Debug Certificate Authentication Issues

[meggenberger]

Description of the issue

I'm using MicrosoftDSC to extract the settings and save them for archival purposes. Now I have to change the authentication to Service Principal with Certificate Thumbprint.

When I run the script locally everything works and I can extract the values from AAD workload. When running it in the pipeline I just get the following:

VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADConditionalAccessPolicy, AADAuthorizationPolicy, AADGroup, AADAdministrativeUnit, AADEntitlementManagementAccessPackageCatalog, AADEntitlementManagementAccessPackageCatalogResource, AADGroupLifecyclePolicy, AADGroupsNamingPolicy, AADGroupsSettings, AADNamedLocationPolicy, AADRoleDefinition, AADRoleSetting, AADSecurityDefaults, AADTenantDetails, AADTokenLifetimePolicy

Authentication methods specified:

• Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.719.1\DSCResources\MSFT_AADAdministrativeUnit\MSFT_AADAdministrati
veUnit.psm1'.
Partial Export file was saved at: C:\Users\VSSADM~1\AppData\Local\Temp\7d88381f-5415-4fc2-a121-29b7fca916a2.partial.ps1

Within the pipeline I download the cert and the private key from an Azure Key Vault and save it into the local cert store of the agent where the job is running. This works and I see the cert is installed and we have the private key:

PSPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\F3FB2E541495962FD6070B57811F9B54D8
C471B1
PSParentPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName : F3FB2E541495962FD6070B57811F9B54D8C471B1
PSIsContainer : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 5/23/2024 1:58:13 PM
NotBefore : 5/23/2023 1:38:13 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 3, 14...}
SerialNumber : 1A32DAC5159BAD814D84D14DABA3685F
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : F3FB2E541495962FD6070B57811F9B54D8C471B1
Version : 3
Handle : 2952549909680
Issuer : CN=MicrosoftDSC365
Subject : CN=MicrosoftDSC365
EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
DnsNameList : {MicrosoftDSC365}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :

How can I get more information where it's actually failing? I added -debug and -verbose to the command but the output above is all I get.

Microsoft 365 DSC Version

1.23.712.1

Workload

Azure Active Directory

The DSC configuration

Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy", "AADAuthorizationPolicy", "AADGroup", "AADAdministrativeUnit", "AADEntitlementManagementAccessPackageCatalog", "AADEntitlementManagementAccessPackageCatalogResource", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADNamedLocationPolicy", "AADRoleDefinition", "AADRoleSetting", "AADSecurityDefaults", "AADTenantDetails", "AADTokenLifetimePolicy") -ApplicationId 0477c4d5-1234-48d1-afd9-16a8c30921be -TenantId testli01.onmicrosoft.com -CertificateThumbprint F3FB2E541495962FD6070B57AB1F9B54D8C471B1 -Path D:\a_temp -Filters @("AADGroup": "startsWith(DisplayName,'ABCZ')") -FileName "AAD_Components"

Verbose logs showing the problem

VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADConditionalAccessPolicy, AADAuthorizationPolicy, AADGroup, AADAdministrativeUnit, AADEntitlementManagementAccessPackageCatalog, AADEntitlementManagementAccessPackageCatalogResource, AADGroupLifecyclePolicy, AADGroupsNamingPolicy, AADGroupsSettings, AADNamedLocationPolicy, AADRoleDefinition, AADRoleSetting, AADSecurityDefaults, AADTenantDetails, AADTokenLifetimePolicy

Authentication methods specified:

• Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.719.1\DSCResources\MSFT_AADAdministrativeUnit\MSFT_AADAdministrati
veUnit.psm1'.
Partial Export file was saved at: C:\Users\VSSADM~1\AppData\Local\Temp\7d88381f-5415-4fc2-a121-29b7fca916a2.partial.ps1
##[error]The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Function Export-TargetResource cannot be created because function capacity 4096 has been exceeded for this scope.
##[error]PowerShell exited with code '1'.
Finishing: Export the current config

Environment Information + PowerShell Version

@{OsName=; OsOperatingSystemSKU=; OsArchitecture=; WindowsVersion=1809; WindowsBuildLabEx=17763.1.amd64fre.rs5_release.180914-1434; OsLanguage=; OsMuiLanguages=}
-Message PSVersion: 5.1.17763.4644
-Message PSEdition: Desktop
-Message Compatible Versions:
-Message 1.0 2.0 3.0 4.0 5.0 5.1.17763.4644

[ricmestre]

@meggenberger I already reported this here #3454 , please go through the thread to understand the issue.

Still waiting for @andikrueger for further testing on how to tackle this.

[meggenberger]

@ricmestre Thank you very much for the pointer to the existing issue. I'll try some workarounds mentioned there.

[andikrueger]

Please let us know, what works for you or if you see any other issues. Any feedback / test results are a big help to figure out what to fix.

[andikrueger]

Closing due to inactivity.