microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
Teams > TeamsFederationConfiguration: not cloning #2576

Closed archeedev closed 1 year ago

archeedev commented 1 year ago

Trying to clone Teams settings. I am using credentials-based auth as it is unclear whether certificate/thumbprint should or should not work. It probably should according to the table https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/ but then there are posts here saying that not all functions are implemented, Graph API, etc.

I am mostly interested in TeamsFederationConfiguration workload. In the source tenant I have some domains defined. Destination is an empty tenant.

I am able to dump the source. Compile MOF with dest credentials.

No errors on start-dsc.

I see config drift between tenants - which is correct:

Verbose logs showing the problem

<M365DSCEvent>
    <ConfigurationDrift Source="MSFT_TeamsFederationConfiguration">
        <ParametersNotInDesiredState>
            <Param Name="AllowPublicUsers"><CurrentValue>True</CurrentValue><DesiredValue>False</DesiredValue></Param>
            <Param Name="AllowTeamsConsumerInbound"><CurrentValue>True</CurrentValue><DesiredValue>False</DesiredValue></Param>
            <Param Name="AllowedDomains"><CurrentValue>AllowAllKnownDomains</CurrentValue><DesiredValue>Domain=swisscom.ch,Domain=facebook.com,Domain=gmail.com</DesiredValue></Param>
        </ParametersNotInDesiredState>
    </ConfigurationDrift>
    <DesiredValues>
        <Param Name ="Identity">Global</Param>
        <Param Name ="AllowFederatedUsers">True</Param>
        <Param Name ="AllowedDomains">Domain=swisscom.ch,Domain=facebook.com,Domain=gmail.com</Param>
        <Param Name ="BlockedDomains">$null</Param>
        <Param Name ="AllowPublicUsers">False</Param>
        <Param Name ="AllowTeamsConsumer">True</Param>
        <Param Name ="AllowTeamsConsumerInbound">False</Param>
        <Param Name ="Credential">System.Management.Automation.PSCredential</Param>
        <Param Name ="Verbose">True</Param>
    </DesiredValues>
</M365DSCEvent>

Problem

1. Nothing gets applied to the destination tenant. Expected: external domains are added in the Teams Admin panel > Users > External access > Teams and Skype for Business users in external organizations ...

2. Does not work with credentials

3. Does not work with cert/thumbprint (Security Principal scenario)

4. I do not know if I have correct permissions set on Security Principal because

image

My question: Should that work? (with creds or certs / etc?) Should Teams settings be applied?

The operating system the target node is running

OsName               : Microsoft Windows Server 2022 Standard Evaluation
OsOperatingSystemSKU : 79
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

Version     Name
-------     ----
1.3.0.6     DSCParser
3.0.0       ExchangeOnlineManagement
1.17.0      Microsoft.Graph.Applications
1.17.0      Microsoft.Graph.Authentication
1.17.0      Microsoft.Graph.DeviceManagement
1.17.0      Microsoft.Graph.DeviceManagement.Administration
1.17.0      Microsoft.Graph.DeviceManagement.Enrolment
1.17.0      Microsoft.Graph.Devices.CorporateManagement
1.17.0      Microsoft.Graph.Groups
1.17.0      Microsoft.Graph.Identity.DirectoryManagement
1.17.0      Microsoft.Graph.Identity.Governance
1.17.0      Microsoft.Graph.Identity.SignIns
1.17.0      Microsoft.Graph.Planner
1.17.0      Microsoft.Graph.Teams
1.17.0      Microsoft.Graph.Users
1.17.0      Microsoft.Graph.Users.Actions
2.0.154     Microsoft.PowerApps.Administration.PowerShell
1.22.1116.1 Microsoft365DSC
4.9.1       MicrosoftTeams
1.0.98      MSCloudLoginAssistant
1.12.0      PnP.PowerShell
2.0.0.13    ReverseDSC

LCM

image
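
An added example (not part of the original issue and not Microsoft365DSC code): a Python parser for the drift event in the verbose log above, reporting each parameter's current and desired value and which allowed domains the destination tenant is still missing. The embedded event is copied from the post with DesiredValues trimmed; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Drift event copied from the verbose log in the issue (DesiredValues trimmed).
SAMPLE_EVENT = """<M365DSCEvent>
    <ConfigurationDrift Source="MSFT_TeamsFederationConfiguration">
        <ParametersNotInDesiredState>
            <Param Name="AllowPublicUsers"><CurrentValue>True</CurrentValue><DesiredValue>False</DesiredValue></Param>
            <Param Name="AllowTeamsConsumerInbound"><CurrentValue>True</CurrentValue><DesiredValue>False</DesiredValue></Param>
            <Param Name="AllowedDomains"><CurrentValue>AllowAllKnownDomains</CurrentValue><DesiredValue>Domain=swisscom.ch,Domain=facebook.com,Domain=gmail.com</DesiredValue></Param>
        </ParametersNotInDesiredState>
    </ConfigurationDrift>
    <DesiredValues>
        <Param Name ="Identity">Global</Param>
        <Param Name ="AllowedDomains">Domain=swisscom.ch,Domain=facebook.com,Domain=gmail.com</Param>
    </DesiredValues>
</M365DSCEvent>"""


def parse_domains(value):
    """Split 'Domain=a,Domain=b' into a sorted list; other values (e.g. AllowAllKnownDomains) give []."""
    parts = [p.strip() for p in (value or "").split(",")]
    return sorted(p[len("Domain="):].lower() for p in parts if p.startswith("Domain="))


def parse_drift(event_xml):
    """Return (resource name, {param: (current, desired)}) for one M365DSCEvent."""
    root = ET.fromstring(event_xml)
    drift = root.find("ConfigurationDrift")
    if drift is None:
        return None, {}
    params = {}
    for p in drift.iterfind("ParametersNotInDesiredState/Param"):
        params[p.get("Name")] = (p.findtext("CurrentValue", ""), p.findtext("DesiredValue", ""))
    return drift.get("Source"), params


def missing_domains(params):
    """Domains the desired state lists that the tenant's current AllowedDomains does not."""
    current, desired = params.get("AllowedDomains", ("", ""))
    return sorted(set(parse_domains(desired)) - set(parse_domains(current)))


if __name__ == "__main__":
    source, params = parse_drift(SAMPLE_EVENT)
    for name, (cur, want) in params.items():
        print(f"{source}.{name}: current={cur!r} desired={want!r}")
    print("domains still to be applied:", missing_domains(params))
```

Running it on events captured before and after applying the configuration shows whether the same parameters are still reported as drifted, which is the symptom described in this issue.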

andikrueger commented 1 year ago

This resource uses the Teams PowerShell to get and set the data. Recently the option to use a service principal was added to MS Teams. At the moment, service principal and credential based auth should be supported. I would go with credential based authentication (global admin) for this setting.

Did you use the global admin account for that?

archeedev commented 1 year ago

Yes GA on both sides.