search

microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
1.63k stars 503 forks source link

Microsoft365DSC\EXOCalendarProcessing: Unsupported values for properties in M365TenantConfig.ps1 prevent the creation of .mof file #5122

Open MGPlex opened 1 month ago

MGPlex commented 1 month ago

Description of the issue

With a freshly generated M365TenantConfig.ps1 file it creates an error when trying to dot source it and make a .mof file.

Currently I am expriencing the following error:

Microsoft365DSC\EXOCalendarProcessing : At least one of the values 'Absent' is not supported or valid for property 'Ensure' on class 'EXOCa lendarProcessing'. Please specify only supported values: Present.

But I have seen this happen on other workloads as well.

Microsoft 365 DSC Version

1.24.904.1

Which workloads are affected

Exchange Online

The DSC configuration

EXOCalendarProcessing "EXOCalendarProcessing-alias@domain.com"
        {
            Credential           = $Credscredential;
            Ensure               = "Absent";
            Identity             = "alias@domain.com";
        }

Verbose logs showing the problem

Microsoft365DSC\EXOCalendarProcessing : At least one of the values 'Absent' is not supported or valid for property 'Ensure' on class 'EXOCalendarProcessing'. Please specify only supported values: 
Present.
At C:\users\micha\desktop\Oarsprong\M365TenantConfig.ps1:31108 char:9
+         EXOCalendarProcessing "EXOCalendarProcessing-ferrenoahkruisse ...
+         ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnsupportedValueForProperty,Microsoft365DSC\EXOCalendarProcessing

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Education
OsOperatingSystemSKU : 121
OsArchitecture       : 64 bits
WindowsVersion       : 2009
WindowsBuildLabEx    : 22000.1.amd64fre.co_release.210604-1628
OsLanguage           : nl-NL
OsMuiLanguages       : {nl-NL, en-US}

Key   : PSVersion
Value : 5.1.22000.3147
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.22000.3147
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion
FabienTschanz commented 1 month ago

@MGPlex To me, it seems like you can not "remove" the calendar processing. It is an "Update only" resource, which only allows updating values of the configuration, but not "removing" the values. That's why you cannot use Ensure = 'Absent'.

MGPlex commented 1 month ago

@MGPlex To me, it seems like you can not "remove" the calendar processing. It is an "Update only" resource, which only allows updating values of the configuration, but not "removing" the values. That's why you cannot use Ensure = 'Absent'.

@FabienTschanz , It would seem that way, but these values are directly exported from a live-environment with export-M365DSCConfiguration. It seems that something in that command goes wrong when it comes to the Exchange Workload, since this value is consistently incorrect with each exported user.

Now I am totally capable to edit M365TenantConfig.ps1, but for automation purposes I would rather see this file generated correctly.

FabienTschanz commented 1 month ago

I understand the issue. From my lab environment with some test users, there is no Ensure = 'Absent'. How do I have to configure it so that it results in the same export as yours? Do you happen to know that?

Are there any errors logged in the Event Viewer --> Applications and Services Log --> M365DSC?

MGPlex commented 1 month ago

I wouldn't know how to rebuild such an export file.

I run the following command:

