Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EXOAddressList will not be created when EXOManagementRoleAssignment its provided #2523

Closed
atdheekurteshi opened this issue Nov 10, 2022 · 11 comments · Fixed by #2694, #2705, #2958 or #2986
Closed

EXOAddressList will not be created when EXOManagementRoleAssignment its provided #2523

atdheekurteshi opened this issue Nov 10, 2022 · 11 comments · Fixed by #2694, #2705, #2958 or #2986
Assignees
@malauter
Labels
Exchange Online Pending Information V1.22.1109.1 Version 1.22.1109.1

Comments

@atdheekurteshi
Copy link

atdheekurteshi commented Nov 10, 2022
edited
Loading

Details of the scenario you tried and the problem that is occurring

EXOAddressList / EXOManagementRoleAssignment are not working as supposed in our case the EXOAdressList throw an error please have a look below.

When I run the following commands in the Power-Shell everything seems to be working fine for EXOManagementRoleAssignment but for EXOAddressList it throw an error.:

Publish-DscConfiguration -Path C:\...\MOFs\MainConfig -Force
Start-DscConfiguration -UseExisting -Force -Verbose -Wait

PS C:\Users\src\MOFs> Publish-DscConfiguration -Path C:\Users\src\MOFs\MainConfig -Force
PS C:\Users\src\MOFs> Start-DscConfiguration -UseExisting -Force -Verbose -Wait
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.                                                                                                                                           
VERBOSE: Vom Computer '' mit Benutzer-SID 'S-1-5-21-3768120332-928546867-543785711-4813' ist ein LCM-Methodenaufruf eingegangen.                                                                                                                                                                                                                               
VERBOSE: []:                            [] Das Konsistenzmodul wird gestartet.                                                                                                                                                                                                                                                                                 
VERBOSE: []: LCM:  [ StartenRessource]  [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff]                                                                                                                                                                                                                                      
VERBOSE: []: LCM:  [ StartenTesten   ]  [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff]                                                                                                                                                                                                                                      
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Testing Management Role Assignment for Organization Management Role Adjustment                                                                                                                                                       
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Getting Management Role Assignment for Organization Management Role Adjustment                                                                                                                                                       
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Ex6FF57D|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|Der Vorgang konnte nicht ausgeführt werden, weil das Objekt 'Organization Management Role Adjustment' nicht auf                                    
'.COM' gefunden wurde. Überprüfen Sie den Namen der Verwaltungsrollenzuweisung, und versuchen Sie es erneut. Sie können den Namen der Verwaltungsrollenzuweisung mit dem Cmdlet "Get-ManagementRoleAssignment" abrufen.
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Current Values: ApplicationId=***; CertificateThumbprint=; Ensure=Absent; Name=Organization Management Role Adjustment; Role=Address Lists; SecurityGroup=Organization Management;
TenantId=***; Verbose=True
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Target Values: ApplicationId=***; CertificateThumbprint=; Ensure=Present; Name=Organization Management Role Adjustment; Role=Address Lists; SecurityGroup=Organization Management;
TenantId=***; Verbose=True
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Test-TargetResource returned False
VERBOSE: []: LCM:  [ BeendenTesten   ]  [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff]  in 34.1330 Sekunden.
VERBOSE: []: LCM:  [ StartenFestlegen]  [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff]
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Setting Management Role Assignment for Organization Management Role Adjustment
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Getting Management Role Assignment for Organization Management Role Adjustment
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Ex6FF57D|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|Der Vorgang konnte nicht ausgeführt werden, weil das Objekt 'Organization Management Role Adjustment' nicht auf
'.COM' gefunden wurde. Überprüfen Sie den Namen der Verwaltungsrollenzuweisung, und versuchen Sie es erneut. Sie können den Namen der Verwaltungsrollenzuweisung mit dem Cmdlet "Get-ManagementRoleAssignment" abrufen.
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Management Role Assignment'Organization Management Role Adjustment' does not exist but it should. Create and configure it.
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] Returning precomputed version info: 3.0.0
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] POST https://outlook.office365.com/adminapi/beta/53023a1c-2c85-4bfc-92e4-c5d9ed23fdfc/InvokeCommand with -1-byte payload
VERBOSE: []:                            [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff] received 1167-byte response of content type application/json;charset=utf-8
VERBOSE: []: LCM:  [ BeendenFestlegen]  [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff]  in 0.9790 Sekunden.
VERBOSE: []: LCM:  [ BeendenRessource]  [[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff]
VERBOSE: []: LCM:  [ StartenRessource]  [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3]
VERBOSE: []: LCM:  [ StartenTesten   ]  [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3]
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] Testing Address List configuration for All Equipments
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] Getting configuration of AddressList for All Equipments
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] Current Values: ApplicationId=***; CertificateThumbprint=; Ensure=Absent; Name=All Equipments; RecipientFilter=(Alias -ne $null) -and (RecipientTypeDetails -eq 'EquipmentMailbox'); TenantId=***;
Verbose=True
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] Target Values: ApplicationId=***; CertificateThumbprint=; Ensure=Present; Name=All Equipments; RecipientFilter=(Alias -ne $null) -and (RecipientTypeDetails -eq 'EquipmentMailbox'); TenantId=***;
Verbose=True
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] Test-TargetResource returned False
VERBOSE: []: LCM:  [ BeendenTesten   ]  [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3]  in 0.7860 Sekunden.
VERBOSE: []: LCM:  [ StartenFestlegen]  [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3]
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] Setting Address List configuration for All Equipments
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] Getting configuration of AddressList for All Equipments
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] You can't use RecipientFilter and precanned filters at the same time. All precanned filters will be ignored.
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] You can't use RecipientFilter and precanned filters at the same time. All precanned filters will be ignored.
VERBOSE: []:                            [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] The Address List 'All Equipments' does not exist but it should. Creating Address List.
Die Benennung "New-AddressList" wurde nicht als Name eines Cmdlet, einer Funktion, einer Skriptdatei oder eines ausführbaren Programms erkannt. Überprüfen Sie die Schreibweise des Namens, oder ob der Pfad korrekt ist (sofern enthalten), und wiederholen Sie den Vorgang.
    + CategoryInfo          : ObjectNotFound: (New-AddressList:) [], CimException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName        : localhost

