Closed remyloy closed 1 year ago
In which scenario are you calling into Connect-MSCloudLoginTasksWithCertificateThumbprint while using Microsoft 365 DSC? Within M365DSC we use Connect-M365Tenant....
My minimal repro here is:

```powershell
using module 'c:\microsoft365dsc\Modules\Microsoft365DSC\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1'

# $AppId, $TenantName and $CertThumbprint are set earlier in the session
# (values omitted); the certificate is installed in Cert:\LocalMachine\My.
$Params = @{
    IsSingleInstance      = 'Yes'
    ApplicationId         = $AppId
    TenantId              = $TenantName
    CertificateThumbprint = $CertThumbprint
}
MSFT_O365OrgSettings\Test-TargetResource @Params
```
And that snippet fails with (messages translated from German):

```text
Get-Item : Cannot find path "Cert:\CurrentUser\My\[...]" because it does not exist.
At C:\Program Files\WindowsPowerShell\Modules\MSCloudLoginAssistant\1.0.114\Workloads\Tasks.psm1:83 char:24
+ ... rtificate = Get-Item "Cert:\CurrentUser\My\$($Global:MSCloudLoginConn ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Cert:\CurrentUs[...]:String) [Get-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\MSCloudLoginAssistant\1.0.114\Workloads\Tasks.psm1:86 char:9
+ $CertificateBase64Hash = [System.Convert]::ToBase64String($Ce ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
```
I changed the line locally in Tasks.psm1 from CurrentUser to LocalMachine and that worked, i.e. it picked up the certificate that was already installed there for the Microsoft Graph related stuff.
This looks like a specific issue in the Tasks workload, which was recently introduced by: https://github.com/microsoft/MSCloudLoginAssistant/commit/0c030dfe0ef8ac99c471c642e31c9d926e813197
Within Microsoft Graph, there is a better implementation available:
The function Connect-MSCloudLoginTasksWithCertificateThumbprint only checks the CurrentUser store for the certificate with the given thumbprint, but does not check the LocalMachine store.
This is problematic for us, or at least makes things more complicated, when used with Microsoft365DSC and the O365OrganizationSettings resource, as this requires the certificate to be installed in the certificate store of the LCM user / LocalSystem user.
It would simplify things for us if this function used the LocalMachine store, like the Microsoft Graph workload does, or if it at least tried both stores, in case CurrentUser needs to be kept around for backwards compatibility.
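The lookup the issue asks for, as an added example that is not code from MSCloudLoginAssistant or Microsoft365DSC: probe Cert:\CurrentUser\My and then Cert:\LocalMachine\My for the thumbprint, require a private key, and fail with a message naming both stores instead of the ItemNotFoundException followed by the null-method error shown in the trace. The function name Find-CertificateByThumbprint, the store order and the `$CertThumbprint` placeholder are assumptions for this illustration.

```powershell
# Added example (not project code): resolve a client certificate by thumbprint
# from either user or machine store, as a backwards-compatible replacement for
# a hard-coded Get-Item "Cert:\CurrentUser\My\$Thumbprint".
function Find-CertificateByThumbprint {
    [CmdletBinding()]
    param(
        # SHA-1 thumbprint, 40 hex characters, no spaces.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]
        [string]$Thumbprint,

        # Assumed order: CurrentUser first to keep existing behaviour,
        # LocalMachine second for LCM / LocalSystem scenarios.
        [string[]]$StoreLocations = @('CurrentUser', 'LocalMachine')
    )

    foreach ($location in $StoreLocations) {
        $path = "Cert:\$location\My\$Thumbprint"

        # Test-Path first: Get-Item on a missing Cert: path throws
        # ItemNotFoundException and leaves $Certificate null.
        if (-not (Test-Path -Path $path)) {
            Write-Verbose "No certificate $Thumbprint in $location\My"
            continue
        }

        $cert = Get-Item -Path $path

        # A certificate without its private key cannot sign the client
        # assertion, so treat it as not found and keep searching.
        if (-not $cert.HasPrivateKey) {
            Write-Verbose "Certificate $Thumbprint in $location\My has no private key; skipping"
            continue
        }

        Write-Verbose "Using certificate $Thumbprint from $location\My"
        return $cert
    }

    $searched = ($StoreLocations | ForEach-Object { "Cert:\$_\My" }) -join ' or '
    throw "Certificate with thumbprint $Thumbprint (with private key) was not found in $searched"
}

# Usage (placeholder variable as in the repro above):
# $Certificate = Find-CertificateByThumbprint -Thumbprint $CertThumbprint -Verbose
```

When the LCM runs as LocalSystem, its CurrentUser store is LocalSystem's own profile store, not the store of the administrator who enrolled the certificate, so a CurrentUser-only lookup fails exactly as in the trace above; probing LocalMachine\My as well is what makes the same certificate that already serves the Microsoft Graph workload visible to the Tasks workload.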