Problem exporting OrgSettings and PPTenantIsolationSettings about microsoft365dsc HOT 11 OPEN

Could you please share a screenshot of the assigned API permissions for your application and the assigned roles? Thanks.

from microsoft365dsc.

Could you please share a screenshot of the assigned API permissions for your application and the assigned roles? Thanks.

The app registration only has the Global Reader role and is a Power Platform admin management application.

from microsoft365dsc.

Please check if you did assign:

OrganizationSettings.Read or if you need write access as well:

OrganizationSettings.ReadWrite

I did not see this API permission within the screenshot.

from microsoft365dsc.

I do not see that permission listed in my Azure portal. I also checked which permissions the application would need using Get-M365DSCCompiledPermissionList and that API permission doesn't appear.

Could this be a problem with how my app registration was created?

from microsoft365dsc.

Please check if you did assign:

OrganizationSettings.Read or if you need write access as well:

OrganizationSettings.ReadWrite

I did not see this API permission within the screenshot.

Is this a permission that I need to assign via PowerShell and not GUI?

from microsoft365dsc.

You could add the permission by using Graph PowerShell or the EntraId Admin Center.

Using Graph PowerShell you need to add the scope parameter to Connect-MGGraph with one of the scopes above.

Within EntraID you could update your app registration in the section api permissions.

from microsoft365dsc.

@andikrueger PP workload app doesn't require any API permissions, it just needs to be added to Power Apps as a mgmt app by an admin.

"Service principal applications are treated within Power Platform similar to how normal users are with the Power Platform Administrator role assigned. Granular roles and permissions can't be assigned to limit their capabilities. The application doesn't get any special role assigned in Microsoft Entra ID, as this is how platform services treat requests made by service principals."

https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#power-apps-permissions

https://learn.microsoft.com/en-us/power-platform/admin/powershell-create-service-principal#registering-an-admin-management-application

from microsoft365dsc.

That is absolutely correct.

I was referring to the Exchange error message.

from microsoft365dsc.

Oh right, I didn't even see that resource there, O365 workload and specially O365OrgSettings is really a pain in the neck...

The log shows that it's failing on line 294 which corresponds for calling Get-DefaultTenantMyAnalyticsFeatureConfig, this requires either Global admin, EXO admin or Insights admin Entra roles as per https://learn.microsoft.com/en-us/powershell/module/exchange/get-defaulttenantmyanalyticsfeatureconfig?view=exchange-ps

In my case I've assigned Insights administrator since it's the most restrictive, please bear in mind that assigning any one of these Entra roles is required even if only reading is required.

from microsoft365dsc.