O365: Error while exporting O365ExternalConnection and O365OrgSettings
Description of the issue
Failing while I try to export the O365 config.
[2/4] Extracting [O365ExternalConnection] using {CertificateThumbprint}...
|---[1/2] LearningAppConnectorV8 Error Log created at {file://C:/Windows/system32/11436-M365DSC-ErrorLog.log}✅
|---[2/2] AzureDevOps1 Error Log created at {file://C:/Windows/system32/11436-M365DSC-ErrorLog.log}✅
[4/4] Extracting [O365OrgSettings] using {CertificateThumbprint}...Error Log created at {file://C:/Windows/system32/11436-M365DSC-ErrorLog.log}❌
For the external connections, it cannot find the referenced application. Where is this configured?
For the org setting, the following permissions are granted to the app
Microsoft 365 DSC Version
1.24.1002.1
Which workloads are affected
Office 365 Admin
The DSC configuration
$WriteOutput = Export-M365DSCConfiguration `
-Components @("O365AdminAuditLogConfig","O365OrgCustomizationSetting","O365OrgSettings","O365SearchAndIntelligenceConfigurations","O365ExternalConnection") `
-Path ("$LogPath\$Workload") `
-FileName ("$($Workload)_$($Mode)_ConfigurationData.ps1") `
-ConfigurationName ("$($Workload)_$($Mode)_ConfigurationData.psd1") `
-ApplicationId $ApplicationId `
-TenantId $TenantId `
-CertificateThumbprint $CertificateThumbprint
Verbose logs showing the problem
[2024.10.07 01:33:08]
{OperationStopped}
System.Management.Automation.RuntimeException: Could not find referenced application {2c9e12e5-a56c-4ba1-b768-7a141586c6fe} in the tenant.
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\DSCResources\MSFT_O365ExternalConnection\MSFT_O365ExternalConnection.psm1: line 110
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\DSCResources\MSFT_O365ExternalConnection\MSFT_O365ExternalConnection.psm1: line 418
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCUtil.psm1: line 1460
at <ScriptBlock>, D:\Microsoft365DSC.ps1: line 384
TenantId: *.onmicrosoft.com
[2024.10.07 01:33:11]
{OperationStopped}
System.Management.Automation.RuntimeException: Could not find referenced application {56c1da01-2129-48f7-9355-af6d59d42766} in the tenant.
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\DSCResources\MSFT_O365ExternalConnection\MSFT_O365ExternalConnection.psm1: line 110
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\DSCResources\MSFT_O365ExternalConnection\MSFT_O365ExternalConnection.psm1: line 418
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCUtil.psm1: line 1460
at <ScriptBlock>, D:\Microsoft365DSC.ps1: line 384
TenantId: *.onmicrosoft.com
[2024.10.07 01:33:23]
{ProtocolError}
Microsoft.Exchange.Management.RestApiClient.RestClientException: The following authorization requirements are not satisfied: ((TokenTypeAuthorizationRequirement(UserActAs, AppOnly)&ScopeAuthorizationRequirement(OrganizationSettings.Read, OrganizationSettings.ReadWrite, OrganizationSettings.Read, OrganizationSettings.ReadWrite))|WidsAuthorizationRequirement(62e90394-69f5-4237-9190-012177145e10,29232cdf-9323-42fd-ade2-1d097af3e4de,69091246-20e8-4a56-aa4d-066075b2a7a8,eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c)).
at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.HandleErrorResponse(HttpResponseMessage response, String settingsName)
at Microsoft.Exchange.Management.RestApiClient.M365Insights.WeveAdminCmdlet`2.MakeAndSendGetRequest[T](String settingsName, Uri uri)
at Microsoft.Exchange.Management.RestApiClient.Analytics.GetDefaultTenantMyAnalyticsFeatureConfig.InternalProcessRecord()
at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.<ProcessRecord>b__34_0()
at Microsoft.Exchange.Management.RestApiClient.AdminCmdlet`2.ExecuteWithExceptionHandling(Action action, Exception& exception)
"Error retrieving data:"
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 294
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1102
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCUtil.psm1: line 1460
at <ScriptBlock>, D:\Microsoft365DSC.ps1: line 384
TenantId: *.onmicrosoft.com
[2024.10.07 01:33:25]
{InvalidOperation}
System.Management.Automation.RuntimeException: You cannot call a method on a null-valued expression.
at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
at System.Management.Automation.PSScriptCmdlet.RunClause(Action`1 clause, Object dollarUnderbar, Object inputToProcess)
at System.Management.Automation.PSScriptCmdlet.DoEndProcessing()
at System.Management.Automation.CommandProcessorBase.Complete()
"Error during Export:"
at Get-M365DSCExportContentForResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCUtil.psm1: line 3915
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1: line 1107
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1002.1\Modules\M365DSCUtil.psm1: line 1460
at <ScriptBlock>, D:\Microsoft365DSC.ps1: line 384
TenantId: *.onmicrosoft.com
Environment Information + PowerShell Version
Name Value
---- -----
PSVersion 5.1.14393.7330
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.7330
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Hitting this too. Any update?
Good afternoon, are there any updates on this issue?
For the External Connection, it's looking for the AppId of the application registration for the Graph Connector Service for 56c1da01-2129-48f7-9355-af6d59d42766 and Viva Learning for 2c9e12e5-a56c-4ba1-b768-7a141586c6fe. They are both in this list: https://gist.github.com/petergs/069a34fcd115dcbf149b1b66817b6863
You can probably find it as an Enterprise Application in your tenant, but the application registration (which is what DSC is trying to get) will be in the Microsoft tenant, so you can't access it/export it and the DSC cmd fails.
Not sure of the right way to fix it for general use, but I played around with falling back to the enterprise app if the app reg is not found; this works for me and gets past the error.
In: \WindowsPowerShell\Modules\Microsoft365DSC\1.25.122.1\DSCResources\MSFT_O365ExternalConnection\MSFT_O365ExternalConnection.psm1
Replace this
$appInstance = Get-MgApplication -Filter "AppId eq '$app'" -ErrorAction SilentlyContinue
if ($null -ne $appInstance) {
    $AuthorizedAppIdsValue += $appInstance.DisplayName
}
else {
    throw "Could not find referenced application {$app} in the tenant."
}
With this
$appInstance = Get-MgApplication -Filter "AppId eq '$app'" -ErrorAction SilentlyContinue
if ($null -eq $appInstance) {
    # Try to find it as a service principal
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$app'" -ErrorAction SilentlyContinue
    if ($null -ne $sp) {
        $AuthorizedAppIdsValue += $sp.DisplayName
    }
    else {
        throw "Could not find referenced application or service principal {$app} in the tenant."
    }
}
else {
    $AuthorizedAppIdsValue += $appInstance.DisplayName
}
(Sorry for the bad formatting, I tried using the 'code' markup but it lost all formatting when I pasted there.)
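A diagnostic for the situation described in the comment above, as an added example that is not part of the original thread or of Microsoft365DSC: it pulls the AppIds out of the "Could not find referenced application" log lines and reports, for each one, whether the tenant holds an app registration, only a service principal (and which tenant owns the application), or nothing. The function names are hypothetical, and it assumes an existing `Connect-MgGraph` session that can read applications and service principals (for example `Application.Read.All`).

```powershell
# Added example; Get-MissingAppId and Resolve-ReferencedApp are hypothetical names.
# Assumes Connect-MgGraph has already been run with rights to read applications
# and service principals.

# The two RuntimeException lines from the error log quoted in the issue.
$sampleLog = @(
    'System.Management.Automation.RuntimeException: Could not find referenced application {2c9e12e5-a56c-4ba1-b768-7a141586c6fe} in the tenant.'
    'System.Management.Automation.RuntimeException: Could not find referenced application {56c1da01-2129-48f7-9355-af6d59d42766} in the tenant.'
)

function Get-MissingAppId {
    param([Parameter(Mandatory)][string[]]$LogLine)
    # Only accept well-formed GUIDs so nothing else can reach the OData filter.
    $pattern = 'Could not find referenced application \{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}'
    $LogLine |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } |
        Sort-Object -Unique
}

function Resolve-ReferencedApp {
    param(
        [Parameter(Mandatory)][guid]$AppId,                 # [guid] rejects malformed input
        [string]$HomeTenantId = (Get-MgContext).TenantId    # tenant of the current session
    )
    # App registration: exists only in the tenant that owns the application.
    $reg = Get-MgApplication -Filter "appId eq '$AppId'" -ErrorAction SilentlyContinue
    # Service principal (enterprise app): the local instance, also present for
    # applications registered in another tenant.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AppId             = "$AppId"
        Kind              = if ($reg) { 'AppRegistration' } elseif ($sp) { 'ServicePrincipalOnly' } else { 'NotFound' }
        DisplayName       = if ($reg) { $reg.DisplayName } elseif ($sp) { $sp.DisplayName } else { $null }
        OwnerTenantId     = if ($sp) { $sp.AppOwnerOrganizationId } else { $null }
        OwnedByThisTenant = [bool]($sp -and $sp.AppOwnerOrganizationId -eq $HomeTenantId)
    }
}

Get-MissingAppId -LogLine $sampleLog |
    ForEach-Object { Resolve-ReferencedApp -AppId $_ } |
    Format-Table -AutoSize
```

A `ServicePrincipalOnly` row whose `OwnerTenantId` differs from your own tenant is the case the comment describes; a `NotFound` row means the external connection authorizes an AppId with no object in the tenant at all, which is worth reviewing before applying the fallback.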