After running Start-DscConfiguration AADConditionalAccessPolicy policies are not written to the target tenant #5195

Open
rick-engle opened this issue Oct 16, 2024 · 3 comments

Comments

@rick-engle

Description of the issue

I ran Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy") against my source tenant and it listed all 39 CA policies that I had. After compiling the PowerShell script and then running Start-DscConfiguration, all of the policies showed up in the output using -Verbose and had no errors that I could see, yet the policies were not successfully written to my target tenant.
How can I troubleshoot this?

Rick

Microsoft 365 DSC Version

Release 1.24.1002.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy") -ApplicationId $clientId -TenantId $tenantIdDomainName -ApplicationSecret $clientSecretValue -Path $SavePath -FileName $SaveFileName

Start-DscConfiguration -Path $PathToCompiledMOF -Wait -Verbose -Force

Verbose logs showing the problem

Just AADConditionalAccessPolicy:

Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy") -ApplicationId $clientId -TenantId $tenantIdDomainName -ApplicationSecret $clientSecretValue -Path $SavePath -FileName $SaveFileName

Exporting Microsoft 365 configuration for Components: AADConditionalAccessPolicy

Authentication methods specified:

  • Service Principal with Application Secret

Connecting to {MicrosoftGraph}...✅
[1/1] Extracting [AADConditionalAccessPolicy] using {ApplicationSecret}...
|---[1/39] My App Conditional Access Policy✅
...
|---[39/39] Multifactor authentication for Microsoft partners and vendors✅
⌛ Export took {59 seconds} for {39 instances}

$PermissionsList = Get-M365DSCCompiledPermissionList -AccessType Update -ResourceNameList @("AADApplication", "AADAuthenticationMethodPolicy", "AADAuthenticationStrengthPolicy", "AADAuthorizationPolicy", "AADGroup", "AADNamedLocationPolicy", "AADServicePrincipal") -PermissionType Application

# The M365DSC app needs the Directory.Read.All permission

$PermissionsList += @{API ='Graph';PermissionName='Directory.Read.All';}
$PermissionsList += @{API ='Graph';PermissionName='Directory.ReadWrite.All';}

. .\M365TenantConfig_M365x648977_Backup.ps1
Import-Module : The version of Windows PowerShell on this computer is '5.1.26100.1882'. The module 'C:\Program
Files\WindowsPowerShell\Modules\PSDesiredStateConfiguration\2.0.7\PSDesiredStateConfiguration.psd1' requires a minimum Windows PowerShell version
of '6.1' to run. Verify that you have the minimum required version of Windows PowerShell installed, and then try again.
At line:3 char:25
+ ... Import-Module PSDesiredStateConfiguration -Verbose:$false ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (C:\Program File...figuration.psd1:String) [Import-Module], InvalidOperationException
    + FullyQualifiedErrorId : Modules_InsufficientPowerShellVersion,Microsoft.PowerShell.Commands.ImportModuleCommand

Mode LastWriteTime Length Name


-a---- 10/14/2024 5:33 PM 171746 localhost.mof

Start-DscConfiguration -Path $PathToCompiledMOF -Wait -Verbose -Force
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigura
tionManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer ULTRASBOOK6 with user sid S-1-12-1-2786440620-1107658995-3191192979-3267944029.
VERBOSE: The -Force option was specified with the Stop operation. The current configuration has been successfully cancelled.
VERBOSE: An LCM method call arrived from computer ULTRASBOOK6 with user sid S-1-12-1-2786440620-1107658995-3191192979-3267944029.
VERBOSE: [ULTRASBOOK6]: LCM: [ Start Set ]
VERBOSE: [ULTRASBOOK6]: LCM: [ Start Resource ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy]
VERBOSE: [ULTRASBOOK6]: LCM: [ Start Test ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy]
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Testing
configuration of AzureAD CA Policies
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Getting
configuration of AzureAD Conditional Access Policy
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] PolicyI
D was specified
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Found existing Conditional Access policy
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Process IncludeUsers
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Process ExcludeUsers
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Process IncludeGroups
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Process ExcludeGroups
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Location condition defined, processing
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Processing IncludeLocations
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource: Processing ExcludeLocations
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Get-Tar
getResource Result:
AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=***
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa,compliantDevice)
CertificateThumbprint=***
ClientAppTypes=(browser,mobileAppsAndDesktopClients)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=$null
CustomAuthenticationFactors=()
DeviceFilterMode=
DeviceFilterRule=
DisplayName=My App Conditional Access Policy
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeGuestOrExternalUserTypes=$null
ExcludeLocations=()
ExcludePlatforms=(android,iOS,macOS)
ExcludeRoles=()
ExcludeUsers=(GuestsOrExternalUsers)
GrantControlOperator=AND
Id=266e548c-eddd-4b20-b561-8e6eed90efdb
IncludeApplications=(02c39422-d850-4440-bb38-3eb38a6634ff)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeGuestOrExternalUserTypes=$null
IncludeLocations=(All)
IncludePlatforms=(android,iOS)
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
Managedidentity=False
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyInterval=$null
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInFrequencyValue=$null
SignInRiskLevels=(high)
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=$null
TransferMethods=
UserRiskLevels=(medium)
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Current
Values: AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=***
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa,compliantDevice)
CertificateThumbprint=***
ClientAppTypes=(browser,mobileAppsAndDesktopClients)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=$null
CustomAuthenticationFactors=()
DeviceFilterMode=
DeviceFilterRule=
DisplayName=My App Conditional Access Policy
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeGuestOrExternalUserTypes=$null
ExcludeLocations=()
ExcludePlatforms=(android,iOS,macOS)
ExcludeRoles=()
ExcludeUsers=(GuestsOrExternalUsers)
GrantControlOperator=AND
Id=266e548c-eddd-4b20-b561-8e6eed90efdb
IncludeApplications=(02c39422-d850-4440-bb38-3eb38a6634ff)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeGuestOrExternalUserTypes=$null
IncludeLocations=(All)
IncludePlatforms=(android,iOS)
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
Managedidentity=False
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyInterval=$null
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInFrequencyValue=$null
SignInRiskLevels=(high)
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=$null
TransferMethods=
UserRiskLevels=(medium)
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Target
Values: ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=***
AuthenticationContexts=()
BuiltInControls=(mfa,compliantDevice)
ClientAppTypes=(browser,mobileAppsAndDesktopClients)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=My App Conditional Access Policy
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=(android,iOS,macOS)
ExcludeRoles=()
ExcludeUsers=(GuestsOrExternalUsers)
GrantControlOperator=AND
Id=266e548c-eddd-4b20-b561-8e6eed90efdb
IncludeApplications=(02c39422-d850-4440-bb38-3eb38a6634ff)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=(All)
IncludePlatforms=(android,iOS)
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=(high)
State=enabledForReportingButNotEnforced
TenantId=***
TransferMethods=
UserRiskLevels=(medium)
Verbose=True
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] Test-Ta
rgetResource returned True
VERBOSE: [ULTRASBOOK6]: LCM: [ End Test ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy] in 1.3
060 seconds.
VERBOSE: [ULTRASBOOK6]: LCM: [ Skip Set ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy]
VERBOSE: [ULTRASBOOK6]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-My App Conditional Access Policy]
VERBOSE: [ULTRASBOOK6]: LCM: [ Start Resource ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access]
VERBOSE: [ULTRASBOOK6]: LCM: [ Start Test ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access]
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Testin
g configuration of AzureAD CA Policies
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Gettin
g configuration of AzureAD Conditional Access Policy
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Policy
ID was specified
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Found existing Conditional Access policy
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Process IncludeUsers
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Process ExcludeUsers
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Process IncludeGroups
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Process ExcludeGroups
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Location condition defined, processing
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Processing IncludeLocations
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource: Processing ExcludeLocations
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Get-Ta
rgetResource Result:
AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=***
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa)
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=$null
CustomAuthenticationFactors=()
DeviceFilterMode=
DeviceFilterRule=
DisplayName=Require MFA for B2B portal access
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeGuestOrExternalUserTypes=$null
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=d65bbcb4-9c6c-4fff-b71e-298f3bf2322c
IncludeApplications=(cc15fd57-2c6c-4117-a88c-83b1d56b4bbe)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeGuestOrExternalUserTypes=$null
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(GuestsOrExternalUsers)
Managedidentity=False
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyInterval=$null
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInFrequencyValue=$null
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=$null
TransferMethods=
UserRiskLevels=()
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Curren
t Values: AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=***
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa)
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=$null
CustomAuthenticationFactors=()
DeviceFilterMode=
DeviceFilterRule=
DisplayName=Require MFA for B2B portal access
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeGuestOrExternalUserTypes=$null
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=d65bbcb4-9c6c-4fff-b71e-298f3bf2322c
IncludeApplications=(cc15fd57-2c6c-4117-a88c-83b1d56b4bbe)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeGuestOrExternalUserTypes=$null
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(GuestsOrExternalUsers)
Managedidentity=False
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyInterval=$null
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInFrequencyValue=$null
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=$null
TransferMethods=
UserRiskLevels=()
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Target
Values: ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=***
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Require MFA for B2B portal access
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=d65bbcb4-9c6c-4fff-b71e-298f3bf2322c
IncludeApplications=(cc15fd57-2c6c-4117-a88c-83b1d56b4bbe)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(GuestsOrExternalUsers)
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] Test-T
argetResource returned True
VERBOSE: [ULTRASBOOK6]: LCM: [ End Test ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access] in 1.
0500 seconds.
VERBOSE: [ULTRASBOOK6]: LCM: [ Skip Set ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access]
VERBOSE: [ULTRASBOOK6]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Require MFA for B2B portal access]
VERBOSE: [ULTRASBOOK6]: LCM: [ Start Resource ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot]
VERBOSE: [ULTRASBOOK6]: LCM: [ Start Test ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot]
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Testing configuration of Azure
AD CA Policies
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Getting configuration of Azure
AD Conditional Access Policy
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] PolicyID was specified
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Found exis
ting Conditional Access policy
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Process In
cludeUsers
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Process Ex
cludeUsers
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Process In
cludeGroups
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Process Ex
cludeGroups
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Location c
ondition defined, processing
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Processing
IncludeLocations
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource: Processing
ExcludeLocations
VERBOSE: [ULTRASBOOK6]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-MFA Pilot] Get-TargetResource Result:
AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=***
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa,compliantDevice,domainJoinedDevice)
CertificateThumbprint=***
ClientAppTypes=(exchangeActiveSync,browser,other)

.........

VERBOSE: [ULTRASBOOK6]: LCM: [ End Set ]
VERBOSE: [ULTRASBOOK6]: LCM: [ End Set ] in 80.7530 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 81.363 seconds

Environment Information + PowerShell Version

OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 26100.1.amd64fre.ge_release.240331-1435
OsLanguage : en-US
OsMuiLanguages : {en-US}

Key : PSVersion
Value : 5.1.26100.1882
Name : PSVersion

Key : PSEdition
Value : Desktop
Name : PSEdition

Key : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name : PSCompatibleVersions

Key : BuildVersion
Value : 10.0.26100.1882
Name : BuildVersion

Key : CLRVersion
Value : 4.0.30319.42000
Name : CLRVersion

Key : WSManStackVersion
Value : 3.0
Name : WSManStackVersion

Key : PSRemotingProtocolVersion
Value : 2.3
Name : PSRemotingProtocolVersion

Key : SerializationVersion
Value : 1.1.0.1
Name : SerializationVersion

@FabienTschanz
Contributor

If you want to apply the configuration to another tenant, you need to change the tenant id / name in the ConfigurationData.psd1 file and then compile it. Otherwise, you'll end up targeting your export tenant.

@rick-engle
Author

rick-engle commented Oct 17, 2024

@FabienTschanz, that is a good tip. I did not see that note in the Microsoft365DSC documentation. I did try that and tested against the AADConditionalAccessPolicy component. I realized that it was still not working and then figured out that after compiling, the M365TenantConfig.ps1 file needs to be edited and have the UPN addresses globally replaced from users' old tenant domain to the target tenant. Then, finally, finally it worked! I didn't find any of that in the documentation. And I cannot thank you enough for giving me this tip that got me to a solution!

@FabienTschanz
Contributor

UPNs and other things for one tenant indeed have to be changed by you from an external input unfortunately. What you could do (if you wanted to) would be to configure a variable in the ConfigurationData.psd1 which contains the UPN suffix and have one for each of your tenants. That way, depending on what file you specify, you can target one or the other tenant.

Hope that helps 😃 If the issue is resolved for you, feel free to close it.
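
The per-tenant data file suggested above, together with the earlier reply about changing the tenant id, as an added PowerShell example that is not part of the thread or of Microsoft365DSC: it rewrites hard-coded UPNs in an exported script so that their suffix is read from `ConfigurationData`, and lists any UPN still bound to another tenant before compiling. The `UpnSuffix` key, the contoso/fabrikam domains, the sample policy fragment and both function names are assumptions made for the illustration.

```powershell
# Added example. UpnSuffix, the tenant names and the policy fragment are
# constructed for illustration; they do not come from the issue.

# One data set per tenant, normally kept as separate .psd1 files.
$sourceData = @{
    AllNodes    = @(@{ NodeName = 'localhost' })
    NonNodeData = @{
        TenantId  = 'contoso.onmicrosoft.com'   # placeholder export tenant
        UpnSuffix = 'contoso.onmicrosoft.com'   # hypothetical key
    }
}
$targetData = @{
    AllNodes    = @(@{ NodeName = 'localhost' })
    NonNodeData = @{
        TenantId  = 'fabrikam.onmicrosoft.com'  # placeholder target tenant
        UpnSuffix = 'fabrikam.onmicrosoft.com'
    }
}

# Constructed fragment of an exported configuration script.
$exported = @'
AADConditionalAccessPolicy "AADConditionalAccessPolicy-MFA Pilot"
{
    DisplayName  = "MFA Pilot";
    ExcludeUsers = @("breakglass@contoso.onmicrosoft.com");
    IncludeUsers = @("alice@contoso.onmicrosoft.com");
    State        = "enabledForReportingButNotEnforced";
    TenantId     = $ConfigurationData.NonNodeData.TenantId;
}
'@

function Convert-UpnSuffixToVariable {
    # Replaces "name@<SourceSuffix>" with a reference to the data file's
    # UpnSuffix. Only double-quoted strings are handled, because the
    # variable must expand when the configuration is compiled.
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [Parameter(Mandatory)][string]$SourceSuffix
    )
    $pattern     = '"([^"@\s]+)@' + [regex]::Escape($SourceSuffix) + '"'
    $replacement = '"${1}@$$($$ConfigurationData.NonNodeData.UpnSuffix)"'
    [regex]::Replace($ScriptText, $pattern, $replacement, 'IgnoreCase')
}

function Get-ForeignUpn {
    # Pre-compile check: returns quoted UPNs whose domain is not the
    # target tenant's suffix.
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [Parameter(Mandatory)][string]$TargetSuffix
    )
    $upn = '"([^"@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+))"'
    foreach ($m in [regex]::Matches($ScriptText, $upn)) {
        if ($m.Groups[2].Value -ne $TargetSuffix) { $m.Groups[1].Value }
    }
}

$rewritten = Convert-UpnSuffixToVariable -ScriptText $exported `
    -SourceSuffix $sourceData.NonNodeData.UpnSuffix

# UPNs in the untouched export that would not resolve in the target tenant.
Get-ForeignUpn -ScriptText $exported -TargetSuffix $targetData.NonNodeData.UpnSuffix

# The same check on the rewritten text, followed by the rewritten script.
Get-ForeignUpn -ScriptText $rewritten -TargetSuffix $targetData.NonNodeData.UpnSuffix
$rewritten
```

Compile the rewritten script once per tenant, passing that tenant's data file through the configuration's `-ConfigurationData` parameter, so the same source produces a MOF for either tenant.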
