microsoft/Microsoft365DSC

O365OrgSettings issue with V1.24.626.1

YenNantes opened this issue · 3 comments

Description of the issue

I get an error when trying to export the O365Orgsettings resource since I upgraded to V1.24.626.1
It was working with the previous versions.

I'm using cert thumbprint with the delegated permissions mentioned in the doc: Application.ReadWrite.All, ReportSettings.Read.All, OrgSettings-Microsoft365Install.Read.All, OrgSettings-Forms.Read.All, OrgSettings-Todo.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-DynamicsVoice.Read.All, Tasks.Read.All

Additionally I would like to know why the doc says that "Application.ReadWrite.All" is required even in read-only mode.

Microsoft 365 DSC Version

1.24.626.1

Which workloads are affected

Office 365 Admin

The DSC configuration

Export-M365DSCConfiguration -Components O365Orgsettings -CertificateThumbprint xxxxx -ApplicationId xxxx -TenantId xxxxx.onmicrosoft.com

Verbose logs showing the problem

[2024/06/27 06:33:22]
{InvalidOperation}
System.Exception: [Authorization_RequestDenied] : Insufficient privileges to complete the operation.
"Error retrieving data:"
at New-MgServicePrincipal<Process>, C:\Program Files\WindowsPowerShell\Modules\Microsoft.Graph.Applications\2.19.0\exports\ProxyCmdletDefinitions.ps1: line 46027
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.626.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 208
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.626.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1079
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.626.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.626.1\Modules\M365DSCUtil.psm1: line 1389
at <ScriptBlock>, <No file>: line 1
TenantId: xxxxxxx.onmicrosoft.com

Environment Information + PowerShell Version

No response

No logic changes have been made to that resource in close to 2 months. Something else must have changed. What was the previous version of M365DSC you were using that worked?

The export is failing on New-MgServicePrincipal. This is code for service principals that might not yet be created on the tenant (which they should be); the reason it's failing is that Application.ReadWrite.All is lacking to create those service principals, even during export.

> No logic changes have been made to that resource in close to 2 months. Something else must have changed. What was the previous version of M365DSC you were using that worked?

It seems that you are right. I finally found that the issue was not affecting all tenants but mainly the new ones and that it was due to this part of the resource code:

    # appId of the "Office on the web" first-party application
    $OfficeOnlineId = 'c1f33bc0-bdb4-4248-ba9b-096807ddb43e'
    # Read-only lookup of the service principal; returns $null when it has not been registered in the tenant
    $M365WebEnableUsersToOpenFilesFrom3PStorageValue = Get-MgServicePrincipal -Filter "appId eq '$OfficeOnlineId'" -Property 'AccountEnabled' -ErrorAction SilentlyContinue
    if ($null -eq $M365WebEnableUsersToOpenFilesFrom3PStorageValue)
    {
        # This write operation needs Application.ReadWrite.All, even during an export
        Write-Verbose -Message "Registering the Office on the web Service Principal"
        New-MgServicePrincipal -AppId $OfficeOnlineId -ErrorAction Stop | Out-Null
        $M365WebEnableUsersToOpenFilesFrom3PStorageValue = Get-MgServicePrincipal -Filter "appId eq '$OfficeOnlineId'" -Property 'AccountEnabled' -ErrorAction SilentlyContinue
    }

If the Office on the web Service Principal does not exist, the script tries to create it. As we are not allowed to have write permissions on the tenant that we audit, I will do this upfront in my script that creates the Entra ID app required for M365DSC.
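One way to do that pre-registration step, as an added example that is not part of the issue thread or of the Microsoft365DSC project's own code: the provisioning script (run once, with an identity that does hold Application.ReadWrite.All) checks for the service principal by the appId quoted in the resource code above and registers it only if it is missing, so the read-only audit identity used later by Export-M365DSCConfiguration never reaches the New-MgServicePrincipal branch. It assumes the Microsoft.Graph.Applications module is installed and that Connect-MgGraph has already been run; the function names are this example's own.

```powershell
# Added example, not Microsoft365DSC project code.
# Assumes Microsoft.Graph.Applications is installed and Connect-MgGraph has
# already been run with a provisioning identity holding Application.ReadWrite.All.

# appId of the "Office on the web" application, taken from the resource code quoted in the issue
$OfficeOnlineAppId = 'c1f33bc0-bdb4-4248-ba9b-096807ddb43e'

function Test-OfficeOnlineServicePrincipal {
    # Read-only check: true when the service principal is already registered in the tenant.
    # This is the same lookup the DSC resource performs and only needs read rights.
    param([string]$AppId = $OfficeOnlineAppId)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -Property 'Id', 'AccountEnabled' -ErrorAction SilentlyContinue
    return ($null -ne $sp)
}

function Initialize-OfficeOnlineServicePrincipal {
    # Registers the service principal only when it is missing; -WhatIf shows the intent without writing.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$AppId = $OfficeOnlineAppId)

    if (Test-OfficeOnlineServicePrincipal -AppId $AppId) {
        Write-Verbose "Service principal for appId $AppId already exists; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess("appId $AppId", 'New-MgServicePrincipal')) {
        try {
            # The only write in this script; it is what requires Application.ReadWrite.All
            New-MgServicePrincipal -AppId $AppId -ErrorAction Stop | Out-Null
            Write-Verbose "Registered service principal for appId $AppId."
        }
        catch {
            # Surface the same Graph error seen in the issue with a clearer remediation hint
            if ($_.Exception.Message -like '*Authorization_RequestDenied*') {
                throw "Registering the service principal was denied; run this step with an identity that has Application.ReadWrite.All, not the read-only audit identity. Original error: $($_.Exception.Message)"
            }
            throw
        }
    }
}

# Usage inside the provisioning script, before any audit export is run:
#   Connect-MgGraph -ClientId '<provisioning app id>' -TenantId '<tenant>' -CertificateThumbprint '<thumbprint>'
#   Initialize-OfficeOnlineServicePrincipal -Verbose
```

Keeping this write in the provisioning script and out of the audit identity's permission set means the export identity can stay on the OrgSettings-*.Read.All and ReportSettings.Read.All scopes alone, and a later Export-M365DSCConfiguration takes only the read path of the resource.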