Description of the issue
Multiple SC/Purview resources (SCRoleGroup, SCRoleGroupMember, SCRetentionComplianceRule, possibly others) report false drifts due to various error handling issues.
Root Cause
The issue occurs when the call sequence Test-TargetResource > Test-M365DSCTargetResource > Get-TargetResource encounters errors during execution.
The Get-TargetResource function effectively suppresses the error by logging it and returning $nullReturn with Ensure=Absent, instead of propagating it down the stack:
```powershell
catch
{
    New-M365DSCLogEntry -Message 'Error retrieving data:' `
        -Exception $_ `
        -Source $($MyInvocation.MyCommand.Source) `
        -TenantId $TenantId `
        -Credential $Credential
    return $nullReturn
}
```

Log entry:
```text
Error retrieving data:
{ A server side error has occurred because of which the operation could not be completed. Please try again after some time. If the problem still persists, please reach out to MS support. }
\ at Write-ErrorMessage<Process>, C:\Windows\SystemTemp\tmpEXO_hcpybxgx.ulx\tmpEXO_hcpybxgx.ulx.psm1: line 546
\ at CheckRetryAndHandleWaitTime<Process>, C:\Windows\SystemTemp\tmpEXO_hcpybxgx.ulx\tmpEXO_hcpybxgx.ulx.psm1: line 1191
\ at Execute-Command<Process>, C:\Windows\SystemTemp\tmpEXO_hcpybxgx.ulx\tmpEXO_hcpybxgx.ulx.psm1: line 1545
\ at script:Get-RoleGroup<Process>, C:\Windows\SystemTemp\tmpEXO_hcpybxgx.ulx\tmpEXO_hcpybxgx.ulx.psm1: line 9338
\ at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.910.2\DscResources\MSFT_SCRoleGroupMember\MSFT_SCRoleGroupMember.psm1: line 80
\ at Test-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.25.910.2\DscResources\MSFT_SCRoleGroupMember\MSFT_SCRoleGroupMember.psm1: line 315
TenantId: contoso.onmicrosoft.com
```
Even if the error were propagated, Test-M365DSCTargetResource would not be able to handle it. Instead, it receives the $nullReturn (with Ensure=Absent) and compares it against the desired configuration, incorrectly detecting drift and logging it to the event log (same issue as #6677):
```powershell
$CurrentValues = & MSFT_$ResourceName\Get-TargetResource @DesiredValues
$testTargetResource = Compare-M365DSCResourceState -ResourceName $ResourceName `
    -DesiredValues $DesiredValues `
    -CurrentValues $CurrentValues `
    -ExcludedProperties $ExcludedProperties `
    -IncludedProperties $IncludedProperties `
    -PostProcessing $PostProcessing `
    -PostProcessingArgs $PostProcessingArgs
if (-not $testTargetResource)
{
    $TenantName = Get-M365DSCTenantNameFromParameterSet -ParameterSet $DesiredValues
    Write-M365DSCDriftsToEventLog -Drifts $Global:AllDrifts `
        -ResourceName $ResourceName `
        -TenantName $TenantName `
        -CurrentValues $CurrentValues `
        -DesiredValues $DesiredValues
}
```

This triggers unnecessary drift remediation attempts. The module should handle failures properly by throwing non-terminating errors instead of returning values that are interpreted as resource absence.
Microsoft 365 DSC Version
1.25.910.2 (and later)
Which workloads are affected
Security & Compliance Center
The DSC configuration
Verbose logs showing the problem
| TimeStamp | MessageBody |
|---|---|
| 2025-10-28 21:41:09.219 | [LCM-M365DSC]: LCM: [ Start Resource ] [[SCRoleGroupMember]CommunicationComplianceAnalysts] |
| 2025-10-28 21:41:09.219 | [LCM-M365DSC]: LCM: [ Start Test ] [[SCRoleGroupMember]CommunicationComplianceAnalysts] |
| 2025-10-28 21:41:09.219 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Testing Role Group configuration for CommunicationComplianceAnalysts |
| 2025-10-28 21:41:09.219 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Getting Role Group configuration for CommunicationComplianceAnalysts |
| 2025-10-28 21:41:12.791 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Current Values: ApplicationId=*** CertificateThumbprint=*** Description=Analysts of communication compliance that can investigate policy matches, view messages meta data, and take remediation actions. Ensure=Absent Members=() Name=CommunicationComplianceAnalysts TenantId=*** Verbose=True |
| 2025-10-28 21:41:12.791 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Target Values: ApplicationId=*** CertificateThumbprint=*** Description=Analysts of communication compliance that can investigate policy matches, view messages meta data, and take remediation actions. Ensure=Present Members=() Name=CommunicationComplianceAnalysts TenantId=*** Verbose=True |
| 2025-10-28 21:41:12.791 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Test-TargetResource returned False |
| 2025-10-28 21:41:12.791 | [LCM-M365DSC]: LCM: [ End Test ] [[SCRoleGroupMember]CommunicationComplianceAnalysts] in 3.5960 seconds. |
| 2025-10-28 21:41:12.791 | [LCM-M365DSC]: LCM: [ Start Set ] [[SCRoleGroupMember]CommunicationComplianceAnalysts] |
| 2025-10-28 21:41:12.791 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Setting Role Group configuration for CommunicationComplianceAnalysts |
| 2025-10-28 21:41:12.791 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Getting Role Group configuration for CommunicationComplianceAnalysts |
| 2025-10-28 21:41:22.261 | [LCM-M365DSC]: [[SCRoleGroupMember]CommunicationComplianceAnalysts] Found Role Group CommunicationComplianceAnalysts |
| 2025-10-28 21:41:22.261 | [LCM-M365DSC]: LCM: [ End Set ] [[SCRoleGroupMember]CommunicationComplianceAnalysts] in 9.8140 seconds. |
| 2025-10-28 21:41:22.261 | [LCM-M365DSC]: LCM: [ End Resource ] [[SCRoleGroupMember]CommunicationComplianceAnalysts] |
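
The failure mode described under Root Cause, as an added PowerShell sketch that is not Microsoft365DSC code: a Get that rethrows on a retrieval error lets the caller tell "state unknown" apart from `Ensure=Absent`, so no drift is reported and Set is not run. All `*-Demo*` functions and the lookup script blocks are hypothetical stand-ins, and the caller is a simplified model rather than the LCM itself.

```powershell
# Added example. Every function name is a hypothetical stand-in, not Microsoft365DSC code.

# Get: only a lookup that succeeds and finds nothing maps to Ensure=Absent.
function Get-DemoTargetResource {
    param([string]$Name, [scriptblock]$Lookup)
    try {
        $group = & $Lookup $Name
    }
    catch {
        # Log for diagnostics, then rethrow instead of returning a null result.
        Write-Warning "Error retrieving data: $($_.Exception.Message)"
        throw
    }
    if ($null -eq $group) { return @{ Name = $Name; Ensure = 'Absent' } }
    return @{ Name = $Name; Ensure = 'Present' }
}

# Test: compares only when Get produced a real answer; a Get failure propagates.
function Test-DemoTargetResource {
    param([string]$Name, [string]$Ensure, [scriptblock]$Lookup)
    $current = Get-DemoTargetResource -Name $Name -Lookup $Lookup
    return ($current.Ensure -eq $Ensure)
}

# Simplified caller: runs Set only when Test returned $false, never when Test failed.
function Invoke-DemoResource {
    param([string]$Name, [scriptblock]$Lookup)
    try {
        $inDesiredState = Test-DemoTargetResource -Name $Name -Ensure 'Present' -Lookup $Lookup
    }
    catch {
        return 'TestFailed: state unknown, Set skipped'
    }
    if ($inDesiredState) { return 'InDesiredState' }
    return 'Drift: Set invoked'
}

# Constructed lookups simulating the three outcomes of the remote call.
$cases = [ordered]@{
    Found       = { param($n) @{ Name = $n } }
    NotFound    = { param($n) $null }
    ServerError = { param($n) throw 'A server side error has occurred (simulated)' }
}
foreach ($case in $cases.GetEnumerator()) {
    '{0,-11} -> {1}' -f $case.Key, (Invoke-DemoResource -Name 'CommunicationComplianceAnalysts' -Lookup $case.Value)
}
```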