search

microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
1.53k stars 465 forks source link

SCAutoSensitivityLabelPolicy, SCAutoSensitivityLabelRule: Cmdlets Set-AutoSensitivityLabelRule and Get-AutoSensitivityLabelPolicy not found #3313

Closed GruberMarkus closed 1 year ago

GruberMarkus commented 1 year ago

Details of the scenario you tried and the problem that is occurring

SCAutoSensitivityLabelPolicy andSCAutoSensitivityLabelRule can not be exported because PowerShell Cmdlets can not be found. All other security and compliance ressources work fine.

Verbose logs showing the problem

Exporting Microsoft 365 configuration for Components: SCAutoSensitivityLabelPolicy, SCAutoSensitivityLabelRule

Authentication methods specified:
- Service Principal with Certificate Thumbprint
[...]
AUSFÜHRLICH: Modul wird aus Pfad "C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\DSCResources\MSFT_SCAutoSensitivityLabelPolicy\MSFT_SCAutoSe
nsitivityLabelPolicy.psm1" geladen.
AUSFÜHRLICH: Funktion "Export-TargetResource" wird importiert.
AUSFÜHRLICH: Funktion "Get-TargetResource" wird importiert.
AUSFÜHRLICH: Funktion "Set-TargetResource" wird importiert.
AUSFÜHRLICH: Funktion "Test-TargetResource" wird importiert.
AUSFÜHRLICH: Modul wird aus Pfad "C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\DSCResources\MSFT_SCAutoSensitivityLabelRule\MSFT_SCAutoSens
itivityLabelRule.psm1" geladen.
AUSFÜHRLICH: Funktion "Export-TargetResource" wird importiert.
AUSFÜHRLICH: Funktion "Get-TargetResource" wird importiert.
AUSFÜHRLICH: Funktion "Set-TargetResource" wird importiert.
AUSFÜHRLICH: Funktion "Test-TargetResource" wird importiert.
AUSFÜHRLICH: Modul wird aus Pfad "C:\Program
[...]
AUSFÜHRLICH: Attempting connection to {MicrosoftGraph} with:
AUSFÜHRLICH:
Name                           Value

----                           -----

CertificateThumbprint          <guid>

TenantId                       <tenant>

CertificatePath

ApplicationId                  <guid>

ApplicationSecret

AUSFÜHRLICH: Dependencies were already successfully validated.
AUSFÜHRLICH: ApplicationId, TenantId, CertificateThumbprint were specified. Connecting via Service Principal
Connecting to {SecurityComplianceCenter}...Creating a new Remote PowerShell session using Modern Authentication for implicit remoting of "Get-ComplianceSearch" command ...
✅
[1/2] Extracting [SCAutoSensitivityLabelPolicy] using {CertificateThumbprint}...AUSFÜHRLICH: Attempting connection to {SecurityComplianceCenter} with:
AUSFÜHRLICH:
Name                           Value

----                           -----

CertificateThumbprint          <guid>

TenantId                       <guid>

ApplicationId                  <guid>

AUSFÜHRLICH: Dependencies were already successfully validated.
AUSFÜHRLICH: ApplicationId, TenantId, CertificateThumbprint were specified. Connecting via Service Principal
❌
Error Log created at {file://C:/ALexclude/DSC/exports/8892-M365DSC-ErrorLog.log}
[2/2] Extracting [SCAutoSensitivityLabelRule] using {CertificateThumbprint}...AUSFÜHRLICH: Attempting connection to {SecurityComplianceCenter} with:
AUSFÜHRLICH:
Name                           Value

----                           -----

CertificateThumbprint          <guid>

TenantId                       <guid>

ApplicationId                  <guid>

AUSFÜHRLICH: Dependencies were already successfully validated.
AUSFÜHRLICH: ApplicationId, TenantId, CertificateThumbprint were specified. Connecting via Service Principal
❌
Error Log created at {file://C:/ALexclude/DSC/exports/8892-M365DSC-ErrorLog.log}
⌛ Export took {36 seconds}

End script @2023-05-16T12:16:32+02:00@
PS C:\ALexclude\DSC\exports>
[2023.05.16 12:16:19]
{ObjectNotFound}
System.Management.Automation.CommandNotFoundException: Die Benennung "Get-AutoSensitivityLabelPolicy" wurde nicht als Name eines Cmdlet, einer Funktion, einer Skriptdatei oder eines ausführbaren Programms erkannt. Überprüfen Sie die Schreibweise des Namens, oder ob der Pfad korrekt ist (sofern enthalten), und wiederholen Sie den Vorgang.
   bei System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   bei System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   bei System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   bei System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
"Error during Export:"
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\DSCResources\MSFT_SCAutoSensitivityLabelPolicy\MSFT_SCAutoSensitivityLabelPolicy.psm1: Zeile 816
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\modules\M365DSCReverse.psm1: Zeile 619
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\modules\M365DSCUtil.psm1: Zeile 1288
bei <ScriptBlock>, C:\ALexclude\DSC\dsc.ps1: Zeile 155
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: <tenant>

