
Failure in Connect-mgGraph with certificate after upgrading to Microsoft365DSC 1.24.1016.1 #5461

Open
subhashvinjamuri opened this issue Nov 25, 2024 · 9 comments

Comments

@subhashvinjamuri

Description of the issue

While working to create an AADApplication in DSC, I upgraded to Microsoft365DSC version 1.24.1016.1 (from 1.24.417.1, as new features got added for AADApplication). Performed dependency updates and removed unsupported versions etc. as per standard procedure. Now I have Microsoft365DSC 1.24.1016.1 & Microsoft.Graph.Authentication 2.23.0 installed.
Created a new configuration for AADApplication (basic details) with certificate authentication of my DSC service principal, which has permission to create a new App Reg in AAD.
The mof file gets created, but sending the configuration fails for this mof file with the below error. This is happening at -
###############
This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_AADApplication DSC resource. FullyQualifiedErrorId :

ClientCertificateCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy
in ClientOptions.RetryPolicy.
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
+ PSComputerName : localhost
##################
However, export works fine with the same service principal and corresponding cert authentication. But Apply configuration fails.
Please suggest.

Microsoft 365 DSC Version

1.24.1016.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

# Generated with Microsoft365DSC version 1.24.417.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
)

Configuration AAD_dev_Appreg
{
    param (
    )

    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    #Install-Module -Name Microsoft365DSC -RequiredVersion 1.24.1016.1 -AllowClobber
    #Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.417.1'
    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.1016.1'

    Node localhost
    {
        # For information on how to use this resource, please refer to:
        # https://github.com/microsoft/Microsoft365DSC/wiki/AADApplication
        AADApplication "AADApplication-Test-for-DSC-POC"
        {
            ApplicationId           = $ConfigurationData.NonNodeData.ApplicationId;
            AvailableToOtherTenants = $False;
            CertificateThumbprint   = $ConfigurationData.NonNodeData.CertificateThumbprint;
            DisplayName             = "Test-for-DSC-POC";
            Ensure                  = "Present";
            IdentifierUris          = @();
            IsFallbackPublicClient  = $False;
            KnownClientApplications = @();
            ObjectId                = "";
            AppId                   = "";
            Owners                  = @("[email protected]","0d106046-2a07-43c2-9de0-c4756f5af2d6");
            Permissions             = @(
                MSFT_AADApplicationPermission {
                    Name                = 'User.Read'
                    Type                = 'Delegated'
                    SourceAPI           = 'Microsoft Graph'
                    AdminConsentGranted = $False
                }
                MSFT_AADApplicationPermission {
                    Name                = 'Group.Read.All'
                    Type                = 'AppOnly'
                    SourceAPI           = 'Microsoft Graph'
                    AdminConsentGranted = $True
                }
            );
<#
            KeyCredentials          = @(
                MSFT_MicrosoftGraphkeyCredential {
                    endDateTime   = "2024-12-11T15:31:26Z"
                    startDateTime = "2023-01-12T15:31:26Z"
                    type          = "AsymmetricX509Cert"
                    usage         = "Verify"
                    key           = "base64MIIDADCCAeigAwIBAgIQP6HEGDdZ65xJTcK4dCBvZzANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAgyMDIzMDExMjAeFw0yMzAxMTIwODExNTZaFw0yNDAxMTIwODMxNTZaMBMxETAPBgNVBAMMCDIwMjMwMTEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAseKf1weEacJ67D6/...laxQPUbuIL+DaXVkKRm1V3GgIpKTBqMzTf4tCpy7rpUZbhcwAFw6h9A=="
                    displayName   = "CN=20230112"
                }
            );
#>
            PasswordCredentials     = @(
                MSFT_MicrosoftGraphpasswordCredential {
                    DisplayName   = 'Test pwd'
                    EndDateTime   = '2024-12-30T00:00:00Z'
                    StartDateTime = '2024-11-22T00:00:00Z'
                }
            );
            PublicClient            = $False;
            ReplyURLs               = @();
            TenantId                = $OrganizationName;
        }
    }
}

AAD_dev_Appreg -ConfigurationData .\ConfigurationData.psd1

Verbose logs showing the problem

ClientCertificateCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy 
in ClientOptions.RetryPolicy.
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
    + PSComputerName        : localhost

Environment Information + PowerShell Version

OsName               : Microsoft Windows 10 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PSVersion                 : 5.1.19041.5129
PSEdition                 : Desktop
PSCompatibleVersions      : {1.0, 2.0, 3.0, 4.0...}
BuildVersion              : 10.0.19041.5129
CLRVersion                : 4.0.30319.42000
WSManStackVersion         : 3.0
PSRemotingProtocolVersion : 2.3
SerializationVersion      : 1.1.0.1

@subhashvinjamuri
Author

Can anyone suggest the code flow during Start-DscConfiguration? Export commands go to various util scripts under .\modules\Microsoft365DSC<version>\Modules. But how to debug the code flow for Start-DscConfiguration to find where it is failing is unknown.

@FabienTschanz
Contributor

What does it show in the Entra portal under your app registration in the sign-in logs? Anything related that the login failed? Is the certificate you're using in the certificate store of the machine and the user? Start-DscConfiguration runs as the SYSTEM account, that's why the certificate needs to be available in the certificate store of the machine and not only the current user.

@subhashvinjamuri
Author

Yes, the certificate I'm using is in the machine store (authentication works fine if I use version '1.24.417.1'). The Entra portal does not show any failure log entry. I am assuming the cert information is not being properly passed during Connect-MgGraph.

Is there a way to debug when I do 'Start-DscConfiguration'? I tried to put break points in the 'Get-TargetResource' function in MSFT_AADApplication.psm1 (the resource I'm trying to create), but the session does not even seem to reach there. So I'm trying to understand the flow: what other scripts are called (once the authentication type was identified as 'ServicePrincipalWithThumbprint', i.e. line # 2053 in M365DSCUtil.psm1)?
Or any similar guidance on this is appreciated.

@subhashvinjamuri
Author

Trying with 1.24.1106.3 too, same error. Assuming something with Graph Auth is not working fine.


Import-module Microsoft365DSC -RequiredVersion 1.24.1106.3 -Force

PS C:\Subhash> Update-M365DSCDependencies -Force
Installing Az.Accounts version {3.0.2}
Installing Az.ResourceGraph version {1.0.0}
Installing Az.Resources version {7.2.0}
Installing Az.SecurityInsights version {3.1.2}
Installing DSCParser version {2.0.0.11}
Installing ExchangeOnlineManagement version {3.4.0}
Installing Microsoft.Graph.Applications version {2.24.0}
Installing Microsoft.Graph.Beta.Applications version {2.24.0}
Installing Microsoft.Graph.Authentication version {2.24.0}
Installing Microsoft.Graph.Beta.DeviceManagement version {2.24.0}
Installing Microsoft.Graph.Beta.Devices.CorporateManagement version {2.24.0}
Installing Microsoft.Graph.Beta.DeviceManagement.Administration version {2.24.0}
Installing Microsoft.Graph.Beta.DeviceManagement.Enrollment version {2.24.0}
Installing Microsoft.Graph.Beta.NetworkAccess version {2.24.0}
Installing Microsoft.Graph.Beta.Identity.DirectoryManagement version {2.24.0}
Installing Microsoft.Graph.Beta.Identity.Governance version {2.24.0}
Installing Microsoft.Graph.Beta.Identity.SignIns version {2.24.0}
Installing Microsoft.Graph.Beta.Reports version {2.24.0}
Installing Microsoft.Graph.Beta.Search version {2.24.0}
Installing Microsoft.Graph.Beta.Teams version {2.24.0}
Installing Microsoft.Graph.DeviceManagement.Administration version {2.24.0}
Installing Microsoft.Graph.Beta.DirectoryObjects version {2.24.0}
Installing Microsoft.Graph.Groups version {2.24.0}
Installing Microsoft.Graph.Beta.Groups version {2.24.0}
Installing Microsoft.Graph.Planner version {2.24.0}
Installing Microsoft.Graph.Sites version {2.24.0}
Installing Microsoft.Graph.Users version {2.24.0}
Installing Microsoft.Graph.Users.Actions version {2.24.0}
Installing Microsoft.PowerApps.Administration.PowerShell version {2.0.199}
Installing MicrosoftTeams version {6.6.0}
Installing MSCloudLoginAssistant version {1.1.27}
Installing PnP.PowerShell version {1.12.0}
WARNING: The dependency {PSDesiredStateConfiguration} requires PowerShell Core. Please run Update-M365DSCDependencies in PowerShell Core.
Installing ReverseDSC version {2.0.0.22}

@FabienTschanz
Contributor

The flow is hard to debug unfortunately. Start-DscConfiguration runs in the system context, so you won't be able to debug from there. And I personally also haven't tried to debug it from there, so I can't really help here either. After updating the dependencies, is the result the same?

@ricmestre
Contributor

ricmestre commented Nov 26, 2024

@FabienTschanz Actually you can debug DSC, it's a pain in the rear let me tell you but you can. Just follow the instructions on https://learn.microsoft.com/en-us/powershell/dsc/troubleshooting/debugresource?view=dsc-1.1

@FabienTschanz
Contributor

Uhh that's bloody ugly... I'd rather stay as many miles away from there as humanly possible 😅

@ricmestre
Contributor

You gotta try it someday, it's so infuriating when you're following the debug line by line, like 15 or more minutes into it, and by mistake you press the key and step into the function instead, which will take you to the end of the process and you have to restart the whole thing from the start...

Nothing beats the good and ol' printf!

@ricmestre
Contributor

@subhashvinjamuri Do you at least see the correct values for appid, cert thumbprint, and tenantid in the resulting mof and confirm they're all correct?
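A concrete way to run the checks that both @FabienTschanz (is the certificate reachable from the SYSTEM context the LCM runs in?) and @ricmestre (are AppId, thumbprint and TenantId in the MOF actually correct?) are asking about, as an added example. This is not Microsoft365DSC's code nor either commenter's. It assumes a hypothetical MOF path, that the private key is stored in the standard CAPI/CNG machine key folders under %ProgramData%\Microsoft\Crypto, an elevated prompt (reading machine key ACLs needs admin), and Microsoft.Graph.Authentication 2.x for the optional Connect-MgGraph step.

```powershell
# Added example (not Microsoft365DSC's own code). Reads the identity values back out of a
# compiled MOF and checks what the LCM needs when it runs the resource as SYSTEM.
# Assumptions: the MOF path is hypothetical; private keys live in the standard CAPI/CNG
# machine key folders under %ProgramData%\Microsoft\Crypto; run from an elevated prompt.
param(
    [string]$MofPath = '.\AAD_dev_Appreg\localhost.mof',  # hypothetical path
    [switch]$TryConnect                                   # also call Connect-MgGraph as the current user
)

# MOF string properties are written as:   Name = "value";
function Get-MofValue {
    param([string]$Text, [string]$Name)
    if ($Text -match "(?m)^\s*$Name\s*=\s*`"([^`"]*)`"\s*;") { return $Matches[1] }
    return $null
}

# Resolve the on-disk private key file so its ACL can be inspected.
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $null }                     # key exists but is not readable in this context
    if ($null -eq $rsa) { return $null }         # certificate carries no private key
    $root = Join-Path $env:ProgramData 'Microsoft\Crypto'
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName              # CNG key storage provider
        $candidates = @((Join-Path $root "Keys\$name"), (Join-Path $root "SystemKeys\$name"))
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CAPI provider
        $candidates = @(Join-Path $root "RSA\MachineKeys\$name")
    }
    return $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
}

$mofText    = Get-Content -Path $MofPath -Raw
$appId      = Get-MofValue -Text $mofText -Name 'ApplicationId'
$tenantId   = Get-MofValue -Text $mofText -Name 'TenantId'
$thumbprint = Get-MofValue -Text $mofText -Name 'CertificateThumbprint'

$parsedGuid = [guid]::Empty
$result = [ordered]@{
    ApplicationId       = $appId
    ApplicationIdIsGuid = [bool]($appId -and [guid]::TryParse($appId, [ref]$parsedGuid))
    TenantId            = $tenantId
    Thumbprint          = $thumbprint
    # Thumbprints pasted from the portal sometimes carry spaces or an invisible U+200E mark.
    ThumbprintIsClean   = [bool]($thumbprint -match '^[0-9A-Fa-f]{40}$')
    InCurrentUserMy     = $false
    InLocalMachineMy    = $false   # the store a SYSTEM process will look in
    HasPrivateKey       = $false
    KeyFile             = $null
    SystemCanReadKey    = $null
}

if ($result.ThumbprintIsClean) {
    $cuCert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"  -ErrorAction SilentlyContinue
    $lmCert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
    $result.InCurrentUserMy  = [bool]$cuCert
    $result.InLocalMachineMy = [bool]$lmCert
    if ($lmCert) {
        $result.HasPrivateKey = $lmCert.HasPrivateKey
        $keyFile = Get-PrivateKeyFile -Cert $lmCert
        $result.KeyFile = $keyFile
        if ($keyFile) {
            # SYSTEM needs at least Read on the key file; an explicit Allow ACE whose mask
            # contains the full Read mask counts (FullControl included).
            $read = [int][System.Security.AccessControl.FileSystemRights]::Read
            $acl  = Get-Acl -LiteralPath $keyFile
            $result.SystemCanReadKey = [bool]($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $read) -eq $read)
            })
        }
    }
}

if ($TryConnect -and $result.ThumbprintIsClean) {
    # The same kind of certificate sign-in the LCM is attempting, but in the current user's
    # session: success here while Start-DscConfiguration still fails points at the SYSTEM
    # context (store/ACL above) rather than at the values themselves.
    Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint $thumbprint -NoWelcome
    $result.ConnectedAuthType = (Get-MgContext).AuthType
}

[pscustomobject]$result
```

Run it as `.\Check-M365DscCertAuth.ps1 -MofPath .\AAD_dev_Appreg\localhost.mof -TryConnect` (script name hypothetical). If every field comes back true and the interactive Connect-MgGraph succeeds, the one variable left is the SYSTEM context itself; a SYSTEM shell (for instance Sysinternals `psexec -s -i powershell.exe`) lets you repeat the Connect-MgGraph call exactly as the LCM sees it, which is far quicker than stepping through the resource under the DSC debugger.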
