Merge pull request #5358 from kasaxena5/M365DataAtRestEncryptionPolic…

…yAssignment

M365 data at rest encryption policy assignment

CHANGELOG.md

@@ -142,7 +142,9 @@
   * Fixes an issue with limited results when more than 25 results are present.
 * Intune workload
   * Fixed missing permissions in settings.json
-* M365DataAtRestEncryptionPolicy
+* EXODataAtRestEncryptionPolicyAssignment
+  * Initial release.
+* EXODataAtRestEncryptionPolicy
   * Initial release.
 * M365DSCRuleEvaluation
   * Changed the name of the Key property from ResourceName to ResourceTypeName.

Modules/Microsoft365DSC/DSCResources/MSFT_M365DataAtRestEncryptionPolicy/MSFT_M365DataAtRestEncryptionPolicy.schema.mof → Modules/Microsoft365DSC/DSCResources/MSFT_EXODataAtRestEncryptionPolicy/MSFT_EXODataAtRestEncryptionPolicy.schema.mof

@@ -1,5 +1,5 @@
-[ClassVersion("1.0.0.0"), FriendlyName("M365DataAtRestEncryptionPolicy")]
-class MSFT_M365DataAtRestEncryptionPolicy : OMI_BaseResource
+[ClassVersion("1.0.0.0"), FriendlyName("EXODataAtRestEncryptionPolicy")]
+class MSFT_EXODataAtRestEncryptionPolicy : OMI_BaseResource
 {
     [Key, Description("The Identity parameter specifies the data-at-rest encryption policy that you want to modify.")] String Identity;
     [Write, Description("The Name parameter specifies a unique name for the Microsoft 365 data-at-rest encryption policy.")] String Name;

Modules/Microsoft365DSC/DSCResources/MSFT_M365DataAtRestEncryptionPolicy/readme.md → Modules/Microsoft365DSC/DSCResources/MSFT_EXODataAtRestEncryptionPolicy/readme.md

@@ -1,4 +1,4 @@
-# EXOM365DataAtRestEncryptionPolicy
+# EXODataAtRestEncryptionPolicy
 
 ## Description
 

Modules/Microsoft365DSC/DSCResources/MSFT_M365DataAtRestEncryptionPolicy/settings.json → Modules/Microsoft365DSC/DSCResources/MSFT_EXODataAtRestEncryptionPolicy/settings.json

@@ -1,5 +1,5 @@
 {
-    "resourceName": "M365DataAtRestEncryptionPolicy",
+    "resourceName": "EXODataAtRestEncryptionPolicy",
     "description": "Microsoft 365 data-at-rest encryption policy for multi-workload usage.",
     "roles": {
         "read": [

Modules/Microsoft365DSC/DSCResources/MSFT_EXODataAtRestEncryptionPolicyAssignment/MSFT_EXODataAtRestEncryptionPolicyAssignment.psm1

@@ -0,0 +1,316 @@
+function Get-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Collections.Hashtable])]
+    param
+    (
+        [Parameter()]
+        [System.String]
+        $DataEncryptionPolicy,
+
+        [Parameter(Mandatory = $true)]
+        [System.String]
+        $IsSingleInstance,
+
+        [Parameter()]
+        [System.Management.Automation.PSCredential]
+        $Credential,
+
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint,
+
+        [Parameter()]
+        [Switch]
+        $ManagedIdentity,
+
+        [Parameter()]
+        [System.String[]]
+        $AccessTokens
+    )
+
+    New-M365DSCConnection -Workload 'ExchangeOnline' `
+        -InboundParameters $PSBoundParameters | Out-Null
+
+    Confirm-M365DSCDependencies
+
+    $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+    $CommandName = $MyInvocation.MyCommand
+    $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+        -CommandName $CommandName `
+        -Parameters $PSBoundParameters
+    Add-M365DSCTelemetryEvent -Data $data
+
+    $nullResult = $PSBoundParameters
+    try
+    {
+        $instance = Get-M365DataAtRestEncryptionPolicyAssignment -ErrorAction Stop
+        if ($null -eq $instance)
+        {
+            throw 'Could not retrieve the M365DataAtRestEncryption Policy Assignment.'
+        }
+
+        $results = @{
+            DataEncryptionPolicy   = [System.String]$instance.Name
+            IsSingleInstance       = 'Yes'
+            Credential             = $Credential
+            ApplicationId          = $ApplicationId
+            TenantId               = $TenantId
+            CertificateThumbprint  = $CertificateThumbprint
+            ManagedIdentity        = $ManagedIdentity.IsPresent
+            AccessTokens           = $AccessTokens
+        }
+        return [System.Collections.Hashtable] $results
+    }
+    catch
+    {
+        New-M365DSCLogEntry -Message 'Error retrieving data:' `
+            -Exception $_ `
+            -Source $($MyInvocation.MyCommand.Source) `
+            -TenantId $TenantId `
+            -Credential $Credential
+
+        return $nullResult
+    }
+}
+
+function Set-TargetResource
+{
+    [CmdletBinding()]
+    param
+    (
+        [Parameter()]
+        [System.String]
+        $DataEncryptionPolicy,
+
+        [Parameter(Mandatory = $true)]
+        [System.String]
+        $IsSingleInstance,
+
+        [Parameter()]
+        [System.Management.Automation.PSCredential]
+        $Credential,
+
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint,
+
+        [Parameter()]
+        [Switch]
+        $ManagedIdentity,
+
+        [Parameter()]
+        [System.String[]]
+        $AccessTokens
+    )
+
+    #Ensure the proper dependencies are installed in the current environment.
+    Confirm-M365DSCDependencies
+
+    #region Telemetry
+    $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+    $CommandName = $MyInvocation.MyCommand
+    $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+        -CommandName $CommandName `
+        -Parameters $PSBoundParameters
+    Add-M365DSCTelemetryEvent -Data $data
+    #endregion
+
+    $currentInstance = Get-TargetResource @PSBoundParameters
+
+    $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+    $setParameters.Remove('IsSingleInstance') | Out-Null
+    Set-M365DataAtRestEncryptionPolicyAssignment @SetParameters
+}
+
+function Test-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Boolean])]
+    param
+    (
+        [Parameter()]
+        [System.String]
+        $DataEncryptionPolicy,
+
+        [Parameter(Mandatory = $true)]
+        [System.String]
+        $IsSingleInstance,
+
+        [Parameter()]
+        [System.Management.Automation.PSCredential]
+        $Credential,
+
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint,
+
+        [Parameter()]
+        [Switch]
+        $ManagedIdentity,
+
+        [Parameter()]
+        [System.String[]]
+        $AccessTokens
+    )
+
+    #Ensure the proper dependencies are installed in the current environment.
+    Confirm-M365DSCDependencies
+
+    #region Telemetry
+    $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+    $CommandName = $MyInvocation.MyCommand
+    $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+        -CommandName $CommandName `
+        -Parameters $PSBoundParameters
+    Add-M365DSCTelemetryEvent -Data $data
+    #endregion
+
+    $CurrentValues = Get-TargetResource @PSBoundParameters
+    $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
+
+    Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+    Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+    $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+        -Source $($MyInvocation.MyCommand.Source) `
+        -DesiredValues $PSBoundParameters `
+        -ValuesToCheck $ValuesToCheck.Keys
+
+    Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+    return $testResult
+}
+
+function Export-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.String])]
+    param
+    (
+        [Parameter()]
+        [System.Management.Automation.PSCredential]
+        $Credential,
+
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.Management.Automation.PSCredential]
+        $ApplicationSecret,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint,
+
+        [Parameter()]
+        [Switch]
+        $ManagedIdentity,
+
+        [Parameter()]
+        [System.String[]]
+        $AccessTokens
+    )
+
+    $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' `
+        -InboundParameters $PSBoundParameters
+
+    Confirm-M365DSCDependencies
+
+    #region Telemetry
+    $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+    $CommandName = $MyInvocation.MyCommand
+    $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+        -CommandName $CommandName `
+        -Parameters $PSBoundParameters
+    Add-M365DSCTelemetryEvent -Data $data
+    #endregion
+
+    try
+    {
+        $Script:ExportMode = $true
+        [array] $Script:exportedInstances = Get-M365DataAtRestEncryptionPolicyAssignment -ErrorAction Stop
+
+        $i = 1
+        $dscContent = ''
+        if ($Script:exportedInstances.Length -eq 0)
+        {
+            Write-Host $Global:M365DSCEmojiGreenCheckMark
+        }
+        else
+        {
+            Write-Host "`r`n" -NoNewline
+        }
+        foreach ($config in $Script:exportedInstances)
+        {
+            $displayedKey = 'Data Encryption Policy Assignment'
+            Write-Host "    |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
+            $params = @{
+                IsSingleInstance      = 'Yes'
+                Credential            = $Credential
+                ApplicationId         = $ApplicationId
+                TenantId              = $TenantId
+                CertificateThumbprint = $CertificateThumbprint
+                ManagedIdentity       = $ManagedIdentity.IsPresent
+                AccessTokens          = $AccessTokens
+            }
+
+            $Results = Get-TargetResource @Params
+            $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+                -Results $Results
+
+            $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+                -ConnectionMode $ConnectionMode `
+                -ModulePath $PSScriptRoot `
+                -Results $Results `
+                -Credential $Credential
+            $dscContent += $currentDSCBlock
+            Save-M365DSCPartialExport -Content $currentDSCBlock `
+                -FileName $Global:PartialExportFileName
+            $i++
+            Write-Host $Global:M365DSCEmojiGreenCheckMark
+        }
+        return $dscContent
+    }
+    catch
+    {
+        Write-Host $Global:M365DSCEmojiRedX
+
+        New-M365DSCLogEntry -Message 'Error during Export:' `
+            -Exception $_ `
+            -Source $($MyInvocation.MyCommand.Source) `
+            -TenantId $TenantId `
+            -Credential $Credential
+
+        return ''
+    }
+}

