microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

Get-MgEntitlementManagementCatalog does not have a digital signature #2527

Open llewellynmarriottcer opened 6 months ago

llewellynmarriottcer commented 6 months ago

Describe the bug

Get-MgEntitlementManagementAssignment is defined in a .ps1 script which is not signed with a digital certificate.

To Reproduce

Steps to reproduce the behavior:

  1. Execute Get-MgEntitlementManagementCatalog on a system configured to block unsigned scripts e.g. AppLocker
  2. PowerShell tries to load <Module Path>\Microsoft.Graph.Identity.Governance\2.11.1\custom\Get-MgEntitlementManagementAssignment.ps1 but cannot as it does not have an approved digital signature.

Expected behavior

I expect these files to have the same digital signature as the rest of the module, allowing the command to work.

Debug Output

> Get-MgEntitlementManagementCatalog -Debug
CmdletInvocationException: File <Module Path>\Microsoft.Graph.Identity.Governance\2.11.1\custom\Get-MgEntitlementManagementAssignment.ps1 cannot be loaded because its operation is blocked by software restriction policies, such as those created by using Group Policy.
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(ScriptBlockClauseToInvoke clauseToInvoke, Boolean createLocalScope, Dictionary`2 functionsToDefine, List`1 variablesToDefine, ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis, Pipe outputPipe, InvocationInfo invocationInfo, Object[] args)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean useLocalScope, ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis, Pipe outputPipe, InvocationInfo invocationInfo, Boolean propagateAllExceptionsToTop, List`1 variablesToDefine, Dictionary`2 functionsToDefine, Object[] args)
   at System.Management.Automation.ScriptBlock.DoInvokeReturnAsIs(Boolean useLocalScope, ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis, Object[] args)
   at System.Management.Automation.CommandInvocationIntrinsics.InvokeScript(ScriptBlock sb, Boolean useNewScope, PipelineResultTypes writeToPipeline, IList input, Object[] args)
   at System.Management.Automation.CommandInvocationIntrinsics.InvokeScript(String script)
   at Microsoft.Graph.PowerShell.Runtime.PowerShell.PsHelpers.RunScript[T](CommandInvocationIntrinsics cii, String script)
   at Microsoft.Graph.PowerShell.Runtime.PowerShell.PsExtensions.RunScript[T](PSCmdlet cmdlet, String script)
   at Microsoft.Graph.PowerShell.Runtime.PowerShell.PsHelpers.GetScriptCmdlets(PSCmdlet cmdlet, String scriptFolder)
   at Microsoft.Graph.PowerShell.Runtime.PowerShell.GetScriptCmdlet.ProcessRecord()
Get-Command: <Module Path>\Microsoft.Graph.Identity.Governance\2.11.1\exports\ProxyCmdletDefinitions.ps1:15176
 Line |
15176 |          $cmdInfo = Get-Command -Name $mapping[$parameterSet]
      |                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      | The term 'Microsoft.Graph.Identity.Governance.custom\Get-MgEntitlementManagementCatalog' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
      | try again.
ParentContainsErrorRecordException: <Module Path>\Microsoft.Graph.Identity.Governance\2.11.1\exports\ProxyCmdletDefinitions.ps1:15177
 Line |
15177 |          [Microsoft.Graph.PowerShell.Runtime.MessageAttributeHelper]:: …
      |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      | Exception calling "ProcessCustomAttributesAtRuntime" with "4" argument(s): "Object reference not set to an instance of an object."

Module Version

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.11.1                Microsoft.Graph.Authentication      {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}
Script     2.11.1                Microsoft.Graph.Identity.Governance {Add-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision, Get-MgAgreement, Get-MgAgreementAcceptance, Get-MgAgreementAcceptanceCount…}

Environment Data


Name                           Value
----                           -----
PSVersion                      7.4.0
PSEdition                      Core
GitCommitId                    7.4.0
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0


Additional context

Running Get-AuthenticodeSignature <Module Path>\Microsoft.Graph.Identity.Governance\2.11.1\custom\Get-MgEntitlementManagementAssignment.ps1 shows the file as having a status of NotSigned; viewing the file in a text editor shows no signature block.

marcgoff commented 5 months ago

Any update on this issue? This breaks our Just Enough Administration configuration.

llewellyn-marriott commented 5 months ago

> Any update on this issue? This breaks our Just Enough Administration configuration.

I worked around the signing issue by using an internal code signing certificate to sign the file myself.

See https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-authenticodesignature?view=powershell-7.4

Though this is not ideal as it requires an internal certificate/trusted root and means distributing an updated version of the module from an internal repository.
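The two steps discussed in this thread, checking which files in the module carry no valid Authenticode signature (the Get-AuthenticodeSignature check in the report) and re-signing them with an internal code-signing certificate (the workaround above), as an added example that is not part of the issue or of the Microsoft.Graph SDK. The module root under the user-scope module path and the certificate subject `CN=Contoso Internal Code Signing` are assumptions for the example; adjust both to your environment.

```powershell
<#
Added example, not code from the issue or the SDK.
Audits a Microsoft.Graph module directory for script files whose Authenticode
status is anything other than Valid, and (with -Sign) signs those files with an
internal code-signing certificate from the current user's store.
Assumptions (hypothetical): module installed in the user-scope module path,
signing certificate subject 'CN=Contoso Internal Code Signing'.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ModuleRoot = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) `
        'PowerShell\Modules\Microsoft.Graph.Identity.Governance'),
    [string]$CertSubject = 'CN=Contoso Internal Code Signing',   # assumed subject
    [string]$TimestampServer = 'http://timestamp.digicert.com',   # any RFC 3161 TSA
    [switch]$Sign
)

# 1. Audit: every file type PowerShell will load as script under an AppLocker/SRP
#    policy. The custom\*.ps1 files from the report are included by this pattern.
$files = Get-ChildItem -Path $ModuleRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Status = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Path   = $f.FullName
    }
}

$unsigned = @($report | Where-Object Status -ne 'Valid')
Write-Host ("{0} of {1} files are not validly signed" -f $unsigned.Count, $report.Count)
$unsigned | Format-Table Status, Signer, Path -AutoSize

if (-not $Sign -or $unsigned.Count -eq 0) { return }

# 2. Remediate: sign the unsigned files with the internal code-signing certificate.
#    -CodeSigningCert limits the search to certs with the Code Signing EKU.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq $CertSubject |
    Select-Object -First 1
if (-not $cert) {
    throw "No code-signing certificate with subject '$CertSubject' in Cert:\CurrentUser\My"
}

foreach ($u in $unsigned) {
    if ($PSCmdlet.ShouldProcess($u.Path, "Sign with $($cert.Subject)")) {
        $result = Set-AuthenticodeSignature -FilePath $u.Path -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampServer
        "{0,-12} {1}" -f $result.Status, $u.Path
    }
}

# 3. Re-check: after signing, the audit should report zero files that are not Valid.
$stillUnsigned = @(Get-ChildItem -Path $ModuleRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object Status -ne 'Valid')
if ($stillUnsigned.Count -gt 0) {
    Write-Warning "$($stillUnsigned.Count) file(s) still not validly signed"
}
```

Run it without `-Sign` first to get the audit only; `-Sign -WhatIf` lists what would be signed without touching the files. Two caveats apply to the workaround itself: the internal CA's root (and, for an `AllSigned` execution policy, the signing certificate under Trusted Publishers) must be deployed to every host that will load the module, and because signing changes the file contents, the re-signed module has to be distributed from an internal repository rather than pulled again from the PowerShell Gallery, exactly the limitation the comment above describes.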