microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Azure Automation / runbooks - issue with SP with Thumbprint #4548

Open Wopienkaatwork opened 6 months ago

Wopienkaatwork commented 6 months ago

Description of the issue

I wanted to run an export from a tenant with the help of a runbook, but when I use a service principal I get the following error message:

pulling DSC from Tenant 2024-Apr-11-2004PM
Exporting Microsoft 365 configuration for Workloads: AAD
Finding all resources for workload {AAD} and Mode {Default}
Authentication methods specified:

The code I used:

$creds = Get-AutomationPSCredential -Name "DemoTenant"   # credential asset; not used by the certificate-based call below
$path = "$env:TEMP"
$Date = $(Get-Date -f yyyy-MMM-dd-HHmmtt)   # 'mm' is minutes; the original 'HHMM' printed hour + month, hence '2004PM' in the output above

$ApplicationId = "xxxxxx"
$CertificateThumbprint = "xxxxxxx"
$TenantId = 'xxxxxxxxxxx.onmicrosoft.com'

write-output "Pulling DSC from Tenant $Date"

# Export the AAD workload with certificate (thumbprint) authentication; *>&1 goes last so every stream lands in the job output
Export-M365DSCConfiguration -Workloads @("AAD") -Path $path -FileName "runbook_$Date.ps1" -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId -GenerateInfo $true *>&1

I already installed all modules (Version 5.1). Is there an option to use runbooks with an SP with a thumbprint?

Microsoft 365 DSC Version

1.24.403.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

No response

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response

FabienTschanz commented 6 months ago

@Wopienkaatwork The certificate you are using must be imported into the certificate store of the local machine, e.g. using certutil. Below you find an example of how I do it on an Azure Runbook Hybrid Worker in System context.

$certPath = "C:\certificate.pfx"
$certificate = Get-PfxCertificate -FilePath $certPath      # reads the PFX (prompts for the password if it has one) to get its thumbprint
$thumbPrint = $certificate.Thumbprint
$null = "" | certutil -f -importpfx $certPath NoRoot       # -f overwrites an existing copy; piping "" answers the password prompt; NoRoot skips the chain's root

Export-M365DSCConfiguration...

The certutil command imports the pfx without the Root certificate in its chain and overwrites any previously existing certificate with that name. You could do this with Import-PfxCertificate as well, but in my case that didn't quite work out. But that's another story.
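As an added example (not code from the issue or from the Microsoft365DSC project), the runbook fragment below does the same thing as the certutil approach above but with .NET's X509 classes, and adds the checks a practitioner wants before the thumbprint is handed to Export-M365DSCConfiguration: that the private key was actually persisted into the LocalMachine store and that the certificate is not expired. It assumes a Hybrid Worker running as SYSTEM, that the PFX has been copied to C:\certificate.pfx, and that its password is stored as an Automation credential asset named 'M365DSC-PfxPassword'; the asset name, application id and tenant are assumptions, not values from the page.

```powershell
# Added example, not code from the issue or from the Microsoft365DSC project.
# Runbook fragment for an Azure Automation Hybrid Worker running as SYSTEM.
# Assumptions (not on the page): the PFX is at C:\certificate.pfx and its
# password is the Automation credential asset 'M365DSC-PfxPassword'; the
# application id and tenant below are placeholders.

$ApplicationId = 'xxxxxx'
$TenantId      = 'xxxxxxxxxxx.onmicrosoft.com'
$PfxPath       = 'C:\certificate.pfx'
$PfxPassword   = (Get-AutomationPSCredential -Name 'M365DSC-PfxPassword').Password  # SecureString
$Path          = $env:TEMP
$Date          = Get-Date -Format 'yyyy-MMM-dd-HHmmtt'   # 'mm' = minutes; 'MM' would print the month

# 1. Load the PFX with flags that put the private key in the machine key
#    container and persist it, so the key is still there after Add() below
#    and is readable by the SYSTEM account that runs the export.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword, $flags)
if (-not $cert.HasPrivateKey) { throw "PFX at $PfxPath contains no private key" }

# 2. Install into LocalMachine\My unless that thumbprint is already present.
#    Microsoft365DSC resolves -CertificateThumbprint through the Windows
#    certificate store, so a certificate object that exists only in this
#    session is not enough.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
$store.Open('ReadWrite')
try {
    if (-not ($store.Certificates | Where-Object Thumbprint -eq $cert.Thumbprint)) {
        $store.Add($cert)
    }
}
finally { $store.Close() }

# 3. Re-read the installed copy and fail fast on the two problems that
#    otherwise surface later as an opaque authentication failure.
$installed = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -ErrorAction Stop
if (-not $installed.HasPrivateKey) { throw "Installed cert $($cert.Thumbprint) has no private key accessible to this account" }
if ($installed.NotAfter -lt (Get-Date)) { throw "Cert $($cert.Thumbprint) expired on $($installed.NotAfter)" }

Write-Output "Pulling DSC from tenant $Date with certificate $($cert.Thumbprint)"

Export-M365DSCConfiguration -Workloads @('AAD') `
    -Path $Path -FileName "runbook_$Date.ps1" `
    -ApplicationId $ApplicationId `
    -TenantId $TenantId `
    -CertificateThumbprint $installed.Thumbprint `
    -GenerateInfo $true *>&1
```

The PFX on disk is a long-lived credential for the service principal, so once the import has succeeded on a worker it should be deleted or its ACL restricted to SYSTEM; after that the only copy of the key lives in the machine key store, which is what the thumbprint lookup needs. Keeping the PFX password in an Automation credential asset rather than in the runbook text keeps it out of job history and source control.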