O365OrgSettings: Which roles are actually required for Read and for Write?
Description of the issue
One of our customers decided they wanted to use the O365 workload but I'm having a hard time with it since there are no instructions on https://microsoft365dsc.com about which permissions are required, so I could only gather what was needed so far by reading code and searching the interwebs.
For the whole O365 workload I've created a single app and added these Write API permissions, which were taken from what's in settings.json combined for all 5 resources.
Then I created an Exchange role group with both "Audit Logs" and "Organization Configuration" roles, and had problems already here because you cannot actually add the app registration directly to the role group like you normally would; you need to create a new Service Principal and associate it with the app registration, and it is that SP that gets added to the role group.
After having a discussion in some other thread I found out O365OrgSettings would need at least the "Insights Administrator" AAD role, which I also granted to the app registration, and I'm able to read and write everything; the exception is that I cannot change PlannerAllowCalendarSharing, only read it. Which permission or role am I missing here? Additionally, running the commands by hand it seems there are more settings inside, but only allowCalendarSharing is included in the export as seen below, so should they also be added to the resource?
@nikcharlebois @andikrueger So the question is basically what is required for reading the entire O365 workload, and what is required for writing, both in terms of API permissions and roles. If what I've shared above is already correct then I'll just need the info on what's missing. Most likely I'm just missing a role for fiddling with the Planner; I looked into PnP cli-microsoft365 and they say "Global Administrator" is required to change these settings. That will be a hard sell with the customer, but if that's the case there's nothing we can do; at least reading works right now. This whole workload definitely needs to be added to the documentation on microsoft365dsc.com.
Microsoft 365 DSC Version
1.23.214.2
Which workloads are affected
other
The DSC configuration
N/A
Verbose logs showing the problem
VERBOSE: [REDACTED]:
[[O365OrgSettings]O365OrgSettings] Updating the Planner Allow Calendar Sharing setting to {False}
The remote server returned an error: (403) Forbidden.
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:) [], CimException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
    + PSComputerName        : localhost
Environment Information + PowerShell Version
OsName             : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture     : 64-bit
WindowsVersion     : 2009
WindowsBuildLabEx  : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage         : en-US
OsMuiLanguages     : {en-US, en-GB}

Name                       Value
----                       -----
PSVersion                  5.1.22621.1778
PSEdition                  Desktop
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0...}
BuildVersion               10.0.22621.1778
CLRVersion                 4.0.30319.42000
WSManStackVersion          3.0
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1
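The role-group step the report describes (an Exchange Online Service Principal object that points at the app registration, then membership in a role group carrying "Audit Logs" and "Organization Configuration"), written out as an added example that is not code from the issue or from the Microsoft365DSC project. The application id and the role group name are placeholders; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and the caller can already manage role groups.

```powershell
# Added example: link an app registration to Exchange Online role membership.
# <app-registration-application-id> is a placeholder; the role group name is constructed.
$AppId     = '<app-registration-application-id>'
$RoleGroup = 'M365DSC-O365-Workload'

# Exchange Online needs the Entra service principal's object id, not the app id.
Connect-MgGraph -Scopes 'Application.Read.All'
$entraSp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $entraSp) { throw "No Entra service principal found for appId $AppId" }

Connect-ExchangeOnline

# Exchange Online keeps its own ServicePrincipal object that references the Entra one;
# the app registration itself cannot be a role group member.
$exoSp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $exoSp) {
    $exoSp = New-ServicePrincipal -AppId $AppId -ServiceId $entraSp.Id `
                                  -DisplayName 'Microsoft365DSC O365 workload'
}

# Role group with the two roles named in the report; create it only if missing.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles 'Audit Logs', 'Organization Configuration' | Out-Null
}
Add-RoleGroupMember -Identity $RoleGroup -Member $exoSp.Identity -ErrorAction SilentlyContinue

# Verify the membership actually took: an empty result here means writes through
# the Exchange cmdlets will still be refused.
Get-RoleGroupMember -Identity $RoleGroup | Where-Object { $_.Name -eq $exoSp.Identity }
```

Granting these two Exchange roles covers only the Exchange-backed settings; the report's 403 on PlannerAllowCalendarSharing comes from a different service and is not addressed by this role group.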
Thank you for investigating the required permissions for this resource.
Maybe this holds a good pointer to look at: https://pnp.github.io/powershell/cmdlets/Get-PnPPlannerConfiguration.html - Even though I was not able to find said permission :(
Linking the other O365OrgSettings permission issue #4146.
@andikrueger The one I saw that said it required Global Admin was here, but I need to be sure before getting back to the client with that info.
https://github.com/pnp/cli-microsoft365/blob/0ae7da4f294ba49b514519d057a6339ea742b972/docs/docs/cmd/planner/tenant/tenant-settings-set.mdx#L43