AADAdministrativeUnit: Cannot set ScopedRoleMembers with RoleMemberInfo Type of Group (or ServicePrincipal) #3189

Closed
Borgquite opened this issue Apr 19, 2023 · 1 comment · Fixed by #3190 or #3229

Comments

@Borgquite
Contributor

Details of the scenario you tried and the problem that is occurring

Trying to create an AADAdministrativeUnit with a ScopedRoleMembers attribute where RoleMemberInfo has a type of Group (or probably ServicePrincipal) fails:

Verbose logs showing the problem

VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Resource ]  [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Test     ]  [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]:                            [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME] Testing configuration of the Azure AD Administrative Unit
with Id {Operating Programmes and Support Offices/Asia-Pacific/Timor-Leste} and DisplayName {Operating
Programmes and Support Offices/Asia-Pacific/Timor-Leste}
VERBOSE: [COMPUTERNAME]:                            [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME] Test-TargetResource returned False - Ensure not the same
VERBOSE: [COMPUTERNAME]: LCM:  [ End    Test     ]  [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME]  in 0.1560 seconds.
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Set      ]  [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME]
VERBOSE: [COMPUTERNAME]:                            [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME] AU {Operating Programmes and Support
Offices/Asia-Pacific/Timor-Leste} process 4 ScopedRoleMembers
VERBOSE: [COMPUTERNAME]:                            [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME] AU {Operating Programmes and Support
Offices/Asia-Pacific/Timor-Leste} member: role 'Authentication Administrator' type '' identity
VERBOSE: [COMPUTERNAME]:                            [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME] AU {Operating Programmes and Support
Offices/Asia-Pacific/Timor-Leste} role is enabled
VERBOSE: [COMPUTERNAME]: LCM:  [ End    Set      ]  [[AADAdministrativeUnit]Operating Programmes and Support
Offices\Asia-Pacific\Timor-Leste::[DomainController]COMPUTERNAME]  in 0.2500 seconds.
PowerShell DSC resource MSFT_AADAdministrativeUnit  failed to execute Set-TargetResource functionality with error
message: AU {Operating Programmes and Support Offices/Asia-Pacific/Timor-Leste}: Invalid
ScopedRoleMember.RoleMemberInfo.Type {Group}
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

Suggested solution to the issue

There are some incorrect lines in the AADAdministrativeUnit code for Groups and ServicePrincipals. I will submit a PR shortly.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

$credsCredential = Get-Credential

Configuration Example
{
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # Role-assignable group that the administrative unit below references by name
        AADGroup 'TestGroup'
        {
            Credential         = $credsCredential
            DisplayName        = "TestGroup"
            MailNickname       = "TestGroup"
            SecurityEnabled    = $true
            MailEnabled        = $true
            IsAssignableToRole = $true
            Ensure             = "Present"
        }
        # Administrative unit whose scoped role member is a Group rather than a User
        AADAdministrativeUnit 'TestUnit'
        {
            Credential        = $credsCredential
            Id                = "Test-Unit"
            DisplayName       = "Test-Unit"
            Ensure            = "Present"
            ScopedRoleMembers = @(
                MSFT_MicrosoftGraphScopedRoleMembership
                {
                    RoleName       = "User Administrator"
                    RoleMemberInfo = MSFT_MicrosoftGraphMember
                    {
                        Identity = "TestGroup"
                        Type     = "Group"   # this Type value is what triggers the error above
                    }
                }
            )
            # Ensure the group exists before the administrative unit tries to reference it
            DependsOn = "[AADGroup]TestGroup"
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

Example -ConfigurationData $cd

The operating system the target node is running

OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-GB
OsMuiLanguages : {en-GB, en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.412.1
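The error above is a rejection of RoleMemberInfo.Type, so the check a resource has to make is: accept User, Group or ServicePrincipal, resolve the Identity through the matching directory lookup, and fail clearly on anything else. The helper below is an added example and is not Microsoft365DSC code; it assumes the Microsoft.Graph PowerShell modules are installed and an existing Connect-MgGraph session with directory read rights, and it takes the ScopedRoleMembers entry from the repro configuration above as input.

```powershell
# Added example (not Microsoft365DSC code): resolve one ScopedRoleMembers entry
# to the directory object id that Graph needs, honouring RoleMemberInfo.Type.
# Assumes Microsoft.Graph.Users / .Groups / .Applications and an active Connect-MgGraph session.
function Resolve-ScopedRoleMember
{
    param(
        # @{ RoleName = '...'; RoleMemberInfo = @{ Identity = '...'; Type = 'User|Group|ServicePrincipal' } }
        [Parameter(Mandatory)] [hashtable] $Member
    )

    $info    = $Member.RoleMemberInfo
    $escaped = $info.Identity -replace "'", "''"   # escape single quotes for the OData filter

    switch ($info.Type)
    {
        'User'             { $obj = Get-MgUser             -Filter "userPrincipalName eq '$escaped'" -Property Id }
        'Group'            { $obj = Get-MgGroup            -Filter "displayName eq '$escaped'"       -Property Id }
        'ServicePrincipal' { $obj = Get-MgServicePrincipal -Filter "displayName eq '$escaped'"       -Property Id }
        default
        {
            # Same condition the resource reports, but naming the values it does accept
            throw "Invalid ScopedRoleMember.RoleMemberInfo.Type {$($info.Type)}: expected User, Group or ServicePrincipal"
        }
    }

    if (-not $obj)
    {
        throw "No $($info.Type) with identity '$($info.Identity)' exists in the directory"
    }
    if (@($obj).Count -gt 1)
    {
        # Display names are not unique; refuse to guess which object was meant
        throw "Identity '$($info.Identity)' matched more than one $($info.Type)"
    }

    # Shape consumed by New-MgDirectoryAdministrativeUnitScopedRoleMember -RoleMemberInfo
    return @{
        RoleName       = $Member.RoleName
        RoleMemberInfo = @{ Id = $obj.Id }
    }
}

# The entry from the repro configuration above
$resolved = Resolve-ScopedRoleMember -Member @{
    RoleName       = 'User Administrator'
    RoleMemberInfo = @{ Identity = 'TestGroup'; Type = 'Group' }
}
$resolved.RoleMemberInfo.Id   # object id of the TestGroup group
```

RoleName still has to be mapped to a directory role id (for example via Get-MgDirectoryRole) before the scoped membership can be created; that step is unchanged by the member type.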

ykuijs added a commit that referenced this issue Apr 20, 2023
Fix AADAdministrativeUnit ScopedRoleMembers of Group or ServicePrincipal type - fixes #3189
@Borgquite
Contributor Author

Tested now, appears working