Export-M365DSCConfiguration -Path $exportpath -FileName $filename -Components @("TeamsTemplatesPolicy", "AADAuthenticationContextClassReference","AADAuthenticationMethodPolicy", "AADAuthenticationMethodPolicyAuthenticator", "AADAuthenticationMethodPolicyEmail", "AADAuthenticationMethodPolicyFido2", "AADAuthenticationMethodPolicySms", "AADAuthenticationMethodPolicySoftware", "AADAuthenticationMethodPolicyTemporary", "AADAuthenticationMethodPolicyVoice", "AADAuthenticationMethodPolicyX509", "AADAuthenticationStrengthPolicy", "AADAuthorizationPolicy", "AADConditionalAccessPolicy", "AADCrossTenantAccessPolicy", "AADCrossTenantAccessPolicyConfigurationDefault", "AADCrossTenantAccessPolicyConfigurationPartner", "AADExternalIdentityPolicy", "AADGroupsSettings", "AADNamedLocationPolicy", "AADRoleDefinition", "AADSecurityDefaults", "AADServicePrincipal", "AADTenantDetails", "EXOAcceptedDomain", "EXOAddressBookPolicy", "EXOAddressList", "EXOAntiPhishPolicy", "EXOAntiPhishRule", "EXOApplicationAccessPolicy", "EXOAtpPolicyForO365", "EXOAuthenticationPolicy", "EXOAuthenticationPolicyAssignment", "EXOAvailabilityAddressSpace", "EXOAvailabilityConfig", "EXOCalendarProcessing", "EXOCASMailboxPlan", "EXOCASMailboxSettings", "EXOClientAccessRule", "EXODataClassification", "EXODataEncryptionPolicy", "EXODistributionGroup", "EXODkimSigningConfig", "EXOEmailAddressPolicy", "EXOGlobalAddressList", "EXOGroupSettings", "EXOHostedConnectionFilterPolicy", "EXOHostedContentFilterPolicy", "EXOHostedContentFilterRule", "EXOHostedOutboundSpamFilterPolicy", "EXOHostedOutboundSpamFilterRule", "EXOInboundConnector", "EXOIntraOrganizationConnector", "EXOIRMConfiguration", "EXOMailboxPermission", "EXOMalwareFilterPolicy", "EXOMalwareFilterRule", "EXOManagementRole", "EXOManagementRoleAssignment", "EXOManagementRoleEntry", "EXOMessageClassification", "EXOOMEConfiguration", "EXOOnPremisesOrganization", "EXOOrganizationConfig", "EXOOutboundConnector", "EXOOwaMailboxPolicy", "EXOPolicyTipConfig", "EXOQuarantinePolicy", "EXORecipientPermission", "EXORemoteDomain", "EXOReportSubmissionPolicy", "EXOReportSubmissionRule", "EXORoleAssignmentPolicy", "EXOSafeAttachmentPolicy", "EXOSafeAttachmentRule", "EXOSafeLinksPolicy", "EXOSafeLinksRule", "EXOSharedMailbox", "EXOSharingPolicy", "EXOTransportConfig", "EXOTransportRule", "IntuneAccountProtectionLocalUserGroupMembershipPolicy", "IntuneAccountProtectionPolicy", "IntuneAntivirusPolicyWindows10SettingCatalog", "IntuneAppConfigurationPolicy", "IntuneASRRulesPolicyWindows10", "IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager", "IntuneDeviceCleanupRule", "IntuneDeviceCompliancePolicyWindows10", "IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10", "IntuneDeviceConfigurationEndpointProtectionPolicyWindows10", "IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10", "IntuneDeviceConfigurationIdentityProtectionPolicyWindows10", "IntuneDeviceEnrollmentLimitRestriction", "IntuneDeviceEnrollmentPlatformRestriction", "IntuneDeviceEnrollmentStatusPageWindows10", "IntuneEndpointDetectionAndResponsePolicyWindows10", "IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined", "IntuneWindowsAutopilotDeploymentProfileAzureADJoined", "IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled", "IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10", "IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10", "O365AdminAuditLogConfig", "O365Group", "O365OrgCustomizationSetting", "O365OrgSettings", "O365SearchAndIntelligenceConfigurations", "SCAuditConfigurationPolicy", "SCAutoSensitivityLabelPolicy", "SCAutoSensitivityLabelRule", "SCCaseHoldPolicy", "SCCaseHoldRule", "SCComplianceCase", "SCComplianceSearch", "SCComplianceSearchAction", "SCComplianceTag", "SCDeviceConditionalAccessPolicy", "SCDeviceConfigurationPolicy", "SCDLPCompliancePolicy", "SCDLPComplianceRule", "SCFilePlanPropertyAuthority", "SCFilePlanPropertyCategory", "SCFilePlanPropertyCitation", "SCFilePlanPropertyDepartment", "SCFilePlanPropertyReferenceId", "SCFilePlanPropertySubCategory", "SCLabelPolicy", "SCProtectionAlert", "SCRetentionCompliancePolicy", "SCRetentionComplianceRule", "SCRetentionEventType", "SCRoleGroup", "SCRoleGroupMember", "SCSecurityFilter", "SCSensitivityLabel", "SCSupervisoryReviewPolicy", "SCSupervisoryReviewRule", "TeamsAppPermissionPolicy", "TeamsAppSetupPolicy", "TeamsChannelsPolicy", "TeamsClientConfiguration", "TeamsComplianceRecordingPolicy", "TeamsGuestCallingConfiguration", "TeamsGuestMeetingConfiguration", "TeamsGuestMessagingConfiguration", "TeamsMeetingConfiguration", "TeamsMeetingPolicy", "TeamsMessagingPolicy", "TeamsOrgWideAppSettings", "TeamsTemplatesPolicy", "TeamsUpdateManagementPolicy", "TeamsUpgradeConfiguration", "TeamsUpgradePolicy", "TeamsUserCallingSettings", "TeamsUserPolicyAssignment")

