
ApplicationSecret handling results in PlainText passwords in the resulting MOF

Open rberghuis opened this issue 2 years ago • 3 comments

Based on the usage of ApplicationSecret, this is currently stored as Plain Text in MOF-files regardless of the use of Set-M365DSCAgentCertificateConfiguration, as DSC doesn't recognize this as a 'Secret' by itself. https://github.com/microsoft/Microsoft365DSC/blob/76c81cd1da27501d57e0e694bfd8f36aaa03047b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1#L1580-L1586

The referencing module also expects a plain-text secret ([system.string]) as shown below, but would implement it as a [System.Management.Automation.PSCredential] retrieving the 'SecureString' and converting that back to plaintext upon connect. As it is then a PSCredential object, the MOF will reference this as such, making it possible to encrypt the secret using a certificate by leveraging the Set-M365DSCAgentCertificateConfiguration.

```powershell
[Parameter()]
[System.String]
$ApplicationSecret,

<# omitted #>

[Parameter()]
[SecureString]
$CertificatePassword,
```

Example code using an Application Secret

```powershell
Configuration AADGroupLifecyclePolicy
{
    Param (
        [Parameter(Mandatory=$false)]
        [ValidateScript({$_ -match 'onmicrosoft.com'})]
        [string]$TenantId,

        [Parameter(Mandatory=$false)]
        [System.Guid]$ApplicationId,

        # No trailing comma after the last parameter, or the Param block fails to parse
        [Parameter(Mandatory=$false)]
        [string]$ApplicationSecret
    )

    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADGroupLifecyclePolicy 'AADGroupLifecyclePolicy'
        {
            # Authentication details
            TenantId                                      = $TenantId
            ApplicationId                                 = $ApplicationId
            ApplicationSecret                             = $ApplicationSecret
            # Settings
            IsSingleInstance                              = "Yes"
            AlternateNotificationEmails                   = @("[email protected]")
            GroupLifetimeInDays                           = 365
            ManagedGroupTypes                             = "All"
        }
    }
}
```

Results in a MOF-file like

```text
/*
@TargetNode='localhost'
@GeneratedBy=M365ConfigAgentSvc
@GenerationDate=01/26/2022 08:30:23
@GenerationHost=M365DSC
*/

instance of MSFT_AADGroupLifecyclePolicy as $MSFT_AADGroupLifecyclePolicy1ref
{
    ResourceID = "[AADGroupLifecyclePolicy]AADGroupLifecyclePolicy";
    TenantId = "contoso.onmicrosoft.com";
    ApplicationSecret = "The_PlainText_Application_Pa$$w0rd_here";
    ApplicationId = "123456789-abcd-1337-dcba-9876543210";
    AlternateNotificationEmails = {
        "[email protected]"
    };
    SourceInfo = "C:\\Agent\\_work\\1\\s\\DSC\\Azure-AD\\Group-Lifecycle-Policy.ps1::42::9::AADGroupLifecyclePolicy";
    ManagedGroupTypes = "All";
    IsSingleInstance = "Yes";
    ModuleName = "Microsoft365DSC";
    ModuleVersion = "1.22.105.1";
    GroupLifetimeInDays = 365;
    ConfigurationName = "AADGroupLifecyclePolicy";
};
instance of OMI_ConfigurationDocument
{
    Version="2.0.0";
    MinimumCompatibleVersion = "1.0.0";
    CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
    Author="M365ConfigAgentSvc";
    GenerationDate="01/26/2022 08:30:23";
    GenerationHost="M365DSC";
    Name="AADGroupLifecyclePolicy";
};
```

Edited to provide syntax highlighting

rberghuis, Jan 26 '22 10:01
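A pipeline check for the problem described in this issue, added here as an example and not code from the issue or the Microsoft365DSC project: it scans a compiled MOF for secret-like properties emitted as bare string literals. The property names, the base64 heuristic for a certificate-encrypted MSFT_Credential password, and the sample MOF are assumptions for illustration.

```powershell
# Added example (not Microsoft365DSC project code). Flags secret-like properties that a
# compiled MOF stores as plaintext string literals. A credential DSC has encrypted with the
# agent certificate is emitted as an MSFT_Credential instance whose Password is a long
# base64 blob; that shape is treated as encrypted (heuristic, an assumption).
function Test-MofPlainTextSecret {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $Path,
        # Property names that must never appear as bare literals (assumed list, extend as needed)
        [string[]] $SecretNames = @('ApplicationSecret', 'CertificatePassword', 'Password')
    )
    $findings     = @()
    $inCredential = $false
    $lineNo       = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        # Track whether we are inside an MSFT_Credential block (where DSC puts encrypted creds)
        if     ($line -match '^\s*instance of MSFT_Credential') { $inCredential = $true }
        elseif ($line -match '^\s*instance of ')                { $inCredential = $false }
        foreach ($name in $SecretNames) {
            # Matches lines such as:  ApplicationSecret = "The_PlainText_Application_Pa$$w0rd_here";
            if ($line -match "^\s*$name\s*=\s*`"(.*)`"\s*;") {
                $value = $Matches[1]
                # Inside MSFT_Credential, a long base64 Password is the encrypted form: skip it
                if ($inCredential -and $name -eq 'Password' -and
                    $value.Length -ge 64 -and $value -match '^[A-Za-z0-9+/=]+$') { continue }
                $findings += [pscustomobject]@{
                    File        = $Path
                    Line        = $lineNo
                    Property    = $name
                    # Never echo the secret into build logs; report only its length
                    ValueLength = $value.Length
                }
            }
        }
    }
    return $findings
}

# Constructed sample mirroring the MOF shape in this issue (dummy secret value).
$sample = @'
instance of MSFT_AADGroupLifecyclePolicy as $MSFT_AADGroupLifecyclePolicy1ref
{
    TenantId = "contoso.onmicrosoft.com";
    ApplicationSecret = "dummy-plaintext-secret";
};
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'sample.mof'
Set-Content -LiteralPath $tmp -Value $sample
Test-MofPlainTextSecret -Path $tmp | Format-Table   # one finding: ApplicationSecret, line 4
```

Running it against the MOF output folder after compilation (and failing the build on any finding) catches the plaintext ApplicationSecret before the MOF is committed or shipped to a pull server.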

We are aware of this and have a fix in place. However, this will need to be a breaking change since the ApplicationSecret parameter will need to be changed from being a String to a SecureString object for EVERY resource in the project. Next breaking change release is scheduled for April 6th 2022.

NikCharlebois, Jan 26 '22 11:01

Update on this, SecureString is not a supported type for MOF files. Either we make ApplicationSecret a PSCredential (breaking) or we keep it as is for the time being (until we review how to address in PoSh 7.2+)

NikCharlebois, Jul 19 '22 20:07

This will be fixed as part of 1.22.1005.1

NikCharlebois, Sep 21 '22 21:09