Bug: AADRoleEligibilityScheduleRequest fails on subsequent runs #3787
Comments
Are there any other errors thrown in the verbose output? I am failing to repro with the shared config above.
We are seeing this in the
This is only happening on 2 out of 30 of our
This is seen in the
It looks like two of the instances returned by Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest do not have a PrincipalId property, or the ID is in a format that cannot be converted to String. Line 196 in a58b818
Is it possible that there are Roles with outdated groups? Could you check that all settings do have current groups?
Good catch. I was able to reproduce as follows:
1. Create a role eligibility assignment for a given group.
2. Soft delete that group.
3. Run the DSC config to monitor the assignment.
@techthoughts2 is there a chance that the group assigned to the role eligibility has been deleted? Thanks
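The two comments above point at the same failure mode: an eligibility schedule request whose PrincipalId is missing or not a GUID (for example because the assigned group was soft-deleted) makes the String conversion in the comparison throw. The following PowerShell is an added example, not Microsoft365DSC project code, showing how a resource can validate PrincipalId before comparing and report the offending entries instead of failing; it assumes the returned objects expose Id, PrincipalId, RoleDefinitionId and DirectoryScopeId, and the sample input is constructed to stand in for Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest output.

```powershell
# Added example (not Microsoft365DSC code): separate role eligibility schedule
# requests with a usable PrincipalId from those without one, so a request whose
# principal is gone (e.g. a soft-deleted group) is reported rather than causing
# a cast-to-String error during the desired-state comparison.
# Assumption: each request object has Id, PrincipalId, RoleDefinitionId and
# DirectoryScopeId properties, as the Graph beta cmdlet returns.

function Test-PrincipalIdIsGuid {
    # Returns $true only when the value can be treated as a GUID string.
    param([AllowNull()] $Value)
    if ($null -eq $Value) { return $false }
    $text = [string]$Value          # a hashtable/object becomes its type name, which will not parse
    $parsed = [guid]::Empty
    return [guid]::TryParse($text, [ref]$parsed)
}

function Split-EligibilityRequestsByPrincipal {
    # Partition requests into those safe to compare and those to report.
    param([Parameter(Mandatory)] [object[]] $Requests)
    $valid   = [System.Collections.Generic.List[object]]::new()
    $invalid = [System.Collections.Generic.List[object]]::new()
    foreach ($r in $Requests) {
        if (Test-PrincipalIdIsGuid $r.PrincipalId) { $valid.Add($r) } else { $invalid.Add($r) }
    }
    [pscustomobject]@{ Valid = $valid; Invalid = $invalid }
}

# Constructed sample input: one healthy request, one with a null PrincipalId,
# one whose PrincipalId is an unexpected object. All GUIDs are made up.
$sample = @(
    [pscustomobject]@{ Id = 'req-1'; PrincipalId = '11111111-2222-3333-4444-555555555555'
                       RoleDefinitionId = 'role-a'; DirectoryScopeId = '/' }
    [pscustomobject]@{ Id = 'req-2'; PrincipalId = $null
                       RoleDefinitionId = 'role-a'; DirectoryScopeId = '/administrativeUnits/00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ Id = 'req-3'; PrincipalId = @{ unexpected = 'shape' }
                       RoleDefinitionId = 'role-b'; DirectoryScopeId = '/' }
)

$result = Split-EligibilityRequestsByPrincipal -Requests $sample

foreach ($r in $result.Invalid) {
    Write-Warning ("Request {0} has no usable PrincipalId (value: '{1}'); the principal may have been deleted. Excluding it from the comparison." -f $r.Id, $r.PrincipalId)
}

# Only $result.Valid is then matched against the desired Principal,
# RoleDefinition and DirectoryScopeId; with the sample above that is req-1 alone.
$result.Valid | Select-Object Id, PrincipalId, RoleDefinitionId, DirectoryScopeId
```

In a resource this check would sit right before the existing-assignment lookup, so a stale entry is surfaced in the verbose output instead of being misread as the assignment being absent. Whether a flagged principal really is in the tenant's deleted items is a separate lookup and is not shown here.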
I have verified that the group has not been deleted.
Re-opening as we are still seeing ad-hoc instances of this issue surface.
I have the same problem but only when I specify a

```powershell
AADRoleEligibilityScheduleRequest 'EligibilityGroupAssignment'
{
    DependsOn = @(
        '[AADRoleSetting]3a2c62db-5318-420d-8d74-23affee5d9d5'
        '[AADGroup]groupName'
    )
    Principal             = 'groupName'
    RoleDefinition        = 'Intune Administrator'
    PrincipalType         = 'Group'
    DirectoryScopeId      = "/administrativeUnits/5c8d1d0d-3ff7-415e-898f-b166f40f2462"
    Action                = 'AdminAssign'
    Justification         = 'Assigning permanent eligibility for AEG team'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}
```

So I can say for sure that the bug is still present when using a scope on an administrative unit.
Description of the issue
The AADRoleEligibilityScheduleRequest is working without issue for deploying a permanent eligible assignment on the first run of Start-DSCConfiguration. We have confirmed that the eligible assignment is in place and working as intended.
However, subsequent runs of the DSC fail with the overall error:
The Role assignment already exists.
This seems to be related to the subsequent runs thinking that Ensure=Absent for some reason. As a result, it tries to recreate the Role Eligibility request, but fails because it is already present.
Microsoft 365 DSC Version
v1.23.1011.1
Which workloads are affected
Azure Active Directory
The DSC configuration
Verbose logs showing the problem