Unable to Export-M365DSCConfiguration using the -AccessTokens parameter. #4788

Open
MarcoJanse opened this issue Jun 25, 2024 · 5 comments

@MarcoJanse

MarcoJanse commented Jun 25, 2024

I'm struggling with understanding how the -AccessTokens parameter in Export-M365DSCConfiguration is designed to work.
The help page for the cmdlet does not show much information or an example for this parameter, only that it should be a string array.

What I assumed it would do is to use a token from an existing session and reuse this for Microsoft Graph.
Normally, I can do this to use a token from my Azure PowerShell session to connect to Microsoft Graph:

$accessToken = Get-AzAccessToken -ResourceType MSGraph -AsSecureString
Connect-MgGraph -AccessToken $accessToken.Token

I wanted to use this technique to use a managed identity in my Azure DevOps pipeline to run the Export-M365DscConfiguration using a Microsoft hosted agent. I've successfully tested the above PowerShell snippet in a DevOps pipeline to query something in Ms Graph using that managed identity.

However, if I try the same with the Export-M365DSCConfiguration:

$accessToken = (Get-AzAccessToken -ResourceType MSGraph).Token
$accessTokenArray = @($accessToken)
Export-M365DSCConfiguration -Workloads INTUNE -Mode Default -TenantId '<TenantId>' -AccessTokens $accessTokenArray

When looking at the pipeline log, I see this for each Intune component that it tries to extract:

2024-06-25T12:54:12.5781798Z ❌
2024-06-25T12:54:13.0478021Z [2/76] Extracting [IntuneAccountProtectionLocalUserGroupMembershipPolicy] using {AccessTokens}...VERBOSE: Attempting connection to {MicrosoftGraph} with:
2024-06-25T12:54:13.9896975Z VERBOSE: 
2024-06-25T12:54:13.9897138Z 
2024-06-25T12:54:13.9897323Z Name                           Value                                                                                   
2024-06-25T12:54:13.9897825Z 
2024-06-25T12:54:13.9897871Z 
2024-06-25T12:54:13.9898397Z ----                           -----                                                                                   
2024-06-25T12:54:13.9898489Z 
2024-06-25T12:54:13.9898533Z 
2024-06-25T12:54:13.9898679Z TenantId                       <tenantName>.onmicrosoft.com                                                                  
2024-06-25T12:54:13.9898810Z 
2024-06-25T12:54:13.9898853Z 
2024-06-25T12:54:13.9898982Z AccessTokens                   
2024-06-25T12:54:13.9899176Z {eyJ0eXAiOiJKV1QiLCJub25jZSI6InNKMFdfa1RmY3ZabVEwYWYyUXltd0ZkRDZwNUxFNUhRcVdPSkFlWVRj...
2024-06-25T12:54:13.9899298Z 
2024-06-25T12:54:13.9899360Z 
2024-06-25T12:54:13.9899402Z 
2024-06-25T12:54:13.9899445Z 
2024-06-25T12:54:13.9899590Z VERBOSE: Connecting via Access Tokens
2024-06-25T12:54:13.9899768Z VERBOSE: Dependencies were already successfully validated.
2024-06-25T12:54:13.9900038Z ❌
2024-06-25T12:54:13.9900253Z [3/76] Extracting [IntuneAccountProtectionPolicy] using {AccessTokens}...VERBOSE: Attempting connection to {MicrosoftGraph} with:
2024-06-25T12:54:13.9900482Z VERBOSE: 
2024-06-25T12:54:13.9900534Z 
2024-06-25T12:54:13.9900676Z Name                           Value                                                                                   
2024-06-25T12:54:13.9900742Z 
2024-06-25T12:54:13.9900784Z 
2024-06-25T12:54:13.9901057Z ----                           -----                                                                                   
2024-06-25T12:54:13.9901123Z 
2024-06-25T12:54:13.9901169Z 
2024-06-25T12:54:13.9901332Z TenantId                       <tenantName>.onmicrosoft.com                                                                  
2024-06-25T12:54:13.9901413Z 
2024-06-25T12:54:13.9901473Z 
2024-06-25T12:54:13.9901581Z AccessTokens                   
2024-06-25T12:54:13.9901791Z {eyJ0eXAiOiJKV1QiLCJub25jZSI6InNKMFdfa1RmY3ZabVEwYWYyUXltd0ZkRDZwNUxFNUhRcVdPSkFlWVRj...

I would really appreciate it if someone could clarify the proper use of the AccessTokens parameter.

@mlhickey
Contributor

Have to ask: does the -ManagedIdentity switch not work in this scenario?

@MarcoJanse
Author

Thank you for the suggestion @mlhickey.

As far as I know, the -ManagedIdentity switch can be used on a self-hosted runner if the managed identity is assigned to the VM. This is a Microsoft hosted runner, where I have configured the service connection to use Workload Identity federation to use a managed identity for authentication.

I have tested this technique in two different pipelines. Both use an AzurePowerShell@5 task to connect to Azure, in which I refer to my ServiceConnection as input. The managed identity has read permissions on my Azure subscription and can connect successfully to Azure.

In my first pipeline, I try Connect-MgGraph with the -Identity parameter and this gives the following error:

##[error]Failed to connect to Microsoft Graph: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.

If I use the Connect-MgGraph with both the -Identity and -ClientId parameter with the Client ID of the managed identity, I get exactly the same error.

However in my second pipeline I use the -AccessToken technique for authentication and that works:

$accessToken = Get-AzAccessToken -ResourceType MSGraph -AsSecureString
Connect-MgGraph -AccessToken $accessToken.Token

After that, I can successfully query resources using graph cmdlets.

But trying to use the same technique with the -AccessTokens parameter for the Export-M365DSCConfiguration is failing with the above errors.

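As an added example (not code from the issue author, from Microsoft365DSC or from MSCloudLoginAssistant), here is the token hand-off described in the two comments above with a pre-flight check on the token before it reaches -AccessTokens: the Graph token is taken from the current Az session, its audience and expiry are inspected, and only then is it wrapped in the string array the parameter expects. It assumes Az.Accounts and Microsoft365DSC are installed, an AzurePowerShell task has already signed in, and '<TenantId>' is a placeholder. The JWT decoding helper is a constructed diagnostic only; it does not verify the signature.

```powershell
# Added example (not from the issue or the Microsoft365DSC project): obtain a Graph
# token from the current Az session, sanity-check its claims, then pass it to
# Export-M365DSCConfiguration the way the -AccessTokens string[] parameter expects.
# Assumptions: Az.Accounts and Microsoft365DSC are loaded, the pipeline's
# AzurePowerShell task has already signed in, and the tenant id is a placeholder.

function ConvertFrom-JwtPayload {
    # Decode the (unverified) payload segment of a JWT so aud/exp/tid can be inspected.
    # Diagnostics only: this does not validate the signature.
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Value does not look like a JWT (expected dot-separated segments).' }

    # Base64url -> Base64, then restore the padding that JWTs strip.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Test-GraphAccessToken {
    # Return $true only if the token was issued for Microsoft Graph and is not about to expire.
    param([Parameter(Mandatory)][string]$Token)

    $claims = ConvertFrom-JwtPayload -Token $Token
    $expiresAt = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    # Graph tokens carry either the resource URI or the Graph app id as audience.
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')

    if ($claims.aud -notin $graphAudiences) {
        Write-Warning "Token audience is '$($claims.aud)', not Microsoft Graph."
        return $false
    }
    if ($expiresAt -le [DateTimeOffset]::UtcNow.AddMinutes(5)) {
        Write-Warning "Token expires at $expiresAt; too close to expiry for a long export."
        return $false
    }
    return $true
}

# -- main flow ----------------------------------------------------------------
$tenantId = '<TenantId>'   # placeholder, as in the issue

$graphToken = (Get-AzAccessToken -ResourceType MSGraph).Token
if ($graphToken -is [System.Security.SecureString]) {
    # Newer Az.Accounts releases return a SecureString; -AccessTokens wants plain strings.
    $graphToken = ConvertFrom-SecureString -SecureString $graphToken -AsPlainText
}

if (-not (Test-GraphAccessToken -Token $graphToken)) {
    throw 'Refusing to start the export with an unsuitable Graph token.'
}

# The parameter is a string array, so wrap even a single token.
Export-M365DSCConfiguration -Workloads INTUNE -Mode Default `
    -TenantId $tenantId -AccessTokens @($graphToken)
```

The audience check is the part worth keeping in a pipeline: a token minted for Azure Resource Manager instead of Graph produces the same generic connection failure as a mis-wired parameter, and decoding the claims tells the two cases apart before the 76-component export starts.
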
@MarcoJanse
Author

I would really appreciate it if someone could clarify how the -AccessTokens parameter should work and why it's plural. It's the only parameter without a description in the help.

@mlhickey
Contributor

mlhickey commented Jul 5, 2024

Perhaps a bug in MicrosoftGraph.psm1? AuthenticationType is set to 'AccessTokens' in ConnectionProfile

elseif ($this.AccessTokens -and -not [System.String]::IsNullOrEmpty($this.TenantId)) { $this.AuthenticationType = 'AccessTokens' }
but is tested for 'AccessToken' in MicrosoftGraph:

elseif($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.AuthenticationType -eq 'AccessToken')

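To illustrate the failure mode mlhickey points at, here is a constructed example (not the MSCloudLoginAssistant code, and the function and enum names are invented for the illustration): a loosely typed dispatch chain that stores 'AccessTokens' but tests for 'AccessToken' falls through and returns nothing, which the caller can only report as a generic connection failure; constraining the value to an enum makes a mismatch on either side an error at the point where it happens.

```powershell
# Added illustration (constructed; not the MSCloudLoginAssistant source): why a
# string-literal mismatch between the writer and the reader of AuthenticationType
# fails silently, and how constraining the value makes the mismatch loud.

function Resolve-ConnectionMethodLoose {
    # Mirrors the shape of the reported bug: the profile stores 'AccessTokens'
    # but the dispatch chain tests for 'AccessToken', so no branch matches.
    param([hashtable]$ConnectionProfile)

    if ($ConnectionProfile.AuthenticationType -eq 'Credentials')         { return 'Connect with credentials' }
    elseif ($ConnectionProfile.AuthenticationType -eq 'ManagedIdentity') { return 'Connect with managed identity' }
    elseif ($ConnectionProfile.AuthenticationType -eq 'AccessToken')     { return 'Connect with access token' }
    # Falls through: returns $null, and the caller sees only a generic connection failure.
}

# Hypothetical enum for the illustration; both producer and consumer must use it.
enum GraphAuthenticationType { Credentials; ManagedIdentity; AccessTokens }

function Resolve-ConnectionMethodStrict {
    # Same dispatch, but the value is typed: a misspelled value is rejected by the
    # parameter binder, and an unhandled member throws instead of returning $null.
    param([Parameter(Mandatory)][GraphAuthenticationType]$AuthenticationType)

    switch ($AuthenticationType) {
        ([GraphAuthenticationType]::Credentials)     { return 'Connect with credentials' }
        ([GraphAuthenticationType]::ManagedIdentity) { return 'Connect with managed identity' }
        ([GraphAuthenticationType]::AccessTokens)    { return 'Connect with access tokens' }
        default { throw "Unhandled authentication type: $AuthenticationType" }
    }
}

# Constructed profile matching what ConnectionProfile.psm1 is described as writing.
$connectionProfile = @{ TenantId = 'contoso.onmicrosoft.com'; AuthenticationType = 'AccessTokens' }

$loose = Resolve-ConnectionMethodLoose -ConnectionProfile $connectionProfile
if ($null -eq $loose) { Write-Warning 'Loose dispatch matched no branch for AccessTokens.' }

$strict = Resolve-ConnectionMethodStrict -AuthenticationType $connectionProfile.AuthenticationType
Write-Output "Strict dispatch: $strict"

# The singular spelling from the bug report is no longer a silent no-op:
try {
    Resolve-ConnectionMethodStrict -AuthenticationType 'AccessToken'
} catch {
    Write-Warning "Rejected at the parameter binder: $($_.Exception.Message)"
}
```

The practical point for anyone maintaining a dispatch like this is the `default { throw ... }` branch: even without the enum, an `else` that throws on an unrecognised authentication type would have surfaced the typo as a clear error instead of the empty verbose output shown in the issue.
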
@FabienTschanz
Contributor

FabienTschanz commented Jul 13, 2024

@NikCharlebois
As @mlhickey mentioned, there is an invalid check for the authentication type in MicrosoftGraph.psm1#L154. Actually, this value is AccessTokens, as specified in ConnectionProfile.psm1#L209.

I opened microsoft/MSCloudLoginAssistant#177 to address the issue.