VERBOSE: []: LCM:  [ BeendenFestlegen]  [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3]  in 2.7950 Sekunden.
Die PowerShell DSC-Ressource "[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3" mit SourceInfo "::332::3::EXOAddressList" hat beim Ausführen der Funktion "Set-TargetResource" mindestens einen Fehler ohne Abbruch ausgegeben. Diese Fehler werden im ETW-Kanal namens "Microsoft-Windows-DSC/Operational" protokolliert. Weitere Informationen finden
Sie in diesem Kanal.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: []:                            [] Die Konsistenzprüfung ist abgeschlossen.
Mindestens eine der partiellen Konfigurationen konnte nicht angewendet werden. Es konnte keine Konfiguration erstellt werden.  Der lokale Konfigurations-Manager (LCM) konnte Desired State Configuration nicht manuell starten.
    + CategoryInfo          : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 40.177 seconds

The DSC configuration that is used to reproduce the issue (as detailed as possible)

MOF file extract:

/*
@TargetNode='localhost'
@GeneratedBy=
@GenerationDate=
@GenerationHost=
*/

instance of MSFT_EXOManagementRoleAssignment as $MSFT_EXOManagementRoleAssignment1ref
{
 ResourceID = "[EXOManagementRoleAssignment]Container-230-73e02091-7473-474b-8f2b-392a33dce6ff";
 Ensure = "Present";
 CertificateThumbprint = "";
 Role = "Address Lists";
 ApplicationId = "";
 SourceInfo = "::322::3::EXOManagementRoleAssignment";
 Name = "Organization Management Role Adjustment";
 TenantId = "";
 ModuleName = "Microsoft365DSC";
 SecurityGroup = "Organization Management";
 ModuleVersion = "1.22.1109.1";

 ConfigurationName = "MainConfig";

};
instance of MSFT_EXOAddressList as $MSFT_EXOAddressList1ref
{
 ResourceID = "[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3";
 TenantId = "";
 CertificateThumbprint = "";
 Ensure = "Present";
 ApplicationId = "";
 SourceInfo = "::332::3::EXOAddressList";
 Name = "All Equipments";
 RecipientFilter = "(Alias -ne $null) -and (RecipientTypeDetails -eq 'EquipmentMailbox')";
 ModuleName = "Microsoft365DSC";
 ModuleVersion = "1.22.1109.1";

 ConfigurationName = "MainConfig";

};
instance of OMI_ConfigurationDocument


                    {
 Version="2.0.0";
 

                        MinimumCompatibleVersion = "1.0.0";
 

                        CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
 

                        Author="xgxtan4";
 

                        GenerationDate=
 

                        GenerationHost=


                        ContentType="PasswordEncrypted";
 

                        Name="MainConfig";


                    };


#### The operating system the target node is running
<!--
    Please provide as much as possible about the target node, for example
    edition, version, build and language.
    On OS with WMF 5.1 the following command can help get this information.

