Description of the issue
The AADSecurityDefaults resource intermittently reports false positive drift when encountering errors during Test-TargetResource operations.
Root Cause
Similar to issue #6677, the resource lacks proper error handling. The resource must not log drift when experiencing an error during Test operations.
Problem
When Microsoft Graph API returns errors (such as Internal Server Error), the resource returns a non-terminating error (expected) while incorrectly reporting configuration drift.
Expected Behavior
The resource should handle errors gracefully without reporting configuration drift when the actual state cannot be determined.
Impact
- False positive drift detection
- Errors logged to ETW Microsoft-Windows-DSC/Operational channel
Microsoft 365 DSC Version
1.25.1203.2
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
Verbose logs showing the problem
<M365DSCEvent>
<ConfigurationDrift Source="MSFT_AADSecurityDefaults" TenantId="contoso.onmicrosoft.com" LCMState="ConsistencyCheck">
<ParametersNotInDesiredState>
<Param Name="IsEnabled">
<CurrentValue></CurrentValue>
<DesiredValue>False</DesiredValue>
</Param>
<Param Name="Description">
<CurrentValue></CurrentValue>
<DesiredValue>Security defaults is a set of basic identity security mechanisms recommended by Microsoft. When enabled, these recommendations will be automatically enforced in your organization. Administrators and users will be better protected from common identity related attacks.</DesiredValue>
</Param>
<Param Name="DisplayName">
<CurrentValue></CurrentValue>
<DesiredValue>Security Defaults</DesiredValue>
</Param>
</ParametersNotInDesiredState>
</ConfigurationDrift>
<DesiredValues>
<Param Name ="Description">Security defaults is a set of basic identity security mechanisms recommended by Microsoft. When enabled, these recommendations will be automatically enforced in your organization. Administrators and users will be better protected from common identity related attacks.</Param>
<Param Name ="DisplayName">Security Defaults</Param>
<Param Name ="IsEnabled">False</Param>
<!-- Redacted -->
</DesiredValues>
<CurrentValues>
<Param Name ="Description">$null</Param>
<Param Name ="DisplayName">$null</Param>
<Param Name ="IsEnabled">$null</Param>
<!-- Redacted -->
</CurrentValues>
</M365DSCEvent>

============================ HTTP RESPONSE ============================
Status Code:
InternalServerError
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : REDACTED
client-request-id : REDACTED
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"001","RoleInstance":"MW2PEPF00012EF6"}}
Cache-Control : no-cache
Date : Fri, 05 Dec 2025 18:08:52 GMT
Body:
{
"error": {
"code": "Internal Server Error",
"message": "There was an internal server error while processing the request. Error ID: REDACTED",
"innerError": {
"date": "2025-12-05T18:08:52",
"request-id": "REDACTED",
"client-request-id": "REDACTED"
}
}
}
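
A triage heuristic for drift events like the one above, as an added example that is not part of the issue or of Microsoft365DSC: it flags an event as indeterminate when every parameter reported as drifted has no current value at all. The function name and the trimmed sample are constructed here, and a flagged event is a prompt to look for a Graph error at the same timestamp, not proof of a false positive.

```powershell
# Added example, not Microsoft365DSC code. The function name is hypothetical.
# Heuristic: a drift event is "indeterminate" when every parameter it reports as
# drifted has an empty <CurrentValue> and a literal $null entry in <CurrentValues>.
function Test-DriftEventIndeterminate {
    [OutputType([bool])]
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = [xml]$EventXml
    # Index <CurrentValues> by parameter name. Parameters that are not reported
    # as drifted (for example the redacted ones) are never consulted.
    $currentByName = @{}
    foreach ($p in $doc.SelectNodes('/M365DSCEvent/CurrentValues/Param')) {
        $currentByName[$p.GetAttribute('Name')] = $p.InnerText.Trim()
    }

    $xpath = '/M365DSCEvent/ConfigurationDrift/ParametersNotInDesiredState/Param'
    $drifted = @($doc.SelectNodes($xpath))
    if ($drifted.Count -eq 0) { return $false }

    foreach ($p in $drifted) {
        $name = $p.GetAttribute('Name')
        $cv = $p.SelectSingleNode('CurrentValue')
        $hasValue = ($null -ne $cv) -and -not [string]::IsNullOrWhiteSpace($cv.InnerText)
        # A real value in either place means state was read: treat as genuine drift.
        if ($hasValue -or $currentByName[$name] -ne '$null') { return $false }
    }
    return $true
}

# Constructed sample, trimmed from the event shown in this issue.
$sample = @'
<M365DSCEvent>
<ConfigurationDrift Source="MSFT_AADSecurityDefaults" TenantId="contoso.onmicrosoft.com" LCMState="ConsistencyCheck">
<ParametersNotInDesiredState>
<Param Name="IsEnabled"><CurrentValue></CurrentValue><DesiredValue>False</DesiredValue></Param>
<Param Name="DisplayName"><CurrentValue></CurrentValue><DesiredValue>Security Defaults</DesiredValue></Param>
</ParametersNotInDesiredState>
</ConfigurationDrift>
<DesiredValues><Param Name ="DisplayName">Security Defaults</Param><Param Name ="IsEnabled">False</Param></DesiredValues>
<CurrentValues><Param Name ="DisplayName">$null</Param><Param Name ="IsEnabled">$null</Param></CurrentValues>
</M365DSCEvent>
'@

if (Test-DriftEventIndeterminate -EventXml $sample) {
    'Indeterminate: correlate with Graph errors before treating as drift.'
}
```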