Microsoft365DSC
Every time I use Start-DscConfiguration I get errors about needing to connect to MS Graph
Description of the issue
After backing up my tenant, authenticating to my target tenant and successfully compiling the MOF file, every step in DSC to configure a setting in my target tenant gives me errors like:

WARNING: [PC]: [[AADApplication]AADApplication-Microsoft Graph PowerShell application ] Unable to retrieve AccessToken. Have you registered the 'Microsoft Graph PowerShell' application already? Please run 'Connect-MgGraph -Scopes Domain.Read.All' and logon using '[email protected]' or ]
Testing configuration of AzureAD Application
WARNING: [PC]: [[AADApplication]AADApplication-Microsoft Graph PowerShell application ] Unable to retrieve AccessToken. Have you registered the 'Microsoft Graph PowerShell' application already? Please run 'Connect-MgGraph -Scopes Domain.Read.All' and logon using '[email protected]'
The docs for Start-DscConfiguration don't even mention first connecting to MS Graph. I first tried to authenticate to my target tenant using:

Connect-MgGraph -UseDeviceAuthentication

That works OK, and I now check my scopes using this:

List authorized Scopes:
Get-MgContext | Select-Object -ExpandProperty Scopes
I think I see all of the scopes I need:

AdministrativeUnit.Read.All AdministrativeUnit.ReadWrite.All Agreement.Read.All Application.Read.All Application.ReadWrite.All Device.Read.All DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Directory.Read.All Directory.ReadWrite.All Domain.Read.All EntitlementManagement.Read.All EntitlementManagement.ReadWrite.All Group.Read.All Group.ReadWrite.All GroupMember.Read.All GroupMember.ReadWrite.All openid Organization.Read.All Organization.ReadWrite.All OrgSettings-AppsAndServices.Read.All OrgSettings-DynamicsVoice.ReadWrite.All OrgSettings-Forms.ReadWrite.All OrgSettings-Microsoft365Install.ReadWrite.All OrgSettings-Todo.ReadWrite.All Policy.Read.All Policy.ReadWrite.ApplicationConfiguration Policy.ReadWrite.AuthenticationMethod Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.CrossTenantAccess profile ReportSettings.ReadWrite.All RoleManagement.Read.Directory RoleManagement.ReadWrite.Directory RoleManagementPolicy.Read.Directory SharePointTenantSettings.ReadWrite.All User.Read User.Read.All User.ReadWrite User.ReadWrite.All email
So then why do I get these MS Graph authentication or scope errors?
Microsoft 365 DSC Version
1.24.731.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
Update-M365DSCAllowedGraphScopes -ResourceNameList @("AADApplication", "AADAuthenticationMethodPolicy", "AADAuthenticationStrengthPolicy", "AADAuthorizationPolicy", "AADGroup", "AADNamedLocationPolicy", "AADServicePrincipal") -Type Update
Verbose logs showing the problem
No response
Environment Information + PowerShell Version
No response
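A check added here (not from the issue or from the Microsoft365DSC project) that compares the delegated Graph scopes the resources listed above need for Update access with the scopes held by the current Connect-MgGraph session, and prints the session identity so the two can be compared with what the DSC run reports. Start-DscConfiguration hands the MOF to the Local Configuration Manager, which runs in its own process and authenticates with the parameters given in the configuration, so this describes only the interactive session. It assumes Microsoft365DSC and Microsoft.Graph.Authentication are installed and that Get-M365DSCCompiledPermissionList returns objects with API and PermissionName properties.

```powershell
# Added example, not part of the issue or of Microsoft365DSC itself.
# Compares required delegated Graph scopes with the current Graph session.
# Assumption: Get-M365DSCCompiledPermissionList returns objects exposing
# API and PermissionName (verify with Get-Member if your version differs).

$resources = @(
    'AADApplication', 'AADAuthenticationMethodPolicy', 'AADAuthenticationStrengthPolicy',
    'AADAuthorizationPolicy', 'AADGroup', 'AADNamedLocationPolicy', 'AADServicePrincipal'
)

# Delegated permissions the resources need for Update (Set) operations.
$required = Get-M365DSCCompiledPermissionList -ResourceNameList $resources `
    -PermissionType 'Delegated' -AccessType 'Update' |
    Where-Object { $_.API -eq 'Graph' } |
    Select-Object -ExpandProperty PermissionName -Unique

$context = Get-MgContext
if (-not $context) {
    throw 'No Microsoft Graph session in this process. Run Connect-MgGraph first.'
}

# Identity of the interactive session; the LCM process has its own context.
'Account:  {0}' -f $context.Account
'Tenant:   {0}' -f $context.TenantId
'AuthType: {0}' -f $context.AuthType

$missing = @($required | Where-Object { $_ -notin $context.Scopes })
if ($missing.Count -gt 0) {
    Write-Warning ('Session lacks {0} required scope(s): {1}' -f $missing.Count, ($missing -join ', '))
    'Re-connect with: Connect-MgGraph -Scopes {0}' -f (($required | Sort-Object -Unique) -join ',')
}
else {
    'The interactive session holds every delegated scope these resources need.'
}
```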