Multiple resources missing mandatory parameters causing Get-M365DSCResourceKey to fail #2925

Closed
bjoernf73 opened this issue Feb 21, 2023 · 5 comments · Fixed by #2968 or #3140
@bjoernf73
Contributor

bjoernf73 commented Feb 21, 2023

Details of the scenario you tried and the problem that is occurring

When creating DeltaReports, Get-M365DSCResourceKey is used, but fails on resources that are not defined with mandatory params.

ipmo Microsoft365DSC
$all = Get-DscResource -Module Microsoft365DSC
(0..$($all.count-1)) |  
foreach { 
    $rname = $all[$_].Name;
    if (($all[$_].Properties | where { 
        $_.IsMandatory -eq $true 
    }).count -eq 0) {
        $rname 
    }
}

outputs:

EXOIRMConfiguration
EXOPerimeterConfiguration
EXOResourceConfiguration
IntuneAppProtectionPolicyiOS
IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator
IntuneDeviceConfigurationPolicyAndroidDeviceOwner
IntuneDeviceConfigurationPolicyAndroidOpenSourceProject
IntuneDeviceConfigurationPolicyIOS
IntuneDeviceConfigurationPolicyMacOS
IntuneWifiConfigurationPolicyAndroidDeviceAdministrator
IntuneWifiConfigurationPolicyAndroidEntrepriseDeviceOwner
IntuneWifiConfigurationPolicyAndroidEntrepriseWorkProfile
IntuneWifiConfigurationPolicyAndroidForWork
IntuneWifiConfigurationPolicyAndroidOpenSourceProject
IntuneWifiConfigurationPolicyIOS
IntuneWifiConfigurationPolicyMacOS
IntuneWifiConfigurationPolicyWindows10
IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled
AADEntitlementManagementAccessPackage
AADEntitlementManagementAccessPackageCatalog
AADEntitlementManagementAccessPackageCatalogResource

Verbose logs showing the problem

n/a

Suggested solution to the issue

Each resource should define at least one mandatory parameter, but as a quick fix, perhaps:

$resourceInfo = Get-DscResource ("MSFT_$($Resource.ResourceName)") -Module 'Microsoft365DSC'
[Array]$mandatoryParameters = $resourceInfo.Properties | Where-Object -FilterScript { $_.IsMandatory }
# for resources where no mandatory params defined: 
if ($null -eq $mandatoryParameters)
{
    Write-Warning "Resource $($Resource.ResourceName) does not have any mandatory parameters, `
    meaning there is still work to be done with this resource. This function may return a plausible identifying property, `
    if such a parameter can be found"
    
    # is it a single instance resource, at least return that
    if ($Resource.Contains('IsSingleInstance')) {
        return @('IsSingleInstance') 
    }

    # return any plausible identifying param
    if ($Resource.Contains('DisplayName'))
    {
        return @('DisplayName')
    }
    elseif ($Resource.Contains('Name'))
    {
        return @('Name')
    }
    elseif ($Resource.Contains('Identity'))
    {
        return @('Identity')
    }
    elseif ($Resource.Contains('Id'))
    {
        return @('Id')
    }
    else
    {
        throw "Resource $($Resource.ResourceName) does not have any mandatory parameters, and no other unique identifier could be guessed"
    }
}
elseif ($Resource.Contains('IsSingleInstance') -and $mandatoryParameters.Name.Contains('IsSingleInstance'))
  .....

The DSC configuration that is used to reproduce the issue (as detailed as possible)

(Any call to New-M365DSCDeltaReport that includes one or more of the resources listed above)

The operating system the target node is running

n/a

Version of the DSC module that was used ('dev' if using current dev branch)

Dev

@andikrueger
Collaborator

Thanks for the list of resources. We should fix the resources to align with the schema files.

@andikrueger andikrueger added Bug Something isn't working Core Engine labels Feb 21, 2023
@bjoernf73
Contributor Author

> Thanks for the list of resources. We should fix the resources to align with the schema files.

The problem is that the schema files are missing a "Key", for instance MSFT_EXOIRMConfiguration.schema.mof:

[ClassVersion("1.0.0.0"), FriendlyName("EXOIRMConfiguration")]
class MSFT_EXOIRMConfiguration : OMI_BaseResource
{
    [Write, Description("The Identity parameter specifies the Perimeter Configuration policy that you want to modify.")] String Identity;
    [Write, Description("The AutomaticServiceUpdateEnabled parameter specifies whether to allow the automatic addition of new features within Azure Information Protection for your cloud-based organization.")] Boolean AutomaticServiceUpdateEnabled;
    [Write, Description("The AzureRMSLicensingEnabled parameter specifies whether the Exchange Online organization can to connect directly to Azure Rights Management.")] Boolean AzureRMSLicensingEnabled;
    [Write, Description("The DecryptAttachmentForEncryptOnly parameter specifies whether mail recipients have unrestricted rights on the attachment or not for Encrypt-only mails sent using Microsoft Purview Message Encryption.")] Boolean DecryptAttachmentForEncryptOnly;
    [Write, Description("The EDiscoverySuperUserEnabled parameter specifies whether members of the Discovery Management role group can access IRM-protected messages in a discovery mailbox that were returned by a discovery search.")] Boolean EDiscoverySuperUserEnabled;
    [Write, Description("The EnablePdfEncryption parameter specifies whether to enable the encryption of PDF attachments using Microsoft Purview Message Encryption. ")] Boolean EnablePdfEncryption;
    [Write, Description("The InternalLicensingEnabled parameter specifies whether to enable IRM features for messages that are sent to internal and external recipients.")] Boolean InternalLicensingEnabled;
    [Write, Description("The JournalReportDecryptionEnabled parameter specifies whether to enable journal report decryption.")] Boolean JournalReportDecryptionEnabled;
    [Write, Description("The LicensingLocation parameter specifies the RMS licensing URLs. You can specify multiple URL values separated by commas.")] String LicensingLocation[];
    [Write, Description("This parameter is available only in the cloud-based service.")] Boolean RejectIfRecipientHasNoRights;
    [Write, Description("The RMSOnlineKeySharingLocation parameter specifies the Azure Rights Management URL that's used to get the trusted publishing domain (TPD) for the Exchange Online organization.")] String RMSOnlineKeySharingLocation;
    [Write, Description("The SearchEnabled parameter specifies whether to enable searching of IRM-encrypted messages in Outlook on the web (formerly known as Outlook Web App).")] Boolean SearchEnabled;
    [Write, Description("The SimplifiedClientAccessDoNotForwardDisabled parameter specifies whether to disable Do not forward in Outlook on the web.")] Boolean SimplifiedClientAccessDoNotForwardDisabled;
    [Write, Description("The SimplifiedClientAccessEnabled parameter specifies whether to enable the Protect button in Outlook on the web.")] Boolean SimplifiedClientAccessEnabled;
    [Write, Description("The SimplifiedClientAccessEncryptOnlyDisabled parameter specifies whether to disable Encrypt only in Outlook on the web. ")] Boolean SimplifiedClientAccessEncryptOnlyDisabled;
    [Write, Description("The TransportDecryptionSetting parameter specifies the transport decryption configuration."), ValueMap{"Disabled","Mandatory","Optional"}, Values{"Disables","Mandatory","Optional"}] String TransportDecryptionSetting;
    [Write, Description("Specifies if this Outbound connector should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
    [Write, Description("Credentials of the Exchange Global Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
    [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
    [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
    [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
    [Write, Description("Username can be made up to anything but password will be used for CertificatePassword"), EmbeddedInstance("MSFT_Credential")] String CertificatePassword;
    [Write, Description("Path to certificate used in service principal usually a PFX file.")] String CertificatePath;
    [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
};

@andikrueger
Collaborator

On it right now. This looks like it is going to be a breaking change as we change the required parameters. On the other hand, these params had to be set for those resources to work...

@William-Francillette Could you have a look at this issue as well, as there are many resources within that were created with the DRG. I kind of get the feeling that somehow the KEYs are not properly selected for those resources. I would wait for your feedback.

@andikrueger
Collaborator

I pushed my first changes to this branch: https://github.com/andikrueger/Microsoft365DSC/tree/issue2925

@NikCharlebois Is this going to be a breaking change? I kind of get the feeling that we could proceed with these changes without waiting for the First April Release...

@ykuijs
Member

ykuijs commented Mar 6, 2023

This is definitely a breaking change, since it will require parameters that might not have been provided earlier.

I am working on adding a QA test to check if all resources have at least one key parameter. Will submit a PR for that as well, which also fixes this issue for all resources. This PR can't be merged until our next breaking changes release (April 5th).
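
A check of the kind discussed in this thread, as an added example that is not part of the issue and not the project's QA test: it scans schema MOF text for classes deriving from OMI_BaseResource that declare no Key property. The function name Get-MofResourceWithoutKey and the sample schema are constructed for illustration.

```powershell
# Added example, not Microsoft365DSC code; the function name and sample MOF are constructed.
function Get-MofResourceWithoutKey
{
    param ([Parameter(Mandatory = $true)] [System.String] $MofText)

    # Only classes deriving from OMI_BaseResource are DSC resources; embedded
    # instance classes in the same schema file do not need a key.
    $classPattern = '(?ms)^\s*class\s+(?<name>\w+)\s*:\s*OMI_BaseResource\s*\{(?<body>.*?)^\s*\};'
    # The first qualifier of a property line is Key, Required, Write or Read.
    $propertyPattern = '(?m)^\s*\[\s*(?<qualifier>\w+)'

    foreach ($class in [regex]::Matches($MofText, $classPattern))
    {
        $qualifiers = @([regex]::Matches($class.Groups['body'].Value, $propertyPattern) |
            ForEach-Object { $_.Groups['qualifier'].Value })

        if ($qualifiers -notcontains 'Key')
        {
            [PSCustomObject]@{
                ClassName     = $class.Groups['name'].Value
                PropertyCount = $qualifiers.Count
            }
        }
    }
}

# Constructed sample: an embedded class, a resource without a key, a resource with one.
$sampleMof = @'
class MSFT_SampleEmbedded
{
    [Write, Description("Embedded value.")] String Value;
};

[ClassVersion("1.0.0.0"), FriendlyName("SampleNoKey")]
class MSFT_SampleNoKey : OMI_BaseResource
{
    [Write, Description("Identifier.")] String Identity;
    [Write, Description("Desired state."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
};

[ClassVersion("1.0.0.0"), FriendlyName("SampleWithKey")]
class MSFT_SampleWithKey : OMI_BaseResource
{
    [Key, Description("Identifier.")] String Identity;
};
'@

Get-MofResourceWithoutKey -MofText $sampleMof
```

Only MSFT_SampleNoKey is reported for the sample; the embedded class is skipped because it does not derive from OMI_BaseResource.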
