Custom Intune RolesCannot bind argument to parameter 'RoleDefinitionId' because it is an empty string.

[hvdbrink]

Details of the scenario you tried and the problem that is occurring

In our configuration we have custom roles for specific teams that don't need Intune Admin rol. These are exported, but error on import and don't create them because of this

Verbose logs showing the problem

Cannot bind argument to parameter 'RoleDefinitionId' because it is an empty string. + CategoryInfo : InvalidData: (:) [], CimException + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Update-MgDeviceManagementRoleDefinition
+ PSComputerName : localhost

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

    IntuneRoleDefinition f9f4a1a9-27cd-4bf8-8b4c-269c5222b8e7
    {
        allowedResourceActions    = @("Microsoft.Intune_AppleDeviceSerialNumbers_Delete","Microsoft.Intune_AppleDeviceSerialNumbers_Update","Microsoft.Intune_EnrollmentProgramToken_Delete","Microsoft.Intune_AppleEnrollmentProfiles_Update","Microsoft.Intune_AppleDeviceSerialNumbers_Read","Microsoft.Intune_AppleEnrollmentProfiles_Assign","Microsoft.Intune_AppleDeviceSerialNumbers_Create","Microsoft.Intune_AppleEnrollmentProfiles_Read","Microsoft.Intune_AppleEnrollmentProfiles_Create");
        Credential                = $Credscredential;
        Description               = "With this Custom Role users can read, upload the devices Hash.";
        DisplayName               = "Enrollment Administrators";
        Ensure                    = "Present";
        Id                        = "e05c399b-97d7-4b97-95cd-668ab7b6ad20";
        IsBuiltIn                 = $False;
        notallowedResourceActions = @();
        roleScopeTagIds           = @("0");

The operating system the target node is running

OsName : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-US
OsMuiLanguages : {en-US, en-GB}

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.111.1

[ykuijs]

Code incorrectly handles the retrieval of the definition. If the ID does not exist, it does not also check the DisplayName and if also not found, return the NullReturn. The current if/else-statement does not allow that:

Microsoft365DSC/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleDefinition/MSFT_IntuneRoleDefinition.psm1

Lines 95 to 114 in 74c7cf5

	if($Id -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')
	{
	$getValue = Get-MgDeviceManagementRoleDefinition -RoleDefinitionId $id -ErrorAction SilentlyContinue
	if($null -ne $getValue){
	Write-Verbose -Message "Found something with id {$id}"
	}
	}
	else
	{
	Write-Verbose -Message "Nothing with id {$id} was found"
	$Filter = "displayName eq '$DisplayName'"
	$getValue = Get-MgDeviceManagementRoleDefinition -Filter $Filter -ErrorAction SilentlyContinue
	if($null -ne $getValue){
	Write-Verbose -Message "Found something with displayname {$DisplayName}"
	}
	else{
	Write-Verbose -Message "Nothing with displayname {$DisplayName} was found"
	return $nullResult
	}
	}

The Else needs to get changed, so it also checks for the name and return the NullReturn when that also not exists.

Fix will be included my a next PR