microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Unable to use MSCloudLoginAssistant #1830

Closed DeanGross closed 2 years ago

DeanGross commented 2 years ago

Details of the scenario you tried and the problem that is occurring

Trying to export the config for the first time in a long time. I have done this before, but all of the modules have been updated, so I did the update.

Verbose logs showing the problem

Updating dependency {Microsoft.Graph.Applications} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.DeviceManagement} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.DeviceManagement.Administration} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.DeviceManagement.Enrolment} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.Devices.CorporateManagement} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.Identity.DirectoryManagement} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.Identity.Governance} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.Identity.SignIns} to version {1.9.3}...✅
Updating dependency {Microsoft.Graph.Users} to version {1.9.3}...✅
Connecting to {MicrosoftGraph}...❌
The 'Connect-M365Tenant' command was found in the module 'MSCloudLoginAssistant', but the module could not be loaded.

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy", "AADNamedLocationPolicy", "AADTenantDetails") -Credential $Credential -path 'C:\Users\me\OneDrive - company\Scripts\Output\M365Config'

I did some more testing and got this error: At C:\Users\me\OneDrive - company\Documents\WindowsPowerShell\Modules\MSCloudLoginAssistant\1.0.83\MSCloudLoginAssistant.psm1:1 char:1

The operating system the target node is running

Version of the DSC module that was used ('dev' if using current dev branch)

1.21.630.1

andikrueger commented 2 years ago

This script contains malicious content and has been blocked by your antivirus software.

This does not look good. Are there any further details available on what causes the AV to stop the script? What kind of AV do you use?

DeanGross commented 2 years ago

No, there are not any further details. We are using Carbon Black Cloud.

andikrueger commented 2 years ago

Could you report the MSCloudLoginAssistant as a false positive to Carbon Black?

@NikCharlebois do you have any idea what could cause this issue?

DeanGross commented 2 years ago

I have my IT security team reviewing it now

andikrueger commented 2 years ago

Are there any updates on this issue and did you get feedback from IT sec?

DeanGross commented 2 years ago

Not yet, I will ask them again

Conundrum commented 2 years ago

I'm having the same issue with Defender for Endpoint, and can't seem to get Defender to allow it.

andikrueger commented 2 years ago

@Conundrum Any chance you could walk through this guide to get more details about the root cause of the issue: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives

Could you share the following details:

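# Check if the files are blocked (still carry a Zone.Identifier stream)
cd 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC'
# Pipe each file into Get-Item; with a positional '*' path the piped items cannot bind
Get-ChildItem -Recurse -File | Get-Item -Stream "Zone.Identifier" -ErrorAction SilentlyContinue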

This command should output all information about blocked files within the Microsoft365DSC module. Additionally could you run this command for the MSCloudLoginAssistant:

cd 'C:\Program Files\WindowsPowerShell\Modules\MSCloudLoginAssistant'
# Pipe each file into Get-Item; with a positional '*' path the piped items cannot bind
Get-ChildItem -Recurse -File | Get-Item -Stream "Zone.Identifier" -ErrorAction SilentlyContinue

For more information about unblocking files see: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2#example-3-find-and-unblock-scripts

Furthermore could you share the output of the following command:

Get-ExecutionPolicy -List

Conundrum commented 2 years ago

We did go through that document, and defined the following exclusions:

C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\
C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC*\modules*.*

I get no output from the first 2 commands, but I did try to unblock everything earlier.

Also, this doesn't happen when trying to use the login; it happens at the Import-Module Microsoft365DSC command.

My execution policy is set to Unrestricted right now

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    Unrestricted

Conundrum commented 2 years ago

So it turns out this is a bug in Defender; updating to 1.361.1492.0 fixed my issue.

andikrueger commented 2 years ago

Thanks for the follow up and information.

DeanGross commented 2 years ago

I have done some more research and found that in C:\Program Files\WindowsPowerShell\Modules MSCloudLoginAssistant is 1.0.53, and in C:\users\myaccount\OneDrive - mycompany\Documents\WindowsPowerShell\Modules it is 1.0.83. I am wondering if this could be the cause of my problem. I don't understand why I have 2 separate modules folders. Can someone explain this to me? Is this expected?

andikrueger commented 2 years ago

Usually there shouldn't be two different modules. At the moment M365DSC does not support being installed in a user scope. Please make sure to install the module as administrator or in global scope.

Additionally, you could try to run the following commands to clean up your current environment and update to the latest versions available.

Update-Module Microsoft365DSC
Update-M365DSCDependencies
Uninstall-M365DSCOutdatedDependencies

DeanGross commented 2 years ago

Thanks, when I run the Uninstall cmdlet I see a lot of the following messages:

Uninstall-Package: No match was found for the specified search criteria and module names 'Microsoft365DSC'.
Uninstall-Package: No match was found for the specified search criteria and module names 'Microsoft365DSC'.
Uninstall-Package: No match was found for the specified search criteria and module names 'Microsoft365DSC'.

Is this expected ?

andikrueger commented 2 years ago

That is not expected. Could you share the verbose output of your PowerShell session when you run the three commands?

DeanGross commented 2 years ago

M365DSCVebose.txt per your request, thanks for your help in advance

andikrueger commented 2 years ago

Thank you for the information.

Could you share the outcome of this cmdlet:

Get-InstalledModule

Please use an elevated PowerShell session for doing so.

DeanGross commented 2 years ago

installedModules.txt per your request, thanks for your help in advance

andikrueger commented 2 years ago

It looks like some of your modules are installed within

C:\Program Files\WindowsPowerShell\Modules

which would be the preferred location and some others are within

C:\Users\dgross\OneDrive - Insight\Documents\PowerShell\Modules

Could you try to remove all modules from your personal OneDrive and solely install them within the WindowsPowerShell\Modules folder?

I have seen issues with the setup of modules within the personal scope
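
An added example (not from the thread participants or the Microsoft365DSC project) that lists every installed copy of the two modules named in this thread, with the scope, PSModulePath position, Zone.Identifier count and Authenticode status of each. The `Get-ModuleCopyReport` function name and the user-profile test used to classify scope are assumptions of this example; it is meant for Windows, where `Get-Item -Stream` is available.

```powershell
# Added example: inventory every installed copy of the modules named in the thread.
$names = 'Microsoft365DSC', 'MSCloudLoginAssistant'

# PSModulePath entries in search order; index 0 is searched first.
$roots = @($env:PSModulePath -split [IO.Path]::PathSeparator |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })

function Get-ModuleCopyReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($m in Get-Module -ListAvailable -Name $Name) {
        $base = $m.ModuleBase
        # Which PSModulePath entry this copy lives under (-1 if none matched).
        $order = -1
        for ($i = 0; $i -lt $roots.Count; $i++) {
            if ($base.StartsWith($roots[$i] + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                $order = $i; break
            }
        }
        # Assumption: anything under the user profile (including a
        # OneDrive-redirected Documents folder) is a user-scope install.
        $inProfile = $base.StartsWith($env:USERPROFILE, [System.StringComparison]::OrdinalIgnoreCase)
        # Files that still carry a Zone.Identifier (mark-of-the-web) stream.
        $blocked = @(Get-ChildItem -LiteralPath $base -Recurse -File |
            Get-Item -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{
            Name         = $m.Name
            Version      = $m.Version
            Scope        = if ($inProfile) { 'CurrentUser' } else { 'AllUsers' }
            PathOrder    = $order
            BlockedFiles = $blocked
            Signature    = (Get-AuthenticodeSignature -LiteralPath $m.Path).Status
            ModuleBase   = $base
        }
    }
}

$report = @(Get-ModuleCopyReport -Name $names)
$report | Sort-Object Name, PathOrder | Format-Table -AutoSize

# More than one copy of a module is the situation described in this thread.
$report | Group-Object Name | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("{0}: {1} copies found ({2})" -f $_.Name, $_.Count,
        (($_.Group | ForEach-Object { "$($_.Version) [$($_.Scope)]" }) -join ', '))
}
```

Running it in both an elevated and a non-elevated session shows whether the two sessions see the same module paths.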

DeanGross commented 2 years ago

Thanks for the suggestion, I have been wondering about that but I'm confused. The docs, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_modules?view=powershell-7.2#module-and-dsc-resource-locations-and-psmodulepath state this is the default configuration so I'm a bit nervous about doing this, and also, I'm not really sure how to do it without breaking things and ending up with more problems than I already have.

andikrueger commented 2 years ago

Are you running M365DSC within PowerShell 7.2? Did you try everything within PS 5 or PS 7.1 (which would be the supported versions)?

NikCharlebois commented 2 years ago

Closing due to inactivity