
Exported PPTenantIsolationSettings invalid, cannot be converted #3179

Closed
leitzler opened this issue Apr 19, 2023 · 4 comments · Fixed by #3408 or #3410

Comments

@leitzler

Details of the scenario you tried and the problem that is occurring

I exported a clean developer tenant with default sample data (https://developer.microsoft.com/en-us/microsoft-365/dev-program).

The configuration was exported using certificate thumbprint and default mode, without any errors:

Export-M365DSCConfiguration -CertificateThumbprint $Cert.Thumbprint -TenantId <redacted>.onmicrosoft.com -ApplicationId 01234567-890a-bcde-f012-34567890abcd -Path Output -MaxProcesses 64

Verbose logs showing the problem

When I try to convert it the script silently fails (see #3178). Running $ErrorActionPreference = 'Stop' ; gives me the error:

PSDesiredStateConfiguration\Configuration : At least one of the values 'unknown' is not supported or valid for property 'Direction' on class 'MSFT_PPTenantRule'. Please specify only supported values:
Inbound, Outbound, Both.
At C:\output\M365TenantConfig.ps1:6 char:1
+ Configuration M365TenantConfig
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnsupportedValueForProperty,Configuration

The entry in M365TenantConfig.ps1 does indeed have Direction set to unknown:

        PPTenantIsolationSettings "PPTenantIsolationSettings"
        {
            ApplicationId         = $ConfigurationData.NonNodeData.ApplicationId;
            CertificateThumbprint = $ConfigurationData.NonNodeData.CertificateThumbprint;
            Enabled               = $False;
            IsSingleInstance      = "Yes";
            Rules                 = @(MSFT_PPTenantRule {
                TenantName          = ''
                Direction           = 'unknown'
            }
            );
            TenantId              = $ConfigurationData.NonNodeData.TenantId;
        }

Running Get-PowerAppTenantIsolationPolicy -TenantId $T fails, which probably is the issue here. The failure isn't detected by export that thinks it got a valid record:

StatusCode        : 403
StatusDescription : Forbidden
Headers           : {Strict-Transport-Security, x-ms-islandgateway, x-ms-request-id, x-ms-correlation-request-id...}
Error             : @{code=Forbidden; message=The service principal with id 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' for application bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb does not have permission to access the path
                    'https://10.1.2.3:20044/providers/PowerPlatform.Governance/v1/tenants/foobar.onmicrosoft.com/tenantIsolationPolicy?api-version=2020-06-01' in tenant cccccccc-cccc-cccc-cccc-cccccccccccc.}
Message           : The service principal with id 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' for application bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb does not have permission to access the path
                    'https://10.1.2.3:20044/providers/PowerPlatform.Governance/v1/tenants/foobar.onmicrosoft.com/tenantIsolationPolicy?api-version=2020-06-01' in tenant cccccccc-cccc-cccc-cccc-cccccccccccc.
Internal          : System.Net.HttpWebResponse

Suggested solution to the issue

Treat a failed export as an error instead of returning an invalid file that can't be converted.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Using Windows Server Core container, mcr.microsoft.com/windows/servercore:1809-amd64.

Install-PackageProvider -Name NuGet -Force
Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17763.3770
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.3770
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.412.1 Microsoft365DSC                     PSGallery            This DSC module is used to configure and monitor Microsoft tenants, including SharePoint Online, Exchange, Teams, etc.
@andikrueger
Collaborator

This looks like a discrepancy between the admin UI and the PowerShell cmdlets: https://learn.microsoft.com/en-us/power-platform/admin/cross-tenant-restrictions

The PowerShell cmdlets are not really documented as to what values can be passed along...

@NikCharlebois
Collaborator

Out of curiosity, if you were to connect to Power Platform using an admin account instead of a service principal, are you getting the same error?

Connect-M365Tenant -Workload PowerPlatforms -Credential $creds
Get-PowerAppTenantIsolationPolicy -TenantId $T

If you aren't getting any error by using credentials, then it's a permission issue on your service principal. Make sure your app is registered as a Power App one by following the steps at:
https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#power-apps-permissions

@NikCharlebois NikCharlebois added Pending Information and removed Bug Something isn't working labels Apr 21, 2023
@leitzler
Author

Thanks for the quick response!

Yes, seems like that is the issue indeed! When I use a service principal it looks like the export works:

PS C:\> Export-M365DSCConfiguration -CertificateThumbprint $Cert.Thumbprint -TenantId $T -ApplicationId $AppID -Components  @("PPTenantIsolationSettings")
Exporting Microsoft 365 configuration for Components: PPTenantIsolationSettings

Authentication methods specified:
- Service Principal with Certificate Thumbprint

[1/1] Extracting [PPTenantIsolationSettings] using {CertificateThumbprint}...✅
⌛ Export took {4 seconds}

But in reality it doesn't:

PS C:\> Connect-M365Tenant -Workload PowerPlatforms -CertificateThumbprint $Cert.Thumbprint -ApplicationId $AppID -TenantId $T
PS C:\> Get-PowerAppTenantIsolationPolicy -TenantId $T


StatusCode        : 403
StatusDescription : Forbidden
Headers           : {Strict-Transport-Security, x-ms-islandgateway, x-ms-request-id, x-ms-correlation-request-id...}
Error             : @{code=Forbidden; message=The service principal with id '01234567-0123-0123-0123-0123456789ab' for application
                    bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb does not have permission to access the path 'https://10.0.6.57:20060/providers/PowerPlatform.Governan
                    cccccccc-cccc-cccc-cccc-cccccccccccc.}
Message           : The service principal with id '01234567-0123-0123-0123-0123456789ab' for application bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb does not have
                    permission to access the path 'https://10.0.6.57:20060/providers/PowerPlatform.Governance/v1/tenants/foo.onmicrosoft.com/tenant
                    IsolationPolicy?api-version=2020-06-01' in tenant cccccccc-cccc-cccc-cccc-cccccccccccc.
Internal          : System.Net.HttpWebResponse

Using credentials instead works!

I hadn't registered the service principal as a "Power App". Do you happen to know if that procedure is available via non-interactive Graph API (using oauth popup as the only interactive part for example)?

@leitzler
Author

Note that I'd probably want to keep the "Bug" label for this issue, and resolve it when Export-M365DSCConfiguration can detect, via the StatusCode for example, that the export failed.
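As an added example (not Microsoft365DSC project code, and not something any participant in this thread posted), the PowerShell below shows the two checks the thread asks for: treating a result object that carries an HTTP error status (like the 403 pasted above) as an export failure rather than a valid record, and rejecting any MSFT_PPTenantRule whose Direction is outside the set the PSDesiredStateConfiguration error lists (Inbound, Outbound, Both), both on a live rule object and by scanning an already exported M365TenantConfig.ps1 before Configuration is run on it. The function names, the Rules/TenantName/Direction object shape (taken from the exported DSC block) and the sample objects are assumptions constructed for the example; only the StatusCode, StatusDescription and Error.message fields are modelled on the object shown in the issue.

```powershell
# Added example, not code from the Microsoft365DSC project.
# Assumptions: the failing cmdlet returns an object with StatusCode, StatusDescription
# and Error.message (as pasted in the issue) rather than throwing; rule objects expose
# TenantName and Direction, the shape used by the exported PPTenantIsolationSettings block.

$script:ValidDirections = @('Inbound', 'Outbound', 'Both')

function Assert-PPIsolationPolicyResponse {
    # Fails loudly when the lookup came back as an HTTP error object, so the export
    # stops instead of serialising 'unknown' values into the .ps1 file.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [AllowNull()] $Response)

    if ($null -eq $Response) {
        throw 'Get-PowerAppTenantIsolationPolicy returned nothing; refusing to export.'
    }
    # The 403 in the issue is a result object carrying StatusCode and an Error record,
    # not a terminating error, so the caller has to inspect it explicitly.
    $statusProp = $Response.PSObject.Properties['StatusCode']
    if ($null -ne $statusProp -and [int]$statusProp.Value -ge 400) {
        $detail = $Response.StatusDescription
        if ($null -ne $Response.Error -and $Response.Error.message) { $detail = $Response.Error.message }
        throw "Tenant isolation policy lookup failed with HTTP $($statusProp.Value): $detail"
    }
    return $Response
}

function Assert-PPTenantRule {
    # Validates one rule against the values the MSFT_PPTenantRule class accepts.
    [CmdletBinding()]
    param([Parameter(Mandatory)] $Rule)

    if ($script:ValidDirections -notcontains $Rule.Direction) {
        throw ("MSFT_PPTenantRule for '{0}' has unsupported Direction '{1}'; expected one of {2}." -f $Rule.TenantName, $Rule.Direction, ($script:ValidDirections -join ', '))
    }
    if ([string]::IsNullOrWhiteSpace($Rule.TenantName)) {
        throw 'MSFT_PPTenantRule has an empty TenantName.'
    }
    return $Rule
}

function Find-InvalidDirection {
    # Scans an exported M365TenantConfig.ps1 for Direction values the resource will
    # reject, so a bad file can be caught before Configuration is invoked on it.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    Select-String -Path $Path -Pattern "Direction\s*=\s*'(?<dir>[^']*)'" |
        Where-Object { $script:ValidDirections -notcontains $_.Matches[0].Groups['dir'].Value } |
        ForEach-Object {
            [pscustomobject]@{
                Line      = $_.LineNumber
                Direction = $_.Matches[0].Groups['dir'].Value
                Text      = $_.Line.Trim()
            }
        }
}

# --- Constructed samples (placeholder identifiers, not real tenant data) -------------

# Mirrors the 403 result object shown in the issue.
$forbidden = [pscustomobject]@{
    StatusCode        = 403
    StatusDescription = 'Forbidden'
    Error             = [pscustomobject]@{
        code    = 'Forbidden'
        message = "The service principal with id '<sp-id>' for application <app-id> does not have permission to access the path '<tenantIsolationPolicy path>' in tenant <tenant-id>."
    }
}

# A policy in the shape of the exported DSC block: one valid rule, one like the bad export.
$policy = [pscustomobject]@{
    Enabled = $true
    Rules   = @(
        [pscustomobject]@{ TenantName = 'partner.onmicrosoft.com'; Direction = 'Inbound' },
        [pscustomobject]@{ TenantName = '';                         Direction = 'unknown' }
    )
}

try   { $null = Assert-PPIsolationPolicyResponse -Response $forbidden }
catch { Write-Host "Export would stop here: $($_.Exception.Message)" }

foreach ($rule in $policy.Rules) {
    try   { $null = Assert-PPTenantRule -Rule $rule; Write-Host "Rule OK: $($rule.TenantName) / $($rule.Direction)" }
    catch { Write-Host "Rule rejected: $($_.Exception.Message)" }
}

# On a real export, before converting it:
#   Find-InvalidDirection -Path 'C:\output\M365TenantConfig.ps1'
```

Running the script prints the stop message for the constructed 403 object, accepts the Inbound rule and rejects the 'unknown' one; pointing Find-InvalidDirection at the exported file in the issue would return the `Direction = 'unknown'` line, which is the cheapest place to catch this until the export itself checks the StatusCode.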
