
Azure Tenant DSC Configuration Import Error #3422

Closed
MinskyD86 opened this issue Jun 27, 2023 · 8 comments · Fixed by #3679 or #3682

Comments

@MinskyD86

#### Details of the scenario you tried and the problem that is occurring

After installing the M365DSC PowerShell module and successfully exporting my required components from that tenant, I was able to generate the subsequent MOF. When running `Start-DscConfiguration -Path -Force -Wait -Verbose`, I receive the following error:

"PowerShell DSC resource MSFT_AADNamedLocationPolicy failed to execute Test-TargetResource functionality with error message: Unable to connect to the remote server."

I'm using a service principal with certificate-based authentication. The service principal has been given all the required API permissions as advised by Microsoft documents.

#### Verbose logs showing the problem

```
VERBOSE: [SERVERNAME]: LCM: [ Start Resource ] [[AADNamedLocationPolicy]AADNamedLocationPolicy-Production]
VERBOSE: [SERVERNAME]: LCM: [ Start Test ] [[AADNamedLocationPolicy]AADNamedLocationPolicy-Production]
VERBOSE: [SERVERNAME]: [[AADNamedLocationPolicy]AADNamedLocationPolicy-Production] Testing configuration of AAD Named Location
VERBOSE: [SERVERNAME]: [[AADNamedLocationPolicy]AADNamedLocationPolicy-Production] Getting configuration of AAD Named Location
VERBOSE: [SERVERNAME]: LCM: [ End Test ] [[AADNamedLocationPolicy]AADNamedLocationPolicy-Production] in 189.4920 seconds.
PowerShell DSC resource MSFT_AADNamedLocationPolicy failed to execute Test-TargetResource functionality with error message: Unable to connect to the remote server
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
```

#### Suggested solution to the issue

#### The DSC configuration that is used to reproduce the issue (as detailed as possible)

PowerShell version: 5.1

[DSCConfigScripts.zip](https://github.com/microsoft/Microsoft365DSC/files/11878186/DSCConfigScripts.zip)

M365Module version 1.23.621.1

```powershell
Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy","AADNamedLocationPolicy") -ApplicationId -TenantId -CertificateThumbprint -Path -ErrorAction Stop
```



#### The operating system the target node is running

Attempted on two different machines.

```
OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
```

```
OsName               : Microsoft Windows Server 2016 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.5989.amd64fre.GitEnlistment.230602-1907
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
```

#### Version of the DSC module that was used ('dev' if using current dev branch)

M365Module version 1.23.621.1
@MinskyD86 (Author)

DSCConfigScripts.zip

@andikrueger (Collaborator)

This looks like an issue with the certificate. Please make sure to store the certificate in the computer certificate store and not your personal one. If you used the M365DSC cmdlets to create the service principal and certificate, you need to export the certificate with the private key from your personal certificate store and re-import the certificate within the computer store. PowerShell DSC's local configuration manager tries to get the certificate in the context of the local machine account.
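The check behind this advice, as an added example that is not part of the thread: the LCM runs as the local machine account, so a certificate that is only in the operator's `Cert:\CurrentUser\My` store is invisible to it, and a certificate that is in `Cert:\LocalMachine\My` without its private key cannot be used to sign the token request. The script below looks the thumbprint up in both stores and, when asked, moves it from the user store to the machine store with `Export-PfxCertificate` / `Import-PfxCertificate` (both from the built-in PKI module). `$Thumbprint` and the PFX path are placeholders the caller supplies.

```powershell
# Added example, not M365DSC project code. Verifies that the certificate referenced by a
# DSC configuration is readable from the LCM's (SYSTEM) context and optionally moves it
# from the CurrentUser store into the LocalMachine store.
# Run in an elevated session; the thumbprint value is a placeholder.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint,

    # When set, export the CurrentUser copy (with private key) and import it into LocalMachine\My.
    [switch]$Repair,

    # Temporary PFX location used only when -Repair is given (placeholder path).
    [string]$PfxPath = "$env:TEMP\m365dsc-auth.pfx"
)

function Test-M365DscAuthCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Store thumbprints are upper-case hex with no spaces; normalise the input the same way.
    $tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    $machineCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
    $userCert    = Get-ChildItem -Path Cert:\CurrentUser\My  | Where-Object Thumbprint -eq $tp

    [pscustomobject]@{
        Thumbprint          = $tp
        InLocalMachineStore = [bool]$machineCert
        InCurrentUserStore  = [bool]$userCert
        # Only the machine-store copy matters to the LCM, so report its key/expiry state.
        HasPrivateKey       = if ($machineCert) { $machineCert.HasPrivateKey } else { $false }
        NotExpired          = if ($machineCert) { $machineCert.NotAfter -gt (Get-Date) } else { $false }
        UserCertificate     = $userCert
    }
}

function Move-CertificateToMachineStore {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PfxPath
    )

    # A random one-time password protects the PFX while it sits on disk; the file is removed afterwards.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    try {
        Export-PfxCertificate -Cert $Certificate -FilePath $PfxPath -Password $password | Out-Null
        Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password | Out-Null
    }
    finally {
        if (Test-Path $PfxPath) { Remove-Item $PfxPath -Force }
    }
}

$check = Test-M365DscAuthCertificate -Thumbprint $Thumbprint
$check | Select-Object Thumbprint, InLocalMachineStore, InCurrentUserStore, HasPrivateKey, NotExpired | Format-List

if (-not $check.InLocalMachineStore) {
    if ($check.InCurrentUserStore) {
        Write-Warning 'Certificate is only in Cert:\CurrentUser\My; the LCM runs as SYSTEM and cannot see it.'
        if ($Repair) {
            Move-CertificateToMachineStore -Certificate $check.UserCertificate -PfxPath $PfxPath
            Write-Host 'Imported into Cert:\LocalMachine\My; re-run this check, then Start-DscConfiguration.'
        }
    }
    else {
        Write-Warning 'Certificate not found in either store; check the thumbprint in the configuration data.'
    }
}
elseif (-not $check.HasPrivateKey) {
    Write-Warning 'Certificate is in the machine store without its private key; re-import the PFX including the key.'
}
elseif (-not $check.NotExpired) {
    Write-Warning 'Certificate has expired; issue a new one and update the app registration.'
}
```

`HasPrivateKey` being true means the store knows about a key, not that the SYSTEM account has been granted read access to it; a PFX imported into the machine store with `Import-PfxCertificate` normally gets an ACL SYSTEM can read, but a key copied in by other means may not, and that case shows up as the same "Unable to connect" symptom.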

@NikCharlebois (Collaborator)

Can you also share the config that contains the AADNamedLocationPolicy that fails? The one you shared only contains AADConditionalAccessPolicy instances. Thanks

@andikrueger (Collaborator)

@MinskyD86 any chance you could share the other configuration file?

@RobinDadswell

RobinDadswell commented Jul 26, 2023

> @MinskyD86 any chance you could share the other configuration file?

I am getting the same error, and it's the following block that is causing it (removing it allowed it to work perfectly).

```powershell
AADNamedLocationPolicy "AADNamedLocationPolicy-All Compliant Network locations"
{
    ApplicationId         = $ConfigurationData.NonNodeData.ApplicationId;
    CertificateThumbprint = $ConfigurationData.NonNodeData.CertificateThumbprint;
    DisplayName           = "All Compliant Network locations";
    Ensure                = "Present";
    Id                    = "3d46dbda-8382-466a-856d-eb00cbc6b910";
    IsTrusted             = $False;
    OdataType             = "#microsoft.graph.compliantNetworkNamedLocation";
    TenantId              = $OrganizationName;
}
```

This is something that MS have added recently, as it wasn't in my tenant previously, and it actually errors in the GUI when I try to read its properties.

@NikCharlebois (Collaborator)

Not sure how you managed to get the ODataType as 'compliantNetworkNamedLocation'; this is not supported. Are you able to confirm that this type is what you have on the tenant by running:

```powershell
Get-MgBetaIdentityConditionalAccessNamedLocation
```

@RobinDadswell

> Not sure how you managed to get the ODataType as 'compliantNetworkNamedLocation', this is not supported. Are you able to confirm that this type is what you have on the tenant by running:
>
> `Get-MgBetaIdentityConditionalAccessNamedLocation`

Hi @NikCharlebois

Just run it in my tenant and got the following:

[screenshot: output of Get-MgBetaIdentityConditionalAccessNamedLocation]

It's a new object that was automatically added to my Tenant.

Thanks

Robin

@NikCharlebois (Collaborator)

Ok, this is a Global Secure Preview item. Will look at adding this as part of this week's release. Thanks
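A way to see the situation Robin hit before it surfaces as a failed `Test-TargetResource`, as an added example that is not part of the thread or of the M365DSC module: inventory the tenant's named locations by their OData type, using the same `Get-MgBetaIdentityConditionalAccessNamedLocation` cmdlet Nik suggested, and flag any whose type the installed module version cannot yet import. The default flag list contains only `#microsoft.graph.compliantNetworkNamedLocation`, the type identified in this issue; extend it if other types turn out to be unsupported. It assumes the `Microsoft.Graph.Beta.Identity.SignIns` module is installed and that a `Connect-MgGraph` session with permission to read Conditional Access policy (assumed: `Policy.Read.All`) already exists.

```powershell
# Added example, not project code. Lists named locations grouped by OData type and flags the
# ones an older Microsoft365DSC resource cannot handle, so the operator knows before running
# Export-M365DSCConfiguration / Start-DscConfiguration whether such an object is present.
# Assumes an existing Connect-MgGraph session with read access to Conditional Access policy.
Import-Module Microsoft.Graph.Beta.Identity.SignIns -ErrorAction Stop

function Get-NamedLocationInventory {
    [CmdletBinding()]
    param(
        # OData types the installed module version does not import; the one from this issue by default.
        [string[]]$FlagTypes = @('#microsoft.graph.compliantNetworkNamedLocation')
    )

    # -All pages through the collection; the derived type is only exposed via AdditionalProperties.
    $locations = Get-MgBetaIdentityConditionalAccessNamedLocation -All

    foreach ($loc in $locations) {
        $odataType = $loc.AdditionalProperties['@odata.type']
        [pscustomobject]@{
            Id          = $loc.Id
            DisplayName = $loc.DisplayName
            OdataType   = $odataType
            IsTrusted   = $loc.AdditionalProperties['isTrusted']
            Flagged     = ($FlagTypes -contains $odataType)
        }
    }
}

function Show-NamedLocationReport {
    param([Parameter(Mandatory)][object[]]$Inventory)

    # Summary by type, then the full list so unusual types stand out next to the ordinary IP/country ones.
    $Inventory | Group-Object OdataType | Select-Object Name, Count | Format-Table -AutoSize
    $Inventory | Sort-Object OdataType, DisplayName | Format-Table Id, DisplayName, OdataType, IsTrusted, Flagged -AutoSize

    $flagged = @($Inventory | Where-Object Flagged)
    if ($flagged.Count -gt 0) {
        $names = ($flagged | ForEach-Object { "'$($_.DisplayName)' ($($_.OdataType))" }) -join ', '
        Write-Warning ("{0} named location(s) use an OData type the installed module version does not import: {1}. " +
                       "Update Microsoft365DSC or exclude them from the configuration before applying it.") -f $flagged.Count, $names
    }
    else {
        Write-Host 'All named locations use OData types the module imports.'
    }
    return $flagged
}

$inventory = Get-NamedLocationInventory
$flaggedLocations = Show-NamedLocationReport -Inventory $inventory
```

Running this after the module is updated to a version that includes the fix referenced above (#3679 / #3682) should report zero flagged entries for a tenant whose only unusual type is the compliant-network location; the `$flaggedLocations` result can be compared between runs to confirm that.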

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Sep 12, 2023