
AADRoleEligibilityScheduleRequest - : The Role assignment already exists - on Administrative Unit as DirectoryScopeId

Open landsdale opened this issue 1 year ago • 1 comments

Description of the issue

Hi guys, I run a devops pipeline with this module configured like that:

  - Name: "<group-to-assingn-NameDescription>"
    Action: "AdminAssign"
    DirectoryScopeId: "/administrativeUnits/<AUId>"
    DependsOn: "[AADGroup]"
    Ensure: "Present"
    IsValidationOnly: False
    Principal: "<group-to-assingn-Name>"
    PrincipalType: "Group"
    RoleDefinition: "Privileged Authentication Administrator"
    ScheduleInfo:
      startDateTime: "2024-07-05T11:08:33Z"
      expiration:
        type: "noExpiration"

So the first run of the pipeline is ok and the role is correctly assigned.
From a "second run" of the pipeline we get this error:

##[error][RoleAssignmentExists] : The Role assignment already exists.
    + CategoryInfo          : InvalidOperation: ({ Headers = , b...heduleRequest }:) [], CimException
    + FullyQualifiedErrorId : RoleAssignmentExists,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest_CreateExpanded
    + PSComputerName        : localhost
VERBOSE: [fv-az524-586]: LCM: [ End Set ] [[AADRoleEligibilityScheduleRequest]<group-to-assingn-NameDescription>::[EntraID]EntraID_Configuration] in 5.5520 seconds.
##[error]The PowerShell DSC resource

No problem with the DirectoryScopeId on "/". I think it is a bug.

Thank you in advance.

Microsoft 365 DSC Version

1.24.904.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADRoleEligibilityScheduleRequest:
  - Name: "<group-to-assingn-NameDescription>"
    Action: "AdminAssign"
    DirectoryScopeId: "/administrativeUnits/<AUId>"
    DependsOn: "[AADGroup]<group-to-assingn>"
    Ensure: "Present"
    IsValidationOnly: False
    Principal: "<group-to-assingn-Name>"
    PrincipalType: "Group"
    RoleDefinition: "Privileged Authentication Administrator"
    ScheduleInfo:
      startDateTime: "2024-07-05T11:08:33Z"
      expiration:
        type: "noExpiration"

Verbose logs showing the problem

##[error][RoleAssignmentExists] : The Role assignment already exists.
    + CategoryInfo          : InvalidOperation: ({ Headers = , b...heduleRequest }:) [], CimException
    + FullyQualifiedErrorId : RoleAssignmentExists,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest_CreateExpanded
    + PSComputerName        : localhost
VERBOSE: [fv-az524-586]: LCM:  [ End    Set      ]  [[AADRoleEligibilityScheduleRequest]<group-to-assingn-NameDescription>::[EntraID]EntraID_Configuration]  in 5.5520 seconds.
##[error]The PowerShell DSC resource

Environment Information + PowerShell Version

git version 2.45.2.windows.1
Task PowerShell Version: 2.245.1

landsdale, Sep 24 '24 08:09

I confirm, same problem on my side. I posted a comment on the similar post #3787.

gibi916, Sep 26 '24 06:09