Bug: AADApplication permission drift logs in string instead of XML format #3830

Closed
techthoughts2 opened this issue Oct 25, 2023 · 0 comments · Fixed by #3832 or #3833
Labels: Bug, Entra ID, V1.23.1011.1

Comments


techthoughts2 commented Oct 25, 2023

Description of the issue

Expected Behavior

The M365DSC log outputs drift detection in XML format: <M365DSCEvent>

Actual Behavior for AADApplication

When DSC detects a permissions drift for AADApplication, the log is output in free-form text.

Microsoft 365 DSC Version

v1.23.1011.1

Which workloads are affected

Azure Active Directory

The DSC configuration

# https://microsoft365dsc.com/resources/azure-ad/AADApplication/
AADApplication 'AADApplication-AppName' {
    AvailableToOtherTenants = $false
    DisplayName             = 'AppName'
    Ensure                  = 'Present'
    IdentifierUris          = @()
    KnownClientApplications = @()
    Owners                  = @(
        "user@$Domain.com"
    )
    Permissions             = @(
        MSFT_AADApplicationPermission {
            Name                = 'Exchange.ManageAsApp'
            Type                = 'AppOnly'
            SourceAPI           = 'Office 365 Exchange Online'
            AdminConsentGranted = $False
        }
        MSFT_AADApplicationPermission {
            Name                = 'Application.ReadWrite.OwnedBy'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Application.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Application.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'AppCatalog.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Channel.Delete.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'ChannelSettings.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'ChannelMember.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Directory.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Directory.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Domain.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Group.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Group.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Organization.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Policy.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Policy.ReadWrite.Authorization'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Policy.ReadWrite.ConditionalAccess'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Policy.ReadWrite.CrossTenantAccess'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'ReportSettings.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'ReportSettings.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'RoleManagement.Read.Directory'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'RoleEligibilitySchedule.ReadWrite.Directory'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'RoleManagement.ReadWrite.Directory'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'RoleManagementPolicy.Read.Directory'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'SharePointTenantSettings.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'TeamSettings.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'User.Invite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'User.Read'
            Type                = 'Delegated'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'User.Read.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'User.ReadWrite.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Microsoft Graph'
            AdminConsentGranted = $false
        }
        MSFT_AADApplicationPermission {
            Name                = 'Sites.FullControl.All'
            Type                = 'AppOnly'
            SourceAPI           = 'Office 365 SharePoint Online'
            AdminConsentGranted = $False
        }
    )
    PublicClient            = $false
    ReplyURLs               = @()
    ApplicationId           = $ApplicationId
    TenantId                = $TenantId
    CertificateThumbprint   = $Thumbprint
}

Verbose logs showing the problem

EventID            : 1
MachineName        : device-1
Data               : {}
Index              : 457
Category           : (1)
CategoryNumber     : 1
EntryType          : Warning
Message            : Permissions for Azure AD Application {Microsoft365DSC} were not in the desired state.
                     They should contain {Exchange.ManageAsApp Application.ReadWrite.OwnedBy Application.ReadWrite.All Application.Read.All
                     AppCatalog.ReadWrite.All Channel.Delete.All ChannelSettings.ReadWrite.All ChannelMember.ReadWrite.All Directory.Read.All
                     Directory.ReadWrite.All Domain.Read.All Group.Read.All Group.ReadWrite.All Organization.Read.All Policy.Read.All
                     Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.CrossTenantAccess ReportSettings.Read.All
                     ReportSettings.ReadWrite.All RoleManagement.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory
                     RoleManagementPolicy.Read.Directory SharePointTenantSettings.ReadWrite.All TeamSettings.ReadWrite.All User.Invite.All User.Read
                     User.Read.All User.ReadWrite.All Sites.FullControl.All} but instead contained {Application.ReadWrite.OwnedBy Application.ReadWrite.All
                     Application.Read.All AppCatalog.ReadWrite.All Channel.Delete.All ChannelSettings.ReadWrite.All ChannelMember.ReadWrite.All
                     Directory.Read.All Directory.ReadWrite.All Domain.Read.All Group.Read.All Group.ReadWrite.All Organization.Read.All Policy.Read.All
                     Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.CrossTenantAccess ReportSettings.Read.All
                     ReportSettings.ReadWrite.All RoleManagement.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory
                     RoleManagementPolicy.Read.Directory SharePointTenantSettings.ReadWrite.All TeamSettings.ReadWrite.All User.Invite.All User.Read
                     User.Read.All User.ReadWrite.All Sites.FullControl.All}
Source             : MSFT_AADApplication
ReplacementStrings : {Permissions for Azure AD Application {Microsoft365DSC} were not in the desired state.
                     They should contain {Exchange.ManageAsApp Application.ReadWrite.OwnedBy Application.ReadWrite.All Application.Read.All
                     AppCatalog.ReadWrite.All Channel.Delete.All ChannelSettings.ReadWrite.All ChannelMember.ReadWrite.All Directory.Read.All
                     Directory.ReadWrite.All Domain.Read.All Group.Read.All Group.ReadWrite.All Organization.Read.All Policy.Read.All
                     Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.CrossTenantAccess ReportSettings.Read.All
                     ReportSettings.ReadWrite.All RoleManagement.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory
                     RoleManagementPolicy.Read.Directory SharePointTenantSettings.ReadWrite.All TeamSettings.ReadWrite.All User.Invite.All User.Read
                     User.Read.All User.ReadWrite.All Sites.FullControl.All} but instead contained {Application.ReadWrite.OwnedBy Application.ReadWrite.All
                     Application.Read.All AppCatalog.ReadWrite.All Channel.Delete.All ChannelSettings.ReadWrite.All ChannelMember.ReadWrite.All
                     Directory.Read.All Directory.ReadWrite.All Domain.Read.All Group.Read.All Group.ReadWrite.All Organization.Read.All Policy.Read.All
                     Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.CrossTenantAccess ReportSettings.Read.All
                     ReportSettings.ReadWrite.All RoleManagement.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory
                     RoleManagementPolicy.Read.Directory SharePointTenantSettings.ReadWrite.All TeamSettings.ReadWrite.All User.Invite.All User.Read
                     User.Read.All User.ReadWrite.All Sites.FullControl.All}}
InstanceId         : 1
TimeGenerated      : 10/9/2023 11:33:41 PM
TimeWritten        : 10/9/2023 11:33:41 PM
UserName           :
Site               :
Container          :


Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      5.1.20348.1850
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1850
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
andikrueger added the Bug, Entra ID and V1.23.1011.1 labels Oct 25, 2023
NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Oct 25, 2023
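The practical consequence of this bug is that anything consuming the M365DSC event log for drift detection has to cope with two message shapes for the same event: the structured <M365DSCEvent> XML that the other resources emit, and the free-form "They should contain {...} but instead contained {...}" text that MSFT_AADApplication wrote in v1.23.1011.1. The following is an added example, not Microsoft365DSC project code, that parses both shapes and returns which permissions are declared but not present on the app and, more importantly from a security standpoint, which permissions are present on the app but not declared in the configuration. The element names used for the XML shape (ConfigurationDrift, ParametersNotInDesiredState, Param, CurrentValue, DesiredValue) and the event log name 'M365DSC' are assumptions for illustration and should be checked against the events your own version writes; the two sample messages are constructed from the scopes quoted in this issue.

```powershell
# Added example (not Microsoft365DSC project code). Parses an M365DSC drift event message
# in either the <M365DSCEvent> XML shape or the free-form text shape shown in this issue
# and returns the permission drift as two sets: Missing (declared, not present on the app)
# and Unexpected (present on the app, not declared). The XML element names below are an
# ASSUMPTION for illustration; verify them against your own M365DSC event log entries.
function ConvertFrom-M365DSCPermissionDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        $desired = @(); $current = @(); $app = $null; $format = $null

        if ($Message.TrimStart().StartsWith('<M365DSCEvent>')) {
            $format = 'Xml'
            $xml    = [xml]$Message
            $drift  = $xml.M365DSCEvent.ConfigurationDrift
            $app    = $drift.Source
            # GetAttribute avoids the clash between the Name attribute and XmlElement.Name.
            $param  = @($drift.ParametersNotInDesiredState.Param) |
                      Where-Object { $_.GetAttribute('Name') -eq 'Permissions' }
            if ($param) {
                $desired = @($param.DesiredValue -split '\s+' | Where-Object { $_ })
                $current = @($param.CurrentValue -split '\s+' | Where-Object { $_ })
            }
        }
        else {
            $format = 'Text'
            # Free-form shape written by MSFT_AADApplication in v1.23.1011.1 (quoted in the issue).
            # (?s) lets the brace contents span the line breaks the event log inserts.
            $pattern = '(?s)Permissions for Azure AD Application \{(?<app>[^}]*)\} were not in the desired state\.\s*' +
                       'They should contain \{(?<desired>[^}]*)\} but instead contained \{(?<current>[^}]*)\}'
            $m = [regex]::Match($Message, $pattern)
            if (-not $m.Success) {
                throw 'Message is not a recognised AADApplication permission drift entry.'
            }
            $app     = $m.Groups['app'].Value
            $desired = @($m.Groups['desired'].Value -split '\s+' | Where-Object { $_ })
            $current = @($m.Groups['current'].Value -split '\s+' | Where-Object { $_ })
        }

        [pscustomobject]@{
            Application = $app
            Format      = $format
            Missing     = @($desired | Where-Object { $_ -notin $current })   # declared but not granted
            Unexpected  = @($current | Where-Object { $_ -notin $desired })   # granted but not declared
        }
    }
}

# Constructed sample in the free-form shape quoted in this issue (shortened to three scopes).
$textSample = @'
Permissions for Azure AD Application {Microsoft365DSC} were not in the desired state.
They should contain {Exchange.ManageAsApp Application.ReadWrite.OwnedBy Directory.Read.All} but instead contained {Application.ReadWrite.OwnedBy Directory.Read.All}
'@

# Constructed sample in the XML shape; element names are an assumption, not taken from the page.
$xmlSample = @'
<M365DSCEvent>
  <ConfigurationDrift Source="MSFT_AADApplication">
    <ParametersNotInDesiredState>
      <Param Name="Permissions">
        <CurrentValue>Application.ReadWrite.OwnedBy Directory.Read.All Directory.ReadWrite.All</CurrentValue>
        <DesiredValue>Exchange.ManageAsApp Application.ReadWrite.OwnedBy Directory.Read.All</DesiredValue>
      </Param>
    </ParametersNotInDesiredState>
  </ConfigurationDrift>
</M365DSCEvent>
'@

$textSample, $xmlSample | ConvertFrom-M365DSCPermissionDrift | Format-List

# Against a live node (log name 'M365DSC' assumed), keep only the AADApplication drift events:
# Get-WinEvent -LogName 'M365DSC' |
#     Where-Object { $_.ProviderName -eq 'MSFT_AADApplication' -and $_.LevelDisplayName -eq 'Warning' } |
#     Select-Object -ExpandProperty Message |
#     ConvertFrom-M365DSCPermissionDrift |
#     Where-Object { $_.Unexpected.Count -gt 0 }
```

For the text sample the function reports Exchange.ManageAsApp as Missing and nothing Unexpected, which is the drift the issue's log shows. The XML sample additionally reports Directory.ReadWrite.All as Unexpected: an app-only permission that is present on the registration but absent from the declared configuration is the case worth alerting on, because it means the app has acquired a privilege outside the change process DSC is supposed to enforce.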