From 30755ceecb9aa4cc45cea45cc1cf0acc862dc2cb Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Mon, 20 Nov 2023 10:35:26 +0100 Subject: [PATCH 01/70] Always include 'ExcludeApplication' AADConditionalAccessPolicy: ExcludeApplications are not enforced #3885 --- .../MSFT_AADConditionalAccessPolicy.psm1 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 0a0904a285..a3c4b5420f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -941,10 +941,7 @@ function Set-TargetResource { $conditions.Applications.Add('IncludeApplications', $IncludeApplications) } - if ($ExcludeApplications) - { - $conditions.Applications.Add('ExcludeApplications', $ExcludeApplications) - } + $conditions.Applications.Add('ExcludeApplications', $ExcludeApplications) if ($IncludeUserActions) { $conditions.Applications.Add('IncludeUserActions', $IncludeUserActions) From f23e02258c02108a48d4a6a20403a63f4a9e0747 Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Mon, 20 Nov 2023 10:38:18 +0100 Subject: [PATCH 02/70] Add fix to Changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74bdc00ea9..ffcb1f3dac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ * AADServicePrincipal * Added support to define members. FIXES [#3902](https://github.com/microsoft/Microsoft365DSC/issues/3902) +* AADConditionalAccessPolicy + * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] * EXOCASMailboxPlan * Fixes an issue where we are not able to set the settings of a CAS Mailbox Plan by specifying the Identity without the GUID in the name. From aaa6e985d9ef16d0a0617fd9e3390003cc1d7c48 Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Wed, 22 Nov 2023 15:35:03 +0100 Subject: [PATCH 03/70] Add condition to check attribute presence --- .../MSFT_AADConditionalAccessPolicy.psm1 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index a3c4b5420f..9475a7e067 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -941,7 +941,10 @@ function Set-TargetResource { $conditions.Applications.Add('IncludeApplications', $IncludeApplications) } - $conditions.Applications.Add('ExcludeApplications', $ExcludeApplications) + if ($currentParameters.ContainsKey("ExcludeApplications")) + { + $conditions.Applications.Add('ExcludeApplications', $ExcludeApplications) + } if ($IncludeUserActions) { $conditions.Applications.Add('IncludeUserActions', $IncludeUserActions) From 4ad1c3a0ae5174bdf44c1fa965a5f076a8040504 Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Tue, 28 Nov 2023 13:02:17 +0100 Subject: [PATCH 04/70] Add Fix to Changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6bc5d0e166..2ba9353277 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ # Change log for Microsoft365DSC # UNRELEASED +* AADConditionalAccessPolicy + * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] * AADRoleSetting * Export sorted by DisplayName for better comparison * Enable Filter property to be used on export From 1758b9f7f7ed94ff8e8a121f3a7ee317decc5e03 Mon Sep 17 00:00:00 2001 From: Sandro <104500912+sandrola@users.noreply.github.com> Date: Fri, 8 Dec 2023 08:41:43 +0100 Subject: [PATCH 05/70] remove duplicate entry --- CHANGELOG.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ba9353277..fdf7893da6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,8 +29,6 @@ * AADServicePrincipal * Added support to define members. FIXES [#3902](https://github.com/microsoft/Microsoft365DSC/issues/3902) -* AADConditionalAccessPolicy - * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] * EXOCASMailboxPlan * Fixes an issue where we are not able to set the settings of a CAS Mailbox Plan by specifying the Identity without the GUID in the name. From 50d687caa4529f06f5876c1048fd17914a3966d1 Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Thu, 21 Dec 2023 08:58:11 +0100 Subject: [PATCH 06/70] Update Changelog --- CHANGELOG.md | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 113 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fdf7893da6..cc8e66b4a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,127 @@ # Change log for Microsoft365DSC -# UNRELEASED +# 1.23.1220.1 * AADConditionalAccessPolicy * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] +* AADEntitlementManagementAccessPackage + * Retrieve catalog by name instead of id. +* IntuneDeviceAndAppManagementAssignmentFilter + * Add support for remaining platforms supported by this policy + FIXES [#4065](https://github.com/microsoft/Microsoft365DSC/issues/4065) +* IntuneDeviceConfigurationCustomPolicyWindows10 + * Add support to decrypt encrypted OmaSettings and export them in plaintext + FIXES [#3655](https://github.com/microsoft/Microsoft365DSC/issues/3655) +* IntuneDeviceEnrollmentPlatformRestriction + * Fix Set-TargetResource due to an issue were the bodyparameter not cast correctly + FIXES [#3730](https://github.com/microsoft/Microsoft365DSC/issues/3730) +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Fix issue when trying to remove policy and Identity is set to a random GUID + or from another tenant + FIXES [#4041](https://github.com/microsoft/Microsoft365DSC/issues/4041) +* IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled + * Added Assignments + FIXES [#2932](https://github.com/microsoft/Microsoft365DSC/issues/2932) +* SCAutoSensitivieyLabelPolicy + FIXES [#4036] Don't see any limits on our docs for priority +* M365DSCDRGUtil + * Fix empty BaseUrl since MSCloudLoginAssistant removed Intune workload + FIXES [#4057](https://github.com/microsoft/Microsoft365DSC/issues/4057) +* DEPENDENCIES + * Updated MSCloudLoginAssistant to version 1.1.4. + +# 1.23.1213.1 + +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Fix issue with assignments + FIXES [#3904](https://github.com/microsoft/Microsoft365DSC/issues/3904) +* IntuneAntivirusPolicyWindows10SettingCatalog + * Fix issue with Set-TargetResource when retrieving a policy from displayName + FIXES [#4003](https://github.com/microsoft/Microsoft365DSC/issues/4003) +* IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10 + * Fix parameter name in assignment cmdlet + FIXES [#4007](https://github.com/microsoft/Microsoft365DSC/issues/4007) +* DEPENDENCIES + * Updated Microsoft.Graph to version 2.11.1. + * Updated MSCloudLoginAssistant to version 1.1.3. + +# 1.23.1206.1 + +* IntuneAntivirusPolicyWindows10SettingCatalog + * Fix condition in Test-TargetResource to check if resource was removed or not + FIXES [#3958](https://github.com/microsoft/Microsoft365DSC/issues/3958) +* IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10 + * Fix typo in assignment cmdlet + FIXES [#3996](https://github.com/microsoft/Microsoft365DSC/issues/3996) +* DEPENDENCIES + * Updated MSCloudLoginAssistant to version 1.1.2. +* MISC + * Fix Compare-M365DSCConfigurations to exclude resources correctly + FIXES [#4000](https://github.com/microsoft/Microsoft365DSC/issues/4000) + +# 1.23.1129.1 + * AADRoleSetting * Export sorted by DisplayName for better comparison * Enable Filter property to be used on export FIXES [#3919](https://github.com/microsoft/Microsoft365DSC/issues/3919) +* AADUser + * Added the MemberOf Property. +* IntuneAntivirusPolicyWindows10SettingCatalog + * Skipped settingValueTemplateReference and settingInstanceTemplateReference + for severethreats, highseveritythreats, moderateseveritythreats, + lowseveritythreats as per API requirements observed in the Intune portal. + FIXES [#3818](https://github.com/microsoft/Microsoft365DSC/issues/3818) + FIXES [#3955](https://github.com/microsoft/Microsoft365DSC/issues/3955) +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy, + IntuneAccountProtectionLocalUserGroupMembershipPolicy, + IntuneAccountProtectionPolicy, + * Fixes export if Assignments is set on existing policies + FIXES [3913](https://github.com/microsoft/Microsoft365DSC/issues/3913) + * Add groupDisplayName to Assignments embedded instance +* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, + IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, + IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, + IntuneDeviceConfigurationEndpointProtectionPolicyWindows10, + IntuneDeviceEnrollmentStatusPageWindows10, + IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, + IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Removed Id and all authentication parameters from PSBoundParameters in Test-TargetResource + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) +* IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) +* IntuneDeviceEnrollmentStatusPageWindows10 + * Fixed assignments using API call + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) +* IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) +* IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) +* IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10 + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment +* IntuneDeviceConfigurationPolicyWindows10 + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) +* IntuneDeviceEnrollmentStatusPageWindows10 + * Fixed assignments using API call + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) +* TeamsMessagingPolicy + * Added support for properties AllowCommunicationComplianceEndUserReporting, + AllowFluidCollaborate and AllowSecurityEndUserReporting. + FIXES [#3968](https://github.com/microsoft/Microsoft365DSC/issues/3968) +* TeamsTeam + * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] + FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) * DEPENDENCIES + * Updated DSCParser to version 1.4.0.1. * Updated Microsoft.Graph to version 2.10.0. * Updated MSCloudLoginAssistant to version 1.1.0. +* MISC + * M365DSCDRGUtil + * Added ConvertFrom-IntunePolicyAssignment and ConvertTo-IntunePolicyAssignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + * Support for Multi-Tenancy (Credentials + TenantId). # 1.23.1122.1 From c8d03cf5b3071d8a8bfa32493084bf132e1fd192 Mon Sep 17 00:00:00 2001 From: mario Date: Wed, 27 Dec 2023 14:42:21 +0100 Subject: [PATCH 07/70] Ignore SendAs permissions during export --- CHANGELOG.md | 5 +++++ .../MSFT_EXOMailboxPermission/MSFT_EXOMailboxPermission.psm1 | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70a49f2e9e..0096e436a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED +* EXOMailboxPermission + * Ignore SendAs permissions during export + FIXES [#3942](https://github.com/microsoft/Microsoft365DSC/issues/3942) + # 1.23.1220.1 * AADEntitlementManagementAccessPackage diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxPermission/MSFT_EXOMailboxPermission.