
However, if I try the same with the Export-M365DSCConfiguration:
$accessToken = (Get-AzAccessToken -ResourceType MSGraph).Token
$accessTokenArray = @($accessToken)
Export-M365DSCConfiguration -Workloads INTUNE -Mode Default -TenantId '<TenantId>' -AccessTokens $accessTokenArrayWhen looking at the pipeline log, I see this for each Intune component that is tried to be extracted:
2024-06-25T12:54:12.5781798Z ❌
2024-06-25T12:54:13.0478021Z [2/76] Extracting [IntuneAccountProtectionLocalUserGroupMembershipPolicy] using {AccessTokens}...VERBOSE: Attempting connection to {MicrosoftGraph} with:
2024-06-25T12:54:13.9896975Z VERBOSE:
2024-06-25T12:54:13.9897138Z
2024-06-25T12:54:13.9897323Z Name Value
2024-06-25T12:54:13.9897825Z
2024-06-25T12:54:13.9897871Z
2024-06-25T12:54:13.9898397Z ---- -----
2024-06-25T12:54:13.9898489Z
2024-06-25T12:54:13.9898533Z
2024-06-25T12:54:13.9898679Z TenantId <tenantName>.onmicrosoft.com
2024-06-25T12:54:13.9898810Z
2024-06-25T12:54:13.9898853Z
2024-06-25T12:54:13.9898982Z AccessTokens
2024-06-25T12:54:13.9899176Z {eyJ0eXAiOiJKV1QiLCJub25jZSI6InNKMFdfa1RmY3ZabVEwYWYyUXltd0ZkRDZwNUxFNUhRcVdPSkFlWVRj...
2024-06-25T12:54:13.9899298Z
2024-06-25T12:54:13.9899360Z
2024-06-25T12:54:13.9899402Z
2024-06-25T12:54:13.9899445Z
2024-06-25T12:54:13.9899590Z VERBOSE: Connecting via Access Tokens
2024-06-25T12:54:13.9899768Z VERBOSE: Dependencies were already successfully validated.
2024-06-25T12:54:13.9900038Z ❌
2024-06-25T12:54:13.9900253Z [3/76] Extracting [IntuneAccountProtectionPolicy] using {AccessTokens}...VERBOSE: Attempting connection to {MicrosoftGraph} with:
2024-06-25T12:54:13.9900482Z VERBOSE:
2024-06-25T12:54:13.9900534Z
2024-06-25T12:54:13.9900676Z Name Value
2024-06-25T12:54:13.9900742Z
2024-06-25T12:54:13.9900784Z
2024-06-25T12:54:13.9901057Z ---- -----
2024-06-25T12:54:13.9901123Z
2024-06-25T12:54:13.9901169Z
2024-06-25T12:54:13.9901332Z TenantId <tenantName>.onmicrosoft.com
2024-06-25T12:54:13.9901413Z
2024-06-25T12:54:13.9901473Z
2024-06-25T12:54:13.9901581Z AccessTokens
2024-06-25T12:54:13.9901791Z {eyJ0eXAiOiJKV1QiLCJub25jZSI6InNKMFdfa1RmY3ZabVEwYWYyUXltd0ZkRDZwNUxFNUhRcVdPSkFlWVRj...
I would really appreciate it if someone could clarify the proper use of the AccessTokens parameter.
Have to ask: does the -ManagedIdentity switch not work in this scenario?
Thank you for the suggestion @mlhickey.
As far as I know, the -ManagedIdentity switch can be used on a self-hosted runner is the managed identity is assigned to the VM. This is a Microsoft hosted runner, where I have configured the service connection to use Workload Identity federation to use a managed identity for authentication.
I have tested this technique in two different pipelines. Both use an AzurePowerShell@5 task to connect to Azure in which I refer my ServiceConnection as input. The Managed identity has read permissions on my Azure subscription and can connect successfully to Azure.
In my first pipeline, I try Connect-MgGraph with the -Identity parameter and this gives the following error:
##[error]Failed to connect to Microsoft Graph: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
If I use the Connect-MgGraph with both the -Identity and -ClientId parameter with the Client ID of the managed identity, I get exactly the same error.
However in my second pipeline I use the -AccessToken technique for authentication and that works:
$accessToken = Get-AzAccessToken -ResourceType MSGraph -AsSecureString
Connect-MgGraph -AccessToken $accessToken.Token
After that, I can successfully query resources using graph cmdlets.
But trying to use the same technique with the -AccessTokens parameter for the Export-M365DSCConfiguration is failing with the above errors.
I would really appreciate if someone could clarify how the -AccessTokens parameter should work and why it's plural. It's the only parameter without a description in the help
Perhaps a bug in MicrosoftGraph.psm1? AuthenticationType is set to 'AccessTokens' in ConnectionProfile
elseif ($this.AccessTokens -and -not [System.String]::IsNullOrEmpty($this.TenantId)) { $this.AuthenticationType = 'AccessTokens' }
but is tested for 'AccessToken' in MicrosoftGraph:
elseif($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.AuthenticationType -eq 'AccessToken')
@NikCharlebois
As @mlhickey mentioned, there is an invalid check for the authentication type in MicrosoftGraph.psm1#L154. Actually, this value is AccessTokens, as specified in ConnectionProfile.psm1#L209.
I opened microsoft/MSCloudLoginAssistant#177 to address the issue.
Thank you so much @FabienTschanz for opening this PR. Too bad it's still not approved after more than a month now. Hopefully someone will review this PR soon now... 🙏
@MarcoJanse The pull request was approved. We will soon get a new release with the updated version, then you can check again.