TeamsAppSetupPolicy: Can't create policy if using Certificate authentication
Description of the issue
I'm testing all Teams resources with certificate authentication. TeamsOrgWideAppSettings and TeamsUserCallingSettings are known not to work with it; nevertheless, TeamsAppSetupPolicy accepts certificate authentication as a parameter but doesn't actually work.
This isn't the first resource where I've noticed this, but to get output from the Teams cmdlets (to catch errors), they need to have the Verbose switch added and must not be piped to Out-Null, which is the case in this one; otherwise it just returns without output and nothing happens. After running Start-DSCConfiguration, it outputs that the resource was created but actually doesn't create anything. I was able to figure it out by creating it manually in Verbose mode.
I've created a list of pinned appbar apps as follows:
PS C:\temp\dsc\TeamsAppSetupPolicy> $pinnedAppBarAppsValue
Identity :
Priority :
Id : 14d6962d-6eeb-4f48-8890-de55454bb136
Order : 1
Identity :
Priority :
Id : 42f6c1da-a241-483a-a3cc-4f5be9185951
Order : 2
Identity :
Priority :
Id : 86fcd49b-61a2-4701-b771-54728cd291fb
Order : 3
Identity :
Priority :
Id : 20c3440d-c67e-4420-9f80-0e50c39693df
Order : 4
Connecting to Teams via certificate gave me this output:
PS C:\temp\dsc\TeamsAppSetupPolicy> New-CsTeamsAppSetupPolicy -AllowSideLoading $false -AllowUserPinning $true
-Description "TeamsAppSetupPolicy_1" -Identity "TeamsAppSetupPolicy_1" -PinnedAppBarApps $pinnedAppBarAppsValue
-Verbose
New-CsTeamsAppSetupPolicy : The App Id(s) specified could not be validated from the App Catalog. Please refer to
documentation. CorrelationId: 1f020e4f-5e26-440a-96f0-9928816d8a71
At line:1 char:1
+ New-CsTeamsAppSetupPolicy -AllowSideLoading $false -AllowUserPinning ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-CsTeamsAppSetupPolicy], PolicyRpException
+ FullyQualifiedErrorId : ClientError,Microsoft.Teams.Policy.Administration.Cmdlets.Core.NewTeamsAppSetupPolicyCmdlet
But when running with credentials instead, the policy is actually created:
PS C:\temp\dsc\TeamsAppSetupPolicy> New-CsTeamsAppSetupPolicy -AllowSideLoading $false -AllowUserPinning $true
-Description "TeamsAppSetupPolicy_1" -Identity "TeamsAppSetupPolicy_1" -PinnedAppBarApps $pinnedAppBarAppsValue
-Verbose
Identity : Tag:TeamsAppSetupPolicy_1
AppPresetList : {}
PinnedAppBarApps : {14d6962d-6eeb-4f48-8890-de55454bb136, 42f6c1da-a241-483a-a3cc-4f5be9185951, 86fcd49b-61a2-4701-b771-54728cd291fb, 20c3440d-c67e-4420-9f80-0e50c39693df}
PinnedMessageBarApps : {}
AppPresetMeetingList : {}
AdditionalCustomizationApps : {}
Description : TeamsAppSetupPolicy_1
AllowSideLoading : False
AllowUserPinning : True
All other Teams resources I've tested, which include almost all of them, didn't have this issue. In any case, these are the permissions I've granted to my app, which is also assigned the Teams Administrator role. According to https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication the cmdlets in this resource should work with a certificate. Maybe some additional permission is required which is not mentioned in settings.json? Or is the documentation on that webpage incorrect?
AppCatalog.ReadWrite.All
Channel.Delete.All
ChannelMember.ReadWrite.All
ChannelSettings.Read.All
ChannelSettings.ReadWrite.All
Group.ReadWrite.All
Organization.Read.All
TeamSettings.ReadWrite.All
TeamsTab.Create
TeamsTab.ReadWrite.All
User.Read.All
Microsoft 365 DSC Version
1.23.124.1
Which workloads are affected
Teams
The DSC configuration
TeamsAppSetupPolicy "TeamsAppSetupPolicy-TeamsAppSetupPolicy_1"
{
    AllowSideLoading      = $False;
    AllowUserPinning      = $True;
    ApplicationId         = $TeamsApplicationId;
    CertificateThumbprint = $TeamsCertThumbprint;
    Description           = "TeamsAppSetupPolicy_1";
    Ensure                = "Present";
    Identity              = "TeamsAppSetupPolicy_1";
    PinnedAppBarApps      = @("14d6962d-6eeb-4f48-8890-de55454bb136","42f6c1da-a241-483a-a3cc-4f5be9185951","86fcd49b-61a2-4701-b771-54728cd291fb","20c3440d-c67e-4420-9f80-0e50c39693df");
    TenantId              = $OrganizationName;
}
Verbose logs showing the problem
N/A
Environment Information + PowerShell Version
OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, en-GB}

Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1