
Start-DscConfiguration: Restore fails on AAD tenant ... MSFT_AADRoleSetting failed to execute Test-TargetResource functionality with error message: Could not determine authentication method CimException: The SendConfigurationApply function did not succeed. #3695

Closed
horgasz2023 opened this issue Sep 18, 2023 · 13 comments · Fixed by #3720 or #3724

Comments

@horgasz2023

Description of the issue

InvalidOperation: PowerShell DSC resource MSFT_AADRoleSetting failed to execute Test-TargetResource functionality with error message: Could not determine authentication method
CimException: The SendConfigurationApply function did not succeed.

Restore fails on AAD tenant. PowerShell DSC resource MSFT_AADRoleSetting failed to execute Test-TargetResource functionality with error message: Could not determine authentication method
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost

First role where it starts failing:

[[AADRoleSetting]AADRoleSetting-Global Administrator] Testing configuration of Role Assignment: Global Administrator
VERBOSE: : [[AADRoleSetting]AADRoleSetting-Global Administrator] Getting configuration of Role: Global Administrator
VERBOSE: : LCM: [ End Test ] [[AADRoleSetting]AADRoleSetting-Global Administrator] in 0.6110 seconds.

Microsoft 365 DSC Version

1.23.906.1

Which workloads are affected

Azure Active Directory

The DSC configuration

DSC config generated with all the AAD Graph APIs.

Verbose logs showing the problem

[[AADRoleSetting]AADRoleSetting-Global Administrator]
VERBOSE: []: LCM:  [ Start  Test     ]  [[AADRoleSetting]AADRoleSetting-Global Administrator]
VERBOSE: []:                            [[AADRoleSetting]AADRoleSetting-Global Administrator] Testing configuration of Role Assignment: Global Administrator
VERBOSE: []:                            [[AADRoleSetting]AADRoleSetting-Global Administrator] Getting configuration of Role: Global Administrator
VERBOSE: []: LCM:  [ End    Test     ]  [[AADRoleSetting]AADRoleSetting-Global Administrator]  in 0.6110 seconds.
PowerShell DSC resource MSFT_AADRoleSetting  failed to execute Test-TargetResource functionality with error message: Could not determine authentication method 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

--------------------------------------------------------------------------------------------------------
VERBOSE: []: LCM:  [ Start  Resource ]  [[AADRoleSetting]AADRoleSetting-Extended Directory User Administrator]
VERBOSE: []: LCM:  [ Start  Test     ]  [[AADRoleSetting]AADRoleSetting-Extended Directory User Administrator]
VERBOSE: []:                            [[AADRoleSetting]AADRoleSetting-Extended Directory User Administrator] Testing configuration of Role Assignment: Extended Directory User Administrator
VERBOSE: []:                            [[AADRoleSetting]AADRoleSetting-Extended Directory User Administrator] Getting configuration of Role: Extended Directory User Administrator
VERBOSE: []: LCM:  [ End    Test     ]  [[AADRoleSetting]AADRoleSetting-Extended Directory User Administrator]  in 0.0990 seconds.
PowerShell DSC resource MSFT_AADRoleSetting  failed to execute Test-TargetResource functionality with error message: Could not determine authentication method 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
 
VERBOSE: []: LCM:  [ Start  Resource ]  [[AADSecurityDefaults]AADSecurityDefaults]
VERBOSE: []: LCM:  [ Start  Test     ]  [[AADSecurityDefaults]AADSecurityDefaults]
VERBOSE: []:                            [[AADSecurityDefaults]AADSecurityDefaults] Testing configuration of the Azure AD Security Defaults
VERBOSE: []:                            [[AADSecurityDefaults]AADSecurityDefaults] Getting configuration for Azure AD Security Defaults
VERBOSE: []:                            [[AADSecurityDefaults]AADSecurityDefaults] Get-TargetResource Result: 
 ApplicationId=***
ApplicationSecret=***
CertificateThumbprint=***
Credential=$null
Description=Security defaults is a set of basic identity security mechanisms recommended by Microsoft. When enabled, these recommendations will be automatically enforced in your organization. Administrators and users will be better protected from common identity related attacks.
DisplayName=Security Defaults
IsEnabled=True
IsSingleInstance=Yes
Managedidentity=False
TenantId=***
VERBOSE: []:                            [[AADSecurityDefaults]AADSecurityDefaults] Target Values: ApplicationId=***
ApplicationSecret=***
Description=Security defaults is a set of basic identity security mechanisms recommended by Microsoft. When enabled, these recommendations will be automatically enforced in your organization. Administrators and users will be better protected from common identity related attacks.
DisplayName=Security Defaults
IsEnabled=True
IsSingleInstance=Yes
TenantId=***
Verbose=True
VERBOSE: []:                            [[AADSecurityDefaults]AADSecurityDefaults] Test-TargetResource returned True
VERBOSE: []: LCM:  [ End    Test     ]  [[AADSecurityDefaults]AADSecurityDefaults]  in 1.7060 seconds.
VERBOSE: []: LCM:  [ Skip   Set      ]  [[AADSecurityDefaults]AADSecurityDefaults]
VERBOSE: []: LCM:  [ End    Resource ]  [[AADSecurityDefaults]AADSecurityDefaults]
VERBOSE: []: LCM:  [ Start  Resource ]  [[AADTenantDetails]AADTenantDetails]
VERBOSE: []: LCM:  [ Start  Test     ]  [[AADTenantDetails]AADTenantDetails]
VERBOSE: []:                            [[AADTenantDetails]AADTenantDetails] Testing configuration of AzureAD Tenant Details
VERBOSE: []:                            [[AADTenantDetails]AADTenantDetails] Getting configuration of AzureAD Tenant Details
VERBOSE: []:                            [[AADTenantDetails]AADTenantDetails] Found existing AzureAD Tenant Details
VERBOSE: []:                            [[AADTenantDetails]AADTenantDetails] Get-TargetResource Result: 
 ApplicationId=***
ApplicationSecret=***
CertificateThumbprint=***
Credential=$null
IsSingleInstance=Yes
Managedidentity=False
MarketingNotificationEmails=()
SecurityComplianceNotificationMails=()
SecurityComplianceNotificationPhones=()
TechnicalNotificationMails=(xxxxxxxxxxxxxxxxxxxxxx)
TenantId=***
VERBOSE: []:                            [[AADTenantDetails]AADTenantDetails] Target-Values: ApplicationId=***
ApplicationSecret=***
IsSingleInstance=Yes
MarketingNotificationEmails=()
SecurityComplianceNotificationMails=()
SecurityComplianceNotificationPhones=()
TechnicalNotificationMails=(xxxxxxxxxxxxxxxxxxxxxxx)
TenantId=***
Verbose=True
VERBOSE: []:                            [[AADTenantDetails]AADTenantDetails] Test-TargetResource returned True
VERBOSE: []: LCM:  [ End    Test     ]  [[AADTenantDetails]AADTenantDetails]  in 1.0550 seconds.
VERBOSE: []: LCM:  [ Skip   Set      ]  [[AADTenantDetails]AADTenantDetails]
VERBOSE: []: LCM:  [ End    Resource ]  [[AADTenantDetails]AADTenantDetails]
VERBOSE: []: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 193.385 seconds

Environment Information + PowerShell Version

OsName               : Microsoft Windows 10 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
@andikrueger
Collaborator

Could you share a bit of your configuration and which authentication parameters are set? Please make sure to run Start-DSCConfiguration within PS 5.1.

@Sylit82

Sylit82 commented Sep 19, 2023

Hello @andikrueger,
Thanks for the quick response.

Let me answer instead of @horgasz2023 because he is unavailable today, but we are working on this project together.

1. We tried with both PS7 and PS 5.1, the result is the same.

2. We use client secret (and app ID) for authentication, so we add application related API permissions to the Azure AD app.

3. We exported the default AAD config (newly created tenant) without applications, users, and groups (exact scope below).
We modified a setting in the tenant config and tried to import back the snapshot that we exported before for test purposes.
The import failed with errors. You can see the errors above (this is what we opened this issue for).

export scope:
"AADAdministrativeUnit"
"AADAuthenticationMethodPolicy"
"AADAuthenticationMethodPolicyAuthenticator"
"AADAuthenticationMethodPolicyEmail"
"AADAuthenticationMethodPolicyFido2"
"AADAuthenticationMethodPolicySms"
"AADAuthenticationMethodPolicySoftware"
"AADAuthenticationMethodPolicyTemporary"
"AADAuthenticationMethodPolicyVoice"
"AADAuthenticationMethodPolicyX509"
"AADAuthenticationStrengthPolicy"
"AADAuthorizationPolicy"
"AADConditionalAccessPolicy"
"AADCrossTenantAccessPolicy"
"AADCrossTenantAccessPolicyConfigurationDefault"
"AADCrossTenantAccessPolicyConfigurationPartner"
"AADEntitlementManagementAccessPackage"
"AADEntitlementManagementAccessPackageAssignmentPolicy"
"AADEntitlementManagementAccessPackageCatalog"
"AADEntitlementManagementAccessPackageCatalogResource"
"AADEntitlementManagementConnectedOrganization"
"AADGroupLifecyclePolicy"
"AADGroupsNamingPolicy"
"AADGroupsSettings"
"AADNamedLocationPolicy"
"AADRoleDefinition"
"AADRoleEligibilityScheduleRequest"
"AADRoleSetting"
"AADSecurityDefaults"
"AADTenantDetails"
"AADTokenLifetimePolicy"

Thanks in advance!

@andikrueger
Collaborator

Would you mind sharing a bit of your config with redacted auth parameters?

@Sylit82

Sylit82 commented Sep 19, 2023

Sure, but maybe I do not get the point.
If you do not mean this, please be more detailed.

Export:
Export-M365DSCConfiguration -Components @("AADAdministrativeUnit", "AADAuthenticationMethodPolicy", "AADAuthenticationMethodPolicyAuthenticator", "AADAuthenticationMethodPolicyEmail", "AADAuthenticationMethodPolicyFido2", "AADAuthenticationMethodPolicySms", "AADAuthenticationMethodPolicySoftware", "AADAuthenticationMethodPolicyTemporary", "AADAuthenticationMethodPolicyVoice", "AADAuthenticationMethodPolicyX509", "AADAuthenticationStrengthPolicy", "AADAuthorizationPolicy", "AADConditionalAccessPolicy", "AADCrossTenantAccessPolicy", "AADCrossTenantAccessPolicyConfigurationDefault", "AADCrossTenantAccessPolicyConfigurationPartner", "AADEntitlementManagementAccessPackage", "AADEntitlementManagementAccessPackageAssignmentPolicy", "AADEntitlementManagementAccessPackageCatalog", "AADEntitlementManagementAccessPackageCatalogResource", "AADEntitlementManagementConnectedOrganization", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADNamedLocationPolicy", "AADRoleDefinition", "AADRoleEligibilityScheduleRequest", "AADRoleSetting", "AADSecurityDefaults", "AADTenantDetails", "AADTokenLifetimePolicy") -ApplicationId $ApplicationId -ApplicationSecret $ApplicationSecret -TenantId $TenantId -Path $path -FileName "M365DSC_export_$(Get-Date -f yyyy-MM-dd).ps1"

Import:
Start-DSCConfiguration -Path $path -Wait -Verbose -Force

@andikrueger
Collaborator

The export will generate a ps1 file which needs to be compiled to a mof file prior to being able to run Start-DSCConfiguration. Could you please share a redacted version of this .ps1 file? I'm interested in which authentication parameters are present, something like this:

[screenshot of a redacted configuration snippet]

@horgasz2023
Author

ApplicationId = $ConfigurationData.NonNodeData.ApplicationId;
ApplicationSecret = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));

@horgasz2023
Author

For the AAD application that is being used by M365DSC we do have these settings in the ps1 file:

AADApplication "M365DSC"
{
    AppId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    ApplicationId = $ConfigurationData.NonNodeData.ApplicationId;
    ApplicationSecret = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
    AvailableToOtherTenants = $False;
    DisplayName = "M365DSC";
    Ensure = "Present";
    IdentifierUris = @();
    KnownClientApplications = @();
    ObjectId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    Owners = @();
    Permissions = @(MSFT_AADApplicationPermission {
        Name = 'RoleEligibilitySchedule.ReadWrite.Directory'
        Type = 'Delegated'
        SourceAPI = 'Microsoft Graph'
    }
    # (remaining permission entries and properties not shown in the post)
    );
}

@horgasz2023
Author

this is option 2 from the guide:

A Service Principal by specifying parameters such as an Azure Active Directory (AD) Application ID, Tenant ID and a Secret or Certificate.
https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/

@andikrueger
Collaborator

It looks like you are missing the TenantId parameter in your configuration.

AADApplication "M365DSC"
{
    AppId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    ApplicationId = $ConfigurationData.NonNodeData.ApplicationId;
    ApplicationSecret = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
    TenantId = 'contoso.onmicrosoft.com'
    # (remaining properties as in the original block)
}
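The diagnosis in the comment above (TenantId absent from resource blocks that authenticate with ApplicationId and ApplicationSecret) can be caught before Start-DscConfiguration ever runs. The PowerShell below is an added example written for this page; it is not code from the Microsoft365DSC project or from any participant in this thread. It scans an exported configuration as plain text, collects the property names assigned in each resource instance, and reports the instances for which no authentication method can be resolved. The rules in Resolve-AuthMethod approximate the parameter combinations M365DSC resources accept (Credential; Credential with ApplicationId; ApplicationId with TenantId and ApplicationSecret or CertificateThumbprint; ManagedIdentity with TenantId) and are an assumption, not the module's own logic. The function names and the sample configuration are constructed for the example.

```powershell
# Added example for this thread; not Microsoft365DSC project code.
# Pre-flight check for an exported M365DSC configuration (.ps1): find resource
# instances whose authentication parameters cannot be resolved to a method, which is
# the situation that surfaces at apply time as "Could not determine authentication method".

function Get-DscResourceBlocks {
    # Walks the configuration text line by line and returns one object per resource
    # instance (Type, Name, Props = names of the properties assigned in the block).
    # Brace depth is tracked so nested CIM instances (MSFT_*{ ... }) are not mistaken
    # for the end of the block. Plain-text parsing is used on purpose: handing a DSC
    # configuration to the PowerShell parser requires the resource module to be loadable.
    param([Parameter(Mandatory)][string]$ConfigText)

    $header = '^\s*(?<type>[A-Za-z][A-Za-z0-9]*)\s+"(?<name>[^"]+)"\s*(?<brace>\{)?\s*$'
    $assign = '^\s*(?<prop>[A-Za-z][A-Za-z0-9]*)\s*=\s*(?<value>.*?);?\s*$'
    $blocks  = [System.Collections.Generic.List[object]]::new()
    $current = $null
    $depth   = 0

    foreach ($line in ($ConfigText -split "`r?`n")) {
        if ($null -eq $current) {
            $m = [regex]::Match($line, $header)
            if ($m.Success) {
                $current = [pscustomobject]@{ Type = $m.Groups['type'].Value; Name = $m.Groups['name'].Value; Props = @{} }
                $depth = if ($m.Groups['brace'].Success) { 1 } else { 0 }
            }
            continue
        }
        $depthBefore = $depth
        $depth += [regex]::Matches($line, '\{').Count - [regex]::Matches($line, '\}').Count
        if ($depthBefore -eq 1) {
            # Only top-level properties of the resource instance count; nested CIM
            # instance members are at depth 2 or deeper and are skipped.
            $a = [regex]::Match($line, $assign)
            if ($a.Success) { $current.Props[$a.Groups['prop'].Value] = $a.Groups['value'].Value }
        }
        if ($depthBefore -ge 1 -and $depth -eq 0) { $blocks.Add($current); $current = $null }
    }
    return $blocks
}

function Resolve-AuthMethod {
    # Approximation (assumption) of the parameter combinations M365DSC resources accept.
    param([Parameter(Mandatory)][hashtable]$Props)
    $has = @{}
    foreach ($k in 'Credential','ApplicationId','TenantId','ApplicationSecret','CertificateThumbprint','ManagedIdentity') {
        $has[$k] = $Props.ContainsKey($k)
    }
    if ($has.Credential -and -not $has.ApplicationId)                          { return 'Credential' }
    if ($has.Credential -and $has.ApplicationId)                               { return 'CredentialWithApplicationId' }
    if ($has.ApplicationId -and $has.TenantId -and $has.ApplicationSecret)     { return 'ServicePrincipalWithSecret' }
    if ($has.ApplicationId -and $has.TenantId -and $has.CertificateThumbprint) { return 'ServicePrincipalWithThumbprint' }
    if ($has.ManagedIdentity -and $has.TenantId)                               { return 'ManagedIdentity' }
    return 'Undetermined'
}

function Test-M365DSCAuthParameters {
    # Emits one record per resource instance: the resolved method and, for service
    # principal blocks, which of the required parameters are absent.
    param([Parameter(Mandatory)][string]$ConfigText)
    foreach ($b in Get-DscResourceBlocks -ConfigText $ConfigText) {
        $missing = @()
        if ($b.Props.ContainsKey('ApplicationId') -and -not $b.Props.ContainsKey('Credential')) {
            if (-not $b.Props.ContainsKey('TenantId')) { $missing += 'TenantId' }
            if (-not ($b.Props.ContainsKey('ApplicationSecret') -or $b.Props.ContainsKey('CertificateThumbprint'))) {
                $missing += 'ApplicationSecret or CertificateThumbprint'
            }
        }
        [pscustomobject]@{
            Resource   = "[$($b.Type)]$($b.Name)"
            AuthMethod = Resolve-AuthMethod -Props $b.Props
            Missing    = ($missing -join ', ')
        }
    }
}

# Constructed sample (not a real export): the first block carries TenantId, the second does not.
$sampleConfig = @'
Configuration M365TenantConfig
{
    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.906.1'

    Node localhost
    {
        AADSecurityDefaults "AADSecurityDefaults"
        {
            ApplicationId     = $ConfigurationData.NonNodeData.ApplicationId;
            ApplicationSecret = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
            IsEnabled         = $True;
            IsSingleInstance  = "Yes";
            TenantId          = $OrganizationName;
        }
        AADRoleSetting "AADRoleSetting-Global Administrator"
        {
            ApplicationId     = $ConfigurationData.NonNodeData.ApplicationId;
            ApplicationSecret = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
            Displayname       = "Global Administrator";
            Ensure            = "Present";
        }
    }
}
'@

Test-M365DSCAuthParameters -ConfigText $sampleConfig | Format-Table -AutoSize

# Against a real export, gate the compile/apply step on an empty result:
# Test-M365DSCAuthParameters -ConfigText (Get-Content .\M365DSC_export.ps1 -Raw) |
#     Where-Object AuthMethod -eq 'Undetermined'
```

On the constructed sample, the AADSecurityDefaults block resolves to ServicePrincipalWithSecret while the AADRoleSetting block comes back Undetermined with TenantId listed as missing, which is the shape of the failure in the verbose log earlier in this issue. Because the check is text based it also works in PowerShell 7, where the thread notes the configuration itself should not be applied; run it on the .ps1 before compiling to MOF, and treat any Undetermined row as a blocker.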

@horgasz2023
Author

So the node part is as follows:

param (
)

Configuration xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
{
param (
)

$OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.906.1'

Node localhost
{
    AADAuthenticationMethodPolicy "AADAuthenticationMethodPolicy-Authentication Methods Policy"
    {
        ApplicationId               = $ConfigurationData.NonNodeData.ApplicationId;
        ApplicationSecret           = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
        Description                 = "The tenant-wide policy that controls which authentication methods are allowed in the tenant, authentication method registration requirements, and self-service password reset settings";
        DisplayName                 = "Authentication Methods Policy";
        Ensure                      = "Present";
        Id                          = "authenticationMethodsPolicy";
        PolicyMigrationState        = "migrationInProgress";
        PolicyVersion               = "1.4";
        RegistrationEnforcement     = MSFT_MicrosoftGraphregistrationEnforcement{

            AuthenticationMethodsRegistrationCampaign = MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaign{
                SnoozeDurationInDays = 1


                IncludeTargets = @(
                    MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaignIncludeTarget{
                        TargetedAuthenticationMethod = 'microsoftAuthenticator'
                        TargetType = 'group'
                        Id = 'all_users'
                    }                    )
                State = 'default'
            }
        };
        SystemCredentialPreferences = MSFT_MicrosoftGraphsystemCredentialPreferences{


            IncludeTargets = @(
                MSFT_AADAuthenticationMethodPolicyIncludeTarget{
                    Id = 'all_users'
                    TargetType = 'group'
                }                )
            State = 'default'
        };
        TenantId                    = $OrganizationName;
    }
    # (remaining resource blocks not shown in the post)
}
}

The error comes from the AADRoleSetting resource restore when it hits the Global Administrator role, and the whole procedure fails afterwards. The other roles before this do work.

[[AADRoleSetting]AADRoleSetting-Global Administrator]
VERBOSE: []: LCM: [ Start Test ] [[AADRoleSetting]AADRoleSetting-Global Administrator]
VERBOSE: []: [[AADRoleSetting]AADRoleSetting-Global Administrator] Testing configuration of Role Assignment: Global Administrator
VERBOSE: []: [[AADRoleSetting]AADRoleSetting-Global Administrator] Getting configuration of Role: Global Administrator
VERBOSE: []: LCM: [ End Test ] [[AADRoleSetting]AADRoleSetting-Global Administrator] in 0.6110 seconds.
PowerShell DSC resource MSFT_AADRoleSetting failed to execute Test-TargetResource functionality with error message: Could not determine authentication method
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost

@NikCharlebois
Collaborator

Sorry folks, we are getting a little confused here. You are talking about AADRoleSetting being the problem, but so far you've shared an AADApplication and an AADAuthenticationMethodPolicy snippet. Can you share either the whole redacted configuration or the AADAuthenticationMethodPolicy snippet that is causing the error? Thanks

@horgasz2023
Author

I will try to reach out to you through MS Premier Support, as I cannot share the config file in a public space.

@andikrueger
Collaborator

If you are able to find a solution for this issue, kindly share the resolution here and proceed to close the matter.

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Sep 27, 2023