microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

PnP authentication error for GCC High wrong URL #3666

Open CraigHume opened 10 months ago

CraigHume commented 10 months ago

Details of the scenario you tried and the problem that is occurring

Getting the following error: System.Net.WebException: The remote name could not be resolved: TENANT-admin.sharepoint.com. when attempting both user and certificate-based authentication. Noticed that the URL should be TENANT-admin.sharepoint.us and also needs a parameter for AzureEnvironment. Interestingly, even the official documentation on the PnP website for GCC High is wrong (using .com). Successfully tested by running: Connect-PnPOnline "$tenant-admin.sharepoint.us" -ClientId $ApplicationId -Tenant "$tenant.onmicrosoft.com" -AzureEnvironment USGovernment -Thumbprint $CertificateThumbprint, and then running the individual cmdlets extracted from the ODSettings resource. The same issue applies to all the SPO resources. Tested from Win10 with MSCloudLoginAssistant 1.0.120 and Microsoft365DSC 1.23.906.1.

Verbose logs showing the problem

Suggested solution to the issue

Check for the Azure cloud type (Global, GCC, GCC High etc.). If using GCC High, update the PnP connection to use the parameters -Tenant $tenant-admin.sharepoint.us -AzureEnvironment USGovernment

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-GB
OsMuiLanguages : {en-GB, en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.906.1

andikrueger commented 10 months ago

@desmay Do you have an idea about this issue?

desmay commented 10 months ago

This must be a regression bug, as this should handle the .us endpoints in GCCH. I will do some testing tomorrow.

desmay commented 10 months ago

@CraigHume What happens when you try the following: Connect-M365Tenant -Workload PnP -TenantId tenant.onmicrosoft.us -ApplicationId XXXX -CertificateThumbprint XXXX

I can connect no issues to GCCH via PNP

CraigHume commented 10 months ago

It just returns nothing (even if I add -verbose). Fails to connect. Please note that I have successfully connected using: Connect-PnPOnline "$tenant-admin.sharepoint.us" -ClientId $ApplicationId -Tenant "$tenant.onmicrosoft.com" -AzureEnvironment USGovernment -Thumbprint $CertificateThumbprint. So I suspect you either don't have the -admin part for the URL or are missing the -AzureEnvironment parameter in the Connect-M365Tenant resource.

desmay commented 10 months ago

The Connect-M365Tenant snippet above doesn't return anything when you run it, but you should be able to execute Get-PnPTenant after you run the command. Also, if you run $global:MSCloudLoginConnectionProfile.PnP after Connect-M365Tenant -Workload PnP -TenantId tenant.onmicrosoft.us -ApplicationId XXXX -CertificateThumbprint XXXX it should show endpoints, admin URL etc.

desmay commented 10 months ago

I can no longer connect as well using service principal with cert thumbprint. It's failing in M365DSCUtil. @CraigHume Can you post a screenshot or details of the error message you get?

    Get-MgBetaOrganization : Insufficient privileges to complete the operation.
    Status: 403 (Forbidden)
    ErrorCode: Authorization_RequestDenied
    Date: 2023-09-13T13:03:59
    Headers:
    Transfer-Encoding : chunked
    Vary : Accept-Encoding
    Strict-Transport-Security : max-age=31536000
    request-id : a92a6624-4778-4bcf-bbb9-bd5a0437e540
    client-request-id : 987a1cc5-5b15-48ed-8f95-94d59aa1b0f1
    x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"USGov Arizona","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"PH1NEPF00008CCB"}}
    Cache-Control : no-cache
    Date : Wed, 13 Sep 2023 13:03:58 GMT
    At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.906.1\modules\M365DSCUtil.psm1:1515 char:13
    +         $tenantDetails = Get-MgBetaOrganization -ErrorAction 'Sto ...
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidOperation: ({ Top = , Skip ...ndProperty = }:<>f__AnonymousType34`8) [Get-MgBetaOrganization_List], Exception
        + FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaOrganization_List

This was an issue on my part: permissions not granted in Graph. I can't repro this issue in my GCCH environment; everything works as expected with the latest build in PowerShell 5.1.

CraigHume commented 10 months ago

Here are some screenshots. When using Connect-M365Tenant, I am seeing relevant (and correct) data via $global:MSCloudLoginConnectionProfile.PnP. However, running Get-PnPTenant returns nothing. The second screenshot shows how, after disconnecting and reconnecting via the native Connect-PnPOnline, when I run Get-PnPTenant I get all the correct data.

CraigHume commented 10 months ago

Noticed that the test you asked me to do is for tenant x.onmicrosoft.us (which fails), but the native Connect-PnPOnline command that succeeds is using -Tenant x.onmicrosoft.com. It is only the admin URL that has a .us.
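
Putting the suggested solution from the opening post together with the .com/.us observation just above, here is an added PowerShell helper (not Microsoft365DSC or PnP project code) that derives the PnP admin URL and -AzureEnvironment value from the cloud type and pre-checks DNS and the certificate before connecting. The tenant name, application id and thumbprint are constructed placeholders, and mapping GCC (moderate) to the commercial endpoints is my assumption rather than something the thread states.

```powershell
# Added example (not Microsoft365DSC or PnP project code). Builds the Connect-PnPOnline
# parameter set for a given cloud, encoding the two findings from this thread:
#   1. only the SharePoint admin host suffix changes for GCC High (.com -> .us),
#   2. the -Tenant value stays <tenant>.onmicrosoft.com even for GCC High.
# Resolve-DnsName runs first so a wrong suffix fails with an actionable message
# instead of the raw "The remote name could not be resolved" WebException.
function Get-PnPAdminConnectionParameters {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantName,    # e.g. 'contoso' for contoso.onmicrosoft.com
        [Parameter(Mandatory)] [ValidateSet('Global', 'GCC', 'GCCHigh')] [string] $CloudEnvironment,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint
    )

    # GCC High uses the .us SharePoint suffix with -AzureEnvironment USGovernment (verified in
    # the thread). Mapping GCC (moderate) to the commercial endpoints is this example's
    # assumption, not something the thread states.
    switch ($CloudEnvironment) {
        'GCCHigh' { $suffix = 'sharepoint.us';  $azureEnv = 'USGovernment' }
        default   { $suffix = 'sharepoint.com'; $azureEnv = 'Production' }
    }
    $adminHost = "$TenantName-admin.$suffix"

    # Pre-flight DNS check: the thread's original failure was a name resolution error.
    try { $null = Resolve-DnsName -Name $adminHost -ErrorAction Stop }
    catch { throw "Admin host '$adminHost' does not resolve; is '$CloudEnvironment' the right cloud for '$TenantName'?" }

    # App-only auth cannot work without the private key; confirm the cert is installed.
    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint -and $_.HasPrivateKey }
    if (-not $cert) { throw "No certificate with a private key and thumbprint '$CertificateThumbprint' was found." }

    # Note that Tenant keeps the .onmicrosoft.com domain; only Url carries the .us suffix.
    return @{
        Url              = "https://$adminHost"
        ClientId         = $ApplicationId
        Tenant           = "$TenantName.onmicrosoft.com"
        AzureEnvironment = $azureEnv
        Thumbprint       = $CertificateThumbprint
    }
}

# Usage with constructed placeholder values; splatting passes the hashtable as named parameters.
$pnpParams = Get-PnPAdminConnectionParameters -TenantName 'contoso' -CloudEnvironment 'GCCHigh' `
    -ApplicationId '00000000-0000-0000-0000-000000000000' -CertificateThumbprint 'PLACEHOLDER-THUMBPRINT'
Connect-PnPOnline @pnpParams
Get-PnPTenant
```

If Get-PnPTenant returns data here but not after Connect-M365Tenant, the difference lies in the parameters the wrapper passes, which $global:MSCloudLoginConnectionProfile.PnP can be compared against.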

desmay commented 9 months ago

Sorry for the late reply. So, if you change the tenant to the proper endpoint with .com, what details are populated in $global:MSCloudLoginConnectionProfile.PnP?

Connect-M365Tenant -Workload PnP -TenantId tenant.onmicrosoft.com -ApplicationId XXXX -CertificateThumbprint XXXX