Graph beta modules also return a ResponseHeaders object which is currently not handled correctly in Export-TargetResource

[mpiederiet]

Description of the issue

Something changed in Microsoft Graph beta version 2.13.2 which causes the Get-* cmdlets to return a ResponseHeaders object. Example with Graph version 2.13.2:

PS> Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId X509Certificate

Id              State
--              -----
X509Certificate disabled

ResponseHeaders : {df42dfe6-1c19-4f1d-9b7b-7a76c794b4d9}

Example with version 2.12.0:

PS> Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId X509Certificate

Id              State
--              -----
X509Certificate disabled

The extra returned object is not handled by export-targetresource and makes it return an error for every single object exported. See the "verbose Logs" below, All these Authentication Method policies are single object, but Microsoft365DSC thinks there are two because of the extra returned object by the Graph SDK. I think the dependency should be reverted to 2.12.0

Microsoft 365 DSC Version

1.24.214.2

Which workloads are affected

Azure Active Directory, other

The DSC configuration

Just export any Authentication Policy method (AADAuthenticationMethodPolicy* resources)

Verbose logs showing the problem

Selected BluePrint contains (11) components to assess.
Initiating the Export of those (11) components from the tenant...
Exporting Microsoft 365 configuration for Components: AADAuthorizationPolicy, AADAuthenticationMethodPolicy, AADAuthenticationMethodPolicyAuthenticator, AADAuthenticationMethodPolicyEmail, AADAuthenticationMethodPolicyFido2, AADAuthenticationMethodPolicySms, AADAuthenticationMethodPolicySoftware, AADAuthenticationMethodPolicyVoice, AADAuthenticationMethodPolicyTemporary, AADAuthenticationMethodPolicyX509, AADSecurityDefaults
 
Authentication methods specified:
- Service Principal with Certificate Thumbprint

Connecting to {MicrosoftGraph}...✅
[1/11] Extracting [AADAuthenticationMethodPolicy] using {CertificateThumbprint}...
    |---[1/2] Authentication Methods Policy✅
    |---[2/2] ❌
 Error Log created at {file://C:/code/39904-M365DSC-ErrorLog.log}
[2/11] Extracting [AADAuthenticationMethodPolicyAuthenticator] using {CertificateThumbprint}...
    |---[1/2] MicrosoftAuthenticator✅
    |---[2/2] ❌
 Error Log created at {file://C:/code/39904-M365DSC-ErrorLog.log}
[3/11] Extracting [AADAuthenticationMethodPolicyEmail] using {CertificateThumbprint}...
    |---[1/2] Email✅
    |---[2/2] ❌
 Error Log created at {file://C:/code/39904-M365DSC-ErrorLog.log}

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, en-GB}

Name                           Value
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

[ricmestre]

The latest Graph releases shipped have been very very buggy, 2.13.0 had a major problem and instantly people started complaining on that same Friday 2.13.1 was released but still had this issue you reported which already bite me and had to change some code around to cope with it.

@andikrueger @NikCharlebois Would it be possible to not merge the Graph version right just upon their release and instead run the integration tests first to ensure everything still works and if it does then merge it? In the past their releases were robust but they seem to have lost some quality over time and I'd recommend some prior testing before jumping ship to their latest version.

[NikCharlebois]

Yes, we are on it. The challenge is that not all cmdlets seem to be returning the Headers. We've identify a few around AADAuthenticationPolicyMethods and Intune, but others remained unchanged. We are following up with the Graph team, and yes, we will need to review how we update to the latest versions in our releases to make the process more robust when we depend on other modules.

[andikrueger]

Maybe we can takle this with #3458 and implement an extended check for all dependencies.

[ricmestre]

As mentioned in my PR to fix something else, I found a problem caused by Graph where I can't export these resources because they have a condition checking if $getValue is an array, coincidentally these are the only resources in M365DSC that have this specific condition, but I bet many more will have something like $getValue.Count -eq 1 which also fails.

MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1:152: if($getValue -is [Array])
MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1:130: if($getValue -is [Array])

[salbeck-sit]

Graph SDK v2.14.1 appears to have fixed the issue. It was introduced in 2.13.1 and made even worse in 2.14.0

[andikrueger]

There will be an intermediate release #4348