Modules/Microsoft365DSC/DSCResources/MSFT_EXODataAtRestEncryptionPolicyAssignment/MSFT_EXODataAtRestEncryptionPolicyAssignment.schema.mof

@@ -0,0 +1,12 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXODataAtRestEncryptionPolicyAssignment")]
+class MSFT_EXODataAtRestEncryptionPolicyAssignment : OMI_BaseResource
+{
+    [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
+    [Write, Description("The DataEncryptionPolicy parameter specifies the Microsoft 365 data-at-rest encryption policy.")] String DataEncryptionPolicy;
+    [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+    [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+    [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+    [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+    [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+    [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};

Modules/Microsoft365DSC/DSCResources/MSFT_EXODataAtRestEncryptionPolicyAssignment/readme.md

@@ -0,0 +1,5 @@
+# EXODataAtRestEncryptionPolicyAssignment
+
+## Description
+
+Use the Set-M365DataAtRestEncryptionPolicyAssignment cmdlet to assign a Microsoft 365 data-at-rest encryption policy at the tenant level.

Modules/Microsoft365DSC/DSCResources/MSFT_EXODataAtRestEncryptionPolicyAssignment/settings.json

@@ -0,0 +1,30 @@
+{
+    "resourceName": "EXODataAtRestEncryptionPolicyAssignment",
+    "description": "Use the Set-M365DataAtRestEncryptionPolicyAssignment cmdlet to assign a Microsoft 365 data-at-rest encryption policy at the tenant level.",
+    "roles": {
+        "read": [
+            "Global Reader"
+        ],
+        "update": [
+            "Exchange Administrator"
+        ]
+    },
+    "permissions": {
+        "graph": {
+            "delegated": {
+                "read": [],
+                "update": []
+            },
+            "application": {
+                "read": [],
+                "update": []
+            }
+        },
+        "exchange": {
+            "requiredroles": [
+                "Compliance Admin"
+            ],
+            "requiredrolegroups": "Organization Management"
+        }
+    }
+}