Description
Description of the issue
Trying to create a new AADApplication, along with specifying Owners, AADApplicationPermissions and AdminConsent settings set to true. Compilation is good.
But, when the .MOF file is applied the FIRST time:
a. Application gets created.
b. Owners are NOT being set. Even though I mentioned 1 or 2 users as owners, they are not being set. The only owner at this time on the AADApplication is my DSC app registration, which created the app.
c. Application permissions (delegated & app-only) are being set.
d. But AdminConsent is not being set to true, even though the .MOF file contains it as TRUE.
When I apply the same .MOF file again (i.e. with the same Application DisplayName), this time:
a. Owners mentioned (above 1 or 2 users) are being set correctly now.
b. AdminConsent is still NOT being set to true (though the .MOF file has the correct value).
Suspected code block: MSFT_AADApplication.psm1 (Version: 1.25.611.1)
Line 742: $backCurrentOwners = $currentAADApp.Owners
As this is a new Application (first time), $currentAADApp will be $null. It is not clear why line 743 is needed.
Line 743: $currentParameters.Remove('Owners')
Lines 954 - 957: New-MgApplication with $currentParameters. Does not contain 'Owners' (removed in 743).
Lines 1078 - 1106: Owners are being added / removed. But this entire section somehow is not being called for first-time creation.
Lines 1131 - 1211: Permissions getting applied, but missing 'AdminConsent'.
AADApp-FirstTime-log.txt
AADApp-secondTime-log.txt
Microsoft 365 DSC Version
1.25.611.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
MOF FILE
============================
/*
@TargetNode='localhost'
@GeneratedBy=user1
@GenerationDate=06/26/2025 13:14:04
@GenerationHost=x-828
*/

instance of MSFT_AADApplicationPermission as $MSFT_AADApplicationPermission1ref
{
    AdminConsentGranted = False;
    Type = "Delegated";
    Name = "Group.Read.All";
    SourceAPI = "Microsoft Graph";
};

instance of MSFT_AADApplicationPermission as $MSFT_AADApplicationPermission2ref
{
    AdminConsentGranted = True;
    Type = "AppOnly";
    Name = "Policy.Read.All";
    SourceAPI = "Microsoft Graph";
};

instance of MSFT_AADApplication as $MSFT_AADApplication1ref
{
    CertificateThumbprint = "xxxx";
    IdentifierUris = {
    };
    SignInAudience = "AzureADMyOrg";
    Description = "this is to test C-App-OwnerTest";
    ApplicationTemplateId = NULL;
    ReplyURLs = {
    };
    DisplayName = "C-App-OwnerTest";
    OnPremisesPublishing = NULL;
    KnownClientApplications = {
    };
    Api = NULL;
    OptionalClaims = NULL;
    ModuleName = "Microsoft365DSC";
    TenantId = "aaa.com";
    KeyCredentials = {
    };
    AuthenticationBehaviors = {
    };
    Permissions = {
        $MSFT_AADApplicationPermission1ref,
        $MSFT_AADApplicationPermission2ref
    };
    GroupMembershipClaims = NULL;
    LogoutURL = NULL;
    ResourceID = "[AADApplication]AADApplication-C-App-OwnerTest::[C_AADApplication]AADApplication-conf";
    ApplicationId = "xxxxx";
    Ensure = "Present";
    Spa = NULL;
    Owners = {
        "user1@aaa.com",
        "user2@aaa.com"
    };
    IsFallbackPublicClient = False;
    ObjectId = "";
    ModuleVersion = "1.25.611.1";
    AvailableToOtherTenants = False;
    SourceInfo = "D:\\Setup\\C_AADApplication.schema.psm1::24::2::AADApplication";
    Homepage = NULL;
    PasswordCredentials = {
    };
    AppRoles = {
    };
    AppId = "";
    ConfigurationName = "M365Configuration";
};

instance of OMI_ConfigurationDocument
{
    Version="2.0.0";
    MinimumCompatibleVersion = "1.0.0";
    CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
    Author="user1";
    GenerationDate="06/26/2025 13:14:04";
    GenerationHost="x-828";
    Name="M365Configuration";
};
=========================
input .psd1 file
========================================================
@{
    AllNodes = @(
        @{
            NodeName = "localhost"
        }
    )
    NonNodeData = @{
        AAD = @{
            AADApplication = @(
                @{
                    AppId = "";
                    AuthenticationBehaviors = @();
                    AvailableToOtherTenants = $False;
                    DisplayName = "C-App-OwnerTest";
                    Description = "this is to test C-App-OwnerTest";
                    Ensure = "Present";
                    IdentifierUris = @();
                    IsFallbackPublicClient = $False;
                    KnownClientApplications = @();
                    ObjectId = "";
                    Owners = @("user1@aaa.com", "user2@aaa.com");
                    PublicClient = $False;
                    PublicClientRedirectUris = @();
                    ReplyURLs = @();
                    SignInAudience = "AzureADMyOrg";
                    Permissions = @(
                        @{
                            Name = "Group.Read.All"
                            Type = "Delegated"
                            SourceAPI = "Microsoft Graph"
                            AdminConsentGranted = $false
                        },
                        @{
                            Name = "Policy.Read.All"
                            Type = "Apponly"
                            SourceAPI = "Microsoft Graph"
                            AdminConsentGranted = $true
                        }
                    );
                }
            )
        }
    }
}
=========================================
Verbose logs showing the problem
Log files are attached in the issue description section: AADApp-FirstTime-log.txt, AADApp-secondTime-log.txt
Environment Information + PowerShell Version
OsName : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Key : PSVersion
Value : 5.1.17763.7434
Name : PSVersion
Key : PSEdition
Value : Desktop
Name : PSEdition
Key : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name : PSCompatibleVersions
Key : BuildVersion
Value : 10.0.17763.7434
Name : BuildVersion
Key : CLRVersion
Value : 4.0.30319.42000
Name : CLRVersion
Key : WSManStackVersion
Value : 3.0
Name : WSManStackVersion
Key : PSRemotingProtocolVersion
Value : 2.3
Name : PSRemotingProtocolVersion
Key : SerializationVersion
Value : 1.1.0.1
Name : SerializationVersion
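An added drift check for the behaviour reported above, written here as an independent example and not taken from the issue or from Microsoft365DSC: it reads the application's actual owners and consent state from Microsoft Graph so the first- and second-apply results can be compared without relying on the DSC verbose log. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules and an existing Connect-MgGraph session with read rights on applications and directory objects; the default parameter values mirror the issue's .psd1.

```powershell
# Added example, not Microsoft365DSC code. Assumes an active Connect-MgGraph session.
param(
    [string]$DisplayName = 'C-App-OwnerTest',
    [string[]]$ExpectedOwners = @('user1@aaa.com', 'user2@aaa.com'),
    # Expected permissions, mirroring the issue's .psd1 entries
    [hashtable[]]$ExpectedPermissions = @(
        @{ Name = 'Group.Read.All';  Type = 'Delegated'; AdminConsentGranted = $false },
        @{ Name = 'Policy.Read.All'; Type = 'AppOnly';   AdminConsentGranted = $true }
    )
)

$app = Get-MgApplication -Filter "displayName eq '$DisplayName'"
if (-not $app) { throw "Application '$DisplayName' not found" }

# 1. Owners: compare the UPNs actually set on the app registration with the expected list
$owners = Get-MgApplicationOwner -ApplicationId $app.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }
foreach ($upn in $ExpectedOwners) {
    $state = if ($owners -contains $upn) { 'OK' } else { 'MISSING' }
    'Owner   {0,-20} {1}' -f $upn, $state
}

# 2. Admin consent is recorded on the app's service principal, not on the application object:
#    delegated consent as an oauth2PermissionGrant (ConsentType AllPrincipals),
#    app-only consent as an appRoleAssignment against the Microsoft Graph service principal.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw "No service principal for appId $($app.AppId); admin consent cannot exist yet" }
# 00000003-0000-0000-c000-000000000000 is the well-known AppId of Microsoft Graph
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$grants  = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and resourceId eq '$($graphSp.Id)'"
$roles   = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

foreach ($perm in $ExpectedPermissions) {
    if ($perm.Type -eq 'Delegated') {
        $granted = [bool]($grants | Where-Object {
            $_.ConsentType -eq 'AllPrincipals' -and (($_.Scope -split ' ') -contains $perm.Name) })
    } else {
        $roleId  = ($graphSp.AppRoles | Where-Object { $_.Value -eq $perm.Name }).Id
        $granted = [bool]($roles | Where-Object { $_.AppRoleId -eq $roleId })
    }
    $state = if ($granted -eq $perm.AdminConsentGranted) { 'OK' } else { 'DRIFT' }
    'Consent {0,-16} {1,-9} expected={2} actual={3} {4}' -f `
        $perm.Name, $perm.Type, $perm.AdminConsentGranted, $granted, $state
}
```

Run it once after each Start-DscConfiguration pass; any MISSING or DRIFT line is a concrete artifact to attach alongside the verbose logs.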