Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Core: 'Microsoft Graph PowerShell' asked for scope 'Tasks.ReadWrite.All' that doesn't exist on the resource #2629

Closed
Maar10tech opened this issue Dec 8, 2022 · 4 comments · Fixed by #2634 or #2667
Closed

Core: 'Microsoft Graph PowerShell' asked for scope 'Tasks.ReadWrite.All' that doesn't exist on the resource #2629

Maar10tech opened this issue Dec 8, 2022 · 4 comments · Fixed by #2634 or #2667
Labels
Authentication Bug Something isn't working Pending Information

Comments

@Maar10tech
Copy link

Details of the scenario you tried and the problem that is occurring

When trying Update-M365DSCAllowedGraphScopes -All -Type Update -Environment 'Global' I got the error

Connect-MgGraph : AADSTS650053: The application 'Microsoft Graph PowerShell' asked for scope 'Tasks.ReadWrite.All' that doesn't exist on the resource
'00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Trace ID: 23c55fe0-3ccf-4a59-ab41-e13665e73200
Correlation ID: 4638e2c3-2663-466b-90c5-655972d00f9e

Verbose logs showing the problem

Verbose is fine. Last statement is Connecting to MS Graph to update permissions

Suggested solution to the issue

image
As the MS Doc shows, the Permission with ".all" ending does not exist.
The Permissions without ".All" refer to exchange and not planner applications

I changed the settings of the planner module as follows (in all files):

{
    "name": "NotSupported",
    "_comment": "Tasks.Read.All - Task.Read is Exchange"
}

And add following to the function Get-M365DSCCompiledPermissionList:

# Update permissions
                        foreach ($updatePermission in $resourceSettings.permissions.graph.$PermissionsType.update)
                        {
                            if ($updatePermission.name -eq "NotSupported"){
								Write-Verbose -Message "Update permission {$($updatePermission.name)} not supported"
								if($null -ne $updatePermission._comment){
									Write-Verbose -Message "Comment: {$($updatePermission._comment)}"
								}
							}
                            elseif (-not $results.UpdatePermissions.Contains($updatePermission.name))
                            {
                                Write-Verbose -Message "Found new Update permission {$($updatePermission.name)}"
                                $results.UpdatePermissions += $updatePermission.name
                            }
                            else
                            {
                                Write-Verbose -Message "Update permission {$($updatePermission.name)} was already added"
                            }
                        }

                        # Read permissions
                        foreach ($readPermission in $resourceSettings.permissions.graph.$PermissionsType.read)
                        {
                            if ($readPermission.name -eq "NotSupported"){
								Write-Verbose -Message "Update permission {$($readPermission.name)} not supported"
								if($null -ne $readPermission._comment){
									Write-Verbose -Message "Comment: {$($readPermission._comment)}"
								}
							}
                            elseif (-not $results.ReadPermissions.Contains($readPermission.name))
                            {
                                Write-Verbose -Message "Found new Read permission {$($readPermission.name)}"
                                $results.ReadPermissions += $readPermission.name
                            }
                            else
                            {
                                Write-Verbose -Message "Read permission {$($readPermission.name)} was already added"
                            }
                        }

The DSC configuration that is used to reproduce the issue (as detailed as possible)

as described above

The operating system the target node is running

Not important

Version of the DSC module that was used ('dev' if using current dev branch)

last release (Install Module)
@SebastianGoers
Copy link

I am seeing the same issue and would love to see this fixed .

@Maar10tech
Copy link
Author

Maar10tech commented Dec 8, 2022
edited
Loading

I am seeing the same issue and would love to see this fixed .

WPS Modules.zip

You can use the suggested solution as a fix / workaround.
Just replace attached files.

@NikCharlebois
Copy link
Collaborator

No sure I fully understand the problem at hand. I agree that there is a bug in that the permissions Tasks.Read.All and Tasks.ReadWrite.All do not exist. However, replacing those by the Tasks.Read and Tasks.ReadWrite permissions in the settings.json file will take care of the issue. Not sure why we need to add support for unsupported types.

@SebastianGoers
Copy link

I agree, fixing the permissions should be enough to close this issue.

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Dec 8, 2022
@NikCharlebois
Fixes microsoft#2629
1ae7e4c
@NikCharlebois NikCharlebois mentioned this issue Dec 8, 2022
Merged
NikCharlebois added a commit that referenced this issue Dec 8, 2022
@NikCharlebois
Merge pull request #2634 from NikCharlebois/Fix-#2629
bd41ced 
Fixes #2629
@NikCharlebois NikCharlebois mentioned this issue Dec 14, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Authentication Bug Something isn't working Pending Information
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes #2629 NikCharlebois/Microsoft365DSC
Release 1.22.1214.1 NikCharlebois/Microsoft365DSC
3 participants
@NikCharlebois @SebastianGoers @Maar10tech