Export-M365DSCConfiguration for Teams having Read.All permission is not generating configuration information #3704
Comments
|
I am using version 1.23.809.1 |
|
Would you mind updating to the latest release? This should fix the issue |
Hello,
Below are the permissions that my Azure AD app has - Microsoft Graph Application Application.Read.All |
|
Did you reset the permissions (removed the old and set the new ones) or are you re-using the previous app registration? |
|
I already had these READ permissions added on the Azure AD App. No new additions/removal of permission done on the App. |
|
AFAIK The cmdLet will not remove permissions. @NikCharlebois Is this even doable? |
|
Having a similar issue where all permissions are inline with compiled permission list correct. Export success on only Teams, Users and Channels. All Policies and Settings are failing to export. On the latest version currently investigating further. |
|
There is a known issue with Teams PowerShell which is different and affects only TeamsOrgWideAppSettings: #3394 Either there was a change to the bad or this is something new. |
|
Update on my case, created a full new AppRegistration exactly the same API permissions as my DEV tenant (where it worked). Was still not working did a further look and in my Dev-Tenant i also gave the same Appregistration the Exchange Role. For testing purposes i gave the new test-Appregistration the Teams-Admin role and now it works. The additional role apparently adds some extra permissions in the forms of a role is needed. |
|
@DennisLangenberg Thank you for the feedback. This would align with the documentation: https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication#setup-application-based-authentication
We should add this to our documentation and check with the teams team, what roles are needed. //cc @NikCharlebois |
|
The Teams Administrator role is listed on the Teams resources. Closing this issue. |
Checked required permission for Teams for some of the policies using command
Get-M365DSCCompiledPermissionList -ResourceNameList @('TeamsCallingPolicy','TeamsClientConfiguration','TeamsEmergencyCallingPolicy','TeamsGuestCallingConfiguration','TeamsGuestMeetingConfiguration','TeamsGuestMessagingConfiguration','TeamsMeetingBroadcastConfiguration','TeamsMeetingBroadcastPolicy','TeamsMeetingConfiguration','TeamsMeetingPolicy','TeamsMessagingPolicy','TeamsUpgradeConfiguration') -PermissionType 'Application' -AccessType 'Read'
Generates below ReadWrite.All and Delete,All permissions along with Organization.Read.All and User.Read.All
Group.ReadWrite.All
AppCatalog.ReadWrite.All
TeamSettings.ReadWrite.All
Channel.Delete.All
ChannelSettings.ReadWrite.All
ChannelMember.ReadWrite.All
I don't intend to modify any of the configuration settings. Why ReadWrite.All and Delete.All permissions required only for executing Export-M365DSCConfiguration for Teams?
The text was updated successfully, but these errors were encountered: