IntuneAppProtectionPolicyAndroid Assignments are broken #5808

Open
dannyKBjj opened this issue Feb 20, 2025 · 6 comments

Comments

@dannyKBjj
Contributor

Description of the issue

IntuneAppProtectionPolicyAndroid is unable to enforce 'inclusion' and 'exclusion' groups. In some circumstances it will cause an error.

To replicate the issue:

  1. Create an Android App Protection Policy
  2. Assign an include group
  3. Export the configuration and compile
  4. Delete the assignment
  5. Run Start-DscConfiguration against your .mof

Expected: assignment is recreated
Actual: assignment is not recreated, no error occurs. Test-DscConfiguration still shows 'true'

Code will completely fail if you do this:

  1. Create an Android App Protection Policy
  2. Assign 2 include groups
  3. Assign 1 exclude group
  4. Export the configuration and compile
  5. Delete the exclude assignment and one of the include assignments
  6. Run Start-DscConfiguration against your .mof

Expected: assignments are recreated
Actual: error message copied below (verbose logs section).

Note: looking at the code, this module seems to handle assignments in a different way to every other module I've seen, except 'IntuneAppProtectionPolicyiOS' (which I'll be raising another issue for).

Microsoft 365 DSC Version

1.25.212.2

Which workloads are affected

Intune

The DSC configuration

# Generated with Microsoft365DSC version 1.25.212.2
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
)

Configuration M365TenantConfig
{
    param (
    )

    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.25.212.2'

    Node localhost
    {
        IntuneAppProtectionPolicyAndroid "IntuneAppProtectionPolicyAndroid-Test-Android-Protection"
        {
            AllowedDataStorageLocations                     = @("oneDriveForBusiness","sharePoint");
            AllowedInboundDataTransferSources               = "managedApps";
            AllowedOutboundClipboardSharingLevel            = "managedAppsWithPasteIn";
            AllowedOutboundDataTransferDestinations         = "managedApps";
            AppGroupType                                    = "selectedPublicApps";
            ApplicationId                                   = $ConfigurationData.NonNodeData.ApplicationId;
            Apps                                            = @("com.microsoft.office.excel");
            Assignments                                     = @("All Users","TestGroup");
            CertificateThumbprint                           = $ConfigurationData.NonNodeData.CertificateThumbprint;
            ContactSyncBlocked                              = $True;
            CustomBrowserDisplayName                        = "fakestring";
            CustomBrowserPackageId                          = "com.fake";
            DataBackupBlocked                               = $True;
            Description                                     = "";
            DeviceComplianceRequired                        = $True;
            DisableAppEncryptionIfDeviceEncryptionIsEnabled = $False;
            DisableAppPinIfDevicePinIsSet                   = $False;
            DisplayName                                     = "Test-Android-Protection";
            EncryptAppData                                  = $False;
            Ensure                                          = "Present";
            ExcludedGroups                                  = @("TestExcluded");
            FingerprintBlocked                              = $False;
            Id                                              = "T_339947bd-c045-4a21-8d02-1e802530b166";
            ManagedBrowser                                  = "notConfigured";
            ManagedBrowserToOpenLinksRequired               = $True;
            MaximumPinRetries                               = 10;
            MinimumPinLength                                = 8;
            MinimumRequiredOSVersion                        = "12.0";
            MinimumRequiredPatchVersion                     = "0000-00-00";
            MinimumWarningPatchVersion                      = "0000-00-00";
            OrganizationalCredentialsRequired               = $False;
            PeriodBeforePinReset                            = "365.00:00:00";
            PeriodOfflineBeforeAccessCheck                  = "3.00:00:00";
            PeriodOfflineBeforeWipeIsEnforced               = "30.00:00:00";
            PeriodOnlineBeforeAccessCheck                   = "00:05:00";
            PinCharacterSet                                 = "numeric";
            PinRequired                                     = $True;
            PrintBlocked                                    = $True;
            RequireClass3Biometrics                         = $False;
            RequirePinAfterBiometricChange                  = $False;
            SaveAsBlocked                                   = $True;
            ScreenCaptureBlocked                            = $True;
            SimplePinBlocked                                = $True;
            TenantId                                        = $OrganizationName;
        }
    }
}

M365TenantConfig -ConfigurationData .\ConfigurationData.psd1

Verbose logs showing the problem

[BadRequest] : {
  "_version": 3,
  "Message": "Invalid group id - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: e67e3b27-c95e-426e-991b-fa8f526b99f0 - Url: https://fef.msub06.manage.microsoft.com/MAMAdmin_2501/MAMAdminFEService/deviceAppManagement/targetedManagedAppConfigurations('T_339947bd-c045-4a21-8d02-1e802530b166')/microsoft.management.services.api.assign?api-version=5024-02-26",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
    + CategoryInfo          : InvalidOperation: ({ TargetedManag...ionJsonSchema }:) [], CimException
    + FullyQualifiedErrorId : BadRequest,Microsoft.Graph.Beta.PowerShell.Cmdlets.SetMgBetaDeviceAppManagementTargetedManagedAppConfiguration_AssignExpanded
    + PSComputerName        : localhost
 
The PowerShell DSC resource '[IntuneAppProtectionPolicyAndroid]IntuneAppProtectionPolicyAndroid-Test-Android-Protection' with SourceInfo 'C:\dsc-AssignmentsBug-ANDROID\M365TenantConfig.ps1::17::9::IntuneAppProtectionPolicyAndroid' threw one or more non-terminating 
errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
 
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

Environment Information + PowerShell Version

@ricmestre
Contributor

@dannyKBjj I already reported this issue here #5675

@dannyKBjj
Contributor Author

Oh interesting, so this is due to code changes? I was thinking of simply updating it to handle assignments the way every other module does, as it seemed mad this module handles it differently? I have seen the same problem in IntuneAppProtectionPolicyiOS as well.

@ricmestre
Contributor

No one moved forward to do that yet, but also because such change would be considered a breaking change so it's always a few months away from being accepted, next opening window to get that in is next April.

@dannyKBjj
Contributor Author

dannyKBjj commented Feb 20, 2025

Hi, why is it a breaking change? Because we're thinking we need to edit Get-IntuneAppProtectionPolicyiOSAssignment?

At first look editing the module to use Get-MgDeviceAppManagementiOSManagedAppProtectionAssignment will likely fix it? I thought breaking changes didn't include update/editing the existing modules? But I guess there's a reason this wasn't done in the first place?

Either way, I'm currently doing this, but if I'm wasting my time I'll stop :-D

@ricmestre
Contributor

The Assignments and ExcludedGroups properties right now for those resources are String[]; for all other Intune resources they are CIMInstance[], which means that someone with a blueprint from today with IntuneAppProtectionPolicy{Android,iOS} won't have it working if you change the type. That's considered a breaking change and can only get in twice a year. Check out this https://microsoft365dsc.com/concepts/breaking-changes/
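
The following is an added PowerShell example, not code from Microsoft365DSC or from either commenter. It models the two points raised in this thread: the drift check that should have turned Test-DscConfiguration false after the include/exclude assignments were deleted (issue description), and the conversion from this resource's String[] Assignments/ExcludedGroups into the dataType/groupId target pair that the other Intune resources carry as CimInstance[] (the comment just above). The group ids, the name-to-id lookup and the "current" assignment list are constructed; treating the literal 'All Users' as the all-licensed-users target is an assumption, and no Graph call is made.

```powershell
# Added example (not Microsoft365DSC's own code). Models the desired-vs-current
# assignment comparison for an app protection policy whose blueprint lists
# Assignments/ExcludedGroups as String[] of group display names.

# Constructed lookup of display name -> group object id. In a real run this
# would be resolved against Entra ID; the ids below are placeholders.
$GroupIdByName = @{
    'TestGroup'    = '11111111-1111-1111-1111-111111111111'
    'TestExcluded' = '22222222-2222-2222-2222-222222222222'
}

function ConvertTo-DesiredTarget {
    # Turns the String[] form used by this resource into the dataType/groupId
    # target shape that the other Intune resources carry as CimInstance[].
    param(
        [string[]]  $Assignments    = @(),
        [string[]]  $ExcludedGroups = @(),
        [hashtable] $GroupIdByName
    )
    $targets = @()
    foreach ($name in $Assignments) {
        if ($name -eq 'All Users') {
            # Assumption: the literal 'All Users' means the all-licensed-users target.
            $targets += [pscustomobject]@{ dataType = '#microsoft.graph.allLicensedUsersAssignmentTarget'; groupId = $null }
        } else {
            if (-not $GroupIdByName.ContainsKey($name)) { throw "Unknown group '$name'" }
            $targets += [pscustomobject]@{ dataType = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupIdByName[$name] }
        }
    }
    foreach ($name in $ExcludedGroups) {
        if (-not $GroupIdByName.ContainsKey($name)) { throw "Unknown group '$name'" }
        $targets += [pscustomobject]@{ dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $GroupIdByName[$name] }
    }
    return $targets
}

function Compare-AssignmentState {
    # Reports targets missing from the tenant and extra targets present, so a
    # Test-TargetResource built on it answers $false when an assignment was deleted.
    param(
        [object[]] $Desired,
        [object[]] $Current
    )
    $key = { param($t) "$($t.dataType)|$($t.groupId)" }
    $desiredKeys = @($Desired | ForEach-Object { & $key $_ })
    $currentKeys = @($Current | ForEach-Object { & $key $_ })
    $missing = @($desiredKeys | Where-Object { $_ -notin $currentKeys })
    $extra   = @($currentKeys | Where-Object { $_ -notin $desiredKeys })
    [pscustomobject]@{
        Missing        = $missing
        Extra          = $extra
        InDesiredState = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Desired state taken from the blueprint in the issue description.
$desired = ConvertTo-DesiredTarget -Assignments @('All Users', 'TestGroup') `
                                   -ExcludedGroups @('TestExcluded') `
                                   -GroupIdByName $GroupIdByName

# Constructed "current" state after the second repro: the exclude assignment and
# one include assignment were deleted, so only the All Users include survives.
$current = @(
    [pscustomobject]@{ dataType = '#microsoft.graph.allLicensedUsersAssignmentTarget'; groupId = $null }
)

Compare-AssignmentState -Desired $desired -Current $current
```

Run as written, Missing contains the TestGroup include target and the TestExcluded exclusion target, Extra is empty, and InDesiredState is False, which is the answer the reporter expected Test-DscConfiguration to give. Keying on dataType plus groupId rather than on display name alone is what lets the check tell an include from an exclude of the same group.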

@dannyKBjj
Contributor Author

Ah, OK, I get it, thanks!
