Get-M365DSCCompiledPermissionList with -AccessType Read returns Write permissions

[raandree]

Description of the issue

When calling

Get-M365DSCCompiledPermissionList -ResourceNameList (Get-M365DSCAllResources) -AccessType read -PermissionType Delegated

we get two permissions back that are not expected:

• Sites.FullControl.All
• Policy.ReadWrite.AuthenticationMethod

Is that expected?

Microsoft 365 DSC Version

1.24.313.1

Which workloads are affected

other

The DSC configuration

NA

Verbose logs showing the problem

NA

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

[andikrueger]

Thanks for raising this issue. The cmdLet will return some write permissions as they are required from the API side or are listed within the documentation of the cmdLets as requirement.

In your case with delegation you can assign read-only rights to the account used. This will still narrow down the access scope of the account.