microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

EXOTransportConfig: When using ManagedIdentity it throws 'Insufficient access rights to perform the operation' #3648

Open raandree opened 1 year ago

raandree commented 1 year ago

Description of the issue

Using the EXOTransportConfig resource with managed identity throws Insufficient access rights to perform the operation even if all required permissions are available. When setting the transport config manually using the cmdlet Set-TransportConfig after creating a connection in the context of the managed identity (Connect-ExchangeOnline -ManagedIdentity), things are working fine.

It seems that the issue is here in the MSCloudLoginAssistant module. When connecting to Exchange Online by providing the organization's "flat name" ($Global:MSCloudLoginConnectionProfile.OrganizationName), we are running into the issue. When providing the full domain name ($Global:MSCloudLoginConnectionProfile.ExchangeOnline.TenantId), things work.

What do you think about this? Would using the full domain name cause other things to fail?

Microsoft 365 DSC Version

1.23.830.1

Which workloads are affected

Exchange Online

The DSC configuration

configuration ExchangeTest1
{
    Import-DscResource -ModuleName Microsoft365DSC

    EXOTransportConfig TransportConfig
    {
        MaxRecipientEnvelopeLimit = 600
        AddressBookPolicyRoutingEnabled = $false
        ManagedIdentity = $true
        TenantId = 'MngEnvMCAP123456.onmicrosoft.com'
        IsSingleInstance = 'Yes'
    }
}

Verbose logs showing the problem

TenantId=***
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] Target Values: AddressBookPolicyRoutingEnabled=False
IsSingleInstance=Yes
ManagedIdentity=True
MaxRecipientEnvelopeLimit=600
TenantId=***
Verbose=True
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] Test-TargetResource returned False
VERBOSE: [LcmDev]: LCM:  [ End    Test     ]  [[EXOTransportConfig]TransportConfig]  in 28.2650 seconds.
VERBOSE: [LcmDev]: LCM:  [ Start  Set      ]  [[EXOTransportConfig]TransportConfig]
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] Setting EXOTransportConfig
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] Setting EXOTransportConfig with values: AddressBookPolicyRoutingEnabled=False
IsSingleInstance=Yes
ManagedIdentity=True
MaxRecipientEnvelopeLimit=600
TenantId=***
Verbose=True
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] Returning precomputed version info: 3.2.0
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] POST https://outlook.office365.com/adminapi/beta/b246c1af-87ab-41d8-9812-83cd5ff534cb/InvokeCommand with -1-byte payload
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] Query 1 failed.
VERBOSE: [LcmDev]:                            [[EXOTransportConfig]TransportConfig] Getting message from error object
|Microsoft.Exchange.Data.Directory.InsufficientPermissionsException|Source server:LO6P265MB6158.GBRP265.PROD.OUTLOOK.COM doesn't have write permission to target DC:CY4PR05A09DC004.NAMPR05A009.PROD.OUTLOOK.COM. Usually it indicates that target forest isn't an account partition of source forest. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : [Server=LO6P265MB6158,RequestId=759cae50-9230-6f0d-7fdf-6aaac60889f9,TimeStamp=Tue, 05 Sep 2023 15:23:38 GMT],Write-ErrorMessage
    + PSComputerName        : localhost

VERBOSE: [LcmDev]: LCM:  [ End    Set      ]  [[EXOTransportConfig]TransportConfig]  in 14.2810 seconds.
The PowerShell DSC resource '[EXOTransportConfig]TransportConfig' with SourceInfo 'C:\Users\Install\Desktop\Untitled2.ps1::5::5::EXOTransportConfig' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [LcmDev]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 42.949 seconds

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      5.1.20348.1850
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1850
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

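The manual path the reporter describes as working (connect as the managed identity, then call Set-TransportConfig) written out as a standalone script. This is an added example, not code from the issue, from Microsoft365DSC or from MSCloudLoginAssistant. It assumes the ExchangeOnlineManagement v3 module, an Azure resource whose managed identity has been granted the Exchange.ManageAsApp application permission and an Exchange admin role, and a placeholder tenant name taken from the configuration above; the guard on the tenant-name format only encodes the reporter's observation that the flat name fails for writes, it is not a documented rule.

```powershell
# Added example, not part of the issue or the project. Applies the same two
# transport settings as the EXOTransportConfig block above, but directly via
# ExchangeOnlineManagement so the managed-identity connection can be tested
# outside DSC. Tenant name is a placeholder (assumption).
param(
    [string] $Tenant        = 'MngEnvMCAP123456.onmicrosoft.com',
    [int]    $MaxRecipients = 600,
    [bool]   $AbpRouting    = $false
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# The reporter observed that passing the tenant's "flat" name instead of the
# full initial domain led to INSUFF_ACCESS_RIGHTS on write. Refuse the flat
# form up front rather than discovering it at Set-TransportConfig time.
if ($Tenant -notmatch '\.onmicrosoft\.com$') {
    throw "Pass the tenant's initial domain (e.g. contoso.onmicrosoft.com), not the flat name '$Tenant'."
}

# -ManagedIdentity uses the system-assigned identity of the host; for a
# user-assigned identity add -ManagedIdentityAccountId <clientId>.
Connect-ExchangeOnline -ManagedIdentity -Organization $Tenant -ShowBanner:$false

try {
    # Read first so the script is idempotent and records what it changed.
    # MaxRecipientEnvelopeLimit is an Unlimited<int>; compare as strings so
    # "Unlimited" does not break the comparison.
    $before = Get-TransportConfig
    $needsChange = ([string]$before.MaxRecipientEnvelopeLimit -ne [string]$MaxRecipients) -or
                   ($before.AddressBookPolicyRoutingEnabled -ne $AbpRouting)

    if ($needsChange) {
        # -ErrorAction Stop turns the permission error seen in the issue into a
        # terminating error instead of a silently ignored one.
        Set-TransportConfig -MaxRecipientEnvelopeLimit $MaxRecipients `
                            -AddressBookPolicyRoutingEnabled $AbpRouting `
                            -ErrorAction Stop
    }

    # Re-read rather than trusting the Set call: this is the check that the
    # write actually landed under the managed identity.
    $after = Get-TransportConfig
    [pscustomobject]@{
        Organization                    = $Tenant
        Changed                         = $needsChange
        MaxRecipientEnvelopeLimit       = [string]$after.MaxRecipientEnvelopeLimit
        AddressBookPolicyRoutingEnabled = $after.AddressBookPolicyRoutingEnabled
        InDesiredState                  = ([string]$after.MaxRecipientEnvelopeLimit -eq [string]$MaxRecipients) -and
                                          ($after.AddressBookPolicyRoutingEnabled -eq $AbpRouting)
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it from the same host and identity that the DSC LCM uses; if this script succeeds while the DSC resource fails with the same identity, the difference is in how the connection is built (the value handed to -Organization), not in the permissions granted to the identity.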
raandree commented 6 months ago

This seems to be caused by a bug in MSCloudLoginAssistant. I have created the issue Microsoft/MSCloudLoginAssistant#172. As nobody else seems to have the problem, I am wondering if this is really a bug or if just nobody uses Microsoft365DSC to configure EXO.