[2023.05.16 12:16:19]
{ObjectNotFound}
System.Management.Automation.CommandNotFoundException: Die Benennung "Get-AutoSensitivityLabelRule" wurde nicht als Name eines Cmdlet, einer Funktion, einer Skriptdatei oder eines ausführbaren Programms erkannt. Überprüfen Sie die Schreibweise des Namens, oder ob der Pfad korrekt ist (sofern enthalten), und wiederholen Sie den Vorgang.
   bei System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   bei System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   bei System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   bei System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
"Error during Export:"
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\DSCResources\MSFT_SCAutoSensitivityLabelRule\MSFT_SCAutoSensitivityLabelRule.psm1: Zeile 1087
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\modules\M365DSCReverse.psm1: Zeile 619
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.510.1\modules\M365DSCUtil.psm1: Zeile 1288
bei <ScriptBlock>, C:\ALexclude\DSC\dsc.ps1: Zeile 155
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: <tenant>

Suggested solution to the issue

No suggestion.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# Generated with Microsoft365DSC version 1.23.510.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
)

Configuration <tenant>_20230516T1015Z
{
    param (
    )

    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.510.1'

    Node localhost
    {

        # For information on how to use this resource, please refer to:
        # https://github.com/microsoft/Microsoft365DSC/wiki/SCAutoSensitivityLabelPolicy

        # For information on how to use this resource, please refer to:
        # https://github.com/microsoft/Microsoft365DSC/wiki/SCAutoSensitivityLabelRule
    }
}

<tenant>_20230516T1015Z -ConfigurationData .\ConfigurationData.psd1

The operating system the target node is running

OsName : Microsoft Windows 10 Enterprise OsOperatingSystemSKU : EnterpriseEdition OsArchitecture : 64-Bit WindowsVersion : 2009 WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406 OsLanguage : de-DE OsMuiLanguages : {de-DE}

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.510.1

NikCharlebois commented 1 year ago

Let's walk through the authentication stack. If you try the following command (replace the variables by your values):

Connect-IPPSsession -AppId $appId -CertificateThumbprint $thumbprint -Organization $tenantId
Get-AutoSensitivityLabelPolicy

Are you getting the same error? If so, then that is either a permission or a licensing issue.

GruberMarkus commented 1 year ago

The test commands always worked, Get-AutoSensitivityLabelPolicy only failed in M365DSC.

Upgrading to the newest version solved the issue immediately, although I do not see why.

You can close this issue.

Thanks for your support!

andikrueger commented 1 year ago

Thanks for the feedback!

Northism commented 1 year ago

Hi Guys Thanks for you guys great work on this. I am getting the same error and not sure that it is resolved. I have run this as Global Administrator (including explicit Compliance Administrator role).

I have followed @NikCharlebois suggestion of;

_Let's walk through the authentication stack. If you try the following command (replace the variables by your values):

Connect-IPPSsession -AppId $appId -CertificateThumbprint $thumbprint -Organization $tenantId Get-AutoSensitivityLabelPolicy Are you getting the same error? If so, then that is either a permission or a licensing issue._

....and can confirm I cannot see it. I work for an organisation that has A5 licencing.

I can confirm that I have access to this data through the Purview portal itself. What other permission is\can be required?

Many thanks

andikrueger commented 1 year ago

What m365dsc version are you using and could run Update-M365DSCDependencies and Uninstall-M365DSCOutdatedDependencies to confirm your machine’s setup?

Northism commented 1 year ago

Hi @andikrueger - that was quick thank you.

M365DSC version is 1.23.621.1 ExchangeOnlineManagement version is 3.2.0

I updated this morning :)

andikrueger commented 1 year ago

Are there any other versions of EXOManagementShell on your system?

Northism commented 1 year ago

Hi Andi

No. The exchange module is also installed under the AllUsers scope - C:\Program Files\WindowsPowerShell\Modules.

@andikrueger & @NikCharlebois, can you confirm that the license (A5) and Global Administrator (including explicit Compliance Administrator role) permission should be sufficient get access to these to resources?

Thanks again for your time :)

From: Andi Krüger @.> Sent: Friday, 23 June 2023 3:27 PM To: microsoft/Microsoft365DSC @.> Cc: Northism @.>; Comment @.> Subject: Re: [microsoft/Microsoft365DSC] SCAutoSensitivityLabelPolicy, SCAutoSensitivityLabelRule: Cmdlets Set-AutoSensitivityLabelRule and Get-AutoSensitivityLabelPolicy not found (Issue #3313)

Are there any other versions of EXOManagementShell on your system?

— Reply to this email directly, view it on GitHubhttps://github.com/microsoft/Microsoft365DSC/issues/3313#issuecomment-1603851597, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ACG75ZCURAJXEE4VYELUEB3XMVAO7ANCNFSM6AAAAAAYDN55XQ. You are receiving this because you commented.Message ID: @.***>

Northism commented 1 year ago

FYI

I have opened up a ticket with MS and will provide feedback here once I have a resolution.

andikrueger commented 1 year ago

@Northism Did you have a chance to review this section of our documentation: https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#security-and-compliance-center-permissions @NikCharlebois added this section a few days ago.

Northism commented 1 year ago

@andikrueger - I hadn't seen it. Thanks for the update.

I have had feedback from MS. The issue I have is a licensing issue. My version of A5 license doesn't have the auto-labelling available in my Non-Prod tenant.

Thanks you for your support.