microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

AADGroupsNamingPolicy Issue getting values #1536

Closed T630Dev closed 2 years ago

T630Dev commented 3 years ago

Details of the scenario you tried and the problem that is occurring

Configured an AADGroupsNamingPolicy with the attribute CustomBlockedWordsList, using Credentials instead of App Reg. While running Start-DSCConfiguration, a permission issue occurred for the REST call.

Insufficient privileges to complete the operation. Meldungs-ID: Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.NewMgDirectorySetting_CreateExpanded Fehlerkategorie: 7 Fehlercode: 7 Fehlertyp: MI

Besides the global admin, are there any other roles I need to assign to the service user when I do not use an App Reg?

Suggested solution to the issue

Workaround is to use the App reg. There, I can configure permissions for the Graph API and it works fine.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

instance of MSFT_AADGroupsNamingPolicy as $MSFT_AADGroupsNamingPolicy1ref
{
ResourceID = "[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24";
 CustomBlockedWordsList = {
    "Test2",
    "test"
};
 Ensure = "Present";
 SourceInfo = "::53::3::AADGroupsNamingPolicy";
 Credential = $MSFT_Credential1ref;
 IsSingleInstance = "Yes";
 ModuleName = "Microsoft365DSC";
 ModuleVersion = "1.21.1103.1";
 ConfigurationName = "MainConfig";
};

atdheekurteshi commented 2 years ago

I have tested the AADGroupsNamingPolicy by using the Credentials; I still got the issue.

Results:

Start-DscConfiguration -UseExisting -Force -Verbose -Wait
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: Vom Computer 'INHOUSE-WIN7' mit Benutzer-SID 'S-1-5-21-3768120332-928546867-543785711-4813' ist ein LCM-Methodenaufruf eingegangen.
VERBOSE: [INHOUSE-WIN7]:                            [] Das Konsistenzmodul wird gestartet.
VERBOSE: [INHOUSE-WIN7]: LCM:  [ StartenRessource]  [[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37]
VERBOSE: [INHOUSE-WIN7]: LCM:  [ StartenTesten   ]  [[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37]
VERBOSE: [INHOUSE-WIN7]:                            [[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37] Testing configuration of AzureAD Groups Naming Policy
VERBOSE: [INHOUSE-WIN7]:                            [[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37] Getting configuration of AzureAD Groups Naming Policy
Insufficient privileges to complete the operation.
    + CategoryInfo          : InvalidOperation: ({ Top = , Skip ...ndProperty =  }:) [], CimException
    + FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgDirectorySetting_List
    + PSComputerName        : localhost

VERBOSE: [INHOUSE-WIN7]:                            [[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37] Target Values: Credential=***; CustomBlockedWordsList=(Test2,test); Ensure=Present;
IsSingleInstance=Yes; Verbose=True
VERBOSE: [INHOUSE-WIN7]:                            [[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37] Test-TargetResource returned False
VERBOSE: [INHOUSE-WIN7]: LCM:  [ BeendenTesten   ]  [[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37]  in 8.1510 Sekunden.
Die PowerShell DSC-Ressource "[AADGroupsNamingPolicy]Container-70-a4b9956e-eab7-4fd0-b187-658ea8de1a37" mit SourceInfo "::10::3::AADGroupsNamingPolicy" hat beim Ausführen der Funktion "Test-TargetResource"
mindestens einen Fehler ohne Abbruch ausgegeben. Diese Fehler werden im ETW-Kanal namens "Microsoft-Windows-DSC/Operational" protokolliert. Weitere Informationen finden Sie in diesem Kanal.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [INHOUSE-WIN7]:                            [] Die Konsistenzprüfung ist abgeschlossen.
Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden.  Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell
starten.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 8.91 seconds

Version of the DSC module that was used ('dev' if using current dev branch)

1.21.1222.1

andikrueger commented 2 years ago

This looks like an authentication issue. Did you try to fix the graph scopes as described here: https://microsoft365dsc.com/user-guide/get-started/complete-story/#microsoft-graph-permissions

atdheekurteshi commented 2 years ago

Yes, the scopes are fine from our side.

NikCharlebois commented 2 years ago

@atdheekurteshi As mentioned by Andi, setting the Groups Naming Policy will require you to grant "Directory.ReadWrite.All" to either your custom application or to the Microsoft Graph PowerShell SDK, even if using Credentials. You can achieve this by calling: Update-M365DSCAllowedGraphScopes -ResourceNameList AADGroupsNamingPolicy -Type Update

Please let us know of the outcome
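
An added example, not part of the original thread or the Microsoft365DSC project: one way to check whether the delegated scopes named above are present, both in the current Graph session and in the consent grants of the client application that session uses. It assumes the Microsoft Graph PowerShell SDK modules are installed and that the signed-in account may read consent grants; `Get-MissingScope`, `$RequiredScopes` and the report variables are names made up for this example.

```powershell
# Added example: not code from Microsoft365DSC.
# Uses Get-MgContext, Get-MgServicePrincipal and Get-MgOauth2PermissionGrant
# from the Microsoft Graph PowerShell SDK.

# Delegated scopes the thread names for AADGroupsNamingPolicy.
$RequiredScopes = @('Directory.Read.All', 'Directory.ReadWrite.All')

# Well-known application ID of the Microsoft Graph resource itself.
$GraphResourceAppId = '00000003-0000-0000-c000-000000000000'

function Get-MissingScope {
    # Hypothetical helper: returns the required scopes that are absent from a granted list.
    param(
        [Parameter(Mandatory)] [string[]] $Required,
        [string[]] $Granted = @()
    )
    # -notin compares strings case-insensitively.
    @($Required | Where-Object { $_ -notin $Granted })
}

# 1. Scopes carried by the token of the current session.
$context = Get-MgContext
if (-not $context) {
    throw 'No Graph session in this PowerShell process. Run Connect-MgGraph first.'
}
$missingInSession = Get-MissingScope -Required $RequiredScopes -Granted $context.Scopes

# 2. Delegated consent grants held by the client application the session used
#    (the SDK's default app or a custom app registration).
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$($context.ClientId)'"
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphResourceAppId'"
if (-not $clientSp) {
    throw "No service principal found in this tenant for client $($context.ClientId)."
}

$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

$grantReport = foreach ($grant in $grants) {
    # The Scope property is a single space-separated string.
    $granted = @($grant.Scope -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        ConsentType = $grant.ConsentType   # AllPrincipals = tenant-wide, Principal = one user
        PrincipalId = $grant.PrincipalId   # empty for tenant-wide grants
        Missing     = (Get-MissingScope -Required $RequiredScopes -Granted $granted) -join ', '
    }
}

# 3. Report.
[pscustomobject]@{
    Account          = $context.Account
    ClientId         = $context.ClientId
    MissingInSession = $missingInSession -join ', '
}
if ($grantReport) {
    $grantReport | Format-Table -AutoSize
}
else {
    Write-Warning 'No delegated consent grant for Microsoft Graph exists for this client.'
}
```

An empty `Missing` column on an `AllPrincipals` row means the scope is consented tenant-wide; a scope that appears only on a `Principal` row is granted to that one user, not to the account DSC signs in with.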

atdheekurteshi commented 2 years ago

Still the same: I get the same error even after I run the script mentioned above and even if I am connected to Graph through Connect-MgGraph.

MOF File:

/*
@TargetNode='localhost'
@GeneratedBy=
@GenerationDate=05/13/2022 13:07:57
@GenerationHost=
*/

instance of MSFT_Credential as $MSFT_Credential1ref
{
 Password = "";
 UserName = "";

};

instance of MSFT_AADGroupsNamingPolicy as $MSFT_AADGroupsNamingPolicy1ref
{
ResourceID = "[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24";
 CustomBlockedWordsList = {
    "Test2",
    "test"
};
 Ensure = "Present";
 SourceInfo = "::53::3::AADGroupsNamingPolicy";
 Credential = $MSFT_Credential1ref;
 IsSingleInstance = "Yes";
 ModuleName = "Microsoft365DSC";
 ModuleVersion = "1.22.525.1";
 ConfigurationName = "MainConfig";
};

instance of OMI_ConfigurationDocument
{
 Version="2.0.0";
 MinimumCompatibleVersion = "1.0.0";
 CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
 Author="";
 GenerationDate="05/13/2022 13:07:57";
 GenerationHost="";
 Name="MainConfig";
};

PowerShell Script returns (Device code terminal timed-out):

PS C:\Windows\system32> Update-M365DSCAllowedGraphScopes -ResourceNameList AADGroupsNamingPolicy -Type Update
Allowed Graph scopes updated!

PS C:\Windows\system32> Connect-MgGraph
Welcome To Microsoft Graph!

PS C:\Windows\system32> Start-DscConfiguration -UseExisting -Force -Verbose -Wait

Device code terminal timed-out after 120 seconds. Please try again.
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
    + PSComputerName        : localhost

 Authentication needed, call Connect-MgGraph.
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgDirectorySetting_List
    + PSComputerName        : localhost

VERBOSE: :                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Target Values: Credential=***; CustomBlockedWordsList=(Test2,test); Ensure=Present;
IsSingleInstance=Yes; Verbose=True
VERBOSE: :                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Test-TargetResource returned False
VERBOSE: : LCM:  [ BeendenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]  in 121.9080 Sekunden.
Die PowerShell DSC-Ressource "[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24" mit SourceInfo "::53::3::AADGroupsNamingPolicy" hat beim Ausführen der Funktion "Test-TargetResource" mindestens einen
Fehler ohne Abbruch ausgegeben. Diese Fehler werden im ETW-Kanal namens "Microsoft-Windows-DSC/Operational" protokolliert. Weitere Informationen finden Sie in diesem Kanal.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: :                            [] Die Konsistenzprüfung ist abgeschlossen.
Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden.  Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell
starten.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 123.545 seconds

andikrueger commented 2 years ago

@atdheekurteshi Were you able to overcome this issue?

Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden. Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell starten.

Your local LCM could not be started. There is an issue with your local system. Could you try to run this command within an elevated PowerShell session:

 Get-DscLocalConfigurationManager

atdheekurteshi commented 2 years ago

I have been testing it with a newer version of the MicrosoftM365DSC but I still get the same error.

MicrosoftM365DSC
1.22.706.1 (current version) 

PowerShell Script

PS C:\Windows\system32> Connect-MsGraph                                                                                                                                                                                                                                                                                                                                                                                                           

UPN                                 TenantId     
---                                 --------                                                                                                                                                                             
asdasd@asdasd.onmicrosoft.com 000000-000000-000000-000000-000000

PowerShell Script

PS C:\Windows\system32> Update-M365DSCAllowedGraphScopes -ResourceNameList "AADGroupsNamingPolicy" -Type Update -Verbose
VERBOSE: Specified resources: AADGroupsNamingPolicy
VERBOSE: Retrieving Graph Delegated Permissions
VERBOSE: Processing AADGroupsNamingPolicy
VERBOSE: Found new Update permission {Directory.Read.All}
VERBOSE: Found new Update permission {Directory.ReadWrite.All} 
VERBOSE: Found new Read permission {Directory.Read.All}  
VERBOSE: Specified type: Update
VERBOSE: Found permissions: Directory.Read.All, Directory.ReadWrite.All
VERBOSE: Connecting to MS Graph to update permissions

Get-DscLocalConfigurationManager

PS C:\Windows\system32>  Get-DscLocalConfigurationManager

ActionAfterReboot              : StopConfiguration
AgentId                        : 2B874BF1-1A0E-11EC-B6AE-0022487F5355
AllowModuleOverWrite           : False
CertificateID                  : 6D3CCA38BD22861FAE0C141586D0BBD5731F60AF
ConfigurationDownloadManagers  : {}
ConfigurationID                :
ConfigurationMode              : ApplyOnly
ConfigurationModeFrequencyMins : 15
Credential                     :
DebugMode                      : {NONE}
DownloadManagerCustomData      :
DownloadManagerName            :
LCMCompatibleVersions          : {1.0, 2.0}
LCMState                       : PendingConfiguration
LCMStateDetail                 :
LCMVersion                     : 2.0
StatusRetentionTimeInDays      : 10
SignatureValidationPolicy      : NONE
SignatureValidations           : {}
MaximumDownloadSizeMB          : 500
PartialConfigurations          : {[PartialConfiguration]MainConfig}
RebootNodeIfNeeded             : False
RefreshFrequencyMins           : 30
RefreshMode                    : Push
ReportManagers                 : {}
ResourceModuleManagers         : {}
PSComputerName                 :

PowerShell Script:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> Publish-DscConfiguration -Path C:\Users\xgxtan4\Downloads\M365Automation-1\src\MOFs\MainConfig -Force -Verbose                                                                                   
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.                                                                                                                                                                       
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.                                                                             
VERBOSE: []: LCM:  [ StartenFestlegen]                                                                                                                                                                       
VERBOSE: []: LCM:  [ BeendenFestlegen]     Das Konfigurationsdokument wurde im Speicher für partielle Konfigurationen gespeichert.
VERBOSE: []: LCM:  [ BeendenFestlegen]
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Publish-DscConfiguration finished in 0.335 seconds.
PS C:\Windows\system32> Start-DscConfiguration -UseExisting -Force -Verbose -Wait
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.
VERBOSE: []:                            [] Das Konsistenzmodul wird gestartet.
VERBOSE: []: LCM:  [ StartenRessource]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []: LCM:  [ StartenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Testing configuration of AzureAD Groups Naming Policy
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Getting configuration of AzureAD Groups Naming Policy
VERBOSE: []: LCM:  [ BeendenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]  in 131.9410 Sekunden.
Die PowerShell DSC-Ressource "MSFT_AADGroupsNamingPolicy" konnte die Funktion "Test-TargetResource" nicht ausführen. Fehlermeldung: "Unable to connect to the Microsoft Graph. Please make sure the app permissions are
setup correctly. Please run Update-M365DSCAllowedGraphScopes."
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: []:                            [] Die Konsistenzprüfung ist abgeschlossen.
Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden.  Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell
starten.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 133.293 seconds

Permissions Assigned:

| API / Permissions name | Type | Description | Admin consent required | Status |
| --- | --- | --- | --- | --- |
| Microsoft Graph (66) | | | | |
| DeviceManagementApps.Read.All | Delegated | Read Microsoft Intune apps | Yes | Granted for |
| DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps | Yes | Granted for |
| DeviceManagementApps.ReadWrite.All | Delegated | Read and write Microsoft Intune apps | Yes | Granted for |
| DeviceManagementApps.ReadWrite.All | Application | Read and write Microsoft Intune apps | Yes | Granted for |
| Directory.Read.All | Delegated | Read directory data | Yes | Granted for |
| Directory.ReadWrite.All | Delegated | Read and write directory data | Yes | Granted for |
| Directory.ReadWrite.All | Application | Read and write directory data | Yes | Granted for |
| Group.Create | Application | Create groups | Yes | Granted for |
| Group.Read.All | Delegated | Read all groups | Yes | Granted for |
| Group.Read.All | Application | Read all groups | Yes | Granted for |
| Group.ReadWrite.All | Delegated | Read and write all groups | Yes | Granted for |
| Group.ReadWrite.All | Application | Read and write all groups | Yes | Granted for |
| GroupMember.Read.All | Delegated | Read group memberships | Yes | Granted for |
| GroupMember.Read.All | Application | Read all group memberships | Yes | Granted for |
| GroupMember.ReadWrite.All | Delegated | Read and write group memberships | Yes | Granted for |
| GroupMember.ReadWrite.All | Application | Read and write all group memberships | Yes | Granted for |
| MailboxSettings.ReadWrite | Application | Read and write all user mailbox settings | Yes | Granted for |
| Organization.ReadWrite.All | Application | Read and write organization information | Yes | Granted for |
| Policy.Read.All | Delegated | Read your organization's policies | Yes | Granted for |
| Policy.Read.All | Application | Read your organization's policies | Yes | Granted for |
| Policy.Read.ConditionalAccess | Delegated | Read your organization's conditional access policies | No | Granted for |
| Policy.Read.ConditionalAccess | Application | Read your organization's conditional access policies | Yes | Granted for |
| Policy.Read.PermissionGrant | Delegated | Read consent and permission grant policies | Yes | Granted for |
| Policy.Read.PermissionGrant | Application | Read consent and permission grant policies | Yes | Granted for |
| Policy.ReadWrite.AccessReview | Delegated | Read and write your organization's directory access review default policy | Yes | Granted for |
| Policy.ReadWrite.AccessReview | Application | Read and write your organization's directory access review default policy | Yes | Granted for |
| Policy.ReadWrite.ApplicationConfiguration | Delegated | Read and write your organization's application configuration policies | Yes | Granted for |
| Policy.ReadWrite.ApplicationConfiguration | Application | Read and write your organization's application configuration policies | Yes | Granted for |
| Policy.ReadWrite.AuthenticationFlows | Delegated | Read and write authentication flow policies | Yes | Granted for |
| Policy.ReadWrite.AuthenticationFlows | Application | Read and write authentication flow policies | Yes | Granted for |
| Policy.ReadWrite.AuthenticationMethod | Delegated | Read and write authentication method policies | Yes | Granted for |
| Policy.ReadWrite.AuthenticationMethod | Application | Read and write all authentication method policies | Yes | Granted for |
| Policy.ReadWrite.Authorization | Delegated | Read and write your organization's authorization policy | Yes | Granted for |
| Policy.ReadWrite.Authorization | Application | Read and write your organization's authorization policy | Yes | Granted for |
| Policy.ReadWrite.ConditionalAccess | Delegated | Read and write your organization's conditional access policies | Yes | Granted for |
| Policy.ReadWrite.ConditionalAccess | Application | Read and write your organization's conditional access policies | Yes | Granted for |
| Policy.ReadWrite.ConsentRequest | Delegated | Read and write consent request policy | Yes | Granted for |
| Policy.ReadWrite.ConsentRequest | Application | Read and write your organization's consent request policy | Yes | Granted for |
| Policy.ReadWrite.CrossTenantAccess | Delegated | Read and write your organization's cross tenant access policies | Yes | Granted for |
| Policy.ReadWrite.CrossTenantAccess | Application | Read and write your organization's cross tenant access policies | Yes | Granted for |
| Policy.ReadWrite.DeviceConfiguration | Delegated | Read and write your organization's device configuration policies | Yes | Granted for |
| Policy.ReadWrite.FeatureRollout | Delegated | Read and write your organization's feature rollout policies | Yes | Granted for |
| Policy.ReadWrite.FeatureRollout | Application | Read and write feature rollout policies | Yes | Granted for |
| Policy.ReadWrite.MobilityManagement | Delegated | Read and write your organization's mobility management policies | Yes | Granted for |
| Policy.ReadWrite.PermissionGrant | Delegated | Manage consent and permission grant policies | Yes | Granted for |
| Policy.ReadWrite.PermissionGrant | Application | Manage consent and permission grant policies | Yes | Granted for |
| Policy.ReadWrite.TrustFramework | Delegated | Read and write your organization's trust framework policies | Yes | Granted for |
| Policy.ReadWrite.TrustFramework | Application | Read and write your organization's trust framework policies | Yes | Granted for |
| PrivilegedAccess.Read.AzureAD | Delegated | Read privileged access to Azure AD | Yes | Granted for |
| PrivilegedAccess.Read.AzureAD | Application | Read privileged access to Azure AD roles | Yes | Granted for |
| PrivilegedAccess.Read.AzureADGroup | Delegated | Read privileged access to Azure AD groups | Yes | Granted for |
| PrivilegedAccess.Read.AzureADGroup | Application | Read privileged access to Azure AD groups | Yes | Granted for |
| PrivilegedAccess.Read.AzureResources | Delegated | Read privileged access to Azure resources | Yes | Granted for |
| PrivilegedAccess.Read.AzureResources | Application | Read privileged access to Azure resources | Yes | Granted for |
| PrivilegedAccess.ReadWrite.AzureAD | Delegated | Read and write privileged access to Azure AD | Yes | Granted for |
| PrivilegedAccess.ReadWrite.AzureAD | Application | Read and write privileged access to Azure AD roles | Yes | Granted for |
| PrivilegedAccess.ReadWrite.AzureADGroup | Delegated | Read and write privileged access to Azure AD groups | Yes | Granted for |
| PrivilegedAccess.ReadWrite.AzureADGroup | Application | Read and write privileged access to Azure AD groups | Yes | Granted for |
| PrivilegedAccess.ReadWrite.AzureResources | Delegated | Read and write privileged access to Azure resources | Yes | Granted for |
| PrivilegedAccess.ReadWrite.AzureResources | Application | Read and write privileged access to Azure resources | Yes | Granted for |
| Sites.FullControl.All | Application | Have full control of all site collections | Yes | Granted for |
| TeamMember.ReadWrite.All | Application | Add and remove members from all teams | Yes | Granted for |
| TeamSettings.ReadWrite.All | Application | Read and change all teams' settings | Yes | Granted for |
| UnifiedGroupMember.Read.AsGuest | Delegated | Read unified group memberships as guest | Yes | Granted for |
| User.Read.All | Application | Read all users' full profiles | Yes | Granted for |
| User.ReadWrite.All | Delegated | Read and write all users' full profiles | Yes | Granted for |
| Office 365 Exchange Online (3) | | | | |
| Exchange.ManageAsApp | Application | Manage Exchange As Application | Yes | Granted for |
| MailboxSettings.ReadWrite | Application | Read and write all user mailbox settings | Yes | Granted for |
| Organization.Read.All | Application | Organization.Read.All | Yes | Granted for |
| SharePoint (1) | | | | |
| Sites.FullControl.All | Application | Have full control of all site collections | Yes | Granted for |
| Skype for Business (1) | | | | |
| Conversations.PSTN | Application | Send/Receive PSTN (preview) | Yes | Granted for |

NikCharlebois commented 2 years ago

Try running:

Update-M365DSCAllowedGraphScopes -All -Type Update

Close PowerShell then try again. We are not able to replicate on our end.

andikrueger commented 2 years ago

Closing due to inactivity.

atdheekurteshi commented 2 years ago

Below you have the PowerShell script.

I have checked all the possibilities, but without success; I am left with only one option: test it on a different tenant.

PS C:\Windows\system32> Publish-DscConfiguration -Path C:\Users\src\MOFs\MainConfig -Force -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.                                                                                                                                                                                                                               
VERBOSE: []: LCM:  [ StartenFestlegen]                                                                                                                                                                                                                                                                                                                         
VERBOSE: []: LCM:  [ BeendenFestlegen]     Das Konfigurationsdokument wurde im Speicher für partielle Konfigurationen gespeichert.                                                                                                                                                                                                                             
VERBOSE: []: LCM:  [ BeendenFestlegen]                                                                                                                                                                                                                                                                                                                         
VERBOSE: Operation 'Invoke CimMethod' complete.                                                                                                                                                                                                                                                                                                                            
VERBOSE: Publish-DscConfiguration finished in 0.152 seconds. 
PS C:\Windows\system32> Start-DscConfiguration -UseExisting -Force -Verbose -Wait
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.                                                                                                                                          
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.
VERBOSE: []:                            [] Das Konsistenzmodul wird gestartet.
VERBOSE: []: LCM:  [ StartenRessource]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []: LCM:  [ StartenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Testing configuration of AzureAD Groups Naming Policy
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Getting configuration of AzureAD Groups Naming Policy
VERBOSE: []: LCM:  [ BeendenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]  in 126.6800 Sekunden.
Die PowerShell DSC-Ressource "MSFT_AADGroupsNamingPolicy" konnte die Funktion "Test-TargetResource" nicht ausführen. Fehlermeldung: "Unable to connect to the Microsoft Graph. Please make sure the app permissions are setup correctly. Please run Update-M365DSCAllowedGraphScopes."
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: []:                            [] Die Konsistenzprüfung ist abgeschlossen.
Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden.  Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell starten.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 127.473 seconds
PS C:\Windows\system32> Connect-MsGraph
UPN                                 TenantId
---                                 --------
userdemo@userdemo.onmicrosoft.com 
PS C:\Windows\system32> Update-M365DSCAllowedGraphScopes -ResourceNameList "AADGroupsNamingPolicy" -Type Update -Verbose
VERBOSE: Specified resources: AADGroupsNamingPolicy
VERBOSE: Retrieving Graph Delegated Permissions                                                                                                                                                                                                                                                                                                                            
VERBOSE: Processing AADGroupsNamingPolicy
VERBOSE: Found new Update permission {Directory.Read.All}
VERBOSE: Found new Update permission {Directory.ReadWrite.All}
VERBOSE: Found new Read permission {Directory.Read.All}
VERBOSE: Specified type: Update
VERBOSE: Found permissions: Directory.Read.All, Directory.ReadWrite.All
VERBOSE: Connecting to MS Graph to update permissions
Allowed Graph scopes updated!
PS C:\Windows\system32> Publish-DscConfiguration -Path C:\Users\src\MOFs\MainConfig -Force -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.
VERBOSE: []: LCM:  [ StartenFestlegen]
VERBOSE: []: LCM:  [ BeendenFestlegen]     Das Konfigurationsdokument wurde im Speicher für partielle Konfigurationen gespeichert.
VERBOSE: []: LCM:  [ BeendenFestlegen]
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Publish-DscConfiguration finished in 0.123 seconds.
PS C:\Windows\system32> Start-DscConfiguration -UseExisting -Force -Verbose -Wait
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.
VERBOSE: []:                            [] Das Konsistenzmodul wird gestartet.
VERBOSE: []: LCM:  [ StartenRessource]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []: LCM:  [ StartenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Testing configuration of AzureAD Groups Naming Policy
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Getting configuration of AzureAD Groups Naming Policy
VERBOSE: []: LCM:  [ BeendenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]  in 126.9710 Sekunden.
Die PowerShell DSC-Ressource "MSFT_AADGroupsNamingPolicy" konnte die Funktion "Test-TargetResource" nicht ausführen. Fehlermeldung: "Unable to connect to the Microsoft Graph. Please make sure the app permissions are setup correctly. Please run Update-M365DSCAllowedGraphScopes."
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: []:                            [] Die Konsistenzprüfung ist abgeschlossen.
Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden.  Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell starten.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 155.904 seconds
PS C:\Windows\system32>  Update-M365DSCAllowedGraphScopes -All -Type Update
WARNING: Error in reading Graph permissions. Missing graph node in settings.json for AADAuthorizationPolicy.
WARNING: Error in reading Graph permissions. Missing graph node in settings.json for IntuneAntivirusPolicyWindows10SettingCatalog.
WARNING: Error in reading Graph permissions. Missing graph node in settings.json for IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.
WARNING: Error in reading Graph permissions. Missing graph node in settings.json for IntuneExploitProtectionPolicyWindows10SettingCatalog.
Allowed Graph scopes updated!
PS C:\Windows\system32> Publish-DscConfiguration -Path C:\Users\src\MOFs\MainConfig -Force -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.
VERBOSE: []: LCM:  [ StartenFestlegen]
VERBOSE: []: LCM:  [ BeendenFestlegen]     Das Konfigurationsdokument wurde im Speicher für partielle Konfigurationen gespeichert.
VERBOSE: []: LCM:  [ BeendenFestlegen]
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Publish-DscConfiguration finished in 0.125 seconds.
PS C:\Windows\system32> Start-DscConfiguration -UseExisting -Force -Verbose -Wait
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: Vom Computer '' mit Benutzer-SID '' ist ein LCM-Methodenaufruf eingegangen.
VERBOSE: []:                            [] Das Konsistenzmodul wird gestartet.
VERBOSE: []: LCM:  [ StartenRessource]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []: LCM:  [ StartenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Testing configuration of AzureAD Groups Naming Policy
VERBOSE: []:                            [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24] Getting configuration of AzureAD Groups Naming Policy
VERBOSE: []: LCM:  [ BeendenTesten   ]  [[AADGroupsNamingPolicy]f631af4c-f59e-4b83-a2a2-0c42dac92c24]  in 125.5920 Sekunden.
Die PowerShell DSC-Ressource "MSFT_AADGroupsNamingPolicy" konnte die Funktion "Test-TargetResource" nicht ausführen. Fehlermeldung: "Unable to connect to the Microsoft Graph. Please make sure the app permissions are setup correctly. Please run Update-M365DSCAllowedGraphScopes."
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: []:                            [] Die Konsistenzprüfung ist abgeschlossen.
Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden.  Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell starten.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 126.208 seconds

Retested in Microsoft365DSC version 1.22.720.1, and all the permissions were given. Check the assigned permissions in the thread above.