
Problem exporting OrgSettings and PPTenantIsolationSettings #4783

Open
KarinaxRivera opened this issue Jun 21, 2024 · 11 comments

Comments

@KarinaxRivera

KarinaxRivera commented Jun 21, 2024

I have been getting the below error messages when exporting PPTenantIsolationSettings and OrgSettings. For PowerPlatform, I have already completed adding the application as a service principal in PowerPlatform. For both workloads, I am authenticating using a certificate.

Microsoft 365 DSC Version

1.24.619.1

Which workloads are affected

Office 365 Admin, Power Platform

The DSC configuration

No response

Verbose logs showing the problem

o365 workload:
{ProtocolError}
Microsoft.Exchange.Management.RestApiClient.RestClientException: The following authorization requirements are not satisfied: ((TokenTypeAuthorizationRequirement(UserActAs, AppOnly)&ScopeAuthorizationRequirement(OrganizationSettings.Read, OrganizationSettings.ReadWrite, OrganizationSettings.Read, OrganizationSettings.ReadWrite))|WidsAuthorizationRequirement(62e90394-69f5-4237-9190-012177145e10,29232cdf-9323-42fd-ade2-1d097af3e4de,69091246-20e8-4a56-aa4d-066075b2a7a8,eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c)).
   at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.HandleErrorResponse(HttpResponseMessage response, String settingsName)
   at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.MakeAndSendGetRequest[T](String settingsName, Uri uri)
   at Microsoft.Exchange.Management.RestApiClient.Analytics.GetDefaultTenantMyAnalyticsFeatureConfig.InternalProcessRecord()
   at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.<ProcessRecord>b__34_0()
   at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.ExecuteWithExceptionHandling(Action action, Exception& exception)
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 294
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1079
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\Modules\M365DSCUtil.psm1: line 1356
at <ScriptBlock>, <No file>: line 51

powerapps workload:
{OperationStopped}
System.Management.Automation.RuntimeException: Invalid permission for the application. If you are using a custom app registration to authenticate, make sure it is defined as a Power Platform admin management application. For additional information refer to https://learn.microsoft.com/en-us/power-platform/admin/powershell-create-service-principal#registering-an-admin-management-application
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\DSCResources\MSFT_PPTenantIsolationSettings\MSFT_PPTenantIsolationSettings.psm1: line 90
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\DSCResources\MSFT_PPTenantIsolationSettings\MSFT_PPTenantIsolationSettings.psm1: line 672
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\Modules\M365DSCUtil.psm1: line 1356
at <ScriptBlock>, <No file>: line 1

Environment Information + PowerShell Version

No response

@andikrueger
Collaborator

Could you please share a screenshot of the assigned API permissions for your application and the assigned roles? Thanks.

@KarinaxRivera
Author

Could you please share a screenshot of the assigned API permissions for your application and the assigned roles? Thanks.

[three screenshots of the app registration's API permissions and role assignments, not reproduced here]

The app registration only has the Global Reader role and is a Power Platform admin management application.

@andikrueger
Collaborator

Please check if you did assign:

OrganizationSettings.Read or if you need write access as well:

OrganizationSettings.ReadWrite

I did not see this API permission within the screenshot.

@KarinaxRivera
Author

I do not see that permission listed in my Azure portal. I also checked which permissions the application would need using Get-M365DSCCompiledPermissionList and that API permission doesn't appear.

[screenshot of the Get-M365DSCCompiledPermissionList output, not reproduced here]

Could this be a problem with how my app registration was created?

@KarinaxRivera
Author

Please check if you did assign:

OrganizationSettings.Read or if you need write access as well:

OrganizationSettings.ReadWrite

I did not see this API permission within the screenshot.

Is this a permission that I need to assign via PowerShell and not GUI?

@andikrueger
Collaborator

You could add the permission by using Graph PowerShell or the Entra ID admin center.

Using Graph PowerShell, you need to add the Scopes parameter to Connect-MgGraph with one of the scopes above.

Within Entra ID, you could update your app registration in the API permissions section.

@ricmestre
Contributor

ricmestre commented Jun 25, 2024

@andikrueger PP workload app doesn't require any API permissions, it just needs to be added to Power Apps as a mgmt app by an admin.

"Service principal applications are treated within Power Platform similar to how normal users are with the Power Platform Administrator role assigned. Granular roles and permissions can't be assigned to limit their capabilities. The application doesn't get any special role assigned in Microsoft Entra ID, as this is how platform services treat requests made by service principals."

https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#power-apps-permissions

https://learn.microsoft.com/en-us/power-platform/admin/powershell-create-service-principal#registering-an-admin-management-application

@andikrueger
Collaborator

That is absolutely correct.

I was referring to the Exchange error message.

@ricmestre
Contributor

Oh right, I didn't even see that resource there. The O365 workload, and especially O365OrgSettings, is really a pain in the neck...

The log shows that it's failing on line 294, which corresponds to the call to Get-DefaultTenantMyAnalyticsFeatureConfig. This requires either the Global admin, EXO admin or Insights admin Entra role, as per https://learn.microsoft.com/en-us/powershell/module/exchange/get-defaulttenantmyanalyticsfeatureconfig?view=exchange-ps

In my case I've assigned Insights administrator since it's the most restrictive, please bear in mind that assigning any one of these Entra roles is required even if only reading is required.
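The comment above points at the real cause: the WidsAuthorizationRequirement in the O365OrgSettings error lists the Entra role template IDs the cmdlet accepts, and the fix is a directory role on the service principal, not an API permission. The script below is an added example, not code from this issue or from the Microsoft365DSC project. It resolves the four GUIDs quoted in the error message to role names, then assigns the least-privileged of them (Insights Administrator, as chosen above) to the app's service principal with Microsoft Graph PowerShell, skipping the assignment if it already exists. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Applications modules are installed, that built-in role definitions in Graph carry the same ID as their template (which is why the GUIDs resolve), and that the admin running it is signed in interactively with a role that may assign directory roles. The `$AppId` parameter is a placeholder for your own app registration's client ID; the `-Filter` strings and the `$RoleName` default are my choices.

```powershell
# Added example (not from the issue or the Microsoft365DSC project).
# $AppId is a placeholder for your own app registration's application (client) ID.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [string] $RoleName = 'Insights Administrator'   # least-privileged role accepted by the cmdlet
)

# Interactive admin session; separate from the certificate auth the DSC export itself uses.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All' -NoWelcome

# Role template IDs copied from the WidsAuthorizationRequirement in the error message.
# Assumption: built-in role definitions use the template ID as their definition ID.
$widsFromError = @(
    '62e90394-69f5-4237-9190-012177145e10',
    '29232cdf-9323-42fd-ade2-1d097af3e4de',
    '69091246-20e8-4a56-aa4d-066075b2a7a8',
    'eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c'
)
Write-Host 'Roles accepted by the cmdlet, per the error message:'
foreach ($id in $widsFromError) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $id
    Write-Host ("  {0}  {1}" -f $id, $def.DisplayName)
}

# Resolve the app registration's service principal (the object roles are assigned to).
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Resolve the chosen role by display name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found" }

# Idempotency check so a re-run does not create a duplicate assignment.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($existing) {
    Write-Host "$RoleName is already assigned to $($sp.DisplayName)"
}
else {
    # DirectoryScopeId '/' is a tenant-wide assignment, which is what the cmdlet checks for.
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $role.Id -PrincipalId $sp.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned $RoleName (tenant-wide) to $($sp.DisplayName)"
}
```

Run it as `.\Assign-OrgSettingsRole.ps1 -AppId <your-client-id>` after the role decoding confirms which of the four roles you are willing to grant; the assignment takes effect on the next token the app acquires, so rerun the export with a fresh session. Pick the role that covers only what the export needs: Insights Administrator satisfies Get-DefaultTenantMyAnalyticsFeatureConfig, whereas Exchange Administrator or Global Administrator gives the service principal far broader rights than a read-only export requires.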

@KarinaxRivera
Author

After adding the Exchange Admin role, the error was fixed but it generated new Teams errors. Are there any specific roles/permissions needed to export the component TeamsM365App? The error I got is below:

{NotSpecified}
Microsoft.Teams.PowerShell.TeamsCmdlets.ErrorHandling.ApiException
at Microsoft.Teams.PowerShell.TeamsCmdlets.Utils.HttpUtilities.Get[T](HttpClient httpClient, Uri requestUri, Dictionary`2 headers)
at Microsoft.Teams.PowerShell.TeamsCmdlets.GetUnifiedApps.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
"Error during Export:"
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\DSCResources\MSFT_TeamsM365App\MSFT_TeamsM365App.psm1: line 438
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.619.1\Modules\M365DSCUtil.psm1: line 1377
at <ScriptBlock>, <No file>: line 1

@ricmestre
Contributor
