microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Creating report O365OrgSettings & O365SearchAndIntelligenceConfigurations with CertificateThumbprint throws error #3617

Closed jonathanhotono closed 1 year ago

jonathanhotono commented 1 year ago

Description of the issue

Tried executing: Export-M365DSCConfiguration -Components @("O365OrgSettings", "O365SearchAndIntelligenceConfigurations") -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId

With all READ permission set as per settings.json: https://raw.githubusercontent.com/microsoft/Microsoft365DSC/Dev/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json

"read": [
    { "name": "Application.Read.All" },
    { "name": "ReportSettings.Read.All" },
    { "name": "OrgSettings-Forms.Read.All" },
    { "name": "OrgSettings-Todo.Read.All" },
    { "name": "OrgSettings-AppsAndServices.Read.All" },
    { "name": "OrgSettings-DynamicsVoice.Read.All" },
    { "name": "Tasks.ReadWrite.All" }
]

Not sure why Tasks needs to have ReadWrite but I followed the json. The rest of the export report feature works.

Microsoft 365 DSC Version

1.23.823.1

Which workloads are affected

Office 365 Admin

The DSC configuration

Export-M365DSCConfiguration -Components @("O365OrgSettings", "O365SearchAndIntelligenceConfigurations") -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId

Verbose logs showing the problem

[2023/08/29 07:13:45] {ProtocolError} Microsoft.Exchange.Management.RestApiClient.RestClientException: The following authorization requirements are not satisfied: ((TokenTypeAuthorizationRequirement(UserActAs, AppOnly)&ScopeAuthorizationRequirement(OrganizationSettings.Read, OrganizationSettings.ReadWrite, OrganizationSettings.Read, OrganizationSettings.ReadWrite))|WidsAuthorizationRequirement(62e90394-69f5-4237-9190-012177145e10,29232cdf-9323-42fd-ade2-1d097af3e4de,69091246-20e8-4a56-aa4d-066075b2a7a8,eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c)). at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet2.HandleErrorResponse(HttpResponseMessage response, String settingsName) at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet2.MakeAndSendGetRequest[T](String settingsName, Uri uri) at Microsoft.Exchange.Management.RestApiClient.Briefing.GetDefaultTenantBriefingConfig.InternalProcessRecord() at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet2.<ProcessRecord>b__34_0() at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet2.ExecuteWithExceptionHandling(Action action, Exception& exception) "Error retrieving data:" at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 230 at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1047 at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCReverse.psm1: line 615 at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 1310 at , : line 1 TenantId: ##.onmicrosoft.com

[2023/08/29 07:13:46] {InvalidOperation} System.Management.Automation.RuntimeException: You cannot call a method on a null-valued expression. at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception) at System.Management.Automation.Interpreter.ActionCallInstruction2.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0) at System.Management.Automation.PSScriptCmdlet.RunClause(Action1 clause, Object dollarUnderbar, Object inputToProcess) at System.Management.Automation.PSScriptCmdlet.DoEndProcessing() at System.Management.Automation.CommandProcessorBase.Complete() "Error during Export:" at Get-M365DSCExportContentForResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 3296 at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1052 at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCReverse.psm1: line 615 at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 1310 at , : line 1 TenantId: ##.onmicrosoft.com

[2023/08/29 07:14:48] {ProtocolError} Microsoft.Exchange.Management.RestApiClient.RestClientException: The following authorization requirements are not satisfied: ((TokenTypeAuthorizationRequirement(UserActAs, AppOnly)&ScopeAuthorizationRequirement(OrganizationSettings.Read, OrganizationSettings.ReadWrite, OrganizationSettings.Read, OrganizationSettings.ReadWrite))|WidsAuthorizationRequirement(62e90394-69f5-4237-9190-012177145e10,29232cdf-9323-42fd-ade2-1d097af3e4de,69091246-20e8-4a56-aa4d-066075b2a7a8,eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c)). at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet2.HandleErrorResponse(HttpResponseMessage response, String settingsName) at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet2.MakeAndSendGetRequest[T](String settingsName, Uri uri) at Microsoft.Exchange.Management.RestApiClient.Briefing.GetDefaultTenantBriefingConfig.InternalProcessRecord() at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet2.<ProcessRecord>b__34_0() at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet2.ExecuteWithExceptionHandling(Action action, Exception& exception) "Error retrieving data:" at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 230 at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1047 at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCReverse.psm1: line 615 at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 1310 at , : line 1 TenantId: ##.onmicrosoft.com

[2023/08/29 07:14:49] {InvalidOperation} System.Management.Automation.RuntimeException: You cannot call a method on a null-valued expression. at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception) at System.Management.Automation.Interpreter.ActionCallInstruction2.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0) at System.Management.Automation.PSScriptCmdlet.RunClause(Action1 clause, Object dollarUnderbar, Object inputToProcess) at System.Management.Automation.PSScriptCmdlet.DoEndProcessing() at System.Management.Automation.CommandProcessorBase.Complete() "Error during Export:" at Get-M365DSCExportContentForResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 3296 at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1052 at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCReverse.psm1: line 615 at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 1310 at , : line 1 TenantId: ##.onmicrosoft.com

[2023/08/29 07:27:23] {ProtocolError} Microsoft.Exchange.Management.RestApiClient.RestClientException: The following authorization requirements are not satisfied: ((TokenTypeAuthorizationRequirement(UserActAs, AppOnly)&ScopeAuthorizationRequirement(OrganizationSettings.Read, OrganizationSettings.ReadWrite, OrganizationSettings.Read, OrganizationSettings.ReadWrite))|WidsAuthorizationRequirement(62e90394-69f5-4237-9190-012177145e10,29232cdf-9323-42fd-ade2-1d097af3e4de,69091246-20e8-4a56-aa4d-066075b2a7a8,eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c)). at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet2.HandleErrorResponse(HttpResponseMessage response, String settingsName) at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet2.MakeAndSendGetRequest[T](String settingsName, Uri uri) at Microsoft.Exchange.Management.RestApiClient.Briefing.GetDefaultTenantBriefingConfig.InternalProcessRecord() at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet2.<ProcessRecord>b__34_0() at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet2.ExecuteWithExceptionHandling(Action action, Exception& exception) "Error retrieving data:" at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 230 at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1047 at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCReverse.psm1: line 615 at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 1310 at , : line 1 TenantId: ##.onmicrosoft.com

[2023/08/29 07:27:24] {InvalidOperation} System.Management.Automation.RuntimeException: You cannot call a method on a null-valued expression. at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception) at System.Management.Automation.Interpreter.ActionCallInstruction2.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame) at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0) at System.Management.Automation.PSScriptCmdlet.RunClause(Action1 clause, Object dollarUnderbar, Object inputToProcess) at System.Management.Automation.PSScriptCmdlet.DoEndProcessing() at System.Management.Automation.CommandProcessorBase.Complete() "Error during Export:" at Get-M365DSCExportContentForResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 3296 at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1052 at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCReverse.psm1: line 615 at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.823.1\modules\M365DSCUtil.psm1: line 1310 at , : line 1 TenantId: ##.onmicrosoft.com

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

NikCharlebois commented 1 year ago

Based on the official Exchange Online PowerShell module's documentation, you will need to assign one of the Azure AD supported roles below to your app in order to be able to use it via app-only auth:

App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell | Microsoft Learn

Thanks

jonathanhotono commented 1 year ago

@NikCharlebois The app was initially already assigned the Global Reader role and it shows that error. Then I tried to assign the Global Admin role with full 'Update' API permission, and it still shows the same error message. Any thoughts?

getazcloud commented 1 year ago

@jonathanhotono If I assign Exchange Administrator to the app, it runs without an error on my side.

NikCharlebois commented 1 year ago

@jonathanhotono as mentioned above, it needs one of the official EXO Manage as app role. EXO Admin being one. I will be closing this for the moment. If you are still facing the issue after assigning a valid role, please let me know. Thanks

SAL-3000 commented 8 months ago

@NikCharlebois So I too am having the same exact issue. What is odd is this: on 15 Feb 2024 exporting the O365OrgSettings worked like a champ; starting this week, after returning from vacation, it errors out with the same error as above:

Microsoft.Exchange.Management.RestApiClient.RestClientException: The following authorization requirements are not satisfied:

API Perms needed per Get-M365DSCCompiledPermissionList

Get-M365DSCCompiledPermissionList -ResourceNameList @("O365AdminAuditLogConfig", "O365OrgCustomizationSetting", "O365OrgSettings", "O365SearchAndIntelligenceConfigurations") -PermissionType Application -AccessType Read

API        PermissionName
---        --------------
Graph      Organization.Read.All
Exchange   Exchange.ManageAsApp
Graph      Application.Read.All
Graph      ReportSettings.Read.All
Graph      OrgSettings-Forms.Read.All
Graph      OrgSettings-Todo.Read.All
Graph      OrgSettings-AppsAndServices.Read.All
Graph      OrgSettings-DynamicsVoice.Read.All
Graph      Tasks.Read.All

API Perms assigned to the App Registration

[screenshot of the app registration's API permissions; not reproduced here]

Roles Assigned to App Registration: Exchange Administrator

Version of DSC Tool installed: 1.24.228.1 Microsoft365DSC

Any suggestions?
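The thread boils down to two separate requirements for an app-only export of these resources: the application permissions that Get-M365DSCCompiledPermissionList lists (including Exchange.ManageAsApp), plus a supported Exchange Online directory role on the app itself (Exchange Administrator is the one that worked for getazcloud). The script below is an added example, not code from this issue or from the Microsoft365DSC project; it compares the compiled permission list against what the app registration actually holds and flags both gaps (which break the export) and surplus write grants (such as the Tasks.ReadWrite.All the reporter noticed in settings.json, where the compiled list wants Tasks.Read.All). It assumes the Microsoft365DSC and Microsoft.Graph modules are installed, that Get-M365DSCCompiledPermissionList returns one object per permission with API and PermissionName members (as the Name/Value listing above suggests), and that the caller can read app role assignments and directory role members; $AppId and $RequiredDirectoryRole are placeholders you supply.

```powershell
# Added example (not from the issue or the Microsoft365DSC project).
# Compares the permissions the module says an app-only, read-only export needs
# with what the app registration has been granted, then checks the EXO directory role.
param(
    [Parameter(Mandatory)][string]$AppId,   # client (application) id of the export app
    [string[]]$ResourceNameList = @("O365OrgSettings", "O365SearchAndIntelligenceConfigurations"),
    [string]$RequiredDirectoryRole = "Exchange Administrator"   # role that resolved the error for getazcloud
)

# 1. Required permissions per the module (assumption: objects expose API and PermissionName).
$required = Get-M365DSCCompiledPermissionList -ResourceNameList $ResourceNameList `
    -PermissionType Application -AccessType Read
$requiredNames = @($required | ForEach-Object { $_.PermissionName } | Sort-Object -Unique)

# Scopes needed only to *read* the app's grants and role membership.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# 2. Granted application permissions: each app role assignment is resolved back to its
#    permission name through the resource service principal's AppRoles collection.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId in this tenant." }

$granted = foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{ Resource = $resource.DisplayName; PermissionName = $role.Value }
}
$grantedNames = @($granted | ForEach-Object { $_.PermissionName } | Sort-Object -Unique)

# 3. Diff. Missing entries explain "authorization requirements are not satisfied";
#    surplus write-capable grants are least-privilege findings, not export blockers.
$missing      = @($requiredNames | Where-Object { $_ -notin $grantedNames })
$surplusWrite = @($grantedNames  | Where-Object { $_ -notin $requiredNames -and $_ -match 'ReadWrite|Manage' })

# 4. Directory role. Exchange.ManageAsApp alone is not enough for EXO cmdlets; the app must
#    also be a member of a supported role. Get-MgDirectoryRole lists only activated roles,
#    so a role that has never been used in the tenant simply will not appear.
$dirRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $RequiredDirectoryRole }
$hasRole = $false
if ($dirRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $dirRole.Id -All
    $hasRole = [bool]($members | Where-Object { $_.Id -eq $sp.Id })
}

[pscustomobject]@{
    AppDisplayName          = $sp.DisplayName
    RequiredPermissions     = ($requiredNames -join ", ")
    MissingPermissions      = ($missing -join ", ")
    SurplusWritePermissions = ($surplusWrite -join ", ")
    HasDirectoryRole        = $hasRole
    DirectoryRoleChecked    = $RequiredDirectoryRole
}

if ($missing.Count -gt 0) {
    Write-Warning "Export will fail: grant (and admin-consent) the missing application permissions."
}
if (-not $hasRole) {
    Write-Warning "Export will fail for EXO-backed settings: assign '$RequiredDirectoryRole' to the app's service principal."
}
if ($surplusWrite.Count -gt 0) {
    Write-Warning "Read-only export does not need: $($surplusWrite -join ', '). Consider removing them."
}
```

Run it before opening an issue: if MissingPermissions is empty and HasDirectoryRole is True but the export still fails, the cause is not the app registration. Note that the role check looks at direct membership only; a role granted through a PIM-eligible assignment or a role-assignable group will not show up here.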

OhhHellooow commented 8 months ago

Based on the official Exchange Online PowerShell module's documentation, you will need to assign one of the Azure AD supported roles below to your app in order to be able to use it via app-only auth:

App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell | Microsoft Learn

Thanks

What permissions are able to be assigned for pulling resources only? I see a few generic links to MS; however, I cannot find M365DSC's documentation on what is required, for example, if I want to ReadOnly all EXO* resources.