Open YenNantes opened 8 months ago
Hi all, we are impacted by the exact same issue. Granting high privileges for the application to simply take a snapshot goes against best practices. This improvement wold be highly appreciated. Thanks for the great work put in this initiative, by the way.
Ditto.
@nikcharlebois @andikrueger I also have a customer that wants to start in read-only mode, and O365 is one of the workloads they want, and telling them an admin account is needed and is not Global Reader this is not gonna fly with them. Additionally in some corner cases the resource also seems to create missing Service Principals during the export so this will also need some kind of admin access even if you just need read-only.
Would it be possible to determine the exact permissions that are needed, and create a custom role with those permissions? Then, the custom role would be assigned to the custom Service Principal.
In other words: is there a collection of (ReadOnly) permissions that can be compiled in a custom role that would allow the Microsoft365DSC to run all its workloads?
I had the same thought earlier. The obvious challenge would be to test all possible combinations of permissions.
I assume it’s feasible to start with the Insights Admin Role which holds the least write permissions.
Doing some tests with custom directory roles I came across the following issue:
https://stackoverflow.com/questions/62304052/action-microsoft-directory-approleassignments-create-is-not-supported-for-cus https://learn.microsoft.com/en-us/answers/questions/794953/custom-azure-ad-role-creation-problem
Custom directory roles do not support most of the permissions of OOTB directory roles. Thus, it is not possible to create a custom directory role with the minimum privileges needed (read-only) for taking a snapshot.
There is a request, where some people are asking Microsoft to support more permissions for custom directory roles:
https://feedback.azure.com/d365community/idea/118966ca-5c4d-ee11-a81c-000d3a040137
Thanks for looking into it. Looks like we are stuck with the current two options: Either we warn about the permission issue or we stick with a broken resource in those cases, that not all permissions are given. I do not feel really comfortable with the either option. Trying to fix the permission issue by catching the exception looks like the obvious solution. Within an export we can printout warnings.
This is truly not the expected scenario.
Would it be at least possible to isolate MyAnalyticsFeatureConfig on a dedicated resource? This would allow auditing the other O365OrgSettings.
Description of the issue
The Get-DefaultTenantMyAnalyticsFeatureConfig cmdlet from the resource "O365OrgSettings" requires one of the following roles: Global Administrator Exchange Administrator Insights Administrator
source: https://learn.microsoft.com/en-us/powershell/module/exchange/get-defaulttenantmyanalyticsfeatureconfig?view=exchange-ps
Global reader unfortunatly does not fly (I have tested it).
The problem is that we are planning to use M365DSC only to audit tenants. We are not allowed by the security team to get permissions allowing to write the config.
Would it be possible to isolate this cmdlet on a dedicated resource or at least build the resource in a way that the other settings will be exported if this cmdlet returns a permissions error?
Microsoft 365 DSC Version
1.24.110.1
Which workloads are affected
Office 365 Admin
The DSC configuration
Verbose logs showing the problem
Environment Information + PowerShell Version