
AADRoleEligibilityScheduleRequest - MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest_List Error #5445

Open
pangjaa opened this issue Nov 21, 2024 · 0 comments


pangjaa commented Nov 21, 2024

Description of the issue

The updated DSC module throws an error when performing Test-DscConfiguration, while evaluating AADRoleEligibilityScheduleRequest.

Microsoft 365 DSC Version

1.24.1120.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

    # https://microsoft365dsc.com/resources/azure-ad/AADRoleEligibilityScheduleRequest/
    AADRoleEligibilityScheduleRequest 'RoleElevation' {
        DependsOn             = @(
            '[AADRoleSetting]f28a1f50-f6e7-4571-818b-6a12f2af6b6c'
        )
        Principal             = 'sg-group' ### L1|Group that is assigned to eligible assignment
        RoleDefinition        = 'SharePoint Administrator' ### L1|Role that is being targeted for eligible assignment
        PrincipalType         = 'Group' ### L3|Represents the type of principal to assign the request to. Accepted values are: Group and User.
        DirectoryScopeId      = "/"; ### L3|Identifier of the directory object representing the scope of the role eligibility.
        # Id
        # AppScopeId
        Action                = 'AdminAssign' ### L2|Represents the type of operation on the role eligibility request.
        # IsValidationOnly
        Justification         = 'Assigning permanent eligibility for Pentesters for SharePoint Admin' ### L3|A message provided by users and administrators when they create the unifiedRoleEligibilityScheduleRequest object.
        IsValidationOnly      = $false
        ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
            startDateTime = '2023-09-01T02:40:44Z'
            expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
                type = 'noExpiration'
            }
        }
        # TicketInfo
        Ensure                = 'Absent'
        ApplicationId         = $ApplicationId
        TenantId              = $TenantId
        CertificateThumbprint = $Thumbprint
    }

    AADRoleSetting 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' {
        Id                                                        = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c'
        Displayname                                               = 'SharePoint Administrator'
        # Activation
        ActivationMaxDuration                                     = 'PT6H' ### L1|Activation maximum duration.
        ActivationReqMFA                                          = $true ### L1|Require MFA on activation.
        ActivationReqJustification                                = $true ### L1|Require justification on activation.
        ActivationReqTicket                                       = $true ### L2|Require ticket information on activation.
        ApprovaltoActivate                                        = $false ### L2|Require approval to activate.
        ActivateApprover                                          = @()
        # Assignment
        PermanentEligibleAssignmentisExpirationRequired           = $false ### L1|permanent eligible assignment enablement.
        ExpireEligibleAssignment                                  = 'P365D' ### L2|Expire eligible assignments after.
        PermanentActiveAssignmentisExpirationRequired             = $true ### L1|permanent active assignment enablement.
        ExpireActiveAssignment                                    = 'P1D' ### L1|Expire active assignments after.
        AssignmentReqMFA                                          = $true ### L1|Require Azure Multi-Factor Authentication on active assignment.
        AssignmentReqJustification                                = $true ### L1|Require justification on active assignment.
        ElegibilityAssignmentReqMFA                               = $false ### L1|Do not require MFA on eligible assignment. This blocks pipeline from being able to perform eligible assignments.
        ElegibilityAssignmentReqJustification                     = $true ### L1|Require justification on eligible assignment.
        # Send notifications when members are assigned as eligible to this role:
        EligibleAlertNotificationDefaultRecipient                 = $false ### L1|Send notifications when members are assigned as eligible to this role: Role assignment alert, default recipient.
        EligibleAlertNotificationAdditionalRecipient              = @()
        EligibleAlertNotificationOnlyCritical                     = $false ### L2|Send notifications when members are assigned as eligible to this role: Role assignment alert, only critical Email.
        EligibleAssigneeNotificationDefaultRecipient              = $true ### L2|Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee), default recipient.
        EligibleAssigneeNotificationAdditionalRecipient           = @()
        EligibleAssigneeNotificationOnlyCritical                  = $true ### L2|Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee), only critical Email.
        EligibleApproveNotificationDefaultRecipient               = $false ### L2|Send notifications when members are assigned as eligible to this role: Request to approve a role assignment renewal/extension, default recipient.
        EligibleApproveNotificationAdditionalRecipient            = @()
        EligibleApproveNotificationOnlyCritical                   = $false ### L2|Send notifications when members are assigned as eligible to this role: Request to approve a role assignment renewal/extension, only critical Email.
        # Send notifications when members are assigned as active to this role:
        ActiveAlertNotificationDefaultRecipient                   = $false ### L1|Send notifications when members are assigned as active to this role: Role assignment alert, default recipient.
        ActiveAlertNotificationAdditionalRecipient                = @()
        ActiveAlertNotificationOnlyCritical                       = $false ### L2|Send notifications when members are assigned as active to this role: Role assignment alert, only critical.
        ActiveAssigneeNotificationDefaultRecipient                = $true ### L2|Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee), default recipient.
        ActiveAssigneeNotificationAdditionalRecipient             = @()
        ActiveAssigneeNotificationOnlyCritical                    = $true ### L2|Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee), only critical Email.
        ActiveApproveNotificationDefaultRecipient                 = $false ### L2|Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension, default recipient.
        ActiveApproveNotificationAdditionalRecipient              = @()
        ActiveApproveNotificationOnlyCritical                     = $false ### L2|Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension, only critical Email.
        # Send notifications when eligible members activate this role:
        EligibleAssignmentAlertNotificationDefaultRecipient       = $false ### L2|Send notifications when eligible members activate this role: Role assignment alert, default recipient.
        EligibleAssignmentAlertNotificationAdditionalRecipient    = @()
        EligibleAssignmentAlertNotificationOnlyCritical           = $false ### L2|Send notifications when eligible members activate this role: Role assignment alert, only critical Email.
        EligibleAssignmentAssigneeNotificationDefaultRecipient    = $true ### L2|Send notifications when eligible members activate this role: Notification to activated user (requestor), default recipient.
        EligibleAssignmentAssigneeNotificationAdditionalRecipient = @()
        EligibleAssignmentAssigneeNotificationOnlyCritical        = $true ### L2|Send notifications when eligible members activate this role: Notification to activated user (requestor), only critical Email.
        ApplicationId                                             = $ApplicationId
        TenantId                                                  = $TenantId
        CertificateThumbprint                                     = $Thumbprint
    }

Verbose logs showing the problem

[[AADRoleEligibilityScheduleRequest]RoleElevation::[AzureAD]AzureAD_Configuration] Retrieving the request by 
PrincipalId {}, RoleDefinitionId {f28a1f50-f6e7-4571-818b-6a12f2af6b6c} and DirectoryScopeId {/}
[13:51:24 ERR] Error while evaluating configuration: [FormatException] : Unrecognized Guid format.
ERROR: [FormatException] : Unrecognized Guid format.
At C:\AzurePipeline-Agent\_work\1\s\BuildScripts\Get-TenantDriftStatus.ps1:82 char:9
+         $result = Test-DscConfiguration -Path $mofPath -Verbose -Erro ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At C:\AzurePipeline-Agent\_work\1\s\M365Config.build.ps1:342 char:1
+ Add-BuildTask Get {
+ ~~~~~~~~~~~~~~~~~~~
Build FAILED. 1 tasks, 1 errors, 0 warnings 00:04:21.0871784
##[error][FormatException] : Unrecognized Guid format.
At C:\AzurePipeline-Agent\_work\1\s\BuildScripts\Get-TenantDriftStatus.ps1:82 char:9
+         $result = Test-DscConfiguration -Path $mofPath -Verbose -Erro ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ Top = , Skip ... , Headers =  }:) [], CimException
    + FullyQualifiedErrorId : FormatException,Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaRoleManagementDirectory 
   RoleEligibilityScheduleRequest_List
    + PSComputerName        : localhost




{
        "EventName": "EventID(4118)",
        "ProviderName": "Microsoft-Windows-DSC",
        "FormattedMessage": "Job {16E921AC-A80F-11EF-BAD7-02736DD045B9} : 
Displaying debug messages from Powershell DSC resource:
\t ResourceID : [AADRoleEligibilityScheduleRequest]RoleElevation::[AzureAD]AzureAD_Configuration 
\t Message : []:                            [[AADRoleEligibilityScheduleRequest]RoleElevation::[AzureAD]AzureAD_Configuration] ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests?$filter=PrincipalId eq '' and RoleDefinitionId eq 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' and DirectoryScopeId eq '/'

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.20348; en-US),PowerShell/5.1.20348.2849
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.24.0
client-request-id             : e4a7d247-2068-4b22-84e8-d5fa7cbaf481

Body:


 ",
        "ProcessID": 3736,
        "ExecutingThreadID": 2524,
        "MachineName": ".",
        "Payload": {
            "JobId": "{16E921AC-A80F-11EF-BAD7-02736DD045B9}",
            "ResourceId": "[AADRoleEligibilityScheduleRequest]RoleElevation::[AzureAD]AzureAD_Configuration",
            "MessageBody": "[]:                            [[AADRoleEligibilityScheduleRequest]RoleElevation::[AzureAD]AzureAD_Configuration] ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests?$filter=PrincipalId eq '' and RoleDefinitionId eq 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' and DirectoryScopeId eq '/'

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.20348; en-US),PowerShell/5.1.20348.2849
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.24.0
client-request-id             : e4a7d247-2068-4b22-84e8-d5fa7cbaf481

Body:


"
        }
    }


    {
        "EventName": "EventID(4103)",
        "ProviderName": "Microsoft-Windows-DSC",
        "FormattedMessage": "Job {16E921AC-A80F-11EF-BAD7-02736DD045B9} : \r\nThis event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_AADRoleEligibilityScheduleRequest DSC resource. FullyQualifiedErrorId is FormatException,Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest_List. Error Message is [FormatException] : Unrecognized Guid format.. ",
        "ProcessID": 3736,
        "ExecutingThreadID": 2524,
        "MachineName": ".",
        "Payload": {
            "JobId": "{16E921AC-A80F-11EF-BAD7-02736DD045B9}",
            "ComponentName": "DSCEngine",
            "OperationCmd": "Test-TargetResource",
            "ProviderName": "MSFT_AADRoleEligibilityScheduleRequest",
            "FullyQualifiedErrorId": "FormatException,Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest_List",
            "ErrorMessage": "[FormatException] : Unrecognized Guid format."
        }
    }

[]:                            [[AADRoleEligibilityScheduleRequest]RoleElevation::[AzureAD]AzureAD_Configuration] ============================ HTTP RESPONSE ============================
Status Code:
BadRequest
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 02d782b0-1b85-4e2d-abef-15e24528b4e6
client-request-id             : e4a7d247-2068-4b22-84e8-d5fa7cbaf481
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"MWH0EPF000A30E0"}}
Date                          : Thu, 21 Nov 2024 13:51:23 GMT
Body:
{
  "error": {
    "code": "FormatException",
    "message": "Unrecognized Guid format.",
    "innerError": {
      "date": "2024-11-21T13:51:24",
      "request-id": "02d782b0-1b85-4e2d-abef-15e24528b4e6",
      "client-request-id": "e4a7d247-2068-4b22-84e8-d5fa7cbaf481"
    }
  }
}



    {
        "EventName": "EventID(4252)",
        "ProviderName": "Microsoft-Windows-DSC",
        "FormattedMessage": "Job {16E921AC-A80F-11EF-BAD7-02736DD045B9} : 
MIResult: 1
Error Message: [FormatException] : Unrecognized Guid format.
Message ID: FormatException,Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest_List
Error Category: 7
Error Code: 7
Error Type: MI ",
        "ProcessID": 3736,
        "ExecutingThreadID": 2524,
        "MachineName": ".",
        "Payload": {
            "JobId": "{16E921AC-A80F-11EF-BAD7-02736DD045B9}",
            "MIResult": 1,
            "ErrorMessage": "[FormatException] : Unrecognized Guid format.",
            "MessageID": "FormatException,Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest_List",
            "ErrorCategory": 7,
            "ErrorCode": 7,
            "ErrorType": "MI"
        }
    }

Environment Information + PowerShell Version

Name                           Value
----                           -----
PSVersion                      5.1.20348.2849
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2849
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
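The verbose log above shows the real cause: the Graph filter is built with `PrincipalId eq ''`, meaning the `Principal` display name `sg-group` was never resolved to an object ID, while `RoleDefinitionId` resolved correctly. Graph then rejects the request with a 400 `FormatException: Unrecognized Guid format`, which surfaces as an opaque pipeline failure. The following is an added example (not code from the issue or from Microsoft365DSC) of a guard that validates both IDs as GUIDs before the `$filter` string is built, so an unresolved principal fails locally with a message that names the bad field. The function names are hypothetical; the cmdlet named in the comment at the end is the one from the error's `FullyQualifiedErrorId`, and its `-Filter` usage is assumed.

```powershell
# Added example, not Microsoft365DSC code: fail fast on an unresolved principal
# before the Graph $filter is built. Function names are hypothetical.

function ConvertTo-GuidOrThrow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Value,
        [Parameter(Mandatory)] [string] $Name
    )
    $guid = [guid]::Empty
    if ([string]::IsNullOrWhiteSpace($Value) -or -not [guid]::TryParse($Value, [ref] $guid)) {
        # Surface the actual problem locally instead of letting Graph answer 400 FormatException.
        throw "$Name is not a valid GUID (value: '$Value'). The principal or role was probably not resolved."
    }
    return $guid.ToString()
}

function New-RoleEligibilityRequestFilter {
    param(
        [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDefinitionId,
        [string] $DirectoryScopeId = '/'
    )
    $p = ConvertTo-GuidOrThrow -Value $PrincipalId     -Name 'PrincipalId'
    $r = ConvertTo-GuidOrThrow -Value $RoleDefinitionId -Name 'RoleDefinitionId'
    # Same OData filter shape as the request shown in the verbose log.
    return "PrincipalId eq '$p' and RoleDefinitionId eq '$r' and DirectoryScopeId eq '$DirectoryScopeId'"
}

# Constructed inputs matching the issue: the role id from the log, the empty principal id
# the log shows after 'sg-group' failed to resolve, and a made-up valid one for comparison.
$roleId = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c'

try {
    New-RoleEligibilityRequestFilter -PrincipalId '' -RoleDefinitionId $roleId
}
catch {
    # Expected path for the issue's input: the empty PrincipalId is reported by name.
    Write-Warning "Refused to query Graph: $($_.Exception.Message)"
}

$okFilter = New-RoleEligibilityRequestFilter `
    -PrincipalId '11111111-2222-4333-8444-555555555555' `
    -RoleDefinitionId $roleId
$okFilter

# Only a validated filter reaches Graph (cmdlet from the FullyQualifiedErrorId; -Filter assumed):
# Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter $okFilter -All
```

The check is deliberately placed in front of the Graph call rather than in an error handler: an empty `PrincipalId` in a PIM eligibility query is never a valid request, and catching it before the HTTP round trip keeps the failure attributable to the group lookup (the `Principal = 'sg-group'` line) instead of to the `_List` cmdlet that merely relayed Graph's rejection.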