Permission issue exporting O365OrgSetting #4097

Closed
YenNantes opened this issue Dec 27, 2023 · 2 comments · Fixed by #4101


Description of the issue

I have an issue exporting O365OrgSetting. It seems that it is a permission issue related to M365Insights. I have tried it with multiple tenants and with an account having global administrator permission but always get the same error.

I'm using PS 5.1.

Microsoft 365 DSC Version

V1.23.1213.1

Which workloads are affected

Office 365 Admin

The DSC configuration

Export-M365DSCConfiguration -Components @("O365OrgSettings") -path "c:\M365DSC\M365\"

Verbose logs showing the problem

[2023/12/27 05:32:48]
{ProtocolError}
Microsoft.Exchange.Management.RestApiClient.RestClientException: Access to the requested resource is forbidden.
   at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.HandleErrorResponse(HttpResponseMessage response, String settingsName)
   at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.MakeAndSendGetRequest[T](String settingsName, Uri uri)
   at Microsoft.Exchange.Management.RestApiClient.Briefing.GetDefaultTenantBriefingConfig.InternalProcessRecord()
   at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.<ProcessRecord>b__34_0()
   at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.ExecuteWithExceptionHandling(Action action, Exception& exception)
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1213.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 237
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1213.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1052
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1213.1\modules\M365DSCReverse.psm1: line 639
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1213.1\modules\M365DSCUtil.psm1: line 1312
at <ScriptBlock>, <No file>: line 1
TenantId: erfitcs02.onmicrosoft.com

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22000.1.amd64fre.co_release.210604-1628
OsLanguage           : en-US
OsMuiLanguages       : {en-US}


Name                           Value
----                           -----
PSVersion                      5.1.22000.2600
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22000.2600
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

YenNantes commented Dec 28, 2023

It seems that it is coming from the following cmdlet: Get-DefaultTenantBriefingConfig
I've tried executing it manually connected to the exchangeonlinemanagement module with a global administrator account and I get the same error:
Get-DefaultTenantBriefingConfig: Access to the requested resource is forbidden.

I've tried with multiple tenants including a brand new trial tenant and I always get the same error.
It also seems that there is an issue on the MS side. I got the below error when trying to access the briefing email config from the M365 admin portal.

image

Maybe an issue on the MS side?

The problem is that this issue makes the whole O365OrgSetting DSC resource export fail.


YenNantes commented Dec 29, 2023

I opened a ticket with MS support regarding the issue mentioned above. MS support explained to me that the product group has decided to put this feature on "Pause" until it is improved.
Source: https://learn.microsoft.com/en-us/viva/insights/personal/reference/briefing-pause

It would probably be interesting to remove this cmdlet from the resource until they re-enable this feature.

Nevertheless, while continuing to investigate, I found that this cmdlet as well as Get-DefaultTenantMyAnalyticsFeatureConfig (which is working) from the same resource will cause us an issue anyway. Both cmdlets require one of the following roles:
- Global Administrator
- Exchange Administrator
- Insights Administrator

Source: https://learn.microsoft.com/en-us/powershell/module/exchange/get-defaulttenantmyanalyticsfeatureconfig?view=exchange-ps
I have tried with global reader but it's not enough :(

The problem is that we are planning to use M365DSC only to audit tenants. We will not be allowed by the security team to get such permissions. I'm quite sure that we are not the only ones with such a constraint.
Would it be possible to isolate those two cmdlets on a dedicated resource or at least build the resource in a way that the other settings will be exported if those cmdlets return this permissions error?
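
The fallback requested in the comment above, sketched as an added example (not code from the Microsoft365DSC project): a read-only audit account skips a setting whose cmdlet returns the forbidden error and still exports the rest. The helper name `Invoke-OptionalSettingRead` and the sample readers are hypothetical; the matched message is the one shown in the verbose log on this page.

```powershell
# Added example. Helper name and sample data are hypothetical, not part of Microsoft365DSC.
function Invoke-OptionalSettingRead {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [scriptblock] $Reader
    )
    try {
        # The reader must raise a terminating error (use -ErrorAction Stop on real cmdlets).
        $value = & $Reader
        return [pscustomobject]@{ Name = $Name; Status = 'Read'; Value = $value }
    }
    catch {
        # Tolerate only the permission failure; re-throw everything else so that
        # throttling, network or parsing faults are not silently hidden.
        if ($_.Exception.Message -match 'Access to the requested resource is forbidden') {
            Write-Warning "Skipping '$Name': the account lacks a role required by this cmdlet."
            return [pscustomobject]@{ Name = $Name; Status = 'SkippedForbidden'; Value = $null }
        }
        throw
    }
}

# Constructed stand-ins so the block runs offline. Against a tenant the readers would be
# { Get-DefaultTenantBriefingConfig -ErrorAction Stop } and
# { Get-DefaultTenantMyAnalyticsFeatureConfig -ErrorAction Stop }.
$readers = [ordered]@{
    'DefaultTenantBriefingConfig'           = { throw 'Access to the requested resource is forbidden.' }
    'DefaultTenantMyAnalyticsFeatureConfig' = { [pscustomobject]@{ Sample = 'constructed value' } }
}

$results = foreach ($entry in $readers.GetEnumerator()) {
    Invoke-OptionalSettingRead -Name $entry.Key -Reader $entry.Value
}

# Report what was and was not covered, so a skipped setting is never mistaken for a clean one.
$results | Format-Table Name, Status -AutoSize
$skipped = @($results | Where-Object { $_.Status -eq 'SkippedForbidden' })
if ($skipped.Count -gt 0) {
    Write-Warning ("{0} setting(s) were not audited: {1}" -f $skipped.Count, ($skipped.Name -join ', '))
}
```

Recording the skipped settings explicitly keeps the audit honest about its coverage while the account stays on a read-only role.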
