
AADEntitlementManagementAccessPackageAssignmentPolicy generating invalid members for Auto Assignment policies

Open Sheep-NZ opened this issue 7 months ago • 3 comments

I get this error when trying to run New-M365DSCReportFromConfiguration (DSC version 1.25.521.1):

The member 'Count' is not valid. Valid members are 'AccessReviewTimeoutBehavior', 'DurationInDays', 'IsAccessRecommendationEnabled', 'IsApprovalJustificationRequired', 'IsEnabled', 'RecurrenceType', 'Reviewers', 'ReviewerType', 'StartDateTime'.

It seems to be that all of the "Auto Assignment" policies in M365TenantConfig.ps1 are adding invalid members to AccessReviewSettings.

Image

Image

All the non automatic policies are fine though:

Image

Sheep-NZ avatar May 22 '25 00:05 Sheep-NZ

Is the code in the middle screenshot generated from an export or is it your defined code?

n9294651 avatar Jun 13 '25 03:06 n9294651

They are both generated from an export into M365TenantConfig.ps1; I did not change anything. The auto assignment policies are generating incorrect AccessReviewSettings as shown.

Sheep-NZ avatar Jun 13 '25 03:06 Sheep-NZ

Taking a wild stab in the dark, I'm imagining it's because the beta module and auto assignment policies don't really play nicely.

https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1

If you look at line 121 it's using the graph beta module (which most/all DSC components use).

https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-auto-assignment-policy#create-an-automatic-assignment-policy-programmatically

The example for creating an auto assign policy uses the v1.0 module and attributeruleMembers for the subjectset. https://learn.microsoft.com/en-us/graph/api/resources/attributerulemembers?view=graph-rest-1.0

https://learn.microsoft.com/en-us/graph/api/resources/subjectset?view=graph-rest-beta The beta module doesn't have attributerulemembers, so it could just be an issue with the export using the beta module butchering auto assignment policies.

EDIT: Actually, I can see there's now a rulebasedsubjectset which wasn't there a while back when I checked. Let me check the export DSC code again.

https://learn.microsoft.com/en-us/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta

n9294651 avatar Jun 13 '25 04:06 n9294651

This appears to have been fixed now.

Sheep-NZ avatar Jul 25 '25 03:07 Sheep-NZ