Excuse the weird code markup.

It seems where users don't use calendarprocessing, ensure is set to absent. For users with a calendarprocessing configuration this value is set to present.

I also wouldn't know how I would influence Export-M365DSCConfiguration in order to correct this behavior. It seems like this is exactly how it is read from the tenant.

image

I haven't found the correct graph call that's made to export this info. Then I could test what the tenant gives back.

As far as the logs go, I can't seem to find matching errors.

FabienTschanz commented 1 month ago

I am nowhere near with my know-how regarding Exchange. Can you tell me how I disable the calendar processing? I tried with some things inside of Outlook and in the Exchange configuration, but to no avail...

Also, the command you can run is Get-CalendarProcessing -Identity <Name>, then it will return the calendar processing configuration for the mailbox.

ricmestre commented 1 month ago

I don't use this resource, but without even looking at the code I bet it's random connection failures and you get $nullReturn.Ensure = "Absent"

It's just a matter of getting one of those users that appear with the calendar processing set Absent, run the cmdlet manually and check what's inside, most likely will look ok if the connection is fine.

ricmestre commented 1 month ago

Try to export it again and see if there's any message in the screen complaining about "Calendar processing settings for $($Identity) does not exist.", it could be this.

https://github.com/microsoft/Microsoft365DSC/blob/3c57bf8da46a821cd1bb3278fa1e6b34e0a4e919/Modules/Microsoft365DSC/DSCResources/MSFT_EXOCalendarProcessing/MSFT_EXOCalendarProcessing.psm1#L238

MGPlex commented 1 month ago

@ricmestre , you might be onto something here.

When I run the exchange command directly the output doesn't even contain a Ensure value. image

This seems to be generated by M365DSC itself and could be part of some sort of error handling, albeit not effective.

Our usage case for this export is that I use the .MOF file to read config data and export it to a (human readable) report for our clients. Therefore I should be able to trust the integrity of the exported data, which isn't entirely the case right now.

Frustratingly enough, the module did not throw these errors a month ago, but seem to have been created during the latest module update.

ricmestre commented 1 month ago

The Ensure property is specific to M365DSC, it won't appear in the output of Get-CalendarProcessing but if that's one of the affected users that appear as Absent in the blueprint then try what I said, try to do another export with -Verbose switch and while it's doing its thing check if there's any message "Calendar processing settings for $($Identity) does not exist."

The message is not too much helpful, this is because Get-CalendarProcessing is being called with ErrorAction set to SilentlyContinue which means that as an example the connection might fail and it won't give any error, it will happily continue but return $null and therefore you get that user as Absent in the blueprint.