Update-M365DSCAzureAdApplication - Can't update API with multiple permissions #3417

Closed
Calum-B-AiX opened this issue Jun 26, 2023 · 1 comment · Fixed by #3418 or #3430


@Calum-B-AiX

Details of the scenario you tried and the problem that is occurring

I've attempted to update an App Registration using the Update-M365DSCAzureAdApplication cmdlet as follows:

Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(`
@{Api='Graph';PermissionName='Group.Read.All'},`
@{Api='SharePoint';PermissionName='Sites.FullControl.All'},`
@{Api='Graph';PermissionName='Domain.Read.All'},`
@{Api='Graph';PermissionName='ChannelSettings.Read.All'},`
@{Api='Graph';PermissionName='TeamsTab.ReadWrite.All'},`
@{Api='Graph';PermissionName='DeviceManagementServiceConfig.Read.All'},`
@{Api='Graph';PermissionName='DeviceManagementManagedDevices.Read.All'},`
@{Api='Graph';PermissionName='DeviceManagementConfiguration.Read.All'},`
@{Api='Graph';PermissionName='DeviceManagementRBAC.Read.All'},`
@{Api='Graph';PermissionName='DeviceManagementConfiguration.Read.All'},`
@{Api='Graph';PermissionName='DeviceManagementApps.Read.All'}) `
-TenantId $TenantId -ApplicationId $ApplicationId -Type Certificate -CertificatePath $certPath -CertificateThumbprint $CertificateThumbprint

We kept receiving the following error:

Update-MgApplication : Request contains a property with duplicate values.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.621.1\modules\M365DSCPermissions.psm1:1485 char:9
+         Update-MgApplication -ApplicationId ($azureADApp.Id) `
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ ApplicationId...phApplication }:<>f__AnonymousType0`2) [Update-MgApplication_UpdateExpanded1], RestException`1
    + FullyQualifiedErrorId : DuplicateValue,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgApplication_UpdateExpanded1

From what I can see the Update-M365DSCAzureAdApplication cmdlet is creating multiple entries against the same API, causing the Update-MgApplication to fail.

Suggested solution to the issue

At Line 1448 of M365DSCPermissions.psm1, replace:

$currentAPIAccess = @{
    ResourceAppId  = $svcprincipal.AppId
    ResourceAccess = @()
}

with

if($allRequiredAccess -ne $null)
{
    foreach($access in $allRequiredAccess)
    {
        if($access.ResourceAppId -eq $svcprincipal.AppId)
        {
            $currentAPIAccess = $access
            break
        }
        else
        {
            $currentAPIAccess = @{
                ResourceAppId  = $svcprincipal.AppId
                ResourceAccess = @()
            }
        }
    }
}
else
{
    $currentAPIAccess = @{
        ResourceAppId  = $svcprincipal.AppId
        ResourceAccess = @()
    }
}

and change Line 1474:

                if ($null -ne $currentAPIAccess)

to

                if ($null -ne $currentAPIAccess -and $allRequiredAccess -notcontains $currentAPIAccess)

This checks if the $allRequiredAccess variable exists; if so, it checks against the hash table entry being processed to see if the App ID already exists and appends permissions against it if so, or creates a new $currentAPIAccess if it doesn't. The line change to 1474 ensures a duplicate isn't added to $allRequiredAccess.
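
The merge described above (one entry per API app ID, permissions appended to it, no duplicate added), as an added example that is not part of the original issue and is not Microsoft365DSC code. The function name `ConvertTo-RequiredResourceAccess`, its two lookup tables and every GUID are hypothetical, constructed values; resolving real app IDs and role IDs is assumed to happen beforehand.

```powershell
# Added example, not Microsoft365DSC code; function name and lookup tables are hypothetical.
function ConvertTo-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Permissions,
        [Parameter(Mandatory)] [hashtable] $ResourceAppIds,  # API label -> resource appId
        [Parameter(Mandatory)] [hashtable] $RoleIds           # "Api/PermissionName" -> role id
    )
    $byResource = [ordered]@{}
    foreach ($p in $Permissions) {
        $appId  = $ResourceAppIds[$p.Api]
        $roleId = $RoleIds["$($p.Api)/$($p.PermissionName)"]
        if (-not $appId -or -not $roleId) {
            throw "Unresolved permission: $($p.Api)/$($p.PermissionName)"
        }
        # One bucket per resource appId, created only the first time the API is seen.
        if (-not $byResource.Contains($appId)) {
            $byResource[$appId] = [System.Collections.Generic.List[string]]::new()
        }
        # Skip a permission that was already requested for this resource.
        if (-not $byResource[$appId].Contains($roleId)) {
            $byResource[$appId].Add($roleId)
        }
    }
    foreach ($appId in $byResource.Keys) {
        @{
            ResourceAppId  = $appId
            ResourceAccess = @($byResource[$appId] | ForEach-Object { @{ Id = $_; Type = 'Role' } })
        }
    }
}

# Constructed sample input: placeholder GUIDs, not real appIds or role ids.
$resourceAppIds = @{
    Graph      = 'aaaaaaaa-0000-0000-0000-000000000001'
    SharePoint = 'aaaaaaaa-0000-0000-0000-000000000002'
}
$roleIds = @{
    'Graph/Group.Read.All'             = 'bbbbbbbb-0000-0000-0000-000000000001'
    'Graph/Domain.Read.All'            = 'bbbbbbbb-0000-0000-0000-000000000002'
    'SharePoint/Sites.FullControl.All' = 'bbbbbbbb-0000-0000-0000-000000000003'
}
$requested = @(
    @{ Api = 'Graph'; PermissionName = 'Group.Read.All' },
    @{ Api = 'SharePoint'; PermissionName = 'Sites.FullControl.All' },
    @{ Api = 'Graph'; PermissionName = 'Domain.Read.All' },
    @{ Api = 'Graph'; PermissionName = 'Group.Read.All' }   # repeated on purpose
)
$result = @(ConvertTo-RequiredResourceAccess -Permissions $requested -ResourceAppIds $resourceAppIds -RoleIds $roleIds)
$result | ForEach-Object { '{0}: {1} permission(s)' -f $_.ResourceAppId, $_.ResourceAccess.Count }
```

Because the permissions are bucketed by resource app ID before the list is built, each `ResourceAppId` appears once regardless of the order in which the permissions were requested.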

@NikCharlebois
Collaborator

We found an issue with the function. A fix is in the works and will be released with Wednesday's release.

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Jun 26, 2023