microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

O365OrgSettings: Which roles are actually required for Read and for Write? #4340

Open ricmestre opened 6 months ago

ricmestre commented 6 months ago

Description of the issue

One of our customers decided they wanted to use the O365 workload, but I'm having a hard time with it since there are no instructions on https://microsoft365dsc.com about which permissions are required, so I could only gather what was needed so far by reading code and searching the interwebs.

For the whole O365 workload I've created a single app and added these Write API permissions, which were taken from what's in settings.json combined for all 5 resources.

image

Then I created an Exchange role group with both "Audit Logs" and "Organization Configuration" roles, and had problems already here because you cannot actually add the app registration directly to the role group like you normally would; you need to create a new Service Principal and associate it with the app registration, and it is that SP that will get added to the role group.

After having a discussion in some other thread I found out O365OrgSettings would need at least the "Insights Administrator" AAD role, which I also granted to the app registration, and I'm able to read and write everything; the exception is that I cannot change PlannerAllowCalendarSharing, only read it. Which permission or role am I missing here? Additionally, running the commands by hand it seems there are more settings inside, but only allowCalendarSharing is included in the export as seen below, so should they also be added to the resource?

image

@nikcharlebois @andikrueger So the question is basically what is required for reading the entire O365 workload, and what is required for writing, both in terms of API permissions and roles; if what I've shared above is already correct then I'll just need the info on what's missing. Most likely I'm just missing a role for fiddling with the Planner; I looked into PnPcli-microsoft365 and they say "Global Administrator" is required to change these settings. That will be a hard sell with the customer, but if that's the case there's nothing we can do; at least for reading it works right now, but this whole workload definitely needs to be added to the documentation on microsoft365dsc.com.

Microsoft 365 DSC Version

1.23.214.2

Which workloads are affected

other

The DSC configuration

N/A

Verbose logs showing the problem

VERBOSE: [REDACTED]: [[O365OrgSettings]O365OrgSettings] Updating the Planner Allow Calendar Sharing setting to {False}
The remote server returned an error: (403) Forbidden.
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:) [], CimException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
    + PSComputerName        : localhost

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, en-GB}

Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

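
The setup steps in the post above (one app registration, an Exchange Online role group holding "Audit Logs" and "Organization Configuration", a separate Exchange service principal added to that group, and an Entra directory role on top) are easy to get subtly wrong, and the 403 only tells you that something is missing. The following PowerShell script is an added example, not code from Microsoft365DSC or from the issue author: it wires the Exchange service principal and role group up the way the post describes and then prints everything the identity actually holds (Exchange role group membership, granted Graph application permissions, Entra directory roles) so it can be compared with the resource's settings.json before a write is attempted. It assumes the Microsoft.Graph (SDK 2.x) and ExchangeOnlineManagement modules are installed, that the caller has rights to read applications and manage Exchange role groups, and that the role group name is a placeholder of my choosing; `-ServiceId` is the current parameter name on `New-ServicePrincipal` (older module versions call it `-ObjectId`).

```powershell
# Added example (not Microsoft365DSC code): register the Exchange service
# principal for an existing app registration, put it in a least-privilege
# role group, then report every permission/role the identity holds.
param(
    [Parameter(Mandatory)] [string] $AppId,             # Application (client) ID of the app registration
    [string] $RoleGroupName = 'M365DSC O365 Workload'    # hypothetical role group name, change as needed
)

Import-Module Microsoft.Graph.Applications
Import-Module ExchangeOnlineManagement

# Read-only Graph scopes are enough for the reporting part; EXO handles the writes.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Resolve the Entra service principal that backs the app registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# 2. Exchange Online keeps its own service-principal object. The role group
#    member must be that object (keyed by the Entra object id), not the app.
$exoSp = Get-ServicePrincipal -Identity $sp.Id -ErrorAction SilentlyContinue
if (-not $exoSp) {
    $exoSp = New-ServicePrincipal -AppId $AppId -ServiceId $sp.Id -DisplayName $sp.DisplayName
}

# 3. Create the role group with only the two roles the post found necessary.
$roles = 'Audit Logs', 'Organization Configuration'
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $roles `
        -Description 'Least-privilege group for the M365DSC O365 workload' | Out-Null
}
# Adding an existing member is not an error worth stopping on.
Add-RoleGroupMember -Identity $RoleGroupName -Member $sp.Id -ErrorAction SilentlyContinue

# 4a. What Exchange thinks the group contains.
Write-Host "`n== Exchange role group members ($RoleGroupName) =="
Get-RoleGroupMember -Identity $RoleGroupName | Select-Object Name, RecipientType

# 4b. Granted Graph *application* permissions (app role assignments), resolved
#     from app-role GUIDs to the names you see in settings.json.
Write-Host "`n== Granted Microsoft Graph application permissions =="
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graph.Id |
    ForEach-Object {
        $role = $graph.AppRoles | Where-Object Id -eq $_.AppRoleId
        [pscustomobject]@{ Permission = $role.Value; Description = $role.DisplayName }
    } | Sort-Object Permission | Format-Table -AutoSize

# 4c. Entra directory roles (e.g. Insights Administrator) held by the principal.
Write-Host "`n== Entra directory roles held by the service principal =="
Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties.displayName }
```

Run it once before `Export-M365DSCConfiguration` / `Start-DscConfiguration` and again after any role change; diffing the two reports against the Read and Write lists in settings.json shows exactly which grant is absent when a resource returns 403, and keeps the app on the narrowest set of Graph app roles and Exchange roles that still works.
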
andikrueger commented 6 months ago

Thank you for investigating the required permissions for this resource.

Maybe this holds a good pointer to look at: https://pnp.github.io/powershell/cmdlets/Get-PnPPlannerConfiguration.html - Even though I was not able to find said permission :(

Linking the other O365OrgSettings permission issue #4146.

ricmestre commented 6 months ago

@andikrueger The one I saw that said it required Global Admin was here, but I need to be sure so I can get back to the client with that info.

https://github.com/pnp/cli-microsoft365/blob/0ae7da4f294ba49b514519d057a6339ea742b972/docs/docs/cmd/planner/tenant/tenant-settings-set.mdx#L43