microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Export-M365DSCConfiguration broken with secret and appid #2379

Closed stssc22 closed 2 years ago

stssc22 commented 2 years ago

Details of the scenario you tried and the problem that is occurring

When exporting my intune config with the command Export-M365DSCConfiguration using a secret I get a message "Could not determine authentication method"
Export-M365DSCConfiguration -TenantId 'DDDD.icrosoft.com' -ApplicationId 'DDDDD' -ApplicationSecret 'DDDDDD' -Components @('IntuneApplicationControlPolicyWindows10') -Path 'C:\temp' -FileName 'dddd.txt'

I also tested passing the secret as a PSCredential instead of a string and got the same error.

I am using Microsoft365DSC version: 1.22.1005.1
Note: It was working with version 1.22.921.1

I installed the new module yesterday and updated the dependencies:

Install-Module -Name Microsoft365DSC -Force
Update-M365DSCDependencies

Modules and versions

DSCParser 1.3.0.6
ExchangeOnlineManagement 3.0.0
Microsoft.Graph.Applications 1.12.3
Microsoft.Graph.Authentication 1.12.3
Microsoft.Graph.DeviceManagement 1.12.3
Microsoft.Graph.DeviceManagement.Administration 1.12.3
Microsoft.Graph.DeviceManagement.Enrolment 1.12.3
Microsoft.Graph.Devices.CorporateManagement 1.12.3
Microsoft.Graph.Groups 1.12.3
Microsoft.Graph.Identity.DirectoryManagement 1.12.3
Microsoft.Graph.Identity.Governance 1.12.3
Microsoft.Graph.Identity.SignIns 1.12.3
Microsoft.Graph.Planner 1.12.3
Microsoft.Graph.Teams 1.12.3
Microsoft.Graph.Users 1.12.3
Microsoft.Graph.Users.Actions 1.12.3
Microsoft.PowerApps.Administration.PowerShell 2.0.153
Microsoft365DSC 1.22.1005.1
MicrosoftTeams 4.7.0
MSCloudLoginAssistant 1.0.94
PnP.PowerShell 1.11.0
PSWindowsUpdate 2.2.0.3
ReverseDSC 2.0.0.12

Verbose logs showing the problem

Here is the output of Export-M365DSCConfiguration -TenantId 'DDDD.icrosoft.com' -ApplicationId 'DDDDD' -ApplicationSecret 'DDDDDD' -Components @('IntuneApplicationControlPolicyWindows10') -Path 'C:\temp' -FileName 'dddd.txt'

Exporting Microsoft 365 configuration for Components: IntuneApplicationControlPolicyWindows10

Authentication methods specified:

Could not determine authentication method

Suggested solution to the issue

N/A

The DSC configuration that is used to reproduce the issue (as detailed as possible)

N/A

The operating system the target node is running

OsName               : Microsoft Windows 10 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

Microsoft365DSC version : 1.22.1005.1

andikrueger commented 2 years ago

Please run uninstall-m365dscoutdateddependencies to remove old versions of the dependencies.

stssc22 commented 2 years ago

Hi Andy, thanks for the quick answer. I tried it and I got the same message when I ran my Export-M365DSCConfiguration command: Authentication methods specified:

any other ideas?

ReneRebsdorf commented 2 years ago

@stssc22 We are also experiencing issues with appId and Secret, but when compiling the DSC files. I will put up a different issue, if it does not relate to your problem, but given the date (first seen this week, was working last weekend on a scheduled run without any changes to our code), and that it relates to app Secret, I think it might be related, and thus might provide insight to this issue.

Do you see something similar to the error message below? Maybe it can be of help.

Repro steps:

$splat = @{
    ApplicationId     = '<guid of applicationId>'
    ApplicationSecret = '<secret in clear text>'
    TenantID          = '<tenant Id guid>'
}
$DSCCompileTempFile = & $DSCCompileFile.FullName @splat

Error:

Exception calling "ValidateInstanceText" with "1" argument(s): "Convert property 'ApplicationSecret' value from type 'STRING' to type 'INSTANCE'

DSC File parsed in repro step:

param(
    [Parameter(Mandatory)]
    [String]
    $ApplicationId,

    [Parameter(Mandatory)]
    [String]
    $ApplicationSecret,

    [Parameter(Mandatory)]
    [String]
    $TenantId
)

Configuration AzureAD
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $ApplicationSecret,

        [Parameter()]
        [System.String]
        $TenantId
    )

    Import-DscResource -ModuleName 'Microsoft365DSC'

    Node localhost
    {
        AADGroupsNamingPolicy 'AADGroupsNamingPolicy' {
            ApplicationId                 = $ApplicationId;
            ApplicationSecret             = $ApplicationSecret;
            CustomBlockedWordsList        = @();
            Ensure                        = "Present";
            IsSingleInstance              = "Yes";
            PrefixSuffixNamingRequirement = "";
            Managedidentity               = $false 
            TenantId                      = $TenantId;
        }
        AADGroupsSettings 'AADGroupsSettings' {
            ApplicationId             = $ApplicationId;
            ApplicationSecret         = $ApplicationSecret;
            IsSingleInstance          = "Yes"
            AllowGuestsToAccessGroups = $True
            AllowGuestsToBeGroupOwner = $False
            UsageGuidelinesUrl        = ""
            GuestUsageGuidelinesUrl   = ""
            AllowToAddGuests          = $True
            EnableGroupCreation       = $True
            Ensure                    = "Present"
            Managedidentity           = $false 
            TenantId                  = $TenantId;
        }
    }
}

$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName                    = "localhost"
            PSDscAllowPlainTextPassword = $true;
            PSDscAllowDomainUser        = $true;
            #region Parameters
            # Default Value Used to Ensure a Configuration Data File is Generated
            ServerNumber                = "0"
        }
    )
}
AzureAD -ConfigurationData $ConfigurationData -ApplicationId $ApplicationId -ApplicationSecret $ApplicationSecret -TenantId $TenantId

andikrueger commented 2 years ago

What version of Microsoft365DSC are you using? The latest release has several breaking changes. ApplicationSecrets need to be of type PSCredential.
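
The type change described in the comment above, applied to the repro configuration from this thread, as an added example that is not part of the original thread and is not the project's own code. It assumes a Microsoft365DSC release where the resources declare ApplicationSecret as PSCredential; the environment variable names (M365DSC_APP_ID, M365DSC_APP_SECRET, M365DSC_TENANT_ID) and the user name label given to the credential are hypothetical.

```powershell
# Added example. Assumption: the three M365DSC_* environment variables are
# hypothetical names for values injected by the pipeline's secret store.
if ([string]::IsNullOrEmpty($env:M365DSC_APP_SECRET)) {
    throw 'M365DSC_APP_SECRET is not set; refusing to build an empty credential.'
}

# Wrap the secret in a PSCredential. The user name is only a label here
# (assumption); the secret travels in the password part.
$secure    = ConvertTo-SecureString -String $env:M365DSC_APP_SECRET -AsPlainText -Force
$appSecret = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', $secure)

Configuration AzureAD
{
    param(
        [Parameter(Mandatory)] [System.String] $ApplicationId,
        # Was [System.String] in the repro; a string here produces the
        # "from type 'STRING' to type 'INSTANCE'" compile error.
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $ApplicationSecret,
        [Parameter(Mandatory)] [System.String] $TenantId
    )

    Import-DscResource -ModuleName 'Microsoft365DSC'

    Node localhost
    {
        AADGroupsNamingPolicy 'AADGroupsNamingPolicy' {
            IsSingleInstance              = 'Yes'
            Ensure                        = 'Present'
            CustomBlockedWordsList        = @()
            PrefixSuffixNamingRequirement = ''
            ApplicationId                 = $ApplicationId
            ApplicationSecret             = $ApplicationSecret
            TenantId                      = $TenantId
        }
    }
}

$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost'
            # Kept from the repro: with this set, the compiled MOF holds the
            # secret in clear text. Standard DSC credential encryption uses the
            # CertificateFile and Thumbprint node keys instead.
            PSDscAllowPlainTextPassword = $true
        }
    )
}

AzureAD -ConfigurationData $ConfigurationData -ApplicationId $env:M365DSC_APP_ID `
    -ApplicationSecret $appSecret -TenantId $env:M365DSC_TENANT_ID
```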

ReneRebsdorf commented 2 years ago

> What version of Microsoft365DSC are you using? The latest release has several breaking changes. ApplicationSecrets need to be of type PSCredential.

@andikrueger thank you for getting back so quickly.

I thought that might have been the reason, so I've been working on a branch to convert to PSCredential, but with little success - probably because I am doing something wrong, as I've read somewhere that the tenantId should be suffixed to the applicationId (the docs mention username, but I expect it is the same?), instead of being parsed as a separate property?

Two questions:

ReneRebsdorf commented 2 years ago

In continuation of the above, the Azure DevOps logs mention this:

2022-10-09T02:42:18.7458431Z  
2022-10-09T02:42:18.7467525Z Authentication methods specified:
2022-10-09T02:42:18.7529742Z - Credentials
2022-10-09T02:42:18.7540817Z  
2022-10-09T02:42:22.0682226Z Connecting to {MicrosoftGraph}...WARNING: Unable to retrieve AccessToken. Have you registered the 'Microsoft Graph PowerShell' application already? 
2022-10-09T02:42:22.0696332Z Please run 'Connect-MgGraph -Scopes Domain.Read.All' and logon using 
2022-10-09T02:42:22.0710660Z '***@37732f27-626b-4ead-bb86-76f576b129b1'
2022-10-09T02:42:22.0728889Z ✅
2022-10-09T02:42:23.5948295Z Connecting to {PnP}...WARNING: Unable to retrieve AccessToken. Have you registered the 'Microsoft Graph PowerShell' application already? 
2022-10-09T02:42:23.5977751Z Please run 'Connect-MgGraph -Scopes Domain.Read.All' and logon using 
2022-10-09T02:42:23.5989700Z '***@37732f27-626b-4ead-bb86-76f576b129b1'
2022-10-09T03:36:31.6980373Z ##[error]The operation was canceled.
2022-10-09T03:36:31.6998143Z ##[section]Finishing: Microsoft365DSC Dev Tenant

And our app registration has the mentioned permission: image

ReneRebsdorf commented 2 years ago

OK, so for anyone else reading. I did some RTFM:

I conclude my issue is not directly related to @stssc22's post, and will create a new thread if I run into new issues. @stssc22 perhaps the above is of use to you, in relation to your issue?

yoinuma commented 2 years ago

I ran into the same problem as stssc22. Since upgrading to 1.22.1005.1, the Export-M365DSCConfiguration command has been failing with the same error "Could not determine authentication method". Is there any solution?

andikrueger commented 2 years ago

@ReneRebsdorf In regards to changes of the module:

Additionally, you could reference this blog for any news about breaking changes: https://microsoft365dsc.com/blog/october-2022-major-release/ A further resource would be the changelog of every release: https://github.com/microsoft/Microsoft365DSC/releases

Furthermore, it is worth mentioning that having fixed versions in production reduces the risk of running into these changes.

This issue is something that is most likely to be caused by the BR change release. The usage of the Application Secret is described in the blog article.

This issue needs to be investigated.

andikrueger commented 2 years ago

This issue was already raised in #2374. A fix for this issue is within this PR #2378