microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

O365OrgSettings - Get-DefaultTenantMyAnalyticsFeatureConfig permission issue #4146

Open YenNantes opened 8 months ago

YenNantes commented 8 months ago

Description of the issue

The Get-DefaultTenantMyAnalyticsFeatureConfig cmdlet from the resource "O365OrgSettings" requires one of the following roles: Global Administrator, Exchange Administrator, Insights Administrator.

source: https://learn.microsoft.com/en-us/powershell/module/exchange/get-defaulttenantmyanalyticsfeatureconfig?view=exchange-ps

Global Reader unfortunately does not fly (I have tested it).

The problem is that we are planning to use M365DSC only to audit tenants. We are not allowed by the security team to get permissions that allow writing the config.

Would it be possible to isolate this cmdlet on a dedicated resource or at least build the resource in a way that the other settings will be exported if this cmdlet returns a permissions error?

Microsoft 365 DSC Version

1.24.110.1

Which workloads are affected

Office 365 Admin

The DSC configuration

Export-M365DSCConfiguration -Components @("O365OrgSettings")

Verbose logs showing the problem

[2024/01/12 06:43:38]
{ProtocolError}
Microsoft.Exchange.Management.RestApiClient.RestClientException: The following authorization requirements are not satisfied: ((TokenTypeAuthorizationRequirement(UserActAs, AppOnly)&ScopeAuthorizationRequirement(OrganizationSettings.Read, OrganizationSettings.ReadWrite, OrganizationSettings.Read, OrganizationSettings.ReadWrite))|WidsAuthorizationRequirement(62e90394-69f5-4237-9190-012177145e10,29232cdf-9323-42fd-ade2-1d097af3e4de,69091246-20e8-4a56-aa4d-066075b2a7a8,eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c)).
   at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.HandleErrorResponse(HttpResponseMessage response, String settingsName)
   at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.MakeAndSendGetRequest[T](String settingsName, Uri uri)
   at Microsoft.Exchange.Management.RestApiClient.Analytics.GetDefaultTenantMyAnalyticsFeatureConfig.InternalProcessRecord()
   at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.<ProcessRecord>b__34_0()
   at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.ExecuteWithExceptionHandling(Action action, Exception& exception)
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 289
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1056
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\modules\M365DSCReverse.psm1: line 639
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\modules\M365DSCUtil.psm1: line 1312
at <ScriptBlock>, <No file>: line 1
TenantId: erfitcs02.onmicrosoft.com

[2024/01/12 06:43:46]
{InvalidOperation}
System.Management.Automation.RuntimeException: You cannot call a method on a null-valued expression.
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
   at System.Management.Automation.PSScriptCmdlet.RunClause(Action`1 clause, Object dollarUnderbar, Object inputToProcess)
   at System.Management.Automation.PSScriptCmdlet.DoEndProcessing()
   at System.Management.Automation.CommandProcessorBase.Complete()
"Error during Export:"
at Get-M365DSCExportContentForResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\modules\M365DSCUtil.psm1: line 3333
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1061
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\modules\M365DSCReverse.psm1: line 639
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1227.1\modules\M365DSCUtil.psm1: line 1312
at <ScriptBlock>, <No file>: line 1
TenantId: erfitcs02.onmicrosoft.com

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22000.1.amd64fre.co_release.210604-1628
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PS C:\Windows\system32>
PS C:\Windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.22000.2713
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22000.2713
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
Ben-m-s commented 7 months ago

Hi all, we are impacted by the exact same issue. Granting high privileges for the application to simply take a snapshot goes against best practices. This improvement would be highly appreciated. Thanks for the great work put in this initiative, by the way.

ricmestre commented 7 months ago

Ditto.

@nikcharlebois @andikrueger I also have a customer that wants to start in read-only mode, and O365 is one of the workloads they want, and telling them that an admin account is needed, and not Global Reader, is not gonna fly with them. Additionally, in some corner cases the resource also seems to create missing Service Principals during the export, so this will also need some kind of admin access even if you just need read-only.

Ben-m-s commented 7 months ago

Would it be possible to determine the exact permissions that are needed, and create a custom role with those permissions? Then, the custom role would be assigned to the custom Service Principal.

In other words: is there a collection of (read-only) permissions that can be compiled into a custom role that would allow Microsoft365DSC to run all its workloads?

andikrueger commented 7 months ago

I had the same thought earlier. The obvious challenge would be to test all possible combinations of permissions.

I assume it’s feasible to start with the Insights Admin Role which holds the least write permissions.

Ben-m-s commented 7 months ago

Doing some tests with custom directory roles I came across the following issue:

https://stackoverflow.com/questions/62304052/action-microsoft-directory-approleassignments-create-is-not-supported-for-cus
https://learn.microsoft.com/en-us/answers/questions/794953/custom-azure-ad-role-creation-problem

Custom directory roles do not support most of the permissions of OOTB directory roles. Thus, it is not possible to create a custom directory role with the minimum privileges needed (read-only) for taking a snapshot.

There is a request, where some people are asking Microsoft to support more permissions for custom directory roles:

https://feedback.azure.com/d365community/idea/118966ca-5c4d-ee11-a81c-000d3a040137

andikrueger commented 7 months ago

Thanks for looking into it. Looks like we are stuck with the current two options: either we warn about the permission issue, or we stick with a broken resource in those cases where not all permissions are given. I do not feel really comfortable with either option. Trying to fix the permission issue by catching the exception looks like the obvious solution. Within an export we can print out warnings.

This is truly not the expected scenario.
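One way the resource could tolerate the missing Insights role, as an added example that is not Microsoft365DSC's own code: the Insights cmdlet is isolated behind a try/catch that turns the authorization error from the log into a warning and leaves the MyAnalytics values unset, so the remaining org settings are still exported and the later null-valued-expression crash cannot happen. The cmdlet name and error text come from the page; the helper names, the placeholder Get-OtherOrgSettings call and the Feature/IsEnabled property names are assumptions.

```powershell
function Get-MyAnalyticsSettingsOrWarn {
    # Wraps the Insights cmdlet so that a missing role (Global Administrator,
    # Exchange Administrator or Insights Administrator) degrades to a warning
    # instead of aborting the whole O365OrgSettings export.
    [CmdletBinding()]
    param()
    try {
        return Get-DefaultTenantMyAnalyticsFeatureConfig -ErrorAction Stop
    }
    catch {
        $msg = $_.Exception.Message
        # Match on the RestClientException text shown in the issue's verbose log.
        if ($msg -like '*authorization requirements are not satisfied*') {
            Write-Warning ('Skipping MyAnalytics settings: the account lacks the ' +
                'Insights Administrator (or higher) role. Other O365OrgSettings ' +
                'will still be exported.')
            return $null
        }
        throw   # any other failure is a real error and should surface
    }
}

function Get-O365OrgSettingsSnapshot {
    # Assumed layout: the non-Insights settings come from a separate call
    # (placeholder name Get-OtherOrgSettings, passed in so it can be swapped),
    # and the MyAnalytics values are merged in only when the cmdlet succeeded.
    [CmdletBinding()]
    param([scriptblock]$OtherSettings = { Get-OtherOrgSettings })

    $result = @{}
    foreach ($kv in (& $OtherSettings).GetEnumerator()) {
        $result[$kv.Key] = $kv.Value
    }

    $insights = Get-MyAnalyticsSettingsOrWarn
    # The $null guard is what prevents the second error in the log
    # ("You cannot call a method on a null-valued expression").
    if ($null -ne $insights) {
        foreach ($item in $insights) {
            # Assumed properties: one object per feature with Feature and IsEnabled.
            $result["MyAnalytics_$($item.Feature)"] = $item.IsEnabled
        }
    }
    return $result
}
```

Running the snapshot with a Global Reader account then yields the hashtable of other settings plus a single warning, instead of the two stack traces above.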

YenNantes commented 4 months ago

Would it be at least possible to isolate MyAnalyticsFeatureConfig on a dedicated resource? This would allow auditing the other O365OrgSettings.