EXOManagementRoleAssignment: Errors when managing a resource with RecipientAdministrativeUnitScope #3185

Closed
Borgquite opened this issue Apr 19, 2023 · 2 comments · Fixed by #3188

Comments

@Borgquite
Contributor

Borgquite commented Apr 19, 2023

Details of the scenario you tried and the problem that is occurring

Just so you know, trying to rely on this module feels like playing Whack-a-mole at present - every new bug or feature just breaks existing functionality. It would be a good idea to get some unit and integration tests soon, as an end-user it's incredibly frustrating... [/rant]

The fix #3064 and possibly #3046 appear to have actually broken the RecipientAdministrativeUnitScope functionality for EXOManagementRoleAssignment. Resources are marked as 'Absent' during the Test process but the Set process shows that they do actually exist.

Verbose logs showing the problem

VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Resource ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Test     ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Testing Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Current Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Absent
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Target Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Present
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Test-TargetResource returned False
VERBOSE: [COMPUTERNAME]: LCM:  [ End    Test     ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]  in 6.7380 seconds.
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Set      ]  [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Setting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Management Role Assignment'EXO SSD AU Mail Recipients Role' does not exist but it
should. Create and configure it.
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Returning precomputed version info: 3.1.0
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] POST
https://outlook.office365.com/adminapi/beta/22c6e8f7-a453-4d7f-a381-13ec6072b90f/InvokeCommand with -1-byte payload
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Query 1 failed.
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting message from error object
Ex17CDAE|Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException|Active Directory operation failed on
CWLP265A10DC005.GBRP265A010.PROD.OUTLOOK.COM. The object 'CN=EXO SSD AU Mail Recipients Role,CN=Role Assignments,CN=RBA
C,CN=Configuration,CN=tenantname.onmicrosoft.com,CN=ConfigurationUnits,DC=GBRP265A010,DC=PROD,DC=OUTLOOK,DC=COM'
already exists.
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : [Server=CWLP265MB4176,RequestId=e3926398-c54c-9689-9533-ad761af5cf60,TimeStamp=Wed, 19 A
   pr 2023 14:15:33 GMT],Write-ErrorMessage
    + PSComputerName        : localhost

VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Testing to ensure changes were applied.
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Testing Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Getting Management Role Assignment for EXO SSD AU Mail Recipients Role
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Current Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Absent
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Target Values: ApplicationId=***
CertificateThumbprint=<REDACTED>
Ensure=Present
Name=EXO SSD AU Mail Recipients Role
RecipientAdministrativeUnitScope=MAF-I Operating Programmes and Support Offices/Africa/South Sudan
Role=Mail Recipients
SecurityGroup=EXO SSD AUs Mail Recipients Role
TenantId=***
Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Test-TargetResource returned False
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients
Role::[DomainController]COMPUTERNAME] Test-TargetResource returned False. Waiting for a total of 10 out of 120
VERBOSE: [COMPUTERNAME]:                            [[EXOManagementRoleAssignment]EXO SSD AU Mail Recipients

Suggested solution to the issue

There are a number of potential places which might be the cause in MSFT_EXOManagementRoleAssignment.psm1:

I've created a potential patch to resolve the last two solutions but they don't fix the problem on their own. UPDATE - Actually it looks like the patch fixes it completely, no need to worry about the references to #3046

The DSC configuration that is used to reproduce the issue (as detailed as possible)

$ApplicationId = '<id>'
$CertificateThumbprint = '<cert thumbprint>'
$TenantId = '<tenantid>.onmicrosoft.com'

Configuration Example
{
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADAdministrativeUnit 'TestUnit'
        {
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            TenantId              = $TenantId;
            DisplayName           = "Test-Unit";
            Ensure                = "Present";
        }
        EXODistributionGroup 'MailEnabledSecurityGroup'
        {
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            TenantId              = $TenantId;
            Name                  = "Test-Group";
            Alias                 = "Test-Group";
            Type                  = "Security";
            Ensure                = "Present";
        }
        EXOManagementRoleAssignment 'AssignManagementRole'
        {
            ApplicationId                    = $ApplicationId;
            CertificateThumbprint            = $CertificateThumbprint;
            TenantId                         = $TenantId;
            Ensure                           = "Present";
            Name                             = "MyManagementRoleAssignment";
            Role                             = "Mail Recipients";
            SecurityGroup                    = "Test-Group";
            RecipientAdministrativeUnitScope = "Test-Unit"
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

The operating system the target node is running

PSVersion 5.1.22621.963
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.963
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.412.1
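
A triage aid for the symptom reported above, added as an example and not part of the original issue or of Microsoft365DSC: it scans LCM verbose output for a role assignment that Get reported as Ensure=Absent while the following Set failed with ADObjectAlreadyExistsException. The function name and the sample log lines are constructed for illustration.

```powershell
# Added example; Find-DscGetSetMismatch is a hypothetical helper name.
function Find-DscGetSetMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $LogLine
    )
    $absent    = @{}      # names that Get-TargetResource reported as Ensure=Absent
    $inCurrent = $false   # currently inside a "Current Values:" block
    $ensure    = $null
    $conflict  = $false   # an "already exists" exception has started

    foreach ($line in $LogLine) {
        if ($line -match 'Current Values:') { $inCurrent = $true; $ensure = $null }
        elseif ($line -match 'Target Values:') { $inCurrent = $false }
        elseif ($inCurrent -and $line -match '^\s*Ensure=(\w+)') { $ensure = $Matches[1] }
        elseif ($inCurrent -and $ensure -eq 'Absent' -and $line -match '^\s*Name=(.+?)\s*$') {
            $absent[$Matches[1]] = $true
        }
        # The exception text wraps, so the class name and the CN can sit on different lines.
        if ($line -match 'ADObjectAlreadyExistsException') { $conflict = $true }
        if ($conflict -and $line -match "The object 'CN=([^,]+),CN=Role Assignments") {
            $conflict = $false
            if ($absent.ContainsKey($Matches[1])) {
                [pscustomobject]@{
                    Name        = $Matches[1]
                    GetReported = 'Absent'
                    SetError    = 'ADObjectAlreadyExistsException'
                }
            }
        }
    }
}

# Constructed sample, shaped like the verbose output in this issue.
$sample = @'
VERBOSE: [NODE]: [[EXOManagementRoleAssignment]Example] Current Values: ApplicationId=***
Ensure=Absent
Name=Example AU Role
RecipientAdministrativeUnitScope=Example-Unit
VERBOSE: [NODE]: [[EXOManagementRoleAssignment]Example] Target Values: ApplicationId=***
Ensure=Present
Name=Example AU Role
VERBOSE: [NODE]: [[EXOManagementRoleAssignment]Example] Test-TargetResource returned False
Ex000000|Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException|Active Directory operation failed on
EXAMPLE-DC. The object 'CN=Example AU Role,CN=Role Assignments,CN=RBAC,CN=Configuration' already exists.
'@ -split '\r?\n'

Find-DscGetSetMismatch -LogLine $sample
```

A hit means the resource's drift detection cannot be relied on for that role assignment, so the scope actually in effect should be confirmed directly in Exchange Online.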

@Borgquite
Contributor Author

Borgquite commented Apr 19, 2023

Correction - it appears the fixes in the pull request resolve the issue completely, ignore the references to #3046 above. Hopefully this is ready to commit.

Borgquite changed the title from "EXOManagementRoleAssignment: Errors when managing a resource with RecipientAdministrativeUnitScope using TenantId" to "EXOManagementRoleAssignment: Errors when managing a resource with RecipientAdministrativeUnitScope" on Apr 19, 2023
ykuijs added a commit that referenced this issue Apr 19, 2023
Use correct Graph cmdlets - fix for #3185
@Borgquite
Contributor Author

Works fine now, thank you