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxPermission/MSFT_EXOMailboxPermission.psm1 index 7b145cd1c5..f0d26bcf6f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxPermission/MSFT_EXOMailboxPermission.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxPermission/MSFT_EXOMailboxPermission.psm1 @@ -425,7 +425,7 @@ function Export-TargetResource Write-Host " |---[$j/$($permissions.Count)] $($permission.Identity)" -NoNewline $Params = @{ Identity = $mailbox.UserPrincipalName - AccessRights = [Array]$permission.AccessRights.Replace(' ','').Split(',') + AccessRights = [Array]$permission.AccessRights.Replace(' ','').Replace('SendAs,','').Split(',') # ignore SendAs permissions since they are not supported by *-MailboxPermission cmdlets InheritanceType = $permission.InheritanceType User = $permission.User Credential = $Credential From 708ca9bda6681602b9226ac5e4325decd718373d Mon Sep 17 00:00:00 2001 From: Raimund Andree Date: Fri, 29 Dec 2023 23:14:23 +0100 Subject: [PATCH 08/70] Added support for Custom Attributes and Extension Custom Attributes --- .../MSFT_EXOMailContact.psm1 | 309 ++++++++++++++++-- .../MSFT_EXOMailContact.schema.mof | 21 ++ .../EXOMailContact/1-NewMailContact.ps1 | 32 +- 3 files changed, 321 insertions(+), 41 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 index 6681f5f6fb..b02976181f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 @@ -70,6 +70,86 @@ function Get-TargetResource [System.Boolean] $UsePreferMessageFormat, + [Parameter()] + [System.String] + $CustomAttribute1, + + [Parameter()] + [System.String] + $CustomAttribute2, + + [Parameter()] + [System.String] + $CustomAttribute3, + + [Parameter()] + [System.String] + $CustomAttribute4, + + [Parameter()] + [System.String] + $CustomAttribute5, + + [Parameter()] + [System.String] + $CustomAttribute6, + + [Parameter()] + [System.String] + $CustomAttribute7, + + [Parameter()] + [System.String] + $CustomAttribute8, + + [Parameter()] + [System.String] + $CustomAttribute9, + + [Parameter()] + [System.String] + $CustomAttribute10, + + [Parameter()] + [System.String] + $CustomAttribute11, + + [Parameter()] + [System.String] + $CustomAttribute12, + + [Parameter()] + [System.String] + $CustomAttribute13, + + [Parameter()] + [System.String] + $CustomAttribute14, + + [Parameter()] + [System.String] + $CustomAttribute15, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute1, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute2, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute3, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute4, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute5, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -135,7 +215,7 @@ function Get-TargetResource try { - $contact = Get-MailContact -Identity $Name -ErrorAction Continue + $contact = Get-MailContact -Identity $Name -ErrorAction SilentlyContinue if ($null -eq $contact) { @@ -170,6 +250,21 @@ function Get-TargetResource TenantId = $TenantId } + foreach ($i in (1..15)) + { + if ($contact."CustomAttribute$i") + { + $result."CustomAttribute$i" = $contact."CustomAttribute$i" + } + } + foreach ($i in (1..5)) + { + if ($contact."ExtensionCustomAttribute$i") + { + $result."ExtensionCustomAttribute$i" = $contact."ExtensionCustomAttribute$i" + } + } + Write-Verbose -Message "Found Mail Contact $($Name)" Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" return $result @@ -258,6 +353,86 @@ function Set-TargetResource [System.Boolean] $UsePreferMessageFormat, + [Parameter()] + [System.String] + $CustomAttribute1, + + [Parameter()] + [System.String] + $CustomAttribute2, + + [Parameter()] + [System.String] + $CustomAttribute3, + + [Parameter()] + [System.String] + $CustomAttribute4, + + [Parameter()] + [System.String] + $CustomAttribute5, + + [Parameter()] + [System.String] + $CustomAttribute6, + + [Parameter()] + [System.String] + $CustomAttribute7, + + [Parameter()] + [System.String] + $CustomAttribute8, + + [Parameter()] + [System.String] + $CustomAttribute9, + + [Parameter()] + [System.String] + $CustomAttribute10, + + [Parameter()] + [System.String] + $CustomAttribute11, + + [Parameter()] + [System.String] + $CustomAttribute12, + + [Parameter()] + [System.String] + $CustomAttribute13, + + [Parameter()] + [System.String] + $CustomAttribute14, + + [Parameter()] + [System.String] + $CustomAttribute15, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute1, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute2, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute3, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute4, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute5, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -320,21 +495,24 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $setParameters = $PSBoundParameters - $setParameters.Remove('Credential') | Out-Null - $setParameters.Remove('ApplicationId') | Out-Null - $setParameters.Remove('TenantId') | Out-Null - $setParameters.Remove('CertificateThumbprint') | Out-Null - $setParameters.Remove('CertificatePath') | Out-Null - $setParameters.Remove('CertificatePassword') | Out-Null - $setParameters.Remove('ManagedIdentity') | Out-Null - $setParameters.Remove('Ensure') | Out-Null - # Mail Contact doesn't exist but it should if ($Ensure -eq 'Present' -and $currentContact.Ensure -eq 'Absent') { + $parameters = Sync-Parameter -Command (Get-Command -Name New-MailContact) -Parameters $PSBoundParameters Write-Verbose -Message "The Mail Contact '$($Name)' does not exist but it should. Creating Mail Contact." - New-MailContact @setParameters + + try + { + New-MailContact @parameters -ErrorAction Stop + + $parameters = Sync-Parameter -Command (Get-Command -Name Set-MailContact) -Parameters $PSBoundParameters + $parameters.Identity = $Name + Set-MailContact @parameters -ErrorAction Stop + } + catch + { + Write-Error -ErrorRecord $_ + } } # Mail Contact exists but shouldn't elseif ($Ensure -eq 'Absent' -and $currentContact.Ensure -eq 'Present') @@ -345,10 +523,10 @@ function Set-TargetResource elseif ($Ensure -eq 'Present' -and $currentContact.Ensure -eq 'Present') { Write-Verbose -Message "Mail Contact '$($Name)' already exists. Updating settings" - Write-Verbose -Message "Updating Mail Contact '$($Name)' with values: $(Convert-M365DscHashtableToString -Hashtable $setParameters)" - $setParameters.Add('Identity', $Name) - $setParameters.Remove('OrganizationalUnit') | Out-Null - Set-MailContact @setParameters + $parameters = Sync-Parameter -Command (Get-Command -Name Set-MailContact) -Parameters $PSBoundParameters + Write-Verbose -Message "Updating Mail Contact '$($Name)' with values: $(Convert-M365DscHashtableToString -Hashtable $parameters)" + $parameters.Identity = $Name + Set-MailContact @parameters } } @@ -424,6 +602,86 @@ function Test-TargetResource [System.Boolean] $UsePreferMessageFormat, + [Parameter()] + [System.String] + $CustomAttribute1, + + [Parameter()] + [System.String] + $CustomAttribute2, + + [Parameter()] + [System.String] + $CustomAttribute3, + + [Parameter()] + [System.String] + $CustomAttribute4, + + [Parameter()] + [System.String] + $CustomAttribute5, + + [Parameter()] + [System.String] + $CustomAttribute6, + + [Parameter()] + [System.String] + $CustomAttribute7, + + [Parameter()] + [System.String] + $CustomAttribute8, + + [Parameter()] + [System.String] + $CustomAttribute9, + + [Parameter()] + [System.String] + $CustomAttribute10, + + [Parameter()] + [System.String] + $CustomAttribute11, + + [Parameter()] + [System.String] + $CustomAttribute12, + + [Parameter()] + [System.String] + $CustomAttribute13, + + [Parameter()] + [System.String] + $CustomAttribute14, + + [Parameter()] + [System.String] + $CustomAttribute15, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute1, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute2, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute3, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute4, + + [Parameter()] + [System.String[]] + $ExtensionCustomAttribute5, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -477,15 +735,14 @@ function Test-TargetResource Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" $ValuesToCheck = $PSBoundParameters - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('CertificateThumbprint') | Out-Null - $ValuesToCheck.Remove('CertificatePath') | Out-Null - $ValuesToCheck.Remove('CertificatePassword') | Out-Null - $ValuesToCheck.Remove('ManagedIdentity') | Out-Null - - $ValuesToCheck.Remove('OrganizationalUnit') | Out-Null + [void]$ValuesToCheck.Remove('Credential') + [void]$ValuesToCheck.Remove('ApplicationId') + [void]$ValuesToCheck.Remove('TenantId') + [void]$ValuesToCheck.Remove('CertificateThumbprint') + [void]$ValuesToCheck.Remove('CertificatePath') + [void]$ValuesToCheck.Remove('CertificatePassword') + [void]$ValuesToCheck.Remove('ManagedIdentity') + [void]$ValuesToCheck.Remove('OrganizationalUnit') $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` @@ -581,7 +838,7 @@ function Export-TargetResource -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential - $dscContent.Append($currentDSCBlock) | Out-Null + [void]$dscContent.Append($currentDSCBlock) Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof index 6cd8241225..79a6fd9656 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof @@ -16,6 +16,27 @@ class MSFT_EXOMailContact : OMI_BaseResource [Write, Description("The OrganizationalUnit parameter specifies the location in Active Directory where the new contact is created.")] String OrganizationalUnit; [Write, Description("The SendModerationNotifications parameter specifies when moderation notification messages are sent. Valid values are: ALways, Internal, Never"), ValueMap{"Always","Internal","Never"}, Values{"Always","Internal","Never"}] String SendModerationNotifications; [Write, Description("The UsePreferMessageFormat specifies whether the message format settings configured for the mail user or mail contact override the global settings configured for the remote domain or configured by the message sender")] Boolean UsePreferMessageFormat; + [Write, Description("The CustomAttribute1 parameter specifies the value of the CustomAttribute1")] String CustomAttribute1; + [Write, Description("The CustomAttribute2 parameter specifies the value of the CustomAttribute2")] String CustomAttribute2; + [Write, Description("The CustomAttribute3 parameter specifies the value of the CustomAttribute3")] String CustomAttribute3; + [Write, Description("The CustomAttribute4 parameter specifies the value of the CustomAttribute4")] String CustomAttribute4; + [Write, Description("The CustomAttribute5 parameter specifies the value of the CustomAttribute5")] String CustomAttribute5; + [Write, Description("The CustomAttribute6 parameter specifies the value of the CustomAttribute6")] String CustomAttribute6; + [Write, Description("The CustomAttribute7 parameter specifies the value of the CustomAttribute7")] String CustomAttribute7; + [Write, Description("The CustomAttribute8 parameter specifies the value of the CustomAttribute8")] String CustomAttribute8; + [Write, Description("The CustomAttribute9 parameter specifies the value of the CustomAttribute9")] String CustomAttribute9; + [Write, Description("The CustomAttribute10 parameter specifies the value of the CustomAttribute10")] String CustomAttribute10; + [Write, Description("The CustomAttribute11 parameter specifies the value of the CustomAttribute11")] String CustomAttribute11; + [Write, Description("The CustomAttribute12 parameter specifies the value of the CustomAttribute12")] String CustomAttribute12; + [Write, Description("The CustomAttribute13 parameter specifies the value of the CustomAttribute13")] String CustomAttribute13; + [Write, Description("The CustomAttribute14 parameter specifies the value of the CustomAttribute14")] String CustomAttribute14; + [Write, Description("The CustomAttribute15 parameter specifies the value of the CustomAttribute15")] String CustomAttribute15; + [Write, Description("The CustomAttribute15 parameter specifies the value of the CustomAttribute15")] String CustomAttribute15; + [Write, Description("The ExtensionCustomAttribute1 parameter specifies the value of the ExtensionCustomAttribute1")] String ExtensionCustomAttribute1[]; + [Write, Description("The ExtensionCustomAttribute2 parameter specifies the value of the ExtensionCustomAttribute2")] String ExtensionCustomAttribute2[]; + [Write, Description("The ExtensionCustomAttribute3 parameter specifies the value of the ExtensionCustomAttribute3")] String ExtensionCustomAttribute3[]; + [Write, Description("The ExtensionCustomAttribute4 parameter specifies the value of the ExtensionCustomAttribute4")] String ExtensionCustomAttribute4[]; + [Write, Description("The ExtensionCustomAttribute5 parameter specifies the value of the ExtensionCustomAttribute5")] String ExtensionCustomAttribute5[]; [Write, Description("Specifies if this Contact should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the Exchange Global Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 index 12aa54841b..1451a92692 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 @@ -8,7 +8,7 @@ Configuration Example param( [Parameter(Mandatory = $true)] [PSCredential] - $credsCredential + $Credential ) Import-DscResource -ModuleName Microsoft365DSC @@ -16,20 +16,22 @@ Configuration Example { EXOMailContact 'TestMailContact' { - Alias = "TestMailContact"; - Credential = $Credscredential; - DisplayName = "My Test Contact"; - Ensure = "Present"; - ExternalEmailAddress = "SMTP:test@tailspintoys.com"; - MacAttachmentFormat = "BinHex"; - MessageBodyFormat = "TextAndHtml"; - MessageFormat = "Mime"; - ModeratedBy = @(); - ModerationEnabled = $False; - Name = "My Test Contact"; - OrganizationalUnit = "nampr03a010.prod.outlook.com/Microsoft Exchange Hosted Organizations/$OrganizationName"; - SendModerationNotifications = "Always"; - UsePreferMessageFormat = $True; + Alias = 'TestMailContact' + Credential = $Credential + DisplayName = 'My Test Contact' + Ensure = 'Present' + ExternalEmailAddress = 'SMTP:test@tailspintoys.com' + MacAttachmentFormat = 'BinHex' + MessageBodyFormat = 'TextAndHtml' + MessageFormat = 'Mime' + ModeratedBy = @() + ModerationEnabled = $false + Name = 'My Test Contact' + OrganizationalUnit = "nampr03a010.prod.outlook.com/Microsoft Exchange Hosted Organizations/$OrganizationName" + SendModerationNotifications = 'Always' + UsePreferMessageFormat = $true + CustomAttribute1 = 'Custom Value 1' + ExtensionCustomAttribute5 = 'Extension Custom Value 1', 'Extension Custom Value 2' } } } From 03d8a00944c84320adf57ab1b7a9d0cb39ab037c Mon Sep 17 00:00:00 2001 From: Raimund Andree Date: Fri, 29 Dec 2023 23:16:19 +0100 Subject: [PATCH 09/70] Add Sync-Parameter function to M365DSCUtil module --- .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 121 +++++++++++++++++- 1 file changed, 120 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 08eb7511fd..585c018320 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -4331,6 +4331,124 @@ function Get-M365DSCConfigurationConflict return $results } +<# + .Description + This function returns a hashtable with aligned to the parameter pattern of the given cmdlet. + + .Example + $param = @{ + Path = 'C:\Test' + DoesNotExist = '123' + } + Sync-Parameter -Command (Get-Command -Name Get-ChildItem) -Parameters $param + + .Functionality + Private +#> +function Sync-Parameter +{ + [Cmdletbinding()] + param ( + [Parameter(Mandatory = $true)] + [ValidateScript( { + $_ -is [System.Management.Automation.FunctionInfo] -or $_ -is [System.Management.Automation.CmdletInfo] -or $_ -is [System.Management.Automation.ExternalScriptInfo] + })] + [object]$Command, + + [hashtable]$Parameters, + + [switch]$ConvertValue + ) + + if (-not $PSBoundParameters.ContainsKey('Parameters')) + { + $Parameters = ([hashtable]$ALBoundParameters).Clone() + } + else + { + $Parameters = ([hashtable]$Parameters).Clone() + } + + $commonParameters = [System.Management.Automation.Internal.CommonParameters].GetProperties().Name + $commandParameterKeys = $Command.Parameters.Keys.GetEnumerator() | ForEach-Object { $_ } + $parameterKeys = $Parameters.Keys.GetEnumerator() | ForEach-Object { $_ } + + $keysToRemove = Compare-Object -ReferenceObject $commandParameterKeys -DifferenceObject $parameterKeys | + Select-Object -ExpandProperty InputObject + + $keysToRemove = $keysToRemove + $commonParameters | Select-Object -Unique #remove the common parameters + + foreach ($key in $keysToRemove) + { + $Parameters.Remove($key) + } + + if ($ConvertValue.IsPresent) + { + $keysToUpdate = @{} + foreach ($kvp in $Parameters.GetEnumerator()) + { + if (-not $kvp.Value) # $null or empty string will not trip up conversion + { + continue + } + + $targetType = $Command.Parameters[$kvp.Key].ParameterType + $sourceType = $kvp.Value.GetType() + $targetValue = $kvp.Value -as $targetType + + if (-not $targetValue -and $targetType.ImplementedInterfaces -contains [Collections.IList]) + { + $targetValue = $targetType::new() + foreach ($v in $kvp.Value) + { + $targetValue.Add($v) + } + } + + if (-not $targetValue -and $targetType.ImplementedInterfaces -contains [Collections.IDictionary] ) + { + $targetValue = $targetType::new() + foreach ($k in $kvp.Value.GetEnumerator()) + { + $targetValue.Add($k.Key, $k.Value) + } + } + + if (-not $targetValue -and ($sourceType.ImplementedInterfaces -contains [Collections.IList] -and $targetType.ImplementedInterfaces -notcontains [Collections.IList])) + { + Write-Verbose -Message "Value of source parameter $($kvp.Key) is a collection, but target parameter is not. Selecting first object" + $targetValue = $kvp.Value | Select-Object -First 1 + } + + if (-not $targetValue) + { + Write-Error -Message "Conversion of source parameter $($kvp.Key) (Type: $($sourceType.FullName)) to type $($targetType.FullName) was impossible" + return + } + + $keysToUpdate[$kvp.Key] = $targetValue + } + } + + if ($keysToUpdate) + { + foreach ($kvp in $keysToUpdate.GetEnumerator()) + { + $Parameters[$kvp.Key] = $kvp.Value + } + } + + if ($PSBoundParameters.ContainsKey('Parameters')) + { + $Parameters + } + else + { + $global:ALBoundParameters = $Parameters + } +} + Export-ModuleMember -Function @( 'Assert-M365DSCBlueprint', 'Confirm-ImportedCmdletIsAvailable', @@ -4373,5 +4491,6 @@ Export-ModuleMember -Function @( 'Update-M365DSCDependencies', 'Update-M365DSCExportAuthenticationResults', 'Update-M365DSCModule', - 'Write-M365DSCLogEvent' + 'Write-M365DSCLogEvent', + 'Sync-Parameter' ) From 371a66e95c9f9aae0eab6c89e7cda734f3350ea9 Mon Sep 17 00:00:00 2001 From: Raimund Andree Date: Sat, 30 Dec 2023 13:56:01 +0100 Subject: [PATCH 10/70] Removed duplicate entry --- .../MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof | 1 - 1 file changed, 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof index 79a6fd9656..f5eefa0f76 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.schema.mof @@ -31,7 +31,6 @@ class MSFT_EXOMailContact : OMI_BaseResource [Write, Description("The CustomAttribute13 parameter specifies the value of the CustomAttribute13")] String CustomAttribute13; [Write, Description("The CustomAttribute14 parameter specifies the value of the CustomAttribute14")] String CustomAttribute14; [Write, Description("The CustomAttribute15 parameter specifies the value of the CustomAttribute15")] String CustomAttribute15; - [Write, Description("The CustomAttribute15 parameter specifies the value of the CustomAttribute15")] String CustomAttribute15; [Write, Description("The ExtensionCustomAttribute1 parameter specifies the value of the ExtensionCustomAttribute1")] String ExtensionCustomAttribute1[]; [Write, Description("The ExtensionCustomAttribute2 parameter specifies the value of the ExtensionCustomAttribute2")] String ExtensionCustomAttribute2[]; [Write, Description("The ExtensionCustomAttribute3 parameter specifies the value of the ExtensionCustomAttribute3")] String ExtensionCustomAttribute3[]; From cba30b9932a373cf279bb615ad0adf6cfba4701b Mon Sep 17 00:00:00 2001 From: Raimund Andree Date: Sat, 30 Dec 2023 14:17:45 +0100 Subject: [PATCH 11/70] Trying to fix build error --- .../Examples/Resources/EXOMailContact/1-NewMailContact.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 index 1451a92692..74c7a2ac87 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailContact/1-NewMailContact.ps1 @@ -8,7 +8,7 @@ Configuration Example param( [Parameter(Mandatory = $true)] [PSCredential] - $Credential + $Credscredential ) Import-DscResource -ModuleName Microsoft365DSC @@ -17,7 +17,7 @@ Configuration Example EXOMailContact 'TestMailContact' { Alias = 'TestMailContact' - Credential = $Credential + Credential = $Credscredential DisplayName = 'My Test Contact' Ensure = 'Present' ExternalEmailAddress = 'SMTP:test@tailspintoys.com' From 7539b8e67210e2d8d6ac64be3ca044e284e01873 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 1 Jan 2024 22:04:23 +0000 Subject: [PATCH 12/70] Fix workaround added on PR#4099 --- CHANGELOG.md | 7 +++++++ .../MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6941317806..f19ba2c9f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneDeviceConfigurationPolicyMacOS + * Fix workaround added on PR #4099 in order to be able to use this resource + for deployments + FIXES [#4105](https://github.com/microsoft/Microsoft365DSC/issues/4105) + # 1.23.1227.1 * EXOAntiPhishPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 index fb518d0651..f4f03de1d7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 @@ -771,7 +771,7 @@ function Set-TargetResource if ($UpdateDelayPolicy.Count -gt 0) { - $UpdateDelayPolicy = $UpdateDelayPolicy -join ',' + $PSBoundParameters.UpdateDelayPolicy = $UpdateDelayPolicy -join ',' } if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') From ee7f63fc44568913871036a44435d33bd37790f2 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Tue, 2 Jan 2024 09:03:48 +0100 Subject: [PATCH 13/70] Initial commit --- .../MSFT_AADGroupOwnerConsentSettings.psm1 | 538 ++++++++++++++++++ ...FT_AADGroupOwnerConsentSettings.schema.mof | 16 + .../readme.md | 6 + .../settings.json | 45 ++ ...1-AADGroupOwnerConsentSettings-Example.ps1 | 28 + ...2-AADGroupOwnerConsentSettings-Example.ps1 | 26 + ...DSC.AADGroupOwnerConsentSettings.Tests.ps1 | 312 ++++++++++ 7 files changed, 971 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 new file mode 100644 index 0000000000..cf3f14bbbb --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 @@ -0,0 +1,538 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [validateset('Yes')] + [System.String]$IsSingleInstance, + + [Parameter()] + [System.Boolean]$EnableGroupSpecificConsent, + + [Parameter()] + [System.Boolean]$BlockUserConsentForRiskyApps, + + [Parameter()] + [System.Boolean]$EnableAdminConsentRequests, + + [Parameter()] + [system.string]$ConstrainGroupSpecificConsentToMembersOfGroupName, + + [Parameter()] + [System.String] + [ValidateSet('Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId + write-verbose "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" + $templateSettings = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId + + $getValue = Get-MgGroupSetting -GroupSettingId $consentPolicySettingsTemplateId -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Group Consent Settings with Id {$($settings.Id)}" + + if (-Not [string]::IsNullOrEmpty($templateSettings.DisplayName)) + { + $getValue = Get-MgGroupSetting -Filter "DisplayName eq '$($templateSettings.DisplayName)'" -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "UNEXPECTED: Could not find an Azure AD Group Consent Settings with DisplayName {$($templateSettings.DisplayName)}" + + # insert default values from template + $nullresult.EnableGroupSpecificConsent = $templateSettings.Values.Where({$_.Name -eq 'EnableGroupSpecificConsent' }).DefaultValue + $nullresult.BlockUserConsentForRiskyApps = $templateSettings.Values.Where({$_.Name -eq 'BlockUserConsentForRiskyApps'}).DefaultValue + $nullresult.EnableAdminConsentRequests = $templateSettings.Values.Where({$_.Name -eq 'EnableAdminConsentRequests' }).DefaultValue + $nullresult.ConstrainGroupSpecificConsentToMembersOfGroupName = $null + return $nullResult + } + $Id = $getValue.Id + + Write-Verbose -Message "An Azure AD Group Consent Settings with Id {$Id} and DisplayName {$($settings.DisplayName)} was found." + + # translate returned Values array to hashtable + $getValue.Values | ForEach-Object -Begin {$groupSettingsValues = @{}} -Process {$groupSettingsValues.($_.Name) = $_.Value} + + if ($groupSettingsValues.EnableGroupSpecificConsent -eq $true -and -not [string]::IsNullOrEmpty($groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId)) + { + write-verbose -message "Get-TargetResource: Get Group for ConstrainGroupSpecificConsentToMembersOfGroupId=$($groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId)" + $constrainConsentToGroupName = Get-MgGroup -GroupId $groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId | Select-Object -ExpandProperty DisplayName + write-verbose -message "Group DisplayName='$constrainConsentToGroupName'" + } + else + { + write-verbose -message 'Get-TargetResource: ConstrainGroupSpecificConsentToMembersOfGroupId=$null' + $constrainConsentToGroupName = $null + } + + $results = @{ + IsSingleInstance = 'Yes' + EnableGroupSpecificConsent = $groupSettingsValues.EnableGroupSpecificConsent + BlockUserConsentForRiskyApps = $groupSettingsValues.BlockUserConsentForRiskyApps + EnableAdminConsentRequests = $groupSettingsValues.EnableAdminConsentRequests + ConstrainGroupSpecificConsentToMembersOfGroupName = $constrainConsentToGroupName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [validateset('Yes')] + [system.string]$IsSingleInstance, + + [Parameter()] + [System.Boolean]$EnableGroupSpecificConsent, + + [Parameter()] + [System.Boolean]$BlockUserConsentForRiskyApps, + + [Parameter()] + [System.Boolean]$EnableAdminConsentRequests, + + [Parameter()] + [system.string]$ConstrainGroupSpecificConsentToMembersOfGroupName, + + [Parameter()] + [System.String] + [ValidateSet('Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + write-verbose "Retrieve Group Settings Template" + $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId + $templateSettings = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present') + { + Write-Verbose -Message "Creating an Azure AD Group Consent Setting - common code" + $valuesParam = @() + + # build array of values - if specified in Set-TargetResource, that value is included otherwise the existing value is used + + if ($PSBoundParameters.ContainsKey('EnableGroupSpecificConsent')) + { + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableGroupSpecificConsent'; Value=$EnableGroupSpecificConsent}) + } + else + { + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableGroupSpecificConsent'; Value=$currentInstance.EnableGroupSpecificConsent}) + } + + if ($PSBoundParameters.ContainsKey('BlockUserConsentForRiskyApps')) + { + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='BlockUserConsentForRiskyApps'; Value=$BlockUserConsentForRiskyApps}) + } + else + { + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='BlockUserConsentForRiskyApps'; Value=$currentInstance.BlockUserConsentForRiskyApps}) + } + + if ($PSBoundParameters.ContainsKey('EnableAdminConsentRequests')) + { + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableAdminConsentRequests'; Value=$EnableAdminConsentRequests}) + } + else + { + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableAdminConsentRequests'; Value=$currentInstance.EnableAdminConsentRequests}) + } + + if ($EnableGroupSpecificConsent -and -not [string]::IsNullOrEmpty($ConstrainGroupSpecificConsentToMembersOfGroupName)) + { + $constrainConsentGroupObj = Get-MgGroup -Filter "DisplayName eq '$ConstrainGroupSpecificConsentToMembersOfGroupName'" + if ($null -eq $constrainConsentGroupObj -or $constrainConsentGroupObj.securityEnabled -ne $true) + { + $message = "ConstrainGroupSpecificConsentToMembersOfGroupName '$ConstrainGroupSpecificConsentToMembersOfGroupName' does not exist or is not a security group" + Add-M365DscEvent -Message $message ` + -Source $($MyInvocation.MyCommand.Source) ` + -EntryType Error ` + -EventId 2 ` + -EventType Error ` + -TenantId $TenantId + + throw $message + } + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId'; Value=$constrainConsentGroupObj.Id}) + } + else + { + $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId'; Value=$null}) + } + + + $BodyParam = @{ + DisplayName = $templateSettings.DisplayName + Values = $valuesParam + } + + if ($currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "UNEXPECTED: *Creating* the Azure AD Group Consent Setting" + $BodyParam.Add('TemplateId', $templateSettings.Id) + $policy = New-MgGroupSetting @BodyParam + } + elseif ($currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Group Consent Settings" + $BodyParam.Add('GroupSettingId', $templateSettings.Id) + + Update-MgGroupSetting @BodyParam + } + } + else + { + if ($currentInstance.Ensure -eq 'Present') + { + Remove-MgGroupSetting -GroupSettingId $templateSettings.Id + } + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [validateset('Yes')] + [system.string]$IsSingleInstance, + + [Parameter()] + [System.Boolean]$EnableGroupSpecificConsent, + + [Parameter()] + [System.Boolean]$BlockUserConsentForRiskyApps, + + [Parameter()] + [System.Boolean]$EnableAdminConsentRequests, + + [Parameter()] + [system.string]$ConstrainGroupSpecificConsentToMembersOfGroupName, + + [Parameter()] + [System.String] + [ValidateSet('Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Group Consent Settings with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.remove('Id') | Out-Null + $ValuesToCheck.Remove('Credential') | Out-Null + $ValuesToCheck.Remove('ApplicationId') | Out-Null + $ValuesToCheck.Remove('TenantId') | Out-Null + $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + + try + { + $currentDSCBlock = $null + + $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId + write-verbose "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" + $groupConsentSettingsTemplate = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId + + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity + } + $results = Get-TargetResource @params + + if ($results -is [System.Collections.Hashtable] -and $results.Count -gt 1) + { + Write-Host "`r`n" -NoNewline + Write-Host " |---[1/1] $($groupConsentSettingsTemplate.DisplayName)" -NoNewline + $results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $results + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $results ` + -Credential $Credential + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host $Global:M365DSCEmojiRedX + } + + return $currentDSCBlock + + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-MSConsentPolicySettingsTemplateId +{ +param() + + # fixed GUID + return 'dffd5d46-495d-40a9-8e21-954ff55e198a' +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof new file mode 100644 index 0000000000..ff5899f641 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof @@ -0,0 +1,16 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADGroupOwnerConsentSettings")] +class MSFT_AADGroupOwnerConsentSettings : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Flag indicating if groups owners are allowed to grant group specific permissions.")] Boolean EnableGroupSpecificConsent; + [Write, Description("Flag indicating if user consent will be blocked when a risky request is detected. Administrators will still be able to consent to apps considered risky.")] Boolean BlockUserConsentForRiskyApps; + [Write, Description("Flag indicating if users will be able to request admin consent when they are unable to grant consent to an app themselves.")] Boolean EnableAdminConsentRequests; + [Write, Description("If EnableGroupSpecificConsent is set to “True” and this is set to a security group name, members (both direct and transitive) of the group identified will be authorized to grant group-specific permissions to the groups they own.")] String ConstrainGroupSpecificConsentToMembersOfGroupName; + [Write, Description("Specify if the Azure AD Group Consent Settings should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md new file mode 100644 index 0000000000..c600e94280 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md @@ -0,0 +1,6 @@ + +# AADGroupConsentPolicySettings + +## Description + +Azure AD Group Consent Settings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json new file mode 100644 index 0000000000..a6181c60be --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json @@ -0,0 +1,45 @@ +{ + "resourceName": "AADGroupConsentSettings", + "description": "This resource configures an Azure AD Group Consent Settings.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Directory.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "Directory.ReadWrite.All" + }, + { + "name": "Policy.ReadWrite.Authorization" + } + ] + }, + "application": { + "read": [ + { + "name": "Directory.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "Directory.ReadWrite.All" + }, + { + "name": "Policy.ReadWrite.Authorization" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 new file mode 100644 index 0000000000..fc3348620f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 @@ -0,0 +1,28 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADGroupOwnerConsentSettings 'Example' + { + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $false + BlockUserConsentForRiskyApps = $true + EnableAdminConsentRequests = $false + ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + Ensure = 'Present' + Credential = $Credscredential + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 new file mode 100644 index 0000000000..867199f2d5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 @@ -0,0 +1,26 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADGroupOwnerConsentSettings 'Example' + { + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $true # prerequisite for specifying a constraining group + ConstrainGroupSpecificConsentToMembersOfGroupName = 'Group-Vetted-GroupOwners' + Ensure = 'Present' + Credential = $Credscredential + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 new file mode 100644 index 0000000000..813b9d6922 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 @@ -0,0 +1,312 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADGroupOwnerConsentSettings" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString "f@kepassword1" -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Get-MgGroupSettingTemplateGroupSettingTemplate -MockWith { + } + + Mock -CommandName Get-MgGroupSettingTemplateGroupSettingTemplate -ParameterFilter {$GroupSettingTemplateId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { + return @{ + DisplayName = 'Consent Policy Settings' + Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' + Values = @( + [pscustomobject]@{Name='EnableGroupSpecificConsent';DefaultValue=$null}, + [pscustomobject]@{Name='BlockUserConsentForRiskyApps';DefaultValue=$true}, + [pscustomobject]@{Name='EnableAdminConsentRequests';DefaultValue=$false}, + [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';DefaultValue=$null} + ) + } + } + + Mock -CommandName Get-MgGroupSetting -MockWith { + } + + Mock -CommandName Get-MgGroup -MockWith { + } + + Mock -CommandName Update-MgGroupSetting -MockWith { + } + + Mock -CommandName New-MgGroupSetting -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + #Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + } + # Test contexts + Context -Name "The AADGroupOwnerConsentSettings should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $false + BlockUserConsentForRiskyApps = $true + EnableAdminConsentRequests = $false + ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroupSetting -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgGroupSetting -Exactly 1 + } + } + + Context -Name "The AADGroupOwnerConsentSettings Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $false + BlockUserConsentForRiskyApps = $true + EnableAdminConsentRequests = $false + ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { + return @{ + DisplayName = 'Consent Policy Settings' + Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' + Values = @( + [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$false}, + [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, + [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, + [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value=$null} + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADGroupOwnerConsentSettings Exists with a constrain-group and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $true + BlockUserConsentForRiskyApps = $true + EnableAdminConsentRequests = $false + ConstrainGroupSpecificConsentToMembersOfGroupName = 'Fake Group' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + