Issue when trying to export all O365 resources #5759

Open
RosalindHook opened this issue Feb 12, 2025 · 5 comments

@RosalindHook

Description of the issue

I am using a certificate thumbprint to authenticate to the service principal. This works for other workloads; however for O365 (all resources) I am consistently getting a message that says 'Failed to Export', e.g.

Failed to
export M365 DSC Configuration for The role assigned to
application xxxxxxxxxx isn't supported in this
scenario. Please check online documentation for assigning correct Directory
Roles to Azure AD Application for EXO App-Only Authentication.

I get this error message for all the O365 resources.

(full error detailed in log below).

Microsoft 365 DSC Version

1.25.205.1

Which workloads are affected

Office 365 Admin

The DSC configuration

With my credentials (thumbprint etc) saved in a separate .json file (and the resources that I want to export also listed in the file that is called CheckPermissions.ps1), I run the following script:

# Load the credentials from the app_credentials.json file
$credentialsFilePath = "app_credentials.json"

# Import list of resources from the CheckPermissions.ps1 file
. .\CheckPermissions.ps1  # Dot-sourcing to load the script

# Check if the credentials file exists and load it
if (Test-Path $credentialsFilePath) {
    # Read the contents of the JSON file and convert it to a PowerShell object
    $credentials = Get-Content -Path $credentialsFilePath | ConvertFrom-Json

    # Retrieve the certificate thumbprint, application ID and tenant ID from the JSON file
    $certThumbprint = $credentials.certificateThumbprint
    $tenantId = $credentials.tenantId
    $applicationId = $credentials.applicationId

    # Define the output path
    $outputPath = "C:\Development\M365-DSC\o-365\output"
    
    # Check if the certificate exists in the local certificate store
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$certThumbprint" -ErrorAction SilentlyContinue
 
    if ($cert) {
        # loop through each resource in $resourceName array from CheckPermissions.ps1
        foreach ($resource in $resourceName) {
            try {
    
                # Construct the filename based on the resource name
                $fileName = "$resource-M365TenantConfig.ps1"          
            
                # Export M365 DSC config for current resource
                Export-M365DSCConfiguration -Components @($resource) `
                    -CertificateThumbprint $certThumbprint `
                    -TenantId $tenantId `
                    -ApplicationId $applicationId `
                    -Path $outputPath `
                    -FileName $fileName `
                    -Verbose        
            } catch {
                Write-Error "Failed to export M365 DSC Configuration for $resource $_"
            }
        }
    } else {
        Write-Error "Certificate not found: $certThumbprint"
    }
} else {
    Write-Error "Credentials file not found: $credentialsFilePath"
}

Verbose logs showing the problem

(after the script to set out permissions runs first...)

VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: O365AdminAuditLogConfig
 
Authentication methods specified:
- Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 
'\\xxxx\home3$\HookRb\WindowsPowerShell\Modules\Microso 
ft365DSC\1.25.205.1\DSCResources\MSFT_O365AdminAuditLogConfig\MSFT_O365AdminAud 
itLogConfig.psm1'.
VERBOSE: Importing function 'Export-TargetResource'.
VERBOSE: Importing function 'Get-TargetResource'.
VERBOSE: Importing function 'Set-TargetResource'.
VERBOSE: Importing function 'Test-TargetResource'.
Connecting to {ExchangeOnline}...❌
Partial Export file was saved at: C:\Users\Hookrb\AppData\Local\Temp\3ead0d7f-1e55-4d91-a907-64817e99504f.partial.ps1
C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1 : Failed to 
export M365 DSC Configuration for O365AdminAuditLogConfig The role assigned to  
application c3d86caf-5628-4dd6-8fbe-7d70e505d3f9 isn't supported in this        
scenario. Please check online documentation for assigning correct Directory     
Roles to Azure AD Application for EXO App-Only Authentication.
At line:1 char:1
+ . 'C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep  
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio  
   n,ExportConfig-o365-with-cert.ps1
 
VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: O365OrgCustomizationSetting
 
Authentication methods specified:
- Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 
'\\GBMLVFILFS04N02.rbsres01.net\home3$\HookRb\WindowsPowerShell\Modules\Microso 
ft365DSC\1.25.205.1\DSCResources\MSFT_O365OrgCustomizationSetting\MSFT_O365OrgC 
ustomizationSetting.psm1'.
VERBOSE: Importing function 'Export-TargetResource'.
VERBOSE: Importing function 'Get-TargetResource'.
VERBOSE: Importing function 'Set-TargetResource'.
VERBOSE: Importing function 'Test-TargetResource'.
Connecting to {ExchangeOnline}...❌
Partial Export file was saved at: C:\Users\Hookrb\AppData\Local\Temp\fe02caea-ad3f-4a4a-9ca2-95c72110f60c.partial.ps1
C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1 : Failed to       
export M365 DSC Configuration for O365OrgCustomizationSetting The role 
assigned to application c3d86caf-5628-4dd6-8fbe-7d70e505d3f9 isn't supported    
in this scenario. Please check online documentation for assigning correct       
Directory Roles to Azure AD Application for EXO App-Only Authentication.        
At line:1 char:1
+ . 'C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep  
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio  
   n,ExportConfig-o365-with-cert.ps1
 
VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: O365OrgSettings
 
Authentication methods specified:
- Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 
'\\GBMLVFILFS04N02.rbsres01.net\home3$\HookRb\WindowsPowerShell\Modules\Microso 
ft365DSC\1.25.205.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1 
'.
VERBOSE: Importing function 'Export-TargetResource'.
VERBOSE: Importing function 'Get-TargetResource'.
VERBOSE: Importing function 'Set-TargetResource'.
VERBOSE: Importing function 'Test-TargetResource'.
Connecting to {ExchangeOnline}...❌
Partial Export file was saved at: C:\Users\Hookrb\AppData\Local\Temp\274a8953-93fd-4839-b780-0dd7f61cd298.partial.ps1
C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1 : Failed to 
export M365 DSC Configuration for O365OrgSettings The role assigned to 
application c3d86caf-5628-4dd6-8fbe-7d70e505d3f9 isn't supported in this        
scenario. Please check online documentation for assigning correct Directory     
Roles to Azure AD Application for EXO App-Only Authentication.
At line:1 char:1
+ . 'C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep  
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio  
   n,ExportConfig-o365-with-cert.ps1
 
VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: O365SearchAndIntelligenceConfigurations
 
Authentication methods specified:
- Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 
'\\GBMLVFILFS04N02.rbsres01.net\home3$\HookRb\WindowsPowerShell\Modules\Microso 
ft365DSC\1.25.205.1\DSCResources\MSFT_O365SearchAndIntelligenceConfigurations\M 
SFT_O365SearchAndIntelligenceConfigurations.psm1'.
VERBOSE: Importing function 'Export-TargetResource'.
VERBOSE: Importing function 'Get-TargetResource'.
VERBOSE: Importing function 'Set-TargetResource'.
VERBOSE: Importing function 'Test-TargetResource'.
Connecting to {ExchangeOnline}...❌
Partial Export file was saved at: C:\Users\Hookrb\AppData\Local\Temp\00ee0c56-b2f9-4e10-9d30-bece3042e5d8.partial.ps1
C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1 : Failed to 
export M365 DSC Configuration for O365SearchAndIntelligenceConfigurations The   
supported in this scenario. Please check online documentation for assigning     
correct Directory Roles to Azure AD Application for EXO App-Only
Authentication.
At line:1 char:1
+ . 'C:\Development\M365-DSC\o-365\ExportConfig-o365-with-cert.ps1'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep  
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio  
   n,ExportConfig-o365-with-cert.ps1

Environment Information + PowerShell Version

@RosalindHook

Running in Visual Studio Code (environment), PowerShell Version 5.1

@RosalindHook

Also when trying to authenticate and connect to the Service Principal using Secret rather than Certificate thumbprint, I get this:

Connecting to {ExchangeOnline}...❌
Partial Export file was saved at: C:\path\to\file.partial.ps1
C:\Development\M365-DSC\o-365\ExportConfig-o365-with-secret.ps1 : Failed to
export M365 DSC Configuration: No valid authentication type found
At line:1 char:1
+ . 'C:\Development\M365-DSC\o-365\ExportConfig-o365-with-secret.ps1'
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
   n,ExportConfig-o365-with-secret.ps1

@RosalindHook

One more update - I hadn't tried to map O365Group previously and this resource DOES seem to work okay with the script above.

So the issue is confined to the other O365 resources, i.e. "O365AdminAuditLogConfig", "O365OrgCustomizationSetting", "O365OrgSettings", and "O365SearchAndIntelligenceConfigurations" - these all return the errors detailed above when using the Service Principal and authenticating with either certificate thumbprint or secret.

@LaurentCusimano-cellenza

LaurentCusimano-cellenza commented Feb 13, 2025

Looks like many things are failing, including ExchangeOnlineManagement & Entra ID login w/ Service principal & Cert Thumbprint.

Anyway our team is encountering issues as well.

@Franky709

Looks like many things are failing, including ExchangeOnlineManagement & Entra ID login w/ Service principal & Cert Thumbprint.

Anyway our team is encountering issues as well.

+1
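
The error quoted in this thread asks the reader to check the directory roles assigned to the application for EXO app-only authentication. The following is an added example, not part of the thread and not Microsoft365DSC code, that evaluates a service principal's assignments against the two prerequisites for that authentication mode. The function name, the supported-role list and the sample inputs are assumptions and should be checked against Microsoft's current documentation.

```powershell
# Added example. Compares what a service principal holds with the two
# prerequisites for Exchange Online app-only authentication:
#   1. the Exchange.ManageAsApp application permission, and
#   2. at least one directory role that Exchange Online accepts for app-only use.
# ASSUMPTION: the role list mirrors Microsoft's EXO app-only documentation.
# Exchange role groups assigned directly to the service principal are not considered.
$ExoManageAsAppRoleId = 'dc50a0fb-09a3-484d-be87-e023b12c6440'   # Exchange.ManageAsApp
$SupportedDirectoryRoles = @(
    'Compliance Administrator', 'Exchange Administrator', 'Exchange Recipient Administrator',
    'Global Administrator', 'Global Reader', 'Helpdesk Administrator',
    'Security Administrator', 'Security Reader'
)

function Test-ExoAppOnlyPrerequisite {
    param(
        [string[]] $AppRoleId = @(),          # app role ids granted to the service principal
        [string[]] $DirectoryRoleName = @()   # display names of its directory roles
    )
    $usable = @($DirectoryRoleName | Where-Object { $SupportedDirectoryRoles -contains $_ })
    $other  = @($DirectoryRoleName | Where-Object { $SupportedDirectoryRoles -notcontains $_ })
    $hasManageAsApp = $AppRoleId -contains $ExoManageAsAppRoleId
    [pscustomobject]@{
        HasManageAsApp = $hasManageAsApp
        SupportedRoles = $usable
        OtherRoles     = $other
        Ready          = ($hasManageAsApp -and $usable.Count -gt 0)
    }
}

# Live data (requires the Microsoft.Graph module and read access to the directory):
#   $sp         = Get-MgServicePrincipal -Filter "appId eq '$applicationId'"
#   $appRoleIds = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All).AppRoleId
#   $roleNames  = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All |
#       ForEach-Object { (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName }
#   Test-ExoAppOnlyPrerequisite -AppRoleId $appRoleIds -DirectoryRoleName $roleNames

# Constructed sample: no Exchange permission and a directory role outside the list.
Test-ExoAppOnlyPrerequisite -AppRoleId @('00000000-0000-0000-0000-000000000001') `
    -DirectoryRoleName @('Directory Readers')

# Constructed sample: both prerequisites present.
Test-ExoAppOnlyPrerequisite -AppRoleId @($ExoManageAsAppRoleId) -DirectoryRoleName @('Global Reader')
```

Running this before the export loop separates a permissions gap on the application from a fault in the module or the service.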