OsName               : Microsoft Windows 10 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : en-US
OsMuiLanguages       : {en-US, de-DE}

-->

#### Version of the DSC module that was used ('dev' if using current dev branch)
1.22.1109.1
@malauter
Copy link
Member

Do you get an error message, or can you describe the error in more detail please?

@andikrueger andikrueger added the V1.22.1109.1 Version 1.22.1109.1 label Nov 10, 2022
@atdheekurteshi
Copy link
Author

atdheekurteshi commented Nov 10, 2022
edited
Loading

@malauter Yes here it is the error that I get after Start-DscConfiguration:

VERBOSE: []: [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] The Address List 'All Equipments' does not exist but it should. Creating Address List.
The term "New-AddressList" was not recognized as a cmdlet, function, script file, or executable program name. Check the spelling of the name, or the path (if included) is correct and try again.
    + CategoryInfo : ObjectNotFound: (New-AddressList:) [], CimException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName : localhost

VERBOSE: []: LCM: [ QuitSet] [[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3] in 2.7950 seconds.
The PowerShell DSC resource "[EXOAddressList]Container-231-55113867-ee8d-4256-af39-163df34354d3" with SourceInfo "::332::3::EXOAddressList" has at least one error when executing the function "Set-TargetResource" without cancellation issued. These errors are logged in the ETW channel named "Microsoft-Windows-DSC/Operational". Find more information
you in this channel.
    + CategoryInfo : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName : localhost

VERBOSE: []: [] The consistency check is complete.
At least one of the partial configurations could not be applied. A configuration could not be created. The Local Configuration Manager (LCM) could not start Desired State Configuration manually.
    + CategoryInfo : ObjectNotFound: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 6
    + PSComputerName : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 40.177 seconds

@malauter malauter self-assigned this Nov 10, 2022
@malauter
Copy link
Member

It seems like the New-AddressList cmdlet is not available in the PowerShell session. Was the Address List role already assigned to your account you are using for DSC?
Adding the role and creating a new address list in one step might cause problems because the new role is not yet effective.

@atdheekurteshi
Copy link
Author

atdheekurteshi commented Nov 10, 2022
edited
Loading

@malauter Thats true I have also tested this testcase.

First I have created AddressList Role through EXOManagementRoleAssignment and than on a separate PowerShell session I have created AddressList and its working.

On the same PowerShell session simultaneously with EXOManagementRoleAssignment it's not working we need this testcase.

@NikCharlebois NikCharlebois reopened this Nov 18, 2022
NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Nov 18, 2022
@NikCharlebois
Merge remote-tracking branch 'upstream/dev' into Fix-microsoft#2523
467c9b1
@NikCharlebois
Copy link
Collaborator

Folks, I have tried multiple ways to replicate this issue but can't. Can you confirm what the repro steps are and that you are still getting this with v1.22.1116.1? Thanks

@atdheekurteshi
Copy link
Author

I will try with new version and will let you know.

@remyloy
Copy link

remyloy commented Dec 14, 2022

Hi @NikCharlebois,
I got this issue internally reassigned from Atdhe and I've retested it with the version 1.22.1207.1.
My MOF file is essentially the same as the one that Atdhe outlined initially, but for completeness here is the script that I've used to create it:

Configuration MainConfig
{
    param
    (
    )
    Import-DscResource -ModuleName "Microsoft365DSC"
    Node localhost
    {
		EXOManagementRoleAssignment Container-180-ef28d3f7-94db-4a5c-8cec-87626cc9e939
		{
			SecurityGroup = "Organization Management";
			Name = "Organization Management Role Adjustment";
			Ensure = "Present";
			Role = "Address Lists";
			ApplicationID = "[APP-ID]";
			TenantID = "[TENANT-ID]";
			CertificateThumbprint = "[CERT-THUMBPRINT]";
		}
		EXOAddressList Container-182-7f0f4d22-0f79-4964-a174-b82c30769cc9
		{
			RecipientFilter = "((RecipientType -eq 'UserMailbox') -and (RecipientTypeDetails -eq 'EquipmentMailbox'))";
			Name = "All Equipments";
			Ensure = "Present";
			ApplicationID = "[APP-ID]";
			TenantID = "[TENANT-ID]";
			CertificateThumbprint = "[CERT-THUMBPRINT]";
		}
      }
}

It fails in the scenario that @malauter has described, i.e. I've removed the AddressList permission from Organization Management and removed the address list. And then I'm trying to create both in one go.
And it fails with the error that the cmdlet or function New-AddressList could not be found.

