microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Export-M365DSCConfiguration: "SPOSite" export fails #2592

Closed leitzler closed 1 year ago

leitzler commented 1 year ago

Details of the scenario you tried and the problem that is occurring

I tried to export component SPOSite from within a mcr.microsoft.com/powershell:7.1.5-windowsservercore-ltsc2022 container.

There are three separate issues here, let me know if I should split this issue into multiple ones.

1) Import-Module fails for PnP.PowerShell. Running Import-Module -Name PnP.PowerShell only from the prompt works.

2) Connect-MgGraph fails because it can't locate Newtonsoft.Json.

3) The export itself fails due to: Device code terminal timed-out after 120 seconds.. I never get any device code terminal so that output is probably suppressed.

Verbose logs showing the problem

PS C:\> Install-Module Microsoft365DSC
[...]
PS C:\> Update-M365DSCDependencies
Installing DSCParser version {1.3.0.6}
Installing ExchangeOnlineManagement version {3.0.0}
Installing Microsoft.Graph.Applications version {1.17.0}
Installing Microsoft.Graph.DeviceManagement.Enrolment version {1.17.0}
Installing Microsoft.Graph.Devices.CorporateManagement version {1.17.0}
Installing Microsoft.Graph.Groups version {1.17.0}
Installing Microsoft.Graph.Identity.DirectoryManagement version {1.17.0}
Installing Microsoft.Graph.Identity.Governance version {1.17.0}
Installing Microsoft.Graph.Identity.SignIns version {1.17.0}
Installing Microsoft.Graph.Planner version {1.17.0}
Installing Microsoft.Graph.Teams version {1.17.0}
Installing Microsoft.Graph.Users version {1.17.0}
Installing Microsoft.Graph.Users.Actions version {1.17.0}
Installing Microsoft.PowerApps.Administration.PowerShell version {2.0.154}
Installing MicrosoftTeams version {4.9.1}
Installing MSCloudLoginAssistant version {1.0.98}
Installing PnP.PowerShell version {1.12.0}
Installing ReverseDSC version {2.0.0.13}
PS C:\> Export-M365DSCConfiguration -Credential $Cred -GenerateInfo:$true -Components @("SPOSite")
Exporting Microsoft 365 configuration for Components: SPOSite

Authentication methods specified:
- Credentials

Connecting to {PnP}...Import-Module: C:\Program Files\PowerShell\Modules\MSCloudLoginAssistant\1.0.98\Workloads\PnP.psm1:34
Line |
  34 |  …             Import-Module PnP.PowerShell -UseWindowsPowerShell -Globa…
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Failure from remote command: Import-Module -Name
     | 'PnP.PowerShell': The specified module 'PnP.PowerShell' was
     | not loaded because no valid module file was found in any
     | module directory.

Connect-MgGraph: C:\Program Files\PowerShell\Modules\MSCloudLoginAssistant\1.0.98\Workloads\MicrosoftGraph.psm1:181
Line |
 181 |              Connect-MgGraph -AccessToken $AccessToken | Out-Null
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Could not load file or assembly 'Newtonsoft.Json,
     | Version=13.0.0.0, Culture=neutral,
     | PublicKeyToken=30ad4fe6b2a6aeed'. The system cannot find the
     | file specified.

❌
Device code terminal timed-out after 120 seconds. Please try again.
Partial Export file was saved at: C:\Users\ContainerAdministrator\AppData\Local\Temp\9734c309-131f-465d-ab95-486e3aface64.partial.ps1

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

N/A, default.

The operating system the target node is running

PS C:\> Get-ComputerInfo -Property @("OsName", "OsOperatingSystemSKU", "OsArchitecture", "WindowsVersion", "WindowsBuildLabEx", "OsLanguage", "OsMuiLanguages")

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

PS C:\> (Get-Module -Name Microsoft365DSC).Version

Major  Minor  Build  Revision
-----  -----  -----  --------
1      22     1123   1

leitzler commented 1 year ago

As per https://github.com/microsoft/Microsoft365DSC/issues/2594#issuecomment-1327183498:

> In the past I used a windows server core too and was able to run M365DSC successfully. As soon as you need interactive windows, you won't be able to do so. Please try to use an account without MFA or a service principal.

Thanks for the response. If I understand it correctly I might be able to authenticate using Connect-MgGraph before running the export to get around the MFA issue?

But that won't work due to the Newtonsoft.Json failure, and from what I found it seems like the root cause of that issue is that Microsoft365DSC uses a version of Microsoft.Graph that requires a newer version of Newtonsoft.Json (see https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1439#issue-1329706224).

The resolution is to use PowerShell v7.2.5+ (https://github.com/PowerShell/PowerShell/pull/15084) due to a security vulnerability.

However, Microsoft365DSC lists v7.1 as a requirement and doesn't have official support for v7.2 😅.

I'm going to give it a go with v7.2 despite the fact that it isn't officially supported and might end up filing additional issues for reference.

leitzler commented 1 year ago

For reference, running v7.3 (with manual call to Connect-MgGraph before the export) fails too:

TenantId must be in format contuse.onmicrosoft.com

andikrueger commented 1 year ago

Yes, we are still limited to PS 5.1 and PS 7.1. This is due to the dependencies on the various modules like Graph, Teams, Exchange, ... The module itself would need some rework too.

What is your use case that you want to meet with the container version of M365DSC?

leitzler commented 1 year ago

> Yes, we are still limited to PS 5.1 and PS 7.1. This is due to the dependencies on the various modules like Graph, Teams, Exchange, ... The module itself would need some rework too.

Got it, you don't happen to have a roadmap or rough estimate when that could happen?

> What is your use case that you want to meet with the container version of M365DSC?

I'm investigating if it is possible to use M365DSC without access to an actual Windows host, and if there are any limitations. The idea would be to run it as a plain Azure container or using AKS. So far I haven't found a combination of version(s) that works fully so any suggestions would be highly appreciated!

andikrueger commented 1 year ago

I went through this process a while ago and opted for an Azure Runbook. The container provisioning times were way too long and the issues around the container too challenging. With a PS runbook in V5.1 you mitigate the issues and still get the full set of features.

leitzler commented 1 year ago

Ah, runbooks are a new concept to me, I'll look into if that route fits my use case. Thank you!
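
An added example, not part of the thread and not the Microsoft365DSC project's own code: a non-interactive SPOSite export using the service principal option suggested in the thread, preceded by checks for the PowerShell version limit and the tenant-name format mentioned in the comments. The application ID, tenant name, thumbprint and output path are placeholders, and the app registration and its certificate are assumed to exist already; it does not address the module-loading failures reported above.

```powershell
# Added example: headless export with a certificate-backed service principal.
# All values below are placeholders, not taken from the thread.
$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder app registration ID
$TenantName = 'contoso.onmicrosoft.com'                # placeholder tenant name
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'               # placeholder
$OutDir     = 'C:\export'                              # placeholder output folder

function Test-ExportPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $problems = @()

    # A reply in the thread states that only PS 5.1 and PS 7.1 are supported.
    $v = $PSVersionTable.PSVersion
    if (-not (($v.Major -eq 5 -and $v.Minor -eq 1) -or ($v.Major -eq 7 -and $v.Minor -eq 1))) {
        $problems += "PowerShell $v is outside the supported 5.1 / 7.1 versions"
    }

    # The error quoted in the thread asks for the <name>.onmicrosoft.com form.
    if ($TenantName -notmatch '^[a-z0-9-]+\.onmicrosoft\.com$') {
        $problems += "TenantId '$TenantName' is not in <name>.onmicrosoft.com format"
    }

    # The certificate must be present, hold a private key, and be unexpired.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert)                        { $problems += 'certificate not found in CurrentUser\My or LocalMachine\My' }
    elseif (-not $cert.HasPrivateKey)      { $problems += 'certificate has no private key in this store' }
    elseif ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }

    return ,$problems
}

$problems = Test-ExportPrerequisite -TenantName $TenantName -Thumbprint $Thumbprint
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisites not met; export not started.'
}

# No -Credential is passed, so no interactive or device-code sign-in is requested.
Export-M365DSCConfiguration -Components @('SPOSite') `
    -ApplicationId $AppId -TenantId $TenantName -CertificateThumbprint $Thumbprint `
    -Path $OutDir
```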