Ensure = "Present" + Credential = $Credential; + } + Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { + return @{ + DisplayName = 'Consent Policy Settings' + Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' + Values = @( + [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, + [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, + [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, + [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} + ) + } + } + + Mock -CommandName Get-MgGroup -Mockwith { + return [pscustomobject]@{ + DisplayName = 'Fake Group' + Id = '111-111111-1111-1111-111111' + SecurityEnabled = $true + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADGroupOwnerConsentSettings Exists and Values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $false + BlockUserConsentForRiskyApps = $true + EnableAdminConsentRequests = $true + ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { + return @{ + DisplayName = 'Consent Policy Settings' + Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' + Values = @( + [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$false}, + [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, + [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, + [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value=$null} + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Update the GroupSetting from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgGroupSetting -Exactly 1 + } + } + + Context -Name "The AADGroupOwnerConsentSettings Exists with a constrain-group and Values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $true + BlockUserConsentForRiskyApps = $true + EnableAdminConsentRequests = $false + ConstrainGroupSpecificConsentToMembersOfGroupName = 'Another Fake Group' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { + return @{ + DisplayName = 'Consent Policy Settings' + Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' + Values = @( + [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, + [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, + [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, + [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} + ) + } + } + + Mock -CommandName Get-MgGroup -ParameterFilter {$GroupId -eq '111-111111-1111-1111-111111'} -Mockwith { + return [pscustomobject]@{ + DisplayName = 'Fake Group' + Id = '111-111111-1111-1111-111111' + SecurityEnabled = $true + } + } + <# + Mock -CommandName Get-MgGroup -ParameterFilter {$Filter -eq "DisplayName eq 'Fake Group'"} -Mockwith { + return [pscustomobject]@{ + DisplayName = 'Fake Group' + Id = '111-111111-1111-1111-111111' + SecurityEnabled = $true + } + } + #> + Mock -CommandName Get-MgGroup -ParameterFilter {$Filter -eq "DisplayName eq 'Another Fake Group'"} -Mockwith { + return [pscustomobject]@{ + DisplayName = 'Another Fake Group' + Id = '222-111111-2222-2222-111111' + SecurityEnabled = $true + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName Get-MgGroupSetting -Exactly 1 + Should -Invoke -CommandName Get-MgGroup -Exactly 1 + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Update the GroupSetting from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Get-MgGroup -Exactly 2 # 1st for Get-TargetResource (pre-existing value), 2nd for Set-TargetResource (new value) + Should -Invoke -CommandName Update-MgGroupSetting -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { + return @{ + DisplayName = 'Consent Policy Settings' + Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' + Values = @( + [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, + [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, + [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, + [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} + ) + } + } + Mock -CommandName Get-MgGroup -ParameterFilter {$GroupId -eq '111-111111-1111-1111-111111'} -MockWith { + return [pscustomobject]@{ + Id = '111-111111-1111-1111-111111' + DisplayName = 'Fake Export Group' + SecurityEnabled = $true + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + Should -Invoke -CommandName Get-MgGroupSetting -Exactly 1 + Should -Invoke -CommandName Get-MgGroup -Exactly 1 + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 1f9cbb30016bf951016cf8fdf13007534e7d597c Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Wed, 3 Jan 2024 08:31:14 +0100 Subject: [PATCH 14/70] fixed example --- .../1-AADGroupOwnerConsentSettings-Example.ps1 | 0 .../2-AADGroupOwnerConsentSettings-Example.ps1 | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename Modules/Microsoft365DSC/Examples/{ => Resources}/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 (100%) rename Modules/Microsoft365DSC/Examples/{ => Resources}/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 (100%) diff --git a/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 similarity index 100% rename from Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 rename to Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 diff --git a/Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 similarity index 100% rename from Modules/Microsoft365DSC/Examples/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 rename to Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 From e98e6c6d82c94de128f3dfa5e03390f20b0b29a8 Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Wed, 3 Jan 2024 17:05:23 +0100 Subject: [PATCH 15/70] Move to unreleased ChangeLog --- CHANGELOG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0340e050c7..bef0360463 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Change log for Microsoft365DSC +# UNRELEASED +* AADConditionalAccessPolicy + * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] + # 1.24.103.1 * AADConditionalAccessPolicy @@ -70,8 +74,6 @@ FIXES [#4021](https://github.com/microsoft/Microsoft365DSC/issues/4021) # 1.23.1220.1 -* AADConditionalAccessPolicy - * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] * AADEntitlementManagementAccessPackage * Retrieve catalog by name instead of id. * IntuneDeviceAndAppManagementAssignmentFilter From cd34ddfdf5d1cb3f6e87942f7c067499f05245b9 Mon Sep 17 00:00:00 2001 From: Yorick Kuijs Date: Wed, 3 Jan 2024 17:17:45 +0100 Subject: [PATCH 16/70] Setup Unreleased section --- CHANGELOG.md | 2 ++ Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9ed2a94b1..bed56fca1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Change log for Microsoft365DSC +# Unreleased + # 1.24.103.1 * AADConditionalAccessPolicy diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index d243a51528..ffe31fa83a 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -26,7 +26,7 @@ CompanyName = 'Microsoft Corporation' # Copyright statement for this module - Copyright = '(c) 2023 Microsoft Corporation. All rights reserved.' + Copyright = '(c) 2024 Microsoft Corporation. All rights reserved.' # Description of the functionality provided by this module Description = 'This DSC module is used to configure and monitor Microsoft tenants, including SharePoint Online, Exchange, Teams, etc.' From b03410f526b63a41cbb2dd5d03d15cc002788c16 Mon Sep 17 00:00:00 2001 From: Raimund Andree Date: Wed, 3 Jan 2024 18:11:38 +0100 Subject: [PATCH 17/70] Making 'Sync-Parameter' compatible with Pester Mocks --- Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 585c018320..6d59be27b4 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -4351,7 +4351,10 @@ function Sync-Parameter param ( [Parameter(Mandatory = $true)] [ValidateScript( { - $_ -is [System.Management.Automation.FunctionInfo] -or $_ -is [System.Management.Automation.CmdletInfo] -or $_ -is [System.Management.Automation.ExternalScriptInfo] + $_ -is [System.Management.Automation.FunctionInfo] -or + $_ -is [System.Management.Automation.CmdletInfo] -or + $_ -is [System.Management.Automation.ExternalScriptInfo] -or + $_ -is [System.Management.Automation.AliasInfo] })] [object]$Command, @@ -4369,6 +4372,15 @@ function Sync-Parameter $Parameters = ([hashtable]$Parameters).Clone() } + if ($Command -is [System.Management.Automation.AliasInfo]) + { + $command = & (Get-Module -Name $Command.Source) { + param([string]$Name) + + Get-Command -Name $Name + } $Command.Definition + } + $commonParameters = [System.Management.Automation.Internal.CommonParameters].GetProperties().Name $commandParameterKeys = $Command.Parameters.Keys.GetEnumerator() | ForEach-Object { $_ } $parameterKeys = $Parameters.Keys.GetEnumerator() | ForEach-Object { $_ } From 4455ddd003b6033d1ccef25d6f9af35b923a76db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marius=20D=C3=A4pp?= Date: Thu, 4 Jan 2024 10:42:57 +0100 Subject: [PATCH 18/70] Fixes #3767: Remove Mandatory from param CurrentRules in Get-M365DSCVoiceNormalizationRulesDifference. To Load a empty Dial Plan. --- .../MSFT_TeamsTenantDialPlan/MSFT_TeamsTenantDialPlan.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantDialPlan/MSFT_TeamsTenantDialPlan.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantDialPlan/MSFT_TeamsTenantDialPlan.psm1 index d80da09a80..85f29ebd0b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantDialPlan/MSFT_TeamsTenantDialPlan.