
AADRoleEligibilityScheduleRequest: adminAssign action will always remove the current assignment and set it again with same value #5712

Open
gbs916 opened this issue Feb 3, 2025 · 0 comments

Comments

@gbs916

gbs916 commented Feb 3, 2025

Description of the issue

I use AADRoleEligibilityScheduleRequest to set an eligible role assignment. It works perfectly, but as I use it in a scheduled pipeline to ensure the value is always compliant with our repository, the configuration is applied multiple times per week.
When it runs, M365DSC will always remove and re-add the assignment even if the values have not changed:
Image

This action is a problem because people who have already activated their role in PIM will lose their access and will have to reactivate their roles. So people have activated their role and, all of a sudden, they will no longer be able to perform administrative actions because the role is no longer present.

I would like to be able to launch my pipeline multiple times with the same configuration without the assignment being changed (if the value is identical). So there must be a problem in the detection or comparison between the desired value and the value retrieved in Entra ID.

Can you please have a look?

Thank you!

Microsoft 365 DSC Version

1.25.129.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

@{
    Principal        = 'gpaz-azuread-roles-GENDPOINTADM_PaC'
    Action           = 'AdminAssign'
    DirectoryScopeId = '/'
    Ensure           = 'Present'
    Id               = '0fbe7696-d21e-47d2-bc73-74b8499a6261'
    IsValidationOnly = $False
    PrincipalType    = 'Group'
    RoleDefinition   = 'Intune Administrator'
    ScheduleInfo     = @{
        expiration    = @{ type = 'noExpiration' }
        startDateTime = '2024-10-15T10:14:56Z'
    }
}

Verbose logs showing the problem

2025-01-30T09:01:42.6790332Z VERBOSE: [fv-az899-360]: LCM:  [ Start  Resource ]  
2025-01-30T09:01:42.6790644Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:42.6791022Z Administrator-/::[AzureAD]AzureAD_Configuration]
2025-01-30T09:01:42.6791281Z VERBOSE: [fv-az899-360]: LCM:  [ Start  Test     ]  
2025-01-30T09:01:42.6791730Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:42.6792054Z Administrator-/::[AzureAD]AzureAD_Configuration]
2025-01-30T09:01:42.6792284Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:42.6793033Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:42.6793461Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by Id {6a1e9922-14c4-4c26-9795-99d97f4d649b}
2025-01-30T09:01:43.1443550Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:43.1455643Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:43.1460169Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by PrincipalId and RoleDefinitionId
2025-01-30T09:01:43.1471914Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:43.1476200Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:43.1488948Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal by DisplayName 
2025-01-30T09:01:43.1492418Z {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:43.1976718Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:43.1992236Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:43.1998263Z Administrator-/::[AzureAD]AzureAD_Configuration] Found Principal {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:43.2870381Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:43.2883172Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:43.2887681Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieved role definition {Intune Administrator} with ID 
2025-01-30T09:01:43.2898157Z {3a2c62db-5318-420d-8d74-23affee5d9d5}
2025-01-30T09:01:43.2902382Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:43.2914175Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:43.2918727Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving the request by PrincipalId 
2025-01-30T09:01:43.2929118Z {44fdf048-49e7-45a8-a899-dfcbe3e85bba}, RoleDefinitionId {3a2c62db-5318-420d-8d74-23affee5d9d5} and DirectoryScopeId 
2025-01-30T09:01:43.2933268Z {/}
2025-01-30T09:01:44.5591038Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:44.5602920Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:44.5607547Z Administrator-/::[AzureAD]AzureAD_Configuration] Current Values: AccessTokens=$null
2025-01-30T09:01:44.5612935Z 
2025-01-30T09:01:44.5620762Z Action=$null
2025-01-30T09:01:44.5625997Z 
2025-01-30T09:01:44.5633763Z ApplicationId=***
2025-01-30T09:01:44.5638943Z 
2025-01-30T09:01:44.5646615Z ApplicationSecret=$null
2025-01-30T09:01:44.5663357Z 
2025-01-30T09:01:44.5672137Z AppScopeId=$null
2025-01-30T09:01:44.5677476Z 
2025-01-30T09:01:44.5686421Z CertificateThumbprint=***
2025-01-30T09:01:44.5691694Z 
2025-01-30T09:01:44.5699438Z Credential=$null
2025-01-30T09:01:44.5704560Z 
2025-01-30T09:01:44.5711341Z DirectoryScopeId=/
2025-01-30T09:01:44.5716885Z 
2025-01-30T09:01:44.5734778Z Ensure=Present
2025-01-30T09:01:44.5742568Z 
2025-01-30T09:01:44.5753341Z Id=85ab3a0f-1a25-412a-b084-8669f58c3dc7
2025-01-30T09:01:44.5758240Z 
2025-01-30T09:01:44.5768844Z IsValidationOnly=$null
2025-01-30T09:01:44.5774672Z 
2025-01-30T09:01:44.5783810Z Justification=$null
2025-01-30T09:01:44.5788582Z 
2025-01-30T09:01:44.5797700Z Managedidentity=False
2025-01-30T09:01:44.5801987Z 
2025-01-30T09:01:44.5813399Z Principal=gpaz-azuread-roles-GENDPOINTSVC_PaC
2025-01-30T09:01:44.5818365Z 
2025-01-30T09:01:44.5827325Z PrincipalType=Group
2025-01-30T09:01:44.5832000Z 
2025-01-30T09:01:44.5841458Z RoleDefinition=Intune Administrator
2025-01-30T09:01:44.5845877Z 
2025-01-30T09:01:44.5855110Z ScheduleInfo={expiration={duration=$null
2025-01-30T09:01:44.5859515Z 
2025-01-30T09:01:44.5868515Z type=noExpiration}
2025-01-30T09:01:44.5874524Z 
2025-01-30T09:01:44.5883641Z Recurrence={pattern={dayOfMonth=$null
2025-01-30T09:01:44.5888370Z 
2025-01-30T09:01:44.5897331Z daysOfWeek=$null
2025-01-30T09:01:44.5901524Z 
2025-01-30T09:01:44.5910463Z firstDayOfWeek=$null
2025-01-30T09:01:44.5914789Z 
2025-01-30T09:01:44.5924089Z index=$null
2025-01-30T09:01:44.5928852Z 
2025-01-30T09:01:44.5937897Z interval=$null
2025-01-30T09:01:44.5942514Z 
2025-01-30T09:01:44.5951453Z month=$null
2025-01-30T09:01:44.5955695Z 
2025-01-30T09:01:44.5964629Z type=$null}
2025-01-30T09:01:44.5970652Z 
2025-01-30T09:01:44.5980574Z range={endDate=$null
2025-01-30T09:01:44.5985394Z 
2025-01-30T09:01:44.5994310Z numberOfOccurrences=$null
2025-01-30T09:01:44.5998875Z 
2025-01-30T09:01:44.6009046Z recurrenceTimeZone=$null
2025-01-30T09:01:44.6014983Z 
2025-01-30T09:01:44.6023717Z startDate=$null
2025-01-30T09:01:44.6028111Z 
2025-01-30T09:01:44.6036988Z type=$null}}
2025-01-30T09:01:44.6041474Z 
2025-01-30T09:01:44.6050372Z StartDateTime=2025-01-28T11:58:45Z}
2025-01-30T09:01:44.6055580Z 
2025-01-30T09:01:44.6064954Z TenantId=***
2025-01-30T09:01:44.6073881Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:44.6082829Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:44.6091893Z Administrator-/::[AzureAD]AzureAD_Configuration] Target Values: ApplicationId=***
2025-01-30T09:01:44.6096640Z 
2025-01-30T09:01:44.6105405Z CertificateThumbprint=***
2025-01-30T09:01:44.6109520Z 
2025-01-30T09:01:44.6118386Z DirectoryScopeId=/
2025-01-30T09:01:44.6122833Z 
2025-01-30T09:01:44.6141804Z Ensure=Present
2025-01-30T09:01:44.6146289Z 
2025-01-30T09:01:44.6155222Z Id=6a1e9922-14c4-4c26-9795-99d97f4d649b
2025-01-30T09:01:44.6160171Z 
2025-01-30T09:01:44.6169380Z Principal=gpaz-azuread-roles-GENDPOINTSVC_PaC
2025-01-30T09:01:44.6173834Z 
2025-01-30T09:01:44.6183811Z PrincipalType=Group
2025-01-30T09:01:44.6188510Z 
2025-01-30T09:01:44.6197361Z RoleDefinition=Intune Administrator
2025-01-30T09:01:44.6202973Z 
2025-01-30T09:01:44.6211755Z TenantId=***
2025-01-30T09:01:44.6215926Z 
2025-01-30T09:01:44.6224790Z Verbose=True
2025-01-30T09:01:44.7433055Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:44.7446436Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:44.7451695Z Administrator-/::[AzureAD]AzureAD_Configuration] Test-TargetResource returned False
2025-01-30T09:01:44.7462290Z VERBOSE: [fv-az899-360]: LCM:  [ End    Test     ]  
2025-01-30T09:01:44.7466826Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:44.7477238Z Administrator-/::[AzureAD]AzureAD_Configuration]  in 3.4750 seconds.
2025-01-30T09:01:44.7481717Z VERBOSE: [fv-az899-360]: LCM:  [ Start  Set      ]  
2025-01-30T09:01:44.7491994Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:44.7495550Z Administrator-/::[AzureAD]AzureAD_Configuration]
2025-01-30T09:01:45.7252396Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:45.7253001Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:45.7253476Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by Id {6a1e9922-14c4-4c26-9795-99d97f4d649b}
2025-01-30T09:01:46.4551897Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:46.4566465Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:46.4571934Z Administrator-/::[AzureAD]AzureAD_Configuration] Getting Role Eligibility by PrincipalId and RoleDefinitionId
2025-01-30T09:01:46.4587317Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:46.4592656Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:46.4604383Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal by DisplayName 
2025-01-30T09:01:46.4607699Z {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:46.5683337Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:46.5695865Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:46.5699318Z Administrator-/::[AzureAD]AzureAD_Configuration] Found Principal {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:46.6907846Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:46.6922621Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:46.6927682Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieved role definition {Intune Administrator} with ID 
2025-01-30T09:01:46.6941077Z {3a2c62db-5318-420d-8d74-23affee5d9d5}
2025-01-30T09:01:46.6945555Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:46.6956753Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:46.6963828Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving the request by PrincipalId 
2025-01-30T09:01:46.6976522Z {44fdf048-49e7-45a8-a899-dfcbe3e85bba}, RoleDefinitionId {3a2c62db-5318-420d-8d74-23affee5d9d5} and DirectoryScopeId 
2025-01-30T09:01:46.6984376Z {/}
2025-01-30T09:01:47.9983959Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:47.9995271Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:47.9999916Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal Id from Set-TargetResource
2025-01-30T09:01:48.0010433Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:48.0014947Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:48.0025405Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving Principal by DisplayName 
2025-01-30T09:01:48.0028941Z {gpaz-azuread-roles-GENDPOINTSVC_PaC}
2025-01-30T09:01:48.2224592Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:48.2236517Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:48.2240314Z Administrator-/::[AzureAD]AzureAD_Configuration] Retrieving ROleDefinitionId from Set-TargetResource
2025-01-30T09:01:48.3251152Z VERBOSE: [fv-az899-360]:                            
2025-01-30T09:01:48.3263080Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:48.3267778Z Administrator-/::[AzureAD]AzureAD_Configuration] Updating role eligibility Schedule with parameters:
2025-01-30T09:01:48.3273242Z 
2025-01-30T09:01:48.3281070Z {
2025-01-30T09:01:48.3286158Z 
2025-01-30T09:01:48.3293915Z     "action":  "AdminUpdate",
2025-01-30T09:01:48.3298940Z 
2025-01-30T09:01:48.3306711Z     "roleDefinitionId":  "3a2c62db-5318-420d-8d74-23affee5d9d5",
2025-01-30T09:01:48.3311847Z 
2025-01-30T09:01:48.3319565Z     "scheduleInfo":  {
2025-01-30T09:01:48.3324611Z 
2025-01-30T09:01:48.3333282Z                          "startDateTime":  "2024-10-15T10:13:39Z",
2025-01-30T09:01:48.3338358Z 
2025-01-30T09:01:48.3346086Z                          "expiration":  {
2025-01-30T09:01:48.3351628Z 
2025-01-30T09:01:48.3372901Z                                             "type":  "noExpiration"
2025-01-30T09:01:48.3379076Z 
2025-01-30T09:01:48.3392650Z                                         }
2025-01-30T09:01:48.3397670Z 
2025-01-30T09:01:48.3406890Z                      },
2025-01-30T09:01:48.3411324Z 
2025-01-30T09:01:48.3420606Z     "justification":  "AdminUpdate by Microsoft365DSC",
2025-01-30T09:01:48.3425236Z 
2025-01-30T09:01:48.3437556Z     "principalId":  "44fdf048-49e7-45a8-a899-dfcbe3e85bba",
2025-01-30T09:01:48.3443254Z 
2025-01-30T09:01:48.3454263Z     "directoryScopeId":  "/"
2025-01-30T09:01:48.3459260Z 
2025-01-30T09:01:48.3469141Z }
2025-01-30T09:01:51.0653382Z VERBOSE: [fv-az899-360]: LCM:  [ End    Set      ]  
2025-01-30T09:01:51.0667682Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:51.0673261Z Administrator-/::[AzureAD]AzureAD_Configuration]  in 6.3290 seconds.
2025-01-30T09:01:51.0685936Z VERBOSE: [fv-az899-360]: LCM:  [ End    Resource ]  
2025-01-30T09:01:51.0690702Z [[AADRoleEligibilityScheduleRequest]AADRoleEligibilityScheduleRequest-gpaz-azuread-roles-GENDPOINTSVC_PaC-Intune 
2025-01-30T09:01:51.0710816Z Administrator-/::[AzureAD]AzureAD_Configuration]

Environment Information + PowerShell Version
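As an added example (this is not M365DSC's own Test-TargetResource logic, and the issue does not state where the comparison goes wrong): a PowerShell drift check that flattens the desired and current hashtables, drops null-valued leaves, compares key paths case-insensitively, and then reports exactly which keys differ. Having the differing key named is what lets an operator tell a real change from a spurious Test=False before a Set removes and re-creates an eligibility that PIM activations depend on. The function names, the IgnoreKeys list and the two sample hashtables are assumptions of this example; the sample values are constructed from the verbose log above.

```powershell
# Added example, not M365DSC code: report which desired keys differ from the
# current state instead of returning a bare $true/$false.
function Get-FlatKeys {
    # Flatten a nested hashtable into "a.b.c" = value pairs, dropping $null leaves
    # so that server-side nulls (e.g. an all-null Recurrence block) never count as drift.
    param([hashtable]$Table, [string]$Prefix = '')
    $flat = @{}
    foreach ($key in $Table.Keys) {
        $path  = if ($Prefix) { "$Prefix.$key" } else { "$key" }
        $value = $Table[$key]
        if ($value -is [hashtable]) {
            $nested = Get-FlatKeys -Table $value -Prefix $path
            foreach ($k in $nested.Keys) { $flat[$k] = $nested[$k] }
        }
        elseif ($null -ne $value) {
            $flat[$path] = $value
        }
    }
    return $flat
}

function Compare-EligibilityState {
    param(
        [Parameter(Mandatory)][hashtable]$Desired,
        [Parameter(Mandatory)][hashtable]$Current,
        # Top-level keys that are server-assigned or request metadata rather than
        # operator intent; excluded from the comparison (assumption for this example).
        [string[]]$IgnoreKeys = @('Id', 'IsValidationOnly', 'Action', 'Justification')
    )
    $d = Get-FlatKeys -Table $Desired
    $c = Get-FlatKeys -Table $Current
    $drift = @()
    foreach ($path in ($d.Keys | Sort-Object)) {
        if ($IgnoreKeys -contains $path.Split('.')[0]) { continue }
        # Match key paths case-insensitively: the config says startDateTime while
        # the retrieved object says StartDateTime.
        $match = $c.Keys | Where-Object { $_ -ieq $path } | Select-Object -First 1
        if (-not $match) {
            $drift += [pscustomobject]@{ Key = $path; Desired = $d[$path]; Current = '<absent>' }
        }
        elseif ("$($c[$match])" -ne "$($d[$path])") {
            $drift += [pscustomobject]@{ Key = $path; Desired = $d[$path]; Current = $c[$match] }
        }
    }
    return $drift
}

# Sample input constructed from the desired configuration and the "Current Values"
# block of the verbose log above (hypothetical, for illustration only).
$desired = @{
    Principal        = 'gpaz-azuread-roles-GENDPOINTSVC_PaC'
    DirectoryScopeId = '/'
    Ensure           = 'Present'
    PrincipalType    = 'Group'
    RoleDefinition   = 'Intune Administrator'
    ScheduleInfo     = @{
        expiration    = @{ type = 'noExpiration' }
        startDateTime = '2024-10-15T10:14:56Z'
    }
}
$current = @{
    Principal        = 'gpaz-azuread-roles-GENDPOINTSVC_PaC'
    DirectoryScopeId = '/'
    Ensure           = 'Present'
    Id               = '85ab3a0f-1a25-412a-b084-8669f58c3dc7'
    Action           = $null
    IsValidationOnly = $null
    PrincipalType    = 'Group'
    RoleDefinition   = 'Intune Administrator'
    ScheduleInfo     = @{
        expiration    = @{ duration = $null; type = 'noExpiration' }
        Recurrence    = @{ pattern = @{ type = $null; interval = $null }; range = @{ type = $null } }
        StartDateTime = '2025-01-28T11:58:45Z'
    }
}

Compare-EligibilityState -Desired $desired -Current $current | Format-Table -AutoSize
```

With this sample input, every key matches once null leaves and key casing are normalised, except ScheduleInfo.startDateTime, whose retrieved value is the moment the eligibility was last (re)created rather than the date in the configuration. Whether that key should count as drift for an eligibility that already exists is a design decision the issue leaves open; a check that names the key at least makes that decision visible in the pipeline log instead of surfacing as a silent remove/re-add.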
