AADRoleEligibilityScheduleRequest: adminAssign action will always remove the current assignment and set it again with same value
Description of the issue
I use AADRoleEligibilityScheduleRequest to set an eligible role assignment. It works perfectly, but as I use it in a scheduled pipeline to ensure the value is always compliant with our repository, the configuration is applied multiple times per week.
When it runs, M365DSC will always remove and re-add the assignment even if the values have not changed.
This action is a problem because people who have already activated their role in PIM will lose their access and will have to reactivate their roles. So people who have activated their role will, all of a sudden, no longer be able to perform administrative actions because the role is no longer present.
I would like to be able to launch my pipeline multiple times with the same configuration without the assignment being changed (if the value is identical). So there must be a problem of detection or comparison between the desired value and the value retrieved in Entra ID.
Can you please have a look?
Thank you!
Microsoft 365 DSC Version
1.25.129.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
@{
    Principal        = 'gpaz-azuread-roles-GENDPOINTADM_PaC'
    Action           = 'AdminAssign'
    DirectoryScopeId = '/'
    Ensure           = 'Present'
    Id               = '0fbe7696-d21e-47d2-bc73-74b8499a6261'
    IsValidationOnly = $False
    PrincipalType    = 'Group'
    RoleDefinition   = 'Intune Administrator'
    ScheduleInfo     = @{
        expiration    = @{ type = 'noExpiration' }
        startDateTime = '2024-10-15T10:14:56Z'
    }
}
Verbose logs showing the problem
2025-01-30T09:01:42.6790332Z VERBOSE: [fv-az899-360]: LCM: [ Start Resource ]
2025-01-30T09:01:42.6790644Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:42.6791022Z Administrator-/::[AzureAD]AzureAD_Configuration]
2025-01-30T09:01:42.6791281Z VERBOSE: [fv-az899-360]: LCM: [ Start Test ]
2025-01-30T09:01:42.6791730Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:42.6792054Z Administrator-/::[AzureAD]AzureAD_Configuration]
2025-01-30T09:01:42.6792284Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:42.6793033Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:42.6793461Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by Id {6a1e9922-14c4-4c26-9795-99d97f4d649b}
2025-01-30T09:01:43.1443550Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:43.1455643Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:43.1460169Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by PrincipalId and RoleDefinitionId
2025-01-30T09:01:43.1471914Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:43.1476200Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:43.1488948Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal by DisplayName
2025-01-30T09:01:43.1492418Z {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:43.1976718Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:43.1992236Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:43.1998263Z Administrator-/::[AzureAD]AzureAD_Configuration] Found Principal {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:43.2870381Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:43.2883172Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:43.2887681Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieved role definition {Intune Administrator} with ID
2025-01-30T09:01:43.2898157Z {3a2c62db-5318-420d-8d74-23affee5d9d5}
2025-01-30T09:01:43.2902382Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:43.2914175Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:43.2918727Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving the request by PrincipalId
2025-01-30T09:01:43.2929118Z {44fdf048-49e7-45a8-a899-dfcbe3e85bba}, RoleDefinitionId {3a2c62db-5318-420d-8d74-23affee5d9d5} and DirectoryScopeId
2025-01-30T09:01:43.2933268Z {/}
2025-01-30T09:01:44.5591038Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:44.5602920Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:44.5607547Z Administrator-/::[AzureAD]AzureAD_Configuration] Current Values: AccessTokens=$null
2025-01-30T09:01:44.5612935Z
2025-01-30T09:01:44.5620762Z Action=$null
2025-01-30T09:01:44.5625997Z
2025-01-30T09:01:44.5633763Z ApplicationId=***
2025-01-30T09:01:44.5638943Z
2025-01-30T09:01:44.5646615Z ApplicationSecret=$null
2025-01-30T09:01:44.5663357Z
2025-01-30T09:01:44.5672137Z AppScopeId=$null
2025-01-30T09:01:44.5677476Z
2025-01-30T09:01:44.5686421Z CertificateThumbprint=***
2025-01-30T09:01:44.5691694Z
2025-01-30T09:01:44.5699438Z Credential=$null
2025-01-30T09:01:44.5704560Z
2025-01-30T09:01:44.5711341Z DirectoryScopeId=/
2025-01-30T09:01:44.5716885Z
2025-01-30T09:01:44.5734778Z Ensure=Present
2025-01-30T09:01:44.5742568Z
2025-01-30T09:01:44.5753341Z Id=85ab3a0f-1a25-412a-b084-8669f58c3dc7
2025-01-30T09:01:44.5758240Z
2025-01-30T09:01:44.5768844Z IsValidationOnly=$null
2025-01-30T09:01:44.5774672Z
2025-01-30T09:01:44.5783810Z Justification=$null
2025-01-30T09:01:44.5788582Z
2025-01-30T09:01:44.5797700Z Managedidentity=False
2025-01-30T09:01:44.5801987Z
2025-01-30T09:01:44.5813399Z Principal=gpaz-azuread-roles-GENDPOINTSVC_PaC
2025-01-30T09:01:44.5818365Z
2025-01-30T09:01:44.5827325Z PrincipalType=Group
2025-01-30T09:01:44.5832000Z
2025-01-30T09:01:44.5841458Z RoleDefinition=Intune Administrator
2025-01-30T09:01:44.5845877Z
2025-01-30T09:01:44.5855110Z ScheduleInfo={expiration={duration=$null
2025-01-30T09:01:44.5859515Z
2025-01-30T09:01:44.5868515Z type=noExpiration}
2025-01-30T09:01:44.5874524Z
2025-01-30T09:01:44.5883641Z Recurrence={pattern={dayOfMonth=$null
2025-01-30T09:01:44.5888370Z
2025-01-30T09:01:44.5897331Z daysOfWeek=$null
2025-01-30T09:01:44.5901524Z
2025-01-30T09:01:44.5910463Z firstDayOfWeek=$null
2025-01-30T09:01:44.5914789Z
2025-01-30T09:01:44.5924089Z index=$null
2025-01-30T09:01:44.5928852Z
2025-01-30T09:01:44.5937897Z interval=$null
2025-01-30T09:01:44.5942514Z
2025-01-30T09:01:44.5951453Z month=$null
2025-01-30T09:01:44.5955695Z
2025-01-30T09:01:44.5964629Z type=$null}
2025-01-30T09:01:44.5970652Z
2025-01-30T09:01:44.5980574Z range={endDate=$null
2025-01-30T09:01:44.5985394Z
2025-01-30T09:01:44.5994310Z numberOfOccurrences=$null
2025-01-30T09:01:44.5998875Z
2025-01-30T09:01:44.6009046Z recurrenceTimeZone=$null
2025-01-30T09:01:44.6014983Z
2025-01-30T09:01:44.6023717Z startDate=$null
2025-01-30T09:01:44.6028111Z
2025-01-30T09:01:44.6036988Z type=$null}}
2025-01-30T09:01:44.6041474Z
2025-01-30T09:01:44.6050372Z StartDateTime=2025-01-28T11:58:45Z}
2025-01-30T09:01:44.6055580Z
2025-01-30T09:01:44.6064954Z TenantId=***
2025-01-30T09:01:44.6073881Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:44.6082829Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:44.6091893Z Administrator-/::[AzureAD]AzureAD_Configuration] Target Values: ApplicationId=***
2025-01-30T09:01:44.6096640Z
2025-01-30T09:01:44.6105405Z CertificateThumbprint=***
2025-01-30T09:01:44.6109520Z
2025-01-30T09:01:44.6118386Z DirectoryScopeId=/
2025-01-30T09:01:44.6122833Z
2025-01-30T09:01:44.6141804Z Ensure=Present
2025-01-30T09:01:44.6146289Z
2025-01-30T09:01:44.6155222Z Id=6a1e9922-14c4-4c26-9795-99d97f4d649b
2025-01-30T09:01:44.6160171Z
2025-01-30T09:01:44.6169380Z Principal=gpaz-azuread-roles-GENDPOINTSVC_PaC
2025-01-30T09:01:44.6173834Z
2025-01-30T09:01:44.6183811Z PrincipalType=Group
2025-01-30T09:01:44.6188510Z
2025-01-30T09:01:44.6197361Z RoleDefinition=Intune Administrator
2025-01-30T09:01:44.6202973Z
2025-01-30T09:01:44.6211755Z TenantId=***
2025-01-30T09:01:44.6215926Z
2025-01-30T09:01:44.6224790Z Verbose=True
2025-01-30T09:01:44.7433055Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:44.7446436Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:44.7451695Z Administrator-/::[AzureAD]AzureAD_Configuration] Test-TargetResource returned False
2025-01-30T09:01:44.7462290Z VERBOSE: [fv-az899-360]: LCM: [ End Test ]
2025-01-30T09:01:44.7466826Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:44.7477238Z Administrator-/::[AzureAD]AzureAD_Configuration] in 3.4750 seconds.
2025-01-30T09:01:44.7481717Z VERBOSE: [fv-az899-360]: LCM: [ Start Set ]
2025-01-30T09:01:44.7491994Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:44.7495550Z Administrator-/::[AzureAD]AzureAD_Configuration]
2025-01-30T09:01:45.7252396Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:45.7253001Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:45.7253476Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by Id {6a1e9922-14c4-4c26-9795-99d97f4d649b}
2025-01-30T09:01:46.4551897Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:46.4566465Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:46.4571934Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by PrincipalId and RoleDefinitionId
2025-01-30T09:01:46.4587317Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:46.4592656Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:46.4604383Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal by DisplayName
2025-01-30T09:01:46.4607699Z {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:46.5683337Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:46.5695865Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:46.5699318Z Administrator-/::[AzureAD]AzureAD_Configuration] Found Principal {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:46.6907846Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:46.6922621Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:46.6927682Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieved role definition {Intune Administrator} with ID
2025-01-30T09:01:46.6941077Z {3a2c62db-5318-420d-8d74-23affee5d9d5}
2025-01-30T09:01:46.6945555Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:46.6956753Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:46.6963828Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving the request by PrincipalId
2025-01-30T09:01:46.6976522Z {44fdf048-49e7-45a8-a899-dfcbe3e85bba}, RoleDefinitionId {3a2c62db-5318-420d-8d74-23affee5d9d5} and DirectoryScopeId
2025-01-30T09:01:46.6984376Z {/}
2025-01-30T09:01:47.9983959Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:47.9995271Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:47.9999916Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal Id from Set-TargetResource
2025-01-30T09:01:48.0010433Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:48.0014947Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:48.0025405Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal by DisplayName
2025-01-30T09:01:48.0028941Z {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:48.2224592Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:48.2236517Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:48.2240314Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving ROleDefinitionId from Set-TargetResource
2025-01-30T09:01:48.3251152Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:48.3263080Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:48.3267778Z Administrator-/::[AzureAD]AzureAD_Configuration] Updating role eligibility Schedule with parameters:
2025-01-30T09:01:48.3273242Z
2025-01-30T09:01:48.3281070Z {
2025-01-30T09:01:48.3286158Z
2025-01-30T09:01:48.3293915Z "action": "AdminUpdate",
2025-01-30T09:01:48.3298940Z
2025-01-30T09:01:48.3306711Z "roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5",
2025-01-30T09:01:48.3311847Z
2025-01-30T09:01:48.3319565Z "scheduleInfo": {
2025-01-30T09:01:48.3324611Z
2025-01-30T09:01:48.3333282Z "startDateTime": "2024-10-15T10:13:39Z",
2025-01-30T09:01:48.3338358Z
2025-01-30T09:01:48.3346086Z "expiration": {
2025-01-30T09:01:48.3351628Z
2025-01-30T09:01:48.3372901Z "type": "noExpiration"
2025-01-30T09:01:48.3379076Z
2025-01-30T09:01:48.3392650Z }
2025-01-30T09:01:48.3397670Z
2025-01-30T09:01:48.3406890Z },
2025-01-30T09:01:48.3411324Z
2025-01-30T09:01:48.3420606Z "justification": "AdminUpdate by Microsoft365DSC",
2025-01-30T09:01:48.3425236Z
2025-01-30T09:01:48.3437556Z "principalId": "44fdf048-49e7-45a8-a899-dfcbe3e85bba",
2025-01-30T09:01:48.3443254Z
2025-01-30T09:01:48.3454263Z "directoryScopeId": "/"
2025-01-30T09:01:48.3459260Z
2025-01-30T09:01:48.3469141Z }
2025-01-30T09:01:51.0653382Z VERBOSE: [fv-az899-360]: LCM: [ End Set ]
2025-01-30T09:01:51.0667682Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:51.0673261Z Administrator-/::[AzureAD]AzureAD_Configuration] in 6.3290 seconds.
2025-01-30T09:01:51.0685936Z VERBOSE: [fv-az899-360]: LCM: [ End Resource ]
2025-01-30T09:01:51.0690702Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune
2025-01-30T09:01:51.0710816Z Administrator-/::[AzureAD]AzureAD_Configuration]
Environment Information + PowerShell Version
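To see which key makes Test-TargetResource return False before the Set step tears the eligibility down, here is an added diagnostic (not part of Microsoft365DSC or of this issue) that parses the "Current Values:" and "Target Values:" blocks from an M365DSC verbose log and lists the desired-state keys whose live value differs. The embedded log is a constructed, abbreviated copy of the log posted above; on it the only drifting key is Id, and with Id ignored the two sides compare equal.

```python
import re
# Constructed sample: an abbreviated copy of the verbose log in this issue
# (only the key=value lines the parser needs; timestamps kept as printed).
SAMPLE_LOG = """\
2025-01-30T09:01:44.5607547Z Administrator-/::[AzureAD]AzureAD_Configuration] Current Values: AccessTokens=$null
2025-01-30T09:01:44.5711341Z DirectoryScopeId=/
2025-01-30T09:01:44.5753341Z Id=85ab3a0f-1a25-412a-b084-8669f58c3dc7
2025-01-30T09:01:44.5813399Z Principal=gpaz-azuread-roles-GENDPOINTSVC_PaC
2025-01-30T09:01:44.5841458Z RoleDefinition=Intune Administrator
2025-01-30T09:01:44.5855110Z ScheduleInfo={expiration={duration=$null
2025-01-30T09:01:44.5868515Z type=noExpiration}
2025-01-30T09:01:44.6050372Z StartDateTime=2025-01-28T11:58:45Z}
2025-01-30T09:01:44.6073881Z VERBOSE: [fv-az899-360]:
2025-01-30T09:01:44.6091893Z Administrator-/::[AzureAD]AzureAD_Configuration] Target Values: ApplicationId=***
2025-01-30T09:01:44.6118386Z DirectoryScopeId=/
2025-01-30T09:01:44.6155222Z Id=6a1e9922-14c4-4c26-9795-99d97f4d649b
2025-01-30T09:01:44.6169380Z Principal=gpaz-azuread-roles-GENDPOINTSVC_PaC
2025-01-30T09:01:44.6211755Z RoleDefinition=Intune Administrator
2025-01-30T09:01:44.7433055Z VERBOSE: [fv-az899-360]:
"""
TIMESTAMP = re.compile(r"^\S+Z ?")  # pipeline timestamp prefix on every line
# Connection/run-context keys that say nothing about the eligibility itself
CONTEXT = {"AccessTokens", "ApplicationId", "ApplicationSecret",
           "CertificateThumbprint", "Credential", "TenantId", "Verbose"}

def parse_values(log: str, marker: str) -> dict:
    """Key=value block printed after `marker` ("Current Values:"/"Target Values:")
    up to the next VERBOSE line; multi-line nested {...} values are folded."""
    values, depth, key, active = {}, 0, "", False
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if marker in line:                      # block starts on the marker line
            active, line = True, line.split(marker, 1)[1].strip()
        elif not active or not line:            # outside the block or blank line
            continue
        elif line.startswith("VERBOSE:"):       # next log message ends the block
            break
        if depth == 0:
            key, _, val = line.partition("=")
            values[key] = val
        else:                                   # continuation of a nested value
            values[key] += " " + line
        depth += line.count("{") - line.count("}")
    return values

def drift(current: dict, target: dict, ignore: tuple = ()) -> dict:
    """Desired-state keys (the ones a DSC Test compares) whose live value differs."""
    return {k: (current.get(k), v) for k, v in target.items()
            if k not in CONTEXT and k not in ignore and current.get(k) != v}
```

Run `drift(parse_values(log, "Current Values:"), parse_values(log, "Target Values:"))` on a saved pipeline log to get the drifting keys with their current and desired values; an empty result means the Set step should not have fired.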
Seems like it detected a drift. Can you try again with the latest version? There were some changes to the comparison routine and I think this should be fixed. I didn't detect anything when checking manually. Thanks.
Unfortunately, I’m still seeing the same behavior. Each time the pipeline runs, it removes and then reassigns the eligible role.
Even if I specify the ID...
I don't have this problem with AADRoleAssignmentScheduleRequest. Only with the eligible one.