microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Issues getting 365DSC setup with Update-M365DSCAzureAdApplication #4037

Closed rob-valto closed 5 months ago

rob-valto commented 9 months ago

Hello,

Hoping someone can help, I'm having problems using the Update-M365DSCAzureAdApplication cmdlet to get a service principal set up with all of the permissions so I can do large export/imports.

Rather than getting a login box pop up after executing the command, I get errors in PowerShell. I'm running PS as an admin. I've tried granular permissions but always get prompted for the permissions params. Any help would be appreciated. Tempted to try this on another machine.

Here's what I'm running

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC-F365C' -AdminConsent -Type Certificate -CreateSelfSignedCertificate -CertificatePath c:\Temp\M365DSC.cer -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Update)

I get this error in Powershell

File settings.json was not found for resource {Get-M365DSCAllResources}
You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.726.1\modules\M365DSCUtil.psm1:1732 char:9

andikrueger commented 8 months ago

Could you please share your Version of M365DSC?

Borgquite commented 6 months ago

Same issue here trying to renew a certificate - even running the command in the documentation doesn't work

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'}) -AdminConsent -Type Secret

You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.131.2\Modules\M365DSCUtil.psm1:1733 char:9
+         throw $errorText
+         ~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (You must specif...int parameters.:String) [], RuntimeException
    + FullyQualifiedErrorId : You must specify either the Credential or ApplicationId, TenantId and CertificateThumbpr
   int parameters.

This cmdlet used to prompt for login credentials. It's asking for the Credential parameter (tried passing something with Get-Credential, but it didn't work) and it's a bit cruel to request ApplicationId, TenantId and CertificateThumbprint when those are the things that this cmdlet is intended to create.

Microsoft365DSC version 1.24.131.2

RJEMDM commented 6 months ago

Same issue in version 1.24.313.1

Running

$allResources = Get-M365DSCAllResources
$allPermissions = Get-M365DSCCompiledPermissionList -ResourceNameList $allResources -PermissionType Application -AccessType Read
$ApplicationName = "Microsoft365DSC"
$ClientID = "MY_APP_ID"
$TenantID = "MY_TENANT_DOMAIN"

Update-M365DSCAzureAdApplication -ApplicationName $ApplicationName `
        -Permissions $allPermissions
        -Type Certificate
        -AdminConsent
        -ApplicationId $ClientID
        -TenantId $TenantID

Output


You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.313.1\Modules\M365DSCUtil.psm1:1801 char:9
+         throw $errorText
+         ~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (You must specif...int parameters.:String) [], RuntimeException
    + FullyQualifiedErrorId : You must specify either the Credential or ApplicationId, TenantId and CertificateThumbpr 
   int parameters.

andikrueger commented 6 months ago

What kind of authentication method do you want to use? Right now, no authentication method is chosen. For application authentication a certificate is missing. For credentials you need to revive the application id and all application authentication related parameters

Borgquite commented 6 months ago

@andikrueger The purpose of the Update-M365DSCAzureAdApplication cmdlet is to create the application ID and self-signed certificate used by Microsoft365DSC - how can we supply those credentials when that is what we are trying to create in the first place? (I.e. this is a chicken/egg situation)

That is why in the documentation, the values that the cmdlet is requesting are not supplied. It used to be that Microsoft365Dsc would put up a standard Azure/M365 login popup. Feels like the underlying authentication library has forgotten that this is what this cmdlet needs, and is now requiring them again for some reason.

https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#creating-a-custom-service-principal

andikrueger commented 6 months ago

This looks like the examples are not entirely up to date in the user guide. We did change the Update-M365DSCAzureAdApplication cmdlet a while ago to use the Microsoft Graph PowerShell module instead of the AZ PowerShell modules. This change improved the dependency situation and allows the creation of an application for M365 by using either Credentials for a Global Admin/Application Admin account or an already existing AAD app to create the new App for M365 DSC within the tenant.

Please review the cmdlet's help article for proper examples.

https://microsoft365dsc.com/user-guide/cmdlets/Update-M365DSCAzureAdApplication/

Borgquite commented 6 months ago

@andikrueger OK - so the user guide is out of date & we should be doing something like:

$creds = Get-Credential
Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'}) -AdminConsent -Type Secret -Credential $creds

or

$creds = Get-Credential
Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'}) -AdminConsent -Type Certificate -CreateSelfSignedCertificate -CertificatePath c:\Temp\M365DSC.cer -Credential $creds

I've just tested & seems to get me to the login page. I can't test more fully as I've already renewed our certificate manually & don't want to break anything. Does the user guide need updating then?

UPDATE: Sorry I have no idea how I missed the fact that the user doco was updated. But still see below.

Borgquite commented 6 months ago

@andikrueger It's still broken. Tried setting up a new application, but $credential doesn't work with multi-factor authentication.

$M365DSCRequiredPermissionsList = Get-M365DSCCompiledPermissionList -ResourceNameList @('AADAdministrativeUnit', 'AADGroup', 'AADUser', 'EXODistributionGroup', 'EXOManagementRoleAssignment') -PermissionType 'Application' -AccessType 'Update'
$M365DSCCredential = Get-Credential
Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSCTest123' -Permissions $M365DSCRequiredPermissionsList -AdminConsent -Type 'Certificate' -MonthsValid 24 -CreateSelfSignedCertificate -CertificatePath "C:\M365DSC123.cer" -Credential $M365DSCCredential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
2024-03-20 09:48:42 - Checking specified parameters                                                                                                                                                 
2024-03-20 09:48:42 -   Using a Certificate as credential                                                                                                                                           
2024-03-20 09:48:42 -                                                                                                                                                                               
2024-03-20 09:48:42 -   Make sure your certificate has the following prerequisites:                                                                                                                 
2024-03-20 09:48:42 -     KeySpec           : Signature                                                                                                                                             
2024-03-20 09:48:42 -     KeyLength         : 2048                                                                                                                                                  
2024-03-20 09:48:42 -     KeyAlgorithm      : RSA                                                                                                                                                   
2024-03-20 09:48:42 -     HashAlgorithm     : SHA256 or SHA1                                                                                                                                        
2024-03-20 09:48:42 -     Enhanced Key Uses : Client Authentication and Server Authentication                                                                                                       
2024-03-20 09:48:42 -     And the entire certificate chain is available!                                                                                                                            
2024-03-20 09:48:42 -                                                                                                                                                                               
2024-03-20 09:48:43 -                                                                                                                                                                               
2024-03-20 09:48:43 - Checking existance of AD Application                                                                                                                                          
2024-03-20 09:48:43 -   New Azure AD application 'Microsoft365DSCTest123' created!                                                                                                                  
2024-03-20 09:48:43 -                                                                                                                                                                               
2024-03-20 09:48:43 - Checking app permissions                                                                                                                                                      
2024-03-20 09:48:43 -   Checking permission 'Graph\Organization.Read.All'                                                                                                                           
2024-03-20 09:48:43 -   Checking permission 'Graph\AdministrativeUnit.Read.All'                                                                                                                     
2024-03-20 09:48:43 -   Checking permission 'Graph\AdministrativeUnit.ReadWrite.All'                                                                                                                
2024-03-20 09:48:43 -   Checking permission 'Graph\Application.Read.All'                                                                                                                            
2024-03-20 09:48:43 -   Checking permission 'Graph\Device.Read.All'                                                                                                                                 
2024-03-20 09:48:43 -   Checking permission 'Graph\Group.Read.All'                                                                                                                                  
2024-03-20 09:48:43 -   Checking permission 'Graph\RoleManagement.Read.Directory'                                                                                                                   
2024-03-20 09:48:43 -   Checking permission 'Graph\User.Read.All'                                                                                                                                   
2024-03-20 09:48:43 -   Checking permission 'Graph\Group.ReadWrite.All'                                                                                                                             
2024-03-20 09:48:43 -   Checking permission 'Graph\RoleManagement.ReadWrite.Directory'                                                                                                              
2024-03-20 09:48:43 -   Checking permission 'Graph\ReportSettings.ReadWrite.All'                                                                                                                    
2024-03-20 09:48:43 -   Checking permission 'Graph\User.ReadWrite.All'                                                                                                                              
2024-03-20 09:48:43 -   Checking permission 'Exchange\Exchange.ManageAsApp'                                                                                                                         
2024-03-20 09:48:44 -     Permission updated for application                                                                                                                                        
2024-03-20 09:48:44 -                                                                                                                                                                               
2024-03-20 09:48:44 - Waiting 10 seconds for application creation                                                                                                                                   
2024-03-20 09:48:44 -   ...                                                                                                                                                                         
2024-03-20 09:48:54 -                                                                                                                                                                               
2024-03-20 09:48:54 - Providing Admin Consent for application permissions                                                                                                                           
Invoke-RestMethod : {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must    
use multi-factor authentication to access '<redacted>'. Trace ID: 1dc6364c-0bc7-448f-88db-d554da521000 Correlation ID: b5ae7e11-9135-4e6a-afff-468e353391fb Timestamp:    
2024-03-20 09:48:54Z","error_codes":[50076],"timestamp":"2024-03-20 09:48:54Z","trace_id":"1dc6364c-0bc7-448f-88db-d554da521000","correlation_id":"b5ae7e11-9135-4e6a-afff-468e353391fb","error_uri 
":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCPermissions.psm1:1605 char:26
+                 $token = Invoke-RestMethod $uri `
+                          ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
2024-03-20 09:48:54 - [ERROR] [ERROR] Error while providing consent to the requested permissions. Please make sure you provide consent via the Azure AD Admin Portal.
2024-03-20 09:48:54 - Error details: The remote server returned an error: (401) Unauthorized.
2024-03-20 09:48:54 -
2024-03-20 09:48:54 - Checking app credentials
2024-03-20 09:48:54 -   Uploading App Certificate
2024-03-20 09:48:54 -     CreateSelfSignedCertificate specified, generating new Self Signed Certificate
2024-03-20 09:48:55 -     Certificate exported to C:\M365DSC123.cer
2024-03-20 09:48:55 -     Certificate details: CN=Microsoft365DSCTest123 (<redacted>)
2024-03-20 09:48:55 -  
2024-03-20 09:48:55 - Application Id: <redacted>
2024-03-20 09:48:55 -
2024-03-20 09:48:55 - NOTE: Make sure you add the application to the required Microsoft 365 (e.g. Global Admin) or Exchange (e.g. Organization Management) role groups as well!
2024-03-20 09:48:55 -       See the documentation for any required permissions.

RJEMDM commented 6 months ago

What kind of authentication method do you want to use? Right now, no authentication method is chosen. For application authentication a certificate is missing. For credentials you need to revive the application id and all application authentication related parameters

@andikrueger Retrying the workflow having set the required parameters to support Certificate Thumbprint authentication to an existing Service Principal and using an existing auth certificate (generated and then stored in the LocalMachine keystore), returns the same error.

My use of Update-M365DSCAzureAdApplication is to set necessary permissions on the Service Principal to allow Start-DSCConfiguration to import updated tenant configuration MOF file. This is failing due to inadequate permissions defined on the Service Principal for App-Only access.

For transparency, this script is being invoked and executed as part of a GitHub hosted Windows runner workflow

Script:

param([switch]$_restart)
if (-not $_restart) {
  powershell -Version 5.1 -File $MyInvocation.MyCommand.Definition -_restart
  exit
}

$PSVersionTable

Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies

winrm invoke Restore winrm/Config

winrm quickconfig -quiet

Set-WSManInstance -ValueSet @{MaxEnvelopeSizekb = "1000"} -ResourceURI winrm/config

$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My 
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine 
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation) 
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable 
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$pwd\cert.pfx", "Rewrite-Luncheon-Attendant0", $Flag) 
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) 
$Store.Add($Certificate) 
$Store.Close()

#Connect to Microsoft Graph using Certificate Thumbprint

$ApplicationName = "Microsoft365DSC"
$ClientID = "MY_APP_ID"
$TenantID = "MY_TENANT_DOMAIN"

Connect-MgGraph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $Certificate.Thumbprint

#Set Application permissions
$allResources = Get-M365DSCAllResources
$allPermissions = Get-M365DSCCompiledPermissionList -ResourceNameList $allResources -PermissionType Application -AccessType Read
$CertificatePath = "$pwd\cert.pfx"

Update-M365DSCAzureAdApplication -ApplicationName $ApplicationName `
        -Permissions $allPermissions `
        -Type Certificate
        -TenantId $TenantID
        -CertificatePath $CertificatePath
        -CertificateThumbprint $Certificate.Thumbprint
        -AdminConsent

Continues to fail to call the defined parameters within the authentication workflow.

Output

You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.313.1\Modules\M365DSCUtil.psm1:1801 char:9
+         throw $errorText
+         ~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (You must specif...int parameters.:String) [], RuntimeException
    + FullyQualifiedErrorId : You must specify either the Credential or ApplicationId, TenantId and CertificateThumbpr 
   int parameters.

Borgquite commented 6 months ago

@RJEMDM Your provided script doesn't include ApplicationId in the Update-M365DscAzureAdApplication call? Do you need to set that to $ClientID?

andikrueger commented 6 months ago

Update-M365DSCAzureAdApplication is still missing “-ApplicationId”

Borgquite commented 6 months ago

@andikrueger Can you help with the fact that -Credential doesn't work for multi-factor authentication accounts? (See above).

RJEMDM commented 6 months ago

Thanks @Borgquite. Appended script with -ApplicationId as noted and hard coded the parameter values, however the workflow continues to fail.

Am I missing anything else?

Script

param([switch]$_restart)
if (-not $_restart) {
  powershell -Version 5.1 -File $MyInvocation.MyCommand.Definition -_restart
  exit
}

$PSVersionTable

Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies

winrm invoke Restore winrm/Config

winrm quickconfig -quiet

Set-WSManInstance -ValueSet @{MaxEnvelopeSizekb = "1000"} -ResourceURI winrm/config

$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My 
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine 
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation) 
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable 
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$pwd\cert.pfx", "Rewrite-Luncheon-Attendant0", $Flag) 
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) 
$Store.Add($Certificate) 
$Store.Close()

#Connect to Microsoft Graph using Certificate Thumbprint

$ApplicationName = "Microsoft365DSC"
$ClientID = "MY_APP_ID"
$TenantID = "MY_TENANT_DOMAIN"

Connect-MgGraph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $Certificate.Thumbprint

#Set Application permissions
$allResources = Get-M365DSCAllResources
$allPermissions = Get-M365DSCCompiledPermissionList -ResourceNameList $allResources -PermissionType Application -AccessType Read
#$CertificatePath = "$pwd\cert.pfx"

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' `
        -Permissions $allPermissions `
        -Type Certificate
        -TenantId 'MY_TENANT_DOMAIN'
        -ApplicationId 'MY_APP_ID'
        -CertificatePath "$pwd\cert.pfx"
        -CertificateThumbprint 'MY_CERT_THUMBPRINT'
        -AdminConsent

Output

You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.313.1\Modules\M365DSCUtil.psm1:1801 char:9
+         throw $errorText
+         ~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (You must specif...int parameters.:String) [], RuntimeException
    + FullyQualifiedErrorId : You must specify either the Credential or ApplicationId, TenantId and CertificateThumbpr 
   int parameters.

Inspecting the offending M365DSCUtil.psm1 script, from line 1930, the addition of $InboundParameters.CertificatePassword being mentioned as a required parameter value for Connect-M365Tenant. Assume the defined CertificateThumbprint authentication parameter value likely is decoded with the password being passed through to the next function in the workflow. That being Connect-M365Tenant?

M365DSCUtil.psm1

 # Case only the ServicePrincipal with Thumbprint parameters are specified
    elseif ($null -eq $InboundParameters.Credential -and `
            -not [System.String]::IsNullOrEmpty($InboundParameters.ApplicationId) -and `
            -not [System.String]::IsNullOrEmpty($InboundParameters.TenantId) -and `
            -not [System.String]::IsNullOrEmpty($InboundParameters.CertificatePath) -and `
            $null -ne $InboundParameters.CertificatePassword)
    {
        if ([System.String]::IsNullOrEmpty($url))
        {
            Write-Verbose -Message 'ApplicationId, TenantId, CertificatePath & CertificatePassword were specified. Connecting via Service Principal'
            Connect-M365Tenant -Workload $Workload `
                -ApplicationId $InboundParameters.ApplicationId `
                -TenantId $InboundParameters.TenantId `
                -CertificatePassword $InboundParameters.CertificatePassword.Password `
                -CertificatePath $InboundParameters.CertificatePath `
                -SkipModuleReload $Global:CurrentModeIsExport

            if (-not $Script:M365ConnectedToWorkloads -contains "$Workload-ServicePrincipalWithPath")
            {
                $data.Add('ConnectionType', 'ServicePrincipalWithPath')
                if (-not $data.ContainsKey('Tenant'))
                {
                    $data.Add('Tenant', $InboundParameters.TenantId)
                }
                Add-M365DSCTelemetryEvent -Data $data -Type 'Connection'
                $Script:M365ConnectedToWorkloads += "$Workload-ServicePrincipalWithPath"
            }
            return 'ServicePrincipalWithPath'
        }
        #endregion

RJEMDM commented 6 months ago

Now working for me. How I had structured the switch parameters and values underneath the main function meant the function was unable to see or parse the parameters.

Previous script code

#Set Application permissions
$allResources = Get-M365DSCAllResources
$allPermissions = Get-M365DSCCompiledPermissionList -ResourceNameList $allResources -PermissionType Application -AccessType Read
#$CertificatePath = "$pwd\cert.pfx"

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' `
        -Permissions $allPermissions `
        -Type Certificate
        -TenantId 'MY_TENANT_DOMAIN'
        -ApplicationId 'MY_APP_ID'
        -CertificatePath "$pwd\cert.pfx"
        -CertificateThumbprint 'MY_CERT_THUMBPRINT'
        -AdminConsent

I omitted the -AdminConsent switch as it invokes a credentials prompt which the GitHub runner cannot render. Also, it isn't needed for my purpose of using Update-M365DSCAzureAdApplication.

Amended script code

#Set Application permissions
$allResources = Get-M365DSCAllResources
$allPermissions = Get-M365DSCCompiledPermissionList -ResourceNameList $allResources -PermissionType Application -AccessType Read
$CertificatePath = "Cert:\LocalMachine\Root\MY_CERT_THUMBPRINT"

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions $allPermissions -Type Certificate -TenantId 'MY_TENANT_DOMAIN' -ApplicationId 'MY_APP_ID' -CertificatePath $CertificatePath -CertificateThumbprint 'MY_CERT_THUMBPRINT'

Output

2024-03-20 16:12:18 - Checking specified parameters
2024-03-20 16:12:18 -   Using a Certificate as credential
2024-03-20 16:12:18 -  
2024-03-20 16:12:18 -   Make sure your certificate has the following prerequisites:
2024-03-20 16:12:18 -     KeySpec           : Signature
2024-03-20 16:12:18 -     KeyLength         : 2048
2024-03-20 16:12:18 -     KeyAlgorithm      : RSA
2024-03-20 16:12:18 -     HashAlgorithm     : SHA256 or SHA1
2024-03-20 16:12:18 -     Enhanced Key Uses : Client Authentication and Server Authentication
2024-03-20 16:12:18 -     And the entire certificate chain is available!
2024-03-20 16:12:18 -  
2024-03-20 16:12:25 -  
2024-03-20 16:12:25 - Checking existance of AD Application
2024-03-20 16:12:26 -   Application 'Microsoft365DSC' already exists!
2024-03-20 16:12:26 -  
2024-03-20 16:12:26 - Checking app permissions
2024-03-20 16:12:26 -   Checking permission 'Graph\Organization.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\AdministrativeUnit.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\RoleManagement.Read.Directory'
2024-03-20 16:12:26 -   Checking permission 'Graph\Application.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\CustomSecAttributeDefinition.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Policy.Read.ConditionalAccess'
2024-03-20 16:12:26 -   Checking permission 'Graph\Policy.ReadWrite.AuthenticationMethod'
2024-03-20 16:12:26 -   Checking permission 'Graph\Policy.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Agreement.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Group.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\User.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\EntitlementManagement.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\ReportSettings.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Directory.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\RoleEligibilitySchedule.Read.Directory'
2024-03-20 16:12:26 -   Checking permission 'Graph\RoleManagementPolicy.Read.Directory'
2024-03-20 16:12:26 -   Checking permission 'Graph\IdentityProvider.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Exchange\Exchange.ManageAsApp'
2024-03-20 16:12:26 -   Checking permission 'Graph\DeviceManagementConfiguration.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\DeviceManagementApps.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\DeviceManagementManagedDevices.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\DeviceManagementServiceConfig.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\DeviceManagementRBAC.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\OrgSettings-Microsoft365Install.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\OrgSettings-Forms.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\OrgSettings-Todo.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\OrgSettings-AppsAndServices.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\OrgSettings-DynamicsVoice.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Tasks.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Domain.Read.All'
2024-03-20 16:12:26 -   Checking permission 'SharePoint\Sites.FullControl.All'
2024-03-20 16:12:26 -   Checking permission 'SharePoint\User.Read.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Group.ReadWrite.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\AppCatalog.ReadWrite.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\TeamSettings.ReadWrite.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\Channel.Delete.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\ChannelSettings.ReadWrite.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\ChannelMember.ReadWrite.All'
2024-03-20 16:12:26 -   Checking permission 'Graph\ChannelSettings.Read.All'
2024-03-20 16:12:26 -     Permission updated for application
2024-03-20 16:12:26 -  
2024-03-20 16:12:26 - Checking app credentials
2024-03-20 16:12:26 -   CertificatePath specified 'D:\a\Microsoft365DSC\Microsoft365DSC\cert_base64.crt', using that certificate
2024-03-20 16:12:26 -     Specified certificate does not exist in the app, uploading now
2024-03-20 16:12:26 -     Certificate details: CN=MY_CERT_DOMAIN  (MY_CERT_THUMBPRINT)
2024-03-20 16:12:27 - Application Id: MY_APP_ID
2024-03-20 16:12:27 - NOTE: Make sure you add the application to the required Microsoft 365 (e.g. Global Admin) or Exchange (e.g. Organization Management) role groups as well!
2024-03-20 16:12:27 -       See the documentation for any required permissions.
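
The working call from the last comment, written as an added example (not code from the thread or from the Microsoft365DSC project) that passes the parameters by splatting, so binding does not depend on a backtick at the end of every line, and checks the service-principal values named in the error message before the cmdlet runs. The `M365DSC_*` environment variable names are assumptions; the certificate is expected in `Cert:\LocalMachine\My`, where the scripts above import it.

```powershell
# Added example. The M365DSC_* environment variable names are assumptions
# (for instance populated from pipeline secrets); they stand in for the
# MY_TENANT_DOMAIN / MY_APP_ID / MY_CERT_THUMBPRINT placeholders used in the thread.
$ErrorActionPreference = 'Stop'

$appParams = @{
    ApplicationName       = 'Microsoft365DSC'
    Type                  = 'Certificate'
    TenantId              = $env:M365DSC_TENANT_ID
    ApplicationId         = $env:M365DSC_APP_ID
    CertificateThumbprint = $env:M365DSC_CERT_THUMBPRINT
    # Certificate file the cmdlet uploads to the app registration
    # (see the "CertificatePath specified ..." line in the output above).
    CertificatePath       = $env:M365DSC_CERT_PATH
}

# The cmdlet's error names these three values for service-principal
# authentication. Fail early and report which one is empty: an unset
# environment variable expands to $null and would otherwise surface only
# as the generic "You must specify either the Credential or ..." message.
$missing = 'ApplicationId', 'TenantId', 'CertificateThumbprint' |
    Where-Object { [string]::IsNullOrWhiteSpace($appParams[$_]) }
if ($missing) {
    throw "Empty authentication parameter(s): $($missing -join ', ')"
}

# Confirm the certificate is in the store the scripts above import it into,
# that its private key is present, and that it has not expired.
$storePath = "Cert:\LocalMachine\My\$($appParams.CertificateThumbprint)"
if (-not (Test-Path -Path $storePath)) {
    throw "No certificate with thumbprint $($appParams.CertificateThumbprint) in Cert:\LocalMachine\My"
}
$cert = Get-Item -Path $storePath
if (-not $cert.HasPrivateKey) {
    throw 'Certificate was found but has no private key, so it cannot be used to authenticate.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# The file to upload must exist as well.
if ([string]::IsNullOrWhiteSpace($appParams.CertificatePath) -or
    -not (Test-Path -LiteralPath $appParams.CertificatePath)) {
    throw 'CertificatePath is empty or does not point to an existing file.'
}

# Same permission list as in the thread (read access for all resources).
$allResources = Get-M365DSCAllResources
$appParams.Permissions = Get-M365DSCCompiledPermissionList `
    -ResourceNameList $allResources `
    -PermissionType Application `
    -AccessType Read

# -AdminConsent is left out, as in the working call above: it prompts for
# credentials, which a hosted runner cannot display.
Update-M365DSCAzureAdApplication @appParams
```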