When using the Export-M365DSCConfiguration command with the Security & Compliance components I get odd errors that it is missing parameters

[rick-engle]

Description of the issue

I've been using Export-M365DSCConfiguration for exporting a lot of components from my source tenant. But if I use that for any of the Security & Compliance components, I get this error:
Export-M365DSCConfiguration -Components @("SCAuditConfigurationPolicy" ) -ApplicationId $clientId -TenantId $tenantIdDomainName -ApplicationSecret $clientSecretValue -Path $SavePath -FileName $SaveFileName

Exporting Microsoft 365 configuration for Components: SCAuditConfigurationPolicy

Authentication methods specified:

• Service Principal with Application Secret

Connecting to {SecurityComplianceCenter}...✅
[1/1] Extracting [SCAuditConfigurationPolicy] using {}...Partial Export file was saved at: C:\Users\RICKE~1.RED\AppData\Local\Temp\15bd646a-ba9f-456e-94f5-969215a1c05c.partial.ps1
You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1120.1\Modules\M365DSCUtil.psm1:1971 char:9

•     throw $errorText
  

•     ~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: (You must specif...int parameters.:String) [], RuntimeException
  • FullyQualifiedErrorId : You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.

That exact command used with the very same parameter values works for AAD, Intune and Office 365 components with no errors. For example this command works fine for an AAD component:
Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy" ) -ApplicationId $clientId -TenantId $tenantIdDomainName -ApplicationSecret $clientSecretValue -Path $SavePath -FileName $SaveFileName
while this very similar command for component "SCAuditConfigurationPolicy" fails:
Export-M365DSCConfiguration -Components @("SCAuditConfigurationPolicy" ) -ApplicationId $clientId -TenantId $tenantIdDomainName -ApplicationSecret $clientSecretValue -Path $SavePath -FileName $SaveFileName

Microsoft 365 DSC Version

1.24.1120.1

Which workloads are affected

Security & Compliance Center

The DSC configuration

Verbose logs showing the problem

Export-M365DSCConfiguration -Components @("SCAuditConfigurationPolicy" ) -ApplicationId $clientId -TenantId $tenantIdDomainName -ApplicationSecret $clientSecretValue -Path $SavePath -FileName $SaveFileName

Exporting Microsoft 365 configuration for Components: SCAuditConfigurationPolicy
 
Authentication methods specified:
- Service Principal with Application Secret
 
Connecting to {SecurityComplianceCenter}...✅
[1/1] Extracting [SCAuditConfigurationPolicy] using {}...Partial Export file was saved at: C:\Users\RICKE~1.RED\AppData\Local\Temp\15bd646a-ba9f-456e-94f5-969215a1c05c.partial.ps1
You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.
At C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.1120.1\Modules\M365DSCUtil.psm1:1971 char:9
+         throw $errorText
+         ~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (You must specif...int parameters.:String) [], RuntimeException
    + FullyQualifiedErrorId : You must specify either the Credential or ApplicationId, TenantId and CertificateThumbprint parameters.

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 26100.1.amd64fre.ge_release.240331-1435
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.26100.2161
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.26100.2161
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion

[FabienTschanz]

@rick-engle That is because e.g. SCAuditConfigurationPolicy does not support the ApplicationSecret authentication method. It only supports Credential, CertificateThumbprint, CertificatePassword (with CertificatePath) and AccessTokens. Other methods are not supported.

[rick-engle]

Oh, that is a good detail @FabienTschanz. Would you have a complete PowerShell script snippet that shows the proper way to create credentials and call Export-M365DSCConfiguration -Components that consumes that credential? I was using ApplicationSecret because we are mandated to use MFS in our company and @NikCharlebois recommended that I instead use the ApplicationSecret method.

[FabienTschanz]

The resource page of SCAuditConfigurationPolicy contains an example on how to do it, but I am not familiar with the Credential object myself. From what I was able to gather, you can either specify the Credential object in the ConfigurationData.psd1 file (and then reference that in the configuration from a parameter) or you can also directly request it in the configuration like so: $cred = Get-Credential -UserName contoso\genericuser -Message "Password please"

More information about credentials can be found here: https://learn.microsoft.com/en-us/powershell/dsc/configurations/configdatacredentials?view=dsc-1.1
General informations about deploying the configurations (with some more links): https://microsoft365dsc.com/user-guide/get-started/deploying-configurations/

Hope that helps.