SCDLPComplianceRule - AccessScope - Cannot convert value "System.Collections.Generic.List1[System.String]"

[william-boyd]

Details of the scenario you tried and the problem that is occurring

SCDLPComplianceRule - AccessScope - Cannot convert value
I am deploying one DLPComplianceRule. When specifying AccessScope it always fails with the same error. When removing this key, the configuration succeeds.

Verbose logs showing the problem

##[error]Cannot process argument transformation on parameter 'AccessScope'. Cannot convert value
"System.Collections.Generic.List1[System.String]" to type "System.Nullable1[Microsoft.Office.CompliancePolicy.Tasks.AccessScope]". Error: "Unable to match the identifier name
System.Collections.Generic.List`1[System.String] to a valid enumerator name. Specify one of the following enumerator
names and try again: InOrganization, NotInOrganization, None"

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration M365Configuration {
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]$ApplicationId,

        [Parameter(Mandatory = $true)]
        [System.String]$TenantId,
        
        [Parameter(Mandatory = $true)]
        [System.String]$CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        SCDLPCompliancePolicy 'ConfigureCompliancePolicy'
        {
            Name                  = "General Data Protection Regulation (GDPR)"
            Comment               = "Test Policy"
            Priority              = 0
            ExchangeLocation      = "All"
            Ensure                = "Present"
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            TenantId              = $TenantId;
        }
        SCDLPComplianceRule 'ConfigureDLPComplianceRule'
        {
            Name                                = 'Low volume EU Sensitive content found'
            Policy                              = 'General Data Protection Regulation (GDPR)'
            AccessScope                         = 'InOrganization'
            BlockAccess                         = $True
            BlockAccessScope                    = 'All'
            ContentContainsSensitiveInformation = MSFT_SCDLPContainsSensitiveInformation
            {
                SensitiveInformation = @(
                    MSFT_SCDLPSensitiveInformation
                    {
                        name           = 'EU Debit Card Number'
                        id             = '0e9b3178-9678-47dd-a509-37222ca96b42'
                        maxconfidence  = '100'
                        minconfidence  = '75'
                        classifiertype = 'Content'
                        mincount       = '1'
                        maxcount       = '9'
                    }
                )
            }
            Disabled                            = $False
            DocumentIsPasswordProtected         = $False
            DocumentIsUnsupported               = $False
            ExceptIfDocumentIsPasswordProtected = $False
            ExceptIfDocumentIsUnsupported       = $False
            ExceptIfHasSenderOverride           = $False
            ExceptIfProcessingLimitExceeded     = $False
            GenerateIncidentReport              = @('SiteAdmin')
            HasSenderOverride                   = $False
            IncidentReportContent               = @('DocumentLastModifier', 'Detections', 'Severity', 'DetectionDetails', 'OriginalContent')
            NotifyUser                          = @('LastModifier')
            ProcessingLimitExceeded             = $False
            RemoveRMSTemplate                   = $False
            ReportSeverityLevel                 = 'Low'
            StopPolicyProcessing                = $False
            Ensure                              = 'Present'
            ApplicationId                       = $ApplicationId;
            CertificateThumbprint               = $CertificateThumbprint;
            TenantId                            = $TenantId;
        }
    }
}

The operating system the target node is running

Windows Server 2022

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.628.1

[william-boyd]

FYI, this still happens on 1.23.712.1

Is there any workaround if we cannot specify AccessScope?

[william-boyd]

Just confirmed the same issue still happens on 1.23.719.1

[william-boyd]

Should the unit tests for this resource specify AccessScope? The config provided in the docs has it, but the unit test doesn't.

https://microsoft365dsc.com/resources/security-compliance/SCDLPComplianceRule/
https://github.com/microsoft/Microsoft365DSC/blob/Dev/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SCDLPComplianceRule.Tests.ps1

[william-boyd]

Just updated to the latest release - same error on 1.23.726.1

[william-boyd]

VERBOSE: [vmss-win00005E]:                            [[SCDLPComplianceRule]SCDLPComplianceRule-[External] High volume 
Financial Data::[DLPComplianceRule]SCDLPComplianceRule_Configuration] Query 1 failed.
##[error]Cannot process argument transformation on parameter 'AccessScope'. Cannot convert value 
"System.Collections.Generic.List`1[System.String]" to type 
"System.Nullable`1[Microsoft.Office.CompliancePolicy.Tasks.AccessScope]". Error: "Unable to match the identifier name 
System.Collections.Generic.List`1[System.String] to a valid enumerator name. Specify one of the following enumerator 
names and try again: InOrganization, NotInOrganization, None"
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : [TimeStamp=Thu, 27 Jul 2023 14:40:58 GMT],Write-ErrorMessage
    + PSComputerName        : localhost
VERBOSE: [vmss-win00005E]: LCM:  [ End    Set      ]  [[SCDLPComplianceRule]SCDLPComplianceRule-[External] High volume 
Financial Data::[DLPComplianceRule]SCDLPComplianceRule_Configuration]  in 2.6400 seconds.
##[error]The PowerShell DSC resource '[SCDLPComplianceRule]SCDLPComplianceRule-[External] High volume Financial 
Data::[DLPComplianceRule]SCDLPComplianceRule_Configuration' with SourceInfo 'C:\a\1\s\modules\SecurityCompliance\0.0.1\
DSCResources\DLPComplianceRule\DLPComplianceRule.schema.psm1::28::5::SCDLPComplianceRule' threw one or more 
non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel 
called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
VERBOSE: [vmss-win00005E]: LCM:  [ End    Set      ]
##[error]The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 61.689 seconds
[2023-07-27 14:40:59] -  
[2023-07-27 14:40:59] -  
[2023-07-27 14:40:59] - ************************************************
[2023-07-27 14:40:59] - *              Deployment results              *
[2023-07-27 14:40:59] - ************************************************
[2023-07-27 14:40:59] - MOF Deployment Succeeded!

[Cyanic-Cloud]

We are having the same issue, is there a fix due soon?
If not what version can we role back to?

[Cyanic-Cloud]

Per william-boyd comment "Should the unit tests for this resource specify AccessScope? The config provided in the docs has it, but the unit test doesn't."
I have removed the AccessScope from the psd1 file and the rule is then created without issue. . .