microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Export Teams Configuration with Application-ID and Certification Thumbprint - Forbidden - Access denied #3863

Open donky-bison opened 1 year ago

donky-bison commented 1 year ago

Description of the issue

Export-M365DSCConfiguration -Components @("TeamsVoiceRoute", "TeamsVoiceRoutingPolicy", "TeamsWorkloadPolicy") -ApplicationId 0aefaf9c-a720-4144-9baa-5e55121af831 -TenantId xx.xxx.xx -CertificateThumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exporting Microsoft 365 configuration for Components: TeamsVoiceRoute, TeamsVoiceRoutingPolicy, TeamsWorkloadPolicy

Authentication methods specified:

Connecting to {MicrosoftTeams}...✅
[1/3] Extracting [TeamsVoiceRoute] using {CertificateThumbprint}...Correlation id for this request : 9bbac2c9-a72a-4f07-88d8-48d228ef4770 ❌
Error Log created at {file://C:/Users/urs.egli/46352-M365DSC-ErrorLog.log}
[2/3] Extracting [TeamsVoiceRoutingPolicy] using {CertificateThumbprint}...Correlation id for this request : 3fc46d11-3a89-45a4-a875-4b8ea01936d4 ❌
Error Log created at {file://C:/Users/urs.egli/46352-M365DSC-ErrorLog.log}
[3/3] Extracting [TeamsWorkloadPolicy] using {CertificateThumbprint}...Correlation id for this request : 7127eb42-a3f4-409b-8c33-8bcb11e1fc50 ❌
Error Log created at {file://C:/Users/urs.egli/46352-M365DSC-ErrorLog.log}
⌛ Export took {6 seconds}

Destination Path: ./

Microsoft 365 DSC Version

'1.23.1101.1'

Which workloads are affected

Teams

The DSC configuration

@{
    AllNodes = @(
        @{
            NodeName                    = "localhost"
            PSDscAllowPlainTextPassword = $true;
            PSDscAllowDomainUser        = $true;
            #region Parameters
            # Default Value Used to Ensure a Configuration Data File is Generated
            ServerNumber = "0"

        }
    )
    NonNodeData = @(
        @{
            # Tenant's default verified domain name
            OrganizationName = "basnet.onmicrosoft.com"

            # Azure AD Application Id for Authentication
            ApplicationId = "0aefaf9c-a720-4144-9baa-5e55121af831"

            # The Id or Name of the tenant to authenticate against
            TenantId = "xx.xx.xx"

            # Thumbprint of the certificate to use for authentication
            CertificateThumbprint = "63121B859B18B13D386A7BB65C525C21CF65FE68"

        }
    )
}

Verbose logs showing the problem

I get the following Errors
[2023.11.05 11:01:00]
{InvalidOperation}
System.Exception: [Forbidden] : Access Denied.
"Error during Export:"
bei Get-CsConfiguration<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\internal\Merged_internal.ps1: Zeile 12845
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\custom\Merged_custom_PsExt.ps1: Zeile 363
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 43971
bei Get-CsOnlineVoiceRoute<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 6353
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\DSCResources\MSFT_TeamsVoiceRoute\MSFT_TeamsVoiceRoute.psm1: Zeile 369
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCReverse.psm1: Zeile 615
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCUtil.psm1: Zeile 1321
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: xxxxx

[2023.11.05 11:01:02]
{InvalidOperation}
System.Exception: [Forbidden] : Access Denied.
"Error during Export:"
bei Get-CsConfiguration<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\internal\Merged_internal.ps1: Zeile 12845
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\custom\Merged_custom_PsExt.ps1: Zeile 363
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 43971
bei Get-CsOnlineVoiceRoutingPolicy<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 6417
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\DSCResources\MSFT_TeamsVoiceRoutingPolicy\MSFT_TeamsVoiceRoutingPolicy.psm1: Zeile 308
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCReverse.psm1: Zeile 615
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCUtil.psm1: Zeile 1321
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: xxxxx

[2023.11.05 11:01:03]
{InvalidOperation}
System.Exception: [Forbidden] : Access Denied.
"Error during Export:"
bei Get-CsConfiguration<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\internal\Merged_internal.ps1: Zeile 12845
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\custom\Merged_custom_PsExt.ps1: Zeile 363
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 43971
bei Get-CsTeamsWorkLoadPolicy<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 11322
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\DSCResources\MSFT_TeamsWorkloadPolicy\MSFT_TeamsWorkloadPolicy.psm1: Zeile 401
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCReverse.psm1: Zeile 615
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCUtil.psm1: Zeile 1321
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: xxxx

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-Bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : de-DE
OsMuiLanguages       : {de-DE}

Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

andikrueger commented 1 year ago

Did you assign any permission role to the application? See: https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication#setup-application-based-authentication

and for the roles:

https://learn.microsoft.com/en-us/microsoftteams/using-admin-roles#teams-roles-and-capabilities

RohitRaj-18 commented 9 months ago

Hello @andikrueger, I am also getting a similar error while exporting the configuration: Export-M365DSCConfiguration -Components @("TeamsVoiceRoute", "TeamsVoiceRoutingPolicy", "TeamsWorkloadPolicy") -ApplicationId 0aefaf9c-a720-4144-9baa-5e55121af831 -TenantId xx.xxx.xx -CertificateThumbprint.

The permission roles which have been assigned to the Azure AD App are as below:

Organization.Read.All
User.Read.All
Group.Read.All
AppCatalog.Read.All
TeamSettings.Read.All
Channel.ReadBasic.All
ChannelSettings.Read.All
ChannelMember.Read.All

However, regarding the role, I have assigned "Global Reader" & "Security Reader" to the Azure AD App.
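
One way to check what the application in this thread is actually granted, as an added example that is not part of the thread or of Microsoft365DSC: it lists the directory roles and the application (API) permissions held by the app's service principal, which are two separate grants. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may read applications and role assignments; the `$ApplicationId` parameter is a name introduced here.

```powershell
# Added example (not from the thread): audit what an app registration's service
# principal holds before using it for app-only authentication.
param(
    # The application (client) ID that is passed to Export-M365DSCConfiguration
    [Parameter(Mandatory)] [string] $ApplicationId
)

# Delegated sign-in with read-only scopes; nothing in this script changes the tenant.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

$sp = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
if (-not $sp) {
    throw "No service principal found for appId $ApplicationId in this tenant."
}

# 1) Directory roles assigned to the service principal (the "role" the thread asks about)
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All
$directoryRoles = foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{
        Kind  = 'DirectoryRole'
        Name  = $def.DisplayName
        Scope = $a.DirectoryScopeId      # '/' means tenant-wide
    }
}

# 2) Application permissions (app roles) that have been granted, e.g. Organization.Read.All
$grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$resources = @{}                         # cache of resource service principals by object ID
$appPermissions = foreach ($g in $grants) {
    if (-not $resources.ContainsKey($g.ResourceId)) {
        $resources[$g.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    }
    $role = $resources[$g.ResourceId].AppRoles | Where-Object { $_.Id -eq $g.AppRoleId }
    [pscustomobject]@{
        Kind  = 'AppPermission'
        Name  = $role.Value
        Scope = $g.ResourceDisplayName   # the API the permission belongs to
    }
}

# One combined view, so a missing or unexpectedly broad grant stands out
@($directoryRoles) + @($appPermissions) | Sort-Object Kind, Name | Format-Table -AutoSize
```

Save it as a `.ps1` file and pass the application ID as `-ApplicationId`; an empty `DirectoryRole` section means no directory role is assigned to the application.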