Status: Closed (sir-benniboy closed this issue 2 years ago)
Hi, I also have the same issue. I think it could be due to Graph not having the correct permissions? Any ideas?
Based on closed #issue1559, it seems like we need to register the PnP management shell within the tenant: Register-PnPManagementShellAccess
However, after having tried it on my side, I keep getting the same error, prohibiting the Get-MgDomain request from running:

Get-MgDomain : Insufficient privileges to complete the operation.
At C:\Program Files\WindowsPowerShell\Modules\MSCloudLoginAssistant\1.0.78\MSCloudLoginAssistant.psm1:322 char:9
+ CategoryInfo : InvalidOperation: ({ Top = , Skip ...ndProperty = }:<>f__AnonymousType25`8) [Get-MgDomain_List1], RestException`1
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgDomain_List1
After reading further, I read somewhere that there might be one permission to read and a different permission to list. However, I have no idea how to assign this additional permission in the Enterprise Application "PnP Management Shell".
Found this and seems to have worked:
https://www.youtube.com/watch?v=36siepFcWOk&ab_channel=Microsoft365DSC
You're absolutely right! Here is the long version of the answer for whomever might face the same problem. We need to be able to assign permissions to the Microsoft Graph PowerShell Enterprise Application within the Azure AD. This can be done through the following command: connect-mggraph -scopes [Enter scopes required]
You can find a list of related scopes under Get-M365DSCCompiledPermissionList. Since I'm working with a Default export, I have a lot of parameters:
Input:
$list=Get-M365DSCCompiledPermissionList -ResourceNameList @("AADApplication", "AADConditionalAccessPolicy", "AADGroup", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADNamedLocationPolicy", "AADRoleDefinition", "AADTenantDetails", "AADTokenLifetimePolicy", "EXOAcceptedDomain", "EXOActiveSyncDeviceAccessRule", "EXOAddressBookPolicy", "EXOAddressList", "EXOAntiPhishPolicy", "EXOAntiPhishRule", "EXOApplicationAccessPolicy", "EXOAtpPolicyForO365", "EXOAvailabilityAddressSpace", "EXOAvailabilityConfig", "EXOCASMailboxPlan", "EXOClientAccessRule", "EXODkimSigningConfig", "EXOEmailAddressPolicy", "EXOGlobalAddressList", "EXOHostedConnectionFilterPolicy", "EXOHostedContentFilterPolicy", "EXOHostedContentFilterRule", "EXOHostedOutboundSpamFilterPolicy", "EXOHostedOutboundSpamFilterRule", "EXOInboundConnector", "EXOIntraOrganizationConnector", "EXOJournalRule", "EXOMailTips", "EXOMalwareFilterPolicy", "EXOMalwareFilterRule", "EXOMobileDeviceMailboxPolicy", "EXOOfflineAddressBook", "EXOOnPremisesOrganization", "EXOOrganizationConfig", "EXOOrganizationRelationship", "EXOOutboundConnector", "EXOOwaMailboxPolicy", "EXOPartnerApplication", "EXOPolicyTipConfig", "EXORemoteDomain", "EXORoleAssignmentPolicy", "EXOSafeAttachmentPolicy", "EXOSafeAttachmentRule", "EXOSafeLinksPolicy", "EXOSafeLinksRule", "EXOSharedMailbox", "EXOSharingPolicy", "EXOTransportRule", "IntuneAppConfigurationPolicy", "IntuneAppProtectionPolicyiOS", "IntuneDeviceCategory", "IntuneDeviceCompliancePolicyAndroid", "IntuneDeviceCompliancePolicyAndroidDeviceOwner", "IntuneDeviceCompliancePolicyAndroidWorkProfile", "IntuneDeviceCompliancePolicyiOs", "IntuneDeviceCompliancePolicyMacOS", "IntuneDeviceCompliancePolicyWindows10", "IntuneDeviceConfigurationPolicyAndroidWorkProfile", "IntuneDeviceConfigurationPolicyiOS", "IntuneDeviceConfigurationPolicyWindows10", "IntuneDeviceEnrollmentLimitRestriction", "IntuneDeviceEnrollmentPlatformRestriction", "O365AdminAuditLogConfig", 
"O365OrgCustomizationSetting", "ODSettings", "PPTenantSettings", "SCAuditConfigurationPolicy", "SCCaseHoldPolicy", "SCCaseHoldRule", "SCComplianceCase", "SCComplianceSearch", "SCComplianceSearchAction", "SCComplianceTag", "SCDeviceConditionalAccessPolicy", "SCDeviceConfigurationPolicy", "SCDLPCompliancePolicy", "SCDLPComplianceRule", "SCFilePlanPropertyAuthority", "SCFilePlanPropertyCategory", "SCFilePlanPropertyCitation", "SCFilePlanPropertyDepartment", "SCFilePlanPropertyReferenceId", "SCFilePlanPropertySubCategory", "SCLabelPolicy", "SCRetentionCompliancePolicy", "SCRetentionComplianceRule", "SCRetentionEventType", "SCSensitivityLabel", "SCSupervisoryReviewPolicy", "SCSupervisoryReviewRule", "SPOAccessControlSettings", "SPOApp", "SPOBrowserIdleSignout", "SPOHomeSite", "SPOHubSite", "SPOOrgAssetsLibrary", "SPOSearchManagedProperty", "SPOSearchResultSource", "SPOSharingSettings", "SPOSiteDesign", "SPOSiteDesignRights", "SPOSiteScript", "SPOStorageEntity", "SPOTenantCdnEnabled", "SPOTenantCdnPolicy", "SPOTenantSettings", "SPOTheme", "TeamsCallingPolicy", "TeamsChannel", "TeamsChannelsPolicy", "TeamsClientConfiguration", "TeamsEmergencyCallingPolicy", "TeamsEmergencyCallRoutingPolicy", "TeamsGuestCallingConfiguration", "TeamsGuestMeetingConfiguration", "TeamsGuestMessagingConfiguration", "TeamsMeetingBroadcastConfiguration", "TeamsMeetingBroadcastPolicy", "TeamsMeetingConfiguration", "TeamsMeetingPolicy", "TeamsMessagingPolicy", "TeamsPstnUsage", "TeamsTenantDialPlan", "TeamsUpgradeConfiguration", "TeamsUpgradePolicy", "TeamsVoiceRoute", "TeamsVoiceRoutingPolicy")
$list.Values
Output:
Application.Read.All Application.ReadWrite.All Directory.AccessAsUser.All Directory.Read.All DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementManagedDevices.Read.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All Directory.ReadWrite.All Group.Read.All Group.ReadWrite.All GroupMember.Read.All Policy.Read.All RoleManagement.Read.Directory RoleManagement.ReadWrite.Directory User.Read.All User.ReadBasic.All User.ReadWrite.All Organization.Read.All Organization.ReadWrite.All User.Read Policy.ReadWrite.ApplicationConfiguration DeviceManagementConfiguration.Read.All Application.Read.All Application.ReadWrite.All Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementManagedDevices.Read.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All Group.Read.All Group.ReadWrite.All GroupMember.Read.All Policy.Read.All Policy.ReadWrite.ConditionalAccess RoleManagement.Read.Directory RoleManagement.ReadWrite.Directory User.Read.All User.ReadBasic.All User.ReadWrite.All Organization.Read.All Organization.ReadWrite.All User.Read Policy.ReadWrite.ApplicationConfiguration DeviceManagementConfiguration.ReadWrite.All
Final command to give permissions for a default export with Microsoft 365 DSC:
connect-mggraph -scopes "Application.Read.All","Application.ReadWrite.All","Directory.AccessAsUser.All","Directory.Read.All","DeviceManagementApps.Read.All","DeviceManagementApps.ReadWrite.All","DeviceManagementManagedDevices.Read.All","DeviceManagementManagedDevices.ReadWrite.All","DeviceManagementServiceConfig.Read.All","DeviceManagementServiceConfig.ReadWrite.All","Directory.ReadWrite.All","Group.Read.All","Group.ReadWrite.All","GroupMember.Read.All","Policy.Read.All","RoleManagement.Read.Directory","RoleManagement.ReadWrite.Directory","User.Read.All","User.ReadBasic.All","User.ReadWrite.All","Organization.Read.All","Organization.ReadWrite.All","User.Read","Policy.ReadWrite.ApplicationConfiguration","DeviceManagementConfiguration.Read.All","Application.Read.All","Application.ReadWrite.All","Directory.AccessAsUser.All","Directory.Read.All","Directory.ReadWrite.All","DeviceManagementApps.Read.All","DeviceManagementApps.ReadWrite.All","DeviceManagementManagedDevices.Read.All","DeviceManagementManagedDevices.ReadWrite.All","DeviceManagementServiceConfig.Read.All","DeviceManagementServiceConfig.ReadWrite.All","Group.Read.All","Group.ReadWrite.All","GroupMember.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","RoleManagement.Read.Directory","RoleManagement.ReadWrite.Directory","User.Read.All","User.ReadBasic.All","User.ReadWrite.All","Organization.Read.All","Organization.ReadWrite.All","User.Read","Policy.ReadWrite.ApplicationConfiguration","DeviceManagementConfiguration.ReadWrite.All"
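The same procedure as a script, added here as an example and not taken from the issue or the Microsoft365DSC project: it compiles the scope list for a set of resources, removes the duplicates visible in the raw output above, requests consent with Connect-MgGraph, and then checks via Get-MgContext which scopes the token actually carries. It assumes the Microsoft365DSC and Microsoft.Graph.Authentication modules are installed and that Get-M365DSCCompiledPermissionList returns a hashtable-like object whose .Values are arrays of scope names (as $list.Values is used above); the resource subset is a constructed sample from the list in this thread.

```powershell
# Added example (not from the issue or the Microsoft365DSC project).
# Assumes: Microsoft365DSC and Microsoft.Graph.Authentication modules installed.

# Resource names taken from the thread above, trimmed to a constructed subset.
$resourceNames = @(
    "AADApplication", "AADConditionalAccessPolicy", "AADGroup",
    "AADRoleDefinition", "AADTenantDetails", "IntuneDeviceCategory",
    "TeamsMeetingPolicy"
)

# Assumption: the cmdlet returns a hashtable-like object whose values are arrays
# of scope names. The raw $list.Values output in the thread repeats scopes, so
# flatten one level and dedupe before passing them on.
$compiled = Get-M365DSCCompiledPermissionList -ResourceNameList $resourceNames
$requiredScopes = $compiled.Values |
    ForEach-Object { $_ } |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
    Sort-Object -Unique

Write-Host "Requesting $($requiredScopes.Count) unique Graph scopes:"
$requiredScopes | ForEach-Object { Write-Host "  $_" }

# Interactive consent for the Microsoft Graph PowerShell enterprise application.
Connect-MgGraph -Scopes $requiredScopes

# Compare the scopes DSC asked for with the scopes the signed-in context holds.
# A scope missing here is what surfaces later as "Insufficient privileges"
# errors such as the Get-MgDomain one in this thread.
$grantedScopes = (Get-MgContext).Scopes
$missing = $requiredScopes | Where-Object { $_ -notin $grantedScopes }

if ($missing) {
    Write-Warning "Scopes not granted (consent declined or admin consent required):"
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All required scopes granted; Export-M365DSCConfiguration can proceed."
}
```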
Details of the scenario you tried and the problem that is occurring
I've just started to work with Microsoft365DSC and need to export the configuration of a tailored demo tenant that should later be used as a template for every new deployment for new customers.
When executing Export-M365DSCConfiguration, after having obtained the code from the WebUI and logging in with Global Tenant Admin credentials, I get the below error message:
Verbose logs showing the problem
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Connecting to {ExchangeOnline}...✅
Connecting to {MicrosoftGraph}...✅
Connecting to {MicrosoftTeams}...✅
Connecting to {PnP}...❌
Exception setting "Connect": "Cannot set the Value property for PSMemberInfo object of type "System.Management.Automation.PSMethod"."
Partial Export file was saved at: C:\Users\CHNRTH~1\AppData\Local\Temp\2\4a5c5286-5411-4e56-b314-2ef2db7c5462.partial.ps1
Suggested solution to the issue
The DSC configuration that is used to reproduce the issue (as detailed as possible)
Demo tenant created in cdx.transform.microsoft.com, with no modification to defaults, running O365 E5 licences.
The operating system the target node is running
OsName : Microsoft Windows Server 2022 Datacenter Azure Edition
OsOperatingSystemSKU : 407
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version of the DSC module that was used ('dev' if using current dev branch)
1.21.1117.2