Microsoft365DSC
Microsoft365DSC copied to clipboard
microsoft
Export Teams Configuration with Appplication-ID and Certification Thumbprint - Forbidden - Access denied
Description of the issue
Export-M365DSCConfiguration -Components @("TeamsVoiceRoute", "TeamsVoiceRoutingPolicy", "TeamsWorkloadPolicy") -ApplicationId 0aefaf9c-a720-4144-9baa-5e55121af831 -TenantId xx.xxx.xx -CertificateThumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Exporting Microsoft 365 configuration for Components: TeamsVoiceRoute, TeamsVoiceRoutingPolicy, TeamsWorkloadPolicy
Authentication methods specified:
- Service Principal with Certificate Thumbprint
Connecting to {MicrosoftTeams}...✅ [1/3] Extracting [TeamsVoiceRoute] using {CertificateThumbprint}...Correlation id for this request : 9bbac2c9-a72a-4f07-88d8-48d228ef4770 ❌ Error Log created at {file://C:/Users/urs.egli/46352-M365DSC-ErrorLog.log} [2/3] Extracting [TeamsVoiceRoutingPolicy] using {CertificateThumbprint}...Correlation id for this request : 3fc46d11-3a89-45a4-a875-4b8ea01936d4 ❌ Error Log created at {file://C:/Users/urs.egli/46352-M365DSC-ErrorLog.log} [3/3] Extracting [TeamsWorkloadPolicy] using {CertificateThumbprint}...Correlation id for this request : 7127eb42-a3f4-409b-8c33-8bcb11e1fc50 ❌ Error Log created at {file://C:/Users/urs.egli/46352-M365DSC-ErrorLog.log} ⌛ Export took {6 seconds}
Destination Path: ./
Microsoft 365 DSC Version
'1.23.1101.1'
Which workloads are affected
Teams
The DSC configuration
@{
AllNodes = @(
@{
NodeName = "localhost"
PSDscAllowPlainTextPassword = $true;
PSDscAllowDomainUser = $true;
#region Parameters
# Default Value Used to Ensure a Configuration Data File is Generated
ServerNumber = "0"
}
)
NonNodeData = @(
@{
# Tenant's default verified domain name
OrganizationName = "basnet.onmicrosoft.com"
# Azure AD Application Id for Authentication
ApplicationId = "0aefaf9c-a720-4144-9baa-5e55121af831"
# The Id or Name of the tenant to authenticate against
TenantId = "xx.xx.xx"
# Thumbprint of the certificate to use for authentication
CertificateThumbprint = "63121B859B18B13D386A7BB65C525C21CF65FE68"
}
)
}
Verbose logs showing the problem
I get the following Errors
2023.11.05 11:01:00]
{InvalidOperation}
System.Exception: [Forbidden] : Access Denied.
"Error during Export:"
bei Get-CsConfiguration<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\internal\Merged_internal.ps1: Zeile 12845
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\custom\Merged_custom_PsExt.ps1: Zeile 363
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 43971
bei Get-CsOnlineVoiceRoute<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 6353
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\DSCResources\MSFT_TeamsVoiceRoute\MSFT_TeamsVoiceRoute.psm1: Zeile 369
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCReverse.psm1: Zeile 615
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCUtil.psm1: Zeile 1321
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: xxxxx
[2023.11.05 11:01:02]
{InvalidOperation}
System.Exception: [Forbidden] : Access Denied.
"Error during Export:"
bei Get-CsConfiguration<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\internal\Merged_internal.ps1: Zeile 12845
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\custom\Merged_custom_PsExt.ps1: Zeile 363
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 43971
bei Get-CsOnlineVoiceRoutingPolicy<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 6417
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\DSCResources\MSFT_TeamsVoiceRoutingPolicy\MSFT_TeamsVoiceRoutingPolicy.psm1: Zeile 308
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCReverse.psm1: Zeile 615
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCUtil.psm1: Zeile 1321
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: xxxxx
[2023.11.05 11:01:03]
{InvalidOperation}
System.Exception: [Forbidden] : Access Denied.
"Error during Export:"
bei Get-CsConfiguration<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\internal\Merged_internal.ps1: Zeile 12845
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\custom\Merged_custom_PsExt.ps1: Zeile 363
bei Get-CsConfigurationModern<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 43971
bei Get-CsTeamsWorkLoadPolicy<Process>, C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\5.7.1\exports\ProxyCmdletDefinitionsWithHelp.ps1: Zeile 11322
bei Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\DSCResources\MSFT_TeamsWorkloadPolicy\MSFT_TeamsWorkloadPolicy.psm1: Zeile 401
bei Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCReverse.psm1: Zeile 615
bei Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1101.1\modules\M365DSCUtil.psm1: Zeile 1321
bei <ScriptBlock>, <Keine Datei>: Zeile 1
TenantId: xxxx
Environment Information + PowerShell Version
OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-Bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : de-DE
OsMuiLanguages : {de-DE}
Name Value
---- -----
PSVersion 5.1.22621.1778
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.1778
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Did you assign any permission role to the application? see: https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication#setup-application-based-authentication
and for the roles:
https://learn.microsoft.com/en-us/microsoftteams/using-admin-roles#teams-roles-and-capabilities
Hello @andikrueger I am also getting the similar error while exporting the configuration Export-M365DSCConfiguration -Components @("TeamsVoiceRoute", "TeamsVoiceRoutingPolicy", "TeamsWorkloadPolicy") -ApplicationId 0aefaf9c-a720-4144-9baa-5e55121af831 -TenantId xx.xxx.xx -CertificateThumbprint.
The Permission Roles which has been assigned to the Azure AD App are as below :
Organization.Read.All User.Read.All Group.Read.All AppCatalog.Read.All TeamSettings.Read.All Channel.ReadBasic.All ChannelSettings.Read.All ChannelMember.Read.All
However regarding the role i have assigned "Global Reader" & "Security Reader" to the Azure AD App.