Since @malauter said

Adding the role and creating a new address list in one step might cause problems because the new role is not yet effective.

how much hope is there that this can be fixed?

@NikCharlebois NikCharlebois reopened this Dec 15, 2022
@NikCharlebois
Copy link
Collaborator

@remyloy let's connect offline if you don't mind. I need additional details on this one as I am not able to replicate in any of my environments.

@NikCharlebois
Copy link
Collaborator

We have introduced a new Disconnect function in the EXO workload inside of MSCloudLoginAssistant. The EXOManagementRoleAssignment resource will now wait for the changes to be effective inside of the Set-targetResource function and once the new permissions are effective, it will disconnect from Exchange Online, forcing the next resources to be loaded to refresh the connection and load the appropriate cmdlets based on the newly applied permissions.

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Dec 20, 2022
@NikCharlebois
Fixes microsoft#2523
1bd1f0b
@NikCharlebois NikCharlebois mentioned this issue Dec 20, 2022
Merged
NikCharlebois added a commit that referenced this issue Dec 21, 2022
@NikCharlebois
Merge pull request #2694 from NikCharlebois/Fix#2523
f4e9ce0 
Fixes #2523
@NikCharlebois NikCharlebois mentioned this issue Dec 21, 2022
Merged
@remyloy
Copy link

remyloy commented Feb 22, 2023

Hi @NikCharlebois,
I've finally managed to integrate the release 1.23.125.1 and re-test the fix you've made in EXOManagementRoleAssignment.
Sadly it is still not working for us. I've cloned the repo and played around a little bit and to me it seems the call to Test-TargetResource inside Set-TargetResource returns "too fast" successfully.

I've also tried it on a different tenant (a fresh M365 E5 developer tenant), but got the same result.

What I observed in my tests is that during all my tests the 10s sleep never happened and therefore the EXO re-connect from EXOAddressList happens too early. I've modified the loop locally to at least sleep once and that fixed the issue, but I know that this is less than ideal.

I've also looked for alternatives to replace Test-TargetResource with, but the only working method I found was to actually check for the missing cmdlet, i.e. $testResults = Get-Command 'New-AddressList' -ErrorAction SilentlyContinue -ne $null.
Of course this is no general solution, too.

By the way this is the snippet I used to play around and debug into it.

$Creds = @{
    TenantID              = ''
    ApplicationId         = ''
    CertificateThumbprint = ''
}

MSFT_EXOAddressList\Set-TargetResource -Name 'All Equipments' -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (RecipientTypeDetails -eq 'EquipmentMailbox'))" @Creds -Ensure Absent
MSFT_EXOManagementRoleAssignment\Set-TargetResource -Name 'Organization Management Role Adjustment' -Role 'Address Lists' -SecurityGroup 'Organization Management' @Creds -Ensure Absent

Start-Sleep -Seconds 5

MSFT_EXOManagementRoleAssignment\Set-TargetResource -Name 'Organization Management Role Adjustment' -Role 'Address Lists' -SecurityGroup 'Organization Management' @Creds
MSFT_EXOAddressList\Set-TargetResource -Name 'All Equipments' -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (RecipientTypeDetails -eq 'EquipmentMailbox'))" @Creds

If it helps, I'm open to another offline session

@NikCharlebois
Copy link
Collaborator

We are not able to replicate this on our end. The Set-TargetResource never enters the Start-Sleep loop and everything gets configured accordingly on every run.
image

@NikCharlebois NikCharlebois reopened this Mar 1, 2023
NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Mar 2, 2023
@NikCharlebois
Merge remote-tracking branch 'upstream/dev' into Fix-microsoft#2523
77fcfac
NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Mar 2, 2023
@NikCharlebois
Fixes microsoft#2523
6c18051
@NikCharlebois NikCharlebois mentioned this issue Mar 2, 2023
Merged
NikCharlebois added a commit that referenced this issue Mar 2, 2023
@NikCharlebois
Merge pull request #2958 from NikCharlebois/Fix-#2523
749a557 
Fix #2523
@ykuijs ykuijs mentioned this issue Mar 9, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@malauter malauter

Labels
Exchange Online Pending Information V1.22.1109.1 Version 1.22.1109.1
Projects
None yet
Milestone
No milestone
5 participants
@atdheekurteshi @NikCharlebois @andikrueger @remyloy @malauter