microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Minimum 'Azure (custom) role' / 'permissions' for O365 export #4938

Open dBase-be opened 1 month ago

dBase-be commented 1 month ago

Description of the issue

For the export of the Office 365 workload I'm using a Service Principal with Certificate Thumbprint. I have configured the permissions correctly on the app registration, similar to the output of Get-M365DSCCompiledPermissionList for all O365 components, which shows:

$O365ResourceNameList = @("O365AdminAuditLogConfig", "O365Group", "O365OrgCustomizationSetting", "O365OrgSettings", "O365SearchAndIntelligenceConfigurations")

Get-M365DSCCompiledPermissionList -ResourceNameList $O365ResourceNameList  -PermissionType 'Application' -AccessType 'Read'
Name                           Value
----                           -----
API                            Graph
PermissionName                 Organization.Read.All
API                            Exchange
PermissionName                 Exchange.ManageAsApp
API                            Graph
PermissionName                 Group.Read.All
API                            Graph
PermissionName                 Application.ReadWrite.All
API                            Graph
PermissionName                 ReportSettings.Read.All
API                            Graph
PermissionName                 OrgSettings-Microsoft365Install.Read.All
API                            Graph
PermissionName                 OrgSettings-Forms.Read.All
API                            Graph
PermissionName                 OrgSettings-Todo.Read.All
API                            Graph
PermissionName                 OrgSettings-AppsAndServices.Read.All
API                            Graph
PermissionName                 OrgSettings-DynamicsVoice.Read.All
API                            Graph
PermissionName                 Tasks.Read.All

However, I'm getting the following error:

Insufficient privileges to complete the operation. Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied Date: 2024-07-29T09:22:52 Headers: Transfer-Encoding : chunked Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : client-request-id : x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"010","RoleInstance":"AM4PEPF0003341B"}} x-ms-resource-unit : 1 Cache-Control : no-cache Date : Mon, 29 Jul 2024 09:22:52 GMT ([Authorization_RequestDenied] : Insufficient privileges to complete the operation.)

I think the app registration might need an extra role to be able to export the O365 workload? I'm aware of the following article https://microsoft365dsc.com/concepts/personas/, which refers to the 'Global Reader' and 'Security Reader' roles. Both these roles have a lot of permissions and are privileged roles (four eyes, need approval), which makes them unsuitable for our automated backup solution.

Is there a way to build a minimal custom role which can export the O365 workload? How can we achieve this?

Side question: why does O365 need Application.ReadWrite.All for read-only mode to work? Is there any documentation/explanation on this requirement?

Microsoft 365 DSC Version

1.24.717.1

Which workloads are affected

Office 365 Admin

The DSC configuration

$Workload = 'O365'
Export-M365DSCConfiguration -Workloads $Workload -Mode $Mode -Path $Path -ApplicationId $ApplicationId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint  -ErrorAction Continue

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response
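Before looking for an extra directory role, it is worth confirming that every permission the compiled list asks for is actually granted (admin-consented) on the service principal, since a 403 Authorization_RequestDenied from Graph is exactly what a missing or unconsented application permission produces. The script below is an added example, not code from the issue or from the Microsoft365DSC project. It assumes the Microsoft.Graph.Applications module is installed, that the signed-in account may read applications, that `$ApplicationId` is replaced with the app registration's client ID (placeholder), and that the API labels returned by Get-M365DSCCompiledPermissionList map to the service principal display names 'Microsoft Graph' and 'Office 365 Exchange Online' (an assumption).

```powershell
# Added example (not part of the issue or the project): compare the permissions
# Microsoft365DSC says the O365 resources need with the app roles actually
# assigned to the app registration's service principal.
Import-Module Microsoft365DSC
Import-Module Microsoft.Graph.Applications

$ApplicationId = '00000000-0000-0000-0000-000000000000'   # placeholder: your app registration's client ID

# Assumed mapping from the API label in the compiled list to the resource
# service principal's display name in Entra ID.
$ApiDisplayName = @{
    'Graph'    = 'Microsoft Graph'
    'Exchange' = 'Office 365 Exchange Online'
}

# 1. What the O365 resources require for a read-only export (same call as in the issue).
$O365ResourceNameList = @('O365AdminAuditLogConfig', 'O365Group', 'O365OrgCustomizationSetting',
                          'O365OrgSettings', 'O365SearchAndIntelligenceConfigurations')
$required = Get-M365DSCCompiledPermissionList -ResourceNameList $O365ResourceNameList `
                -PermissionType 'Application' -AccessType 'Read' |
            ForEach-Object { [pscustomobject]@{ API = $ApiDisplayName[$_.API]; Permission = $_.PermissionName } }

# 2. What is actually granted: each app role assignment on the service principal,
#    resolved from its role ID to the role's string value on the resource principal.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$sp = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
if (-not $sp) { throw "No service principal found for appId $ApplicationId" }

$resourceCache = @{}
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        if (-not $resourceCache.ContainsKey($_.ResourceId)) {
            $resourceCache[$_.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        }
        $resource = $resourceCache[$_.ResourceId]
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }
        [pscustomobject]@{ API = $resource.DisplayName; Permission = $role.Value }
    }

# 3. Report anything required but not granted, and anything granted beyond the list
#    (the second view is useful when trimming the principal to least privilege).
$missing = $required | Where-Object {
    $need = $_
    -not ($granted | Where-Object { $_.API -eq $need.API -and $_.Permission -eq $need.Permission })
}
$extra = $granted | Where-Object {
    $have = $_
    -not ($required | Where-Object { $_.API -eq $have.API -and $_.Permission -eq $have.Permission })
}

Write-Host "Required but NOT granted (likely cause of 403):" -ForegroundColor Yellow
$missing | Format-Table -AutoSize
Write-Host "Granted but not required by the O365 export:" -ForegroundColor Cyan
$extra | Format-Table -AutoSize
```

A permission that appears in the app registration's "API permissions" blade but has no admin consent does not produce an app role assignment, so it shows up here as missing even though it looks configured in the portal. Note that Exchange.ManageAsApp only lets Exchange Online accept the app; Exchange additionally checks a directory role (typically Exchange Administrator or Global Reader) on the service principal, which this Graph-side check does not cover.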

dBase-be commented 1 week ago

Hello, does anyone have a way to perform a full export without using the built-in roles 'Global Reader' and 'Security Reader'? Since these roles necessitate PIM activation, they are not suitable for our automated process. Thanks!