microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

AADAdministrativeUnit with dynamic MembershipType works only at creation #4087

Open gibi916 opened 9 months ago

gibi916 commented 9 months ago

Description of the issue

When I deploy a dynamic Administrative Unit for the first time with the following parameters:

    AADAdministrativeUnit $OrganizationalRelationship.DisplayName {
        DisplayName = "Test-Dynamic-Unit-DSC"
        Description = "Description"
        MembershipRule = '(user.userPrincipalName -contains "@xxx.com")'
        MembershipRuleProcessingState = "On"
        MembershipType = "Dynamic"
        Ensure = "Present"
        ApplicationId = $ApplicationId
        TenantId = $TenantId
        CertificateThumbprint = $Thumbprint
    }

Everything goes well: the administrative unit is created correctly, it is dynamic, and the membership is also correct.

But, when I deploy the same configuration again via my pipeline, the DSC configuration will first retrieve all the members and then end up with the following error:

    A parameter cannot be found that matches parameter name 'membershipType'.
         + CategoryInfo: InvalidArgument: (:) [], CimException
         + FullyQualifiedErrorId: NamedParameterNotFound,Update-MgBetaDirectoryAdministrativeUnit
         + PSComputerName: localhost

    VERBOSE: [fv-az390-40]: LCM: [ End Set ]
    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] in 223.7350 seconds.
    The PowerShell DSC resource '[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration' with
    SourceInfo 'D:\a\1\s\M365Config\0.0.1\DSCResources\EntraID\EntraID.schema.psm1::28::17::AADAdministrativeUnit' threw
    one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the
    ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
         + CategoryInfo: InvalidOperation: (:) [], CimException
         + FullyQualifiedErrorId: NonTerminatingErrorFromProvider
         + PSComputerName: localhost

    VERBOSE: [fv-az390-40]: LCM: [ End Set ]
    The SendConfigurationApply function did not succeed.
         + CategoryInfo: NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
         + FullyQualifiedErrorId: MI RESULT 1
         + PSComputerName: localhost

    VERBOSE: Operation 'Invoke CimMethod' complete.

I want to deploy dynamic administrative units and ensure their values through my pipeline, but it seems to work only for creation.

Thanks for your help.

Microsoft 365 DSC Version

1.23.1220.1

Which workloads are affected

Azure Active Directory

The DSC configuration

    AADAdministrativeUnit $OrganizationalRelationship.DisplayName {
        DisplayName = "Test-Dynamic-Unit-DSC"
        Description = "Description"
        MembershipRule = '(user.userPrincipalName -contains "@xxx.com")'
        MembershipRuleProcessingState = "On"
        MembershipType = "Dynamic"
        Ensure = "Present"
        ApplicationId = $ApplicationId
        TenantId = $TenantId
        CertificateThumbprint = $Thumbprint
    }

Verbose logs showing the problem

    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration]
    VERBOSE: [fv-az390-40]: LCM:  [ Start  Test     ]
    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration]
    VERBOSE: [fv-az390-40]:
    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] Testing configuration of the Azure AD
    Administrative Unit with Id {b9948da3-d097-4b2a-b228-f429000e35ad} and DisplayName {Test-Dynamic-Unit-DSC}
    VERBOSE: [fv-az390-40]:
    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] An Azure AD Administrative Unit with Id
    {b9948da3-d097-4b2a-b228-f429000e35ad} and DisplayName {Test-Dynamic-Unit-DSC} was found.
    VERBOSE: [fv-az390-40]:
    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] AU {Test-Dynamic-Unit-DSC}
    MembershipType {}
    VERBOSE: [fv-az390-40]:
    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] AU {Test-Dynamic-Unit-DSC} get Members
    VERBOSE: [fv-az390-40]:

    -------------------------------
    A parameter cannot be found that matches parameter name 'membershipType'.
         + CategoryInfo: InvalidArgument: (:) [], CimException
         + FullyQualifiedErrorId: NamedParameterNotFound,Update-MgBetaDirectoryAdministrativeUnit
         + PSComputerName: localhost

    VERBOSE: [fv-az390-40]: LCM: [ End Set ]
    [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] in 223.7350 seconds.
    The PowerShell DSC resource '[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration' with
    SourceInfo 'D:\a\1\s\M365Config\0.0.1\DSCResources\EntraID\EntraID.schema.psm1::28::17::AADAdministrativeUnit' threw
    one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the
    ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
         + CategoryInfo: InvalidOperation: (:) [], CimException
         + FullyQualifiedErrorId: NonTerminatingErrorFromProvider
         + PSComputerName: localhost

    VERBOSE: [fv-az390-40]: LCM: [ End Set ]
    The SendConfigurationApply function did not succeed.
         + CategoryInfo: NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
         + FullyQualifiedErrorId: MI RESULT 1
         + PSComputerName: localhost

    VERBOSE: Operation 'Invoke CimMethod' complete.

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.20348.2110
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.20348.2110
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion

gibi916 commented 4 months ago

It seems I don't have the issue in the latest version of M365 DSC, but it still retrieves all members of the admin unit...

2024-05-22T07:51:50.5295661Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] GET 
2024-05-22T07:51:50.5302636Z https://graph.microsoft.com/v1.0/directoryobjects/3cfc3b6e-3bad-476a-8a23-eeae9f731015 with 0-byte payload
2024-05-22T07:51:50.5653597Z VERBOSE: [fv-az516-242]:                            
2024-05-22T07:51:50.5671419Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] received 403-byte response of content 
2024-05-22T07:51:50.5676066Z type application/json
2024-05-22T07:51:50.5684868Z VERBOSE: [fv-az516-242]:                            
2024-05-22T07:51:50.5693265Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] AU {Test-Dynamic-Unit-DSC} member found:
2024-05-22T07:51:50.5701192Z  Type 'User' identity 'xxx@xxx.com'
2024-05-22T07:51:50.5708295Z VERBOSE: [fv-az516-242]:                            
2024-05-22T07:51:50.5715484Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] GET 
2024-05-22T07:51:50.5722362Z https://graph.microsoft.com/v1.0/directoryobjects/37321d6d-2ef4-4d08-a6a9-a54d0674684a with 0-byte payload
2024-05-22T07:51:50.6025143Z VERBOSE: [fv-az516-242]:                            
2024-05-22T07:51:50.6041054Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] received 426-byte response of content 
2024-05-22T07:51:50.6046533Z type application/json
2024-05-22T07:51:50.6054653Z VERBOSE: [fv-az516-242]:                            
2024-05-22T07:51:50.6062094Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] AU {Test-Dynamic-Unit-DSC} member found:
2024-05-22T07:51:50.6069104Z  Type 'User' identity 'xxx@xxx.com'
2024-05-22T07:51:50.6075873Z VERBOSE: [fv-az516-242]:                            
2024-05-22T07:51:50.6082670Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] GET 
2024-05-22T07:51:50.6089792Z https://graph.microsoft.com/v1.0/directoryobjects/0a2b7503-2f93-4824-95d4-be0e192160d2 with 0-byte payload
2024-05-22T07:51:50.6348480Z VERBOSE: [fv-az516-242]:                            
2024-05-22T07:51:50.6365957Z [[AADAdministrativeUnit]Test-Dynamic-Unit-DSC::[EntraID]EntraID_Configuration] received 502-byte response of content 
2024-05-22T07:51:50.6371299Z type application/json
2024-05-22T07:51:50.6379150Z VERBOSE: [fv-az516-242]: 

And it takes a lot of execution time. As it's a dynamic admin unit, why retrieve all admin unit members?
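An added example, not code from this issue or from Microsoft365DSC, covering both points raised in the thread: checking whether the membership settings of an administrative unit match the desired state (the Test pass above logs `MembershipType {}` before the Set pass fails on the `membershipType` parameter), and not enumerating members when the unit is dynamic (the cost the second comment asks about). It talks to the Graph beta `administrativeUnits` endpoint through `Invoke-MgGraphRequest` rather than through a named cmdlet parameter. The script parameters (`$DisplayName`, `$DesiredRule`, `-Fix`), the assumed `Connect-MgGraph` session and the assumed `AdministrativeUnit.ReadWrite.All` permission are this example's own assumptions.

```powershell
# Added example (not part of the issue or of Microsoft365DSC).
# Assumes: Microsoft.Graph is installed and Connect-MgGraph has already been
# run with an identity holding AdministrativeUnit.ReadWrite.All (assumption).
param(
    [Parameter(Mandatory)] [string] $DisplayName,   # e.g. 'Test-Dynamic-Unit-DSC'
    [string] $DesiredRule = '(user.userPrincipalName -contains "@xxx.com")',
    [switch] $Fix                                    # PATCH the unit if it drifted
)

$base = 'https://graph.microsoft.com/beta/administrativeUnits'

# Look the unit up by display name. OData string literals are single-quoted,
# so an embedded single quote is escaped by doubling it.
$escaped = $DisplayName.Replace("'", "''")
$filter  = [uri]::EscapeDataString("displayName eq '$escaped'")
$found   = Invoke-MgGraphRequest -Method GET -Uri "${base}?`$filter=$filter"
if (-not $found.value -or $found.value.Count -eq 0) {
    throw "No administrative unit named '$DisplayName' found."
}
$au = $found.value[0]   # Invoke-MgGraphRequest returns hashtables with camelCase keys

# The three properties that decide whether a unit is dynamic and what it matches.
[pscustomobject]@{
    Id                            = $au.id
    MembershipType                = $au.membershipType
    MembershipRule                = $au.membershipRule
    MembershipRuleProcessingState = $au.membershipRuleProcessingState
} | Format-List

$desired = @{
    membershipType                = 'Dynamic'
    membershipRule                = $DesiredRule
    membershipRuleProcessingState = 'On'
}

# Compare key by key; a null or empty value on the tenant side counts as drift.
$drift = foreach ($k in $desired.Keys) {
    if ([string]$au.$k -ne [string]$desired[$k]) {
        "$k : '$($au.$k)' -> '$($desired[$k])'"
    }
}

if ($drift) {
    Write-Warning ("Drift detected:`n  " + ($drift -join "`n  "))
    if ($Fix) {
        # Send the properties in the request body instead of as named cmdlet
        # parameters, so the call does not depend on the installed
        # Microsoft.Graph.Beta module exposing a -MembershipType parameter
        # (the parameter the error in this issue reports as missing).
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($au.id)" `
            -Body $desired -ContentType 'application/json'
        Write-Host 'Administrative unit updated.'
    }
} else {
    Write-Host 'Membership settings match the desired state.'
}

# Member enumeration only tells you something for an assigned (static) unit:
# for a dynamic unit the rule owns the membership, so listing members is
# pure cost and latency and is skipped here.
if ($au.membershipType -eq 'Dynamic') {
    Write-Host 'Dynamic unit: skipping member enumeration.'
} else {
    $members = Invoke-MgGraphRequest -Method GET `
        -Uri "$base/$($au.id)/members?`$select=id,displayName,userPrincipalName"
    Write-Host "$($members.value.Count) assigned member(s) returned on the first page."
}
```

Run it as `.\Check-DynamicAU.ps1 -DisplayName 'Test-Dynamic-Unit-DSC'` to report drift only, and add `-Fix` to apply the desired membership settings. Branching on `membershipType` before touching `/members` is the same shortcut a DSC Test/Set pass could take for dynamic units.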