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantDialPlan/MSFT_TeamsTenantDialPlan.psm1 @@ -514,7 +514,7 @@ function Get-M365DSCVoiceNormalizationRulesDifference [OutputType([System.Collections.Hashtable])] param ( - [Parameter(Mandatory = $true)] + [Parameter()] [System.Object[]] $CurrentRules, From 31086a4685c43a2c5a75528f01eb808de471e2ad Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Thu, 4 Jan 2024 13:53:03 +0100 Subject: [PATCH 19/70] updated changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9ed2a94b1..e928937600 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# Unreleased + * AADGroupOwnerConsentSettings + * Initial release + Implements [#4112](https://github.com/microsoft/Microsoft365DSC/issues/4112) + # 1.24.103.1 * AADConditionalAccessPolicy From f04ce0dae4ff48c249e5b5c50e4cbd033000994f Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 4 Jan 2024 08:06:43 -0500 Subject: [PATCH 20/70] Fixes --- ...AADEntitlementManagementAccessPackage.psm1 | 11 +++--- ...nagementAccessPackageAssignmentPolicy.psm1 | 35 ++++++++++++++++--- ...tlementManagementAccessPackageCatalog.psm1 | 7 ++-- ...anagementAccessPackageCatalogResource.psm1 | 14 ++++++-- .../1-Create.ps1 | 15 ++------ .../2-Update.ps1 | 15 ++------ .../1-Create.ps1 | 4 +-- .../2-Update.ps1 | 4 +-- .../1-Create.ps1 | 11 +++--- .../2-Update.ps1 | 12 +++---- 10 files changed, 73 insertions(+), 55 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 index 844320d380..31088bcbd6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 @@ -104,10 +104,12 @@ function Get-TargetResource { $getValue = $null - #region resource generator code - $getValue = Get-MgBetaEntitlementManagementAccessPackage -AccessPackageId $id ` - -ExpandProperty "accessPackageResourceRoleScopes(`$expand=accessPackageResourceRole,accessPackageResourceScope)" ` - -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($id)) + { + $getValue = Get-MgBetaEntitlementManagementAccessPackage -AccessPackageId $id ` + -ExpandProperty "accessPackageResourceRoleScopes(`$expand=accessPackageResourceRole,accessPackageResourceScope)" ` + -ErrorAction SilentlyContinue + } if ($null -eq $getValue) { @@ -121,7 +123,6 @@ function Get-TargetResource -ErrorAction SilentlyContinue } } - #endregion if ($null -eq $getValue) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 index 030d514a65..1891bd8d98 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 @@ -103,10 +103,13 @@ function Get-TargetResource $nullResult.Ensure = 'Absent' $getValue = $null - $getValue = Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy ` - -AccessPackageAssignmentPolicyId $id ` - -ExpandProperty "customExtensionHandlers(`$expand=customExtension)" ` - -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($id)) + { + $getValue = Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy ` + -AccessPackageAssignmentPolicyId $id ` + -ExpandProperty "customExtensionHandlers(`$expand=customExtension)" ` + -ErrorAction SilentlyContinue + } if ($null -eq $getValue) { @@ -528,6 +531,30 @@ function Set-TargetResource } $CreateParameters.CustomExtensionHandlers = $formattedCustomExtensionHandlers } + + # Check to see if the AccessPackageId is in GUID form. If not, resolve it by name. + if (-not [System.String]::IsNullOrEmpty($AccessPackageId)) + { + $ObjectGuid = [System.Guid]::empty + $isGUID = [System.Guid]::TryParse($AccessPackageId, [System.Management.Automation.PSReference]$ObjectGuid) + if (-not $isGUID) + { + # Retrieve by name + Write-Verbose -Message "Retrieving Entitlement Management Access Package by Name {$AccessPackageId}" + $package = Get-MgBetaEntitlementManagementAccessPackage -Filter "displayName eq '$AccessPackageId'" + if ($null -ne $package) + { + $AccessPackageId = $package.Id + } + else + { + throw "Could not retrieve the Access Package using identifier {$AccessPackageId}" + } + } + $CreateParameters.AccessPackageId = $AccessPackageId + } + + Write-Verbose -Message "Creating with Values: $(Convert-M365DscHashtableToString -Hashtable $CreateParameters)" New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy ` -BodyParameter $CreateParameters } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalog/MSFT_AADEntitlementManagementAccessPackageCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalog/MSFT_AADEntitlementManagementAccessPackageCatalog.psm1 index fa526d7f61..0360b370d5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalog/MSFT_AADEntitlementManagementAccessPackageCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalog/MSFT_AADEntitlementManagementAccessPackageCatalog.psm1 @@ -88,8 +88,10 @@ function Get-TargetResource { $getValue = $null - #region resource generator code - $getValue = Get-MgBetaEntitlementManagementAccessPackageCatalog -AccessPackageCatalogId $id -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($id)) + { + $getValue = Get-MgBetaEntitlementManagementAccessPackageCatalog -AccessPackageCatalogId $id -ErrorAction SilentlyContinue + } if ($null -eq $getValue) { @@ -104,7 +106,6 @@ function Get-TargetResource } } } - #endregion if ($null -eq $getValue) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 index 6f69b42435..babae51cfc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 @@ -310,9 +310,18 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "Assigning resource {$DisplayName} to catalog {$CatalogId}" - $resource = ([Hashtable]$PSBoundParameters).clone() + $ObjectGuid = [System.Guid]::empty + if (-not [System.Guid]::TryParse($CatalogId, [System.Management.Automation.PSReference]$ObjectGuid)) + { + Write-Verbose -Message "Retrieving Catalog by Display Name" + $catalogInstance = Get-MgBetaEntitlementManagementAccessPackageCatalog -Filter "DisplayName eq '$($CatalogId)'" + if ($catalogInstance) + { + $CatalogId = $catalogInstance.Id + } + } + Write-Verbose -Message "Assigning resource {$DisplayName} to catalog {$CatalogId}" $resource.Remove('Id') | Out-Null $resource.Remove('CatalogId') | Out-Null @@ -346,6 +355,7 @@ function Set-TargetResource AccessPackageresource = $resource } #region resource generator code + Write-Verbose -Message "Creating with Values: $(Convert-M365DscHashtableToString -Hashtable $resourceRequest)" New-MgBetaEntitlementManagementAccessPackageResourceRequest @resourceRequest #endregion diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/1-Create.ps1 index a5b31cb592..6df36bd26b 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/1-Create.ps1 @@ -14,9 +14,9 @@ Configuration Example node localhost { - AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignmentPolicyWithAccessReviewsSettings" + AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignments" { - AccessPackageId = "5d05114c-b4d9-4ae7-bda6-4bade48e60f2"; + AccessPackageId = "Integration Package"; AccessReviewSettings = MSFT_MicrosoftGraphassignmentreviewsettings{ IsEnabled = $True StartDateTime = '12/17/2022 23:59:59' @@ -38,17 +38,6 @@ Configuration Example IsApprovalRequired = $False IsApprovalRequiredForExtension = $False }; - RequestorSettings = MSFT_MicrosoftGraphrequestorsettings{ - AllowedRequestors = @( - MSFT_MicrosoftGraphuserset{ - IsBackup = $False - Id = 'e27eb9b9-27c3-462d-8d65-3bcd763b0ed0' - odataType = '#microsoft.graph.connectedOrganizationMembers' - } - ) - AcceptRequests = $True - ScopeType = 'SpecificConnectedOrganizationSubjects' - }; Ensure = "Present" Credential = $Credscredential } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/2-Update.ps1 index 223ba9497a..00c8f28c52 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageAssignmentPolicy/2-Update.ps1 @@ -14,9 +14,9 @@ Configuration Example node localhost { - AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignmentPolicyWithAccessReviewsSettings" + AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignments" { - AccessPackageId = "5d05114c-b4d9-4ae7-bda6-4bade48e60f2"; + AccessPackageId = "Integration Package"; AccessReviewSettings = MSFT_MicrosoftGraphassignmentreviewsettings{ IsEnabled = $True StartDateTime = '12/17/2022 23:59:59' @@ -38,17 +38,6 @@ Configuration Example IsApprovalRequired = $False IsApprovalRequiredForExtension = $False }; - RequestorSettings = MSFT_MicrosoftGraphrequestorsettings{ - AllowedRequestors = @( - MSFT_MicrosoftGraphuserset{ - IsBackup = $False - Id = 'e27eb9b9-27c3-462d-8d65-3bcd763b0ed0' - odataType = '#microsoft.graph.connectedOrganizationMembers' - } - ) - AcceptRequests = $True - ScopeType = 'SpecificConnectedOrganizationSubjects' - }; Ensure = "Present" Credential = $Credscredential } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/1-Create.ps1 index fae71422d5..1acbe3c12f 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/1-Create.ps1 @@ -16,9 +16,9 @@ Configuration Example { AADEntitlementManagementAccessPackageCatalog 'myAccessPackageCatalog' { - DisplayName = 'General' + DisplayName = 'My Catalog' CatalogStatus = 'Published' - CatalogType = 'ServiceDefault' + CatalogType = 'UserManaged' Description = 'Built-in catalog.' IsExternallyVisible = $True Managedidentity = $False diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/2-Update.ps1 index 38127ab97b..30621cfbe4 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalog/2-Update.ps1 @@ -16,9 +16,9 @@ Configuration Example { AADEntitlementManagementAccessPackageCatalog 'myAccessPackageCatalog' { - DisplayName = 'General' + DisplayName = 'My Catalog' CatalogStatus = 'Published' - CatalogType = 'ServiceDefault' + CatalogType = 'UserManaged' Description = 'Built-in catalog.' IsExternallyVisible = $False # Updated Property Managedidentity = $False diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 index bf302be3e6..e7a20f133d 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 @@ -12,20 +12,21 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' { - DisplayName = 'Communication site' + DisplayName = 'Test Resource' AddedBy = 'admin@contoso.onmicrosoft.com' AddedOn = '05/11/2022 16:21:15' - CatalogId = 'f34c2d92-9e9d-4703-ba9b-955b6ac8dcb3' - Description = 'https://contoso.sharepoint.com/' + CatalogId = 'My Catalog' + Description = 'My Resource' IsPendingOnboarding = $False - OriginId = 'https://contoso.sharepoint.com/' + OriginId = "https://$Domain.sharepoint.com/" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = 'https://contoso.sharepoint.com/' + Url = "https://$Domain.sharepoint.com/" Ensure = 'Present' Credential = $Credscredential } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 index cce7f22a0e..185d0eeb00 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 @@ -16,16 +16,16 @@ Configuration Example { AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' { - DisplayName = 'Communication site' + DisplayName = 'Test Resource' AddedBy = 'admin@contoso.onmicrosoft.com' AddedOn = '05/11/2022 16:21:15' - CatalogId = 'f34c2d92-9e9d-4703-ba9b-955b6ac8dcb3' - Description = 'https://contoso.sharepoint.com/' - IsPendingOnboarding = $False # Updated Property - OriginId = 'https://contoso.sharepoint.com/' + CatalogId = 'My Catalog' + Description = 'My Resource' + IsPendingOnboarding = $True # Updated Property + OriginId = "https://$Domain.sharepoint.com/" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = 'https://contoso.sharepoint.com/' + Url = "https://$Domain.sharepoint.com/" Ensure = 'Present' Credential = $Credscredential } From aebd79098f66a297c96225483fc2f28845a3e05a Mon Sep 17 00:00:00 2001 From: mario Date: Thu, 4 Jan 2024 15:40:34 +0100 Subject: [PATCH 21/70] Fix data type --- CHANGELOG.md | 6 ++++++ .../MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.psm1 | 6 +++--- .../MSFT_SCDLPComplianceRule.schema.mof | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9ed2a94b1..f8f73626d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* SCDLPComplianceRule + * Fix type of AccessScope + FIXES [#3463](https://github.com/microsoft/Microsoft365DSC/issues/3463) + # 1.24.103.1 * AADConditionalAccessPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.psm1 index 3b3325530c..981dd8ac89 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.psm1 @@ -14,7 +14,7 @@ function Get-TargetResource [Parameter()] [ValidateSet('InOrganization', 'NotInOrganization', 'None')] - [System.String[]] + [System.String] $AccessScope, [Parameter()] @@ -334,7 +334,7 @@ function Set-TargetResource [Parameter()] [ValidateSet('InOrganization', 'NotInOrganization', 'None')] - [System.String[]] + [System.String] $AccessScope, [Parameter()] @@ -644,7 +644,7 @@ function Test-TargetResource [Parameter()] [ValidateSet('InOrganization', 'NotInOrganization', 'None')] - [System.String[]] + [System.String] $AccessScope, [Parameter()] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof index 2202e3c6c5..851847008e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof @@ -36,7 +36,7 @@ class MSFT_SCDLPComplianceRule : OMI_BaseResource { [Key, Description("Name of the Rule.")] String Name; [Required, Description("Name of the associated DLP Compliance Policy.")] String Policy; - [Write, Description("The AccessScope parameter specifies a condition for the DLP rule that's based on the access scope of the content. The rule is applied to content that matches the specified access scope."), ValueMap{"InOrganization","NotInOrganization", "None"}, Values{"InOrganization","NotInOrganization", "None"}] String AccessScope[]; + [Write, Description("The AccessScope parameter specifies a condition for the DLP rule that's based on the access scope of the content. The rule is applied to content that matches the specified access scope."), ValueMap{"InOrganization","NotInOrganization", "None"}, Values{"InOrganization","NotInOrganization", "None"}] String AccessScope; [Write, Description("The BlockAccess parameter specifies an action for the DLP rule that blocks access to the source item when the conditions of the rule are met. $true: Blocks further access to the source item that matched the rule. The owner, author, and site owner can still access the item. $false: Allows access to the source item that matched the rule. This is the default value.")] Boolean BlockAccess; [Write, Description("The BlockAccessScope parameter specifies the scope of the block access action."), ValueMap{"All", "PerUser"}, Values{"All", "PerUser"}] String BlockAccessScope; [Write, Description("The Comment parameter specifies an optional comment. If you specify a value that contains spaces, enclose the value in quotation marks.")] String Comment; From 2fbea84035364973762bfd6685ebae05d776b6c4 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 5 Jan 2024 12:08:45 +0100 Subject: [PATCH 22/70] updated example --- .../1-AADGroupOwnerConsentSettings-Example.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 index fc3348620f..7cd08b1b41 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 @@ -20,7 +20,7 @@ Configuration Example EnableGroupSpecificConsent = $false BlockUserConsentForRiskyApps = $true EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + #ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 Ensure = 'Present' Credential = $Credscredential } From 8b3137d9a1685290b1f1bb07ec4e179eb97c1725 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 5 Jan 2024 12:12:07 +0100 Subject: [PATCH 23/70] updated formatting --- .../MSFT_AADGroupOwnerConsentSettings.psm1 | 46 ++++++++++++------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 index cf3f14bbbb..507f857ec8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 @@ -6,19 +6,24 @@ function Get-TargetResource ( [Parameter(Mandatory = $true)] [validateset('Yes')] - [System.String]$IsSingleInstance, + [System.String] + $IsSingleInstance, [Parameter()] - [System.Boolean]$EnableGroupSpecificConsent, + [System.Boolean] + $EnableGroupSpecificConsent, [Parameter()] - [System.Boolean]$BlockUserConsentForRiskyApps, + [System.Boolean] + $BlockUserConsentForRiskyApps, [Parameter()] - [System.Boolean]$EnableAdminConsentRequests, + [System.Boolean] + $EnableAdminConsentRequests, [Parameter()] - [system.string]$ConstrainGroupSpecificConsentToMembersOfGroupName, + [system.string] + $ConstrainGroupSpecificConsentToMembersOfGroupName, [Parameter()] [System.String] @@ -153,19 +158,24 @@ function Set-TargetResource ( [Parameter(Mandatory = $true)] [validateset('Yes')] - [system.string]$IsSingleInstance, + [system.string] + $IsSingleInstance, [Parameter()] - [System.Boolean]$EnableGroupSpecificConsent, + [System.Boolean] + $EnableGroupSpecificConsent, [Parameter()] - [System.Boolean]$BlockUserConsentForRiskyApps, + [System.Boolean] + $BlockUserConsentForRiskyApps, [Parameter()] - [System.Boolean]$EnableAdminConsentRequests, + [System.Boolean] + $EnableAdminConsentRequests, [Parameter()] - [system.string]$ConstrainGroupSpecificConsentToMembersOfGroupName, + [system.string] + $ConstrainGroupSpecificConsentToMembersOfGroupName, [Parameter()] [System.String] @@ -281,7 +291,6 @@ function Set-TargetResource if ($currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "UNEXPECTED: *Creating* the Azure AD Group Consent Setting" $BodyParam.Add('TemplateId', $templateSettings.Id) $policy = New-MgGroupSetting @BodyParam } @@ -310,19 +319,24 @@ function Test-TargetResource ( [Parameter(Mandatory = $true)] [validateset('Yes')] - [system.string]$IsSingleInstance, + [system.string] + $IsSingleInstance, [Parameter()] - [System.Boolean]$EnableGroupSpecificConsent, + [System.Boolean] + $EnableGroupSpecificConsent, [Parameter()] - [System.Boolean]$BlockUserConsentForRiskyApps, + [System.Boolean] + $BlockUserConsentForRiskyApps, [Parameter()] - [System.Boolean]$EnableAdminConsentRequests, + [System.Boolean] + $EnableAdminConsentRequests, [Parameter()] - [system.string]$ConstrainGroupSpecificConsentToMembersOfGroupName, + [system.string] + $ConstrainGroupSpecificConsentToMembersOfGroupName, [Parameter()] [System.String] From b46905b2213ca4d1ef55992b3591341c76e4ba08 Mon Sep 17 00:00:00 2001 From: Michael Barmettler <99532854+mibarm@users.noreply.github.com> Date: Fri, 5 Jan 2024 15:11:33 +0100 Subject: [PATCH 24/70] handle empty values in get-targetresource --- .../MSFT_EXOHostedContentFilterPolicy.psm1 | 45 +++++++++---------- 1 file changed, 21 insertions(+), 24 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 index b8f446d38f..7c98904f0a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 @@ -312,16 +312,33 @@ function Get-TargetResource } else { - $AllowedSendersValues = $HostedContentFilterPolicy.AllowedSenders.Sender | Select-Object Address -ExpandProperty Address - $BlockedSendersValues = $HostedContentFilterPolicy.BlockedSenders.Sender | Select-Object Address -ExpandProperty Address + [System.String[]]$AllowedSendersValues = $HostedContentFilterPolicy.AllowedSenders.Sender | Select-Object Address -ExpandProperty Address + [System.String[]]$BlockedSendersValues = $HostedContentFilterPolicy.BlockedSenders.Sender | Select-Object Address -ExpandProperty Address + # Check if the values are null and assign them an empty string array if they are + if ($null -eq $AllowedSendersValues) { + $AllowedSendersValues = @() + } + if ($null -eq $BlockedSendersValues) { + $BlockedSendersValues = @() + } + + [System.String[]]$AllowedSenderDomains = $HostedContentFilterPolicy.AllowedSenderDomains.Domain + [System.String[]]$BlockedSenderDomains = $HostedContentFilterPolicy.BlockedSenderDomains.Domain + # Check if the values are null and assign them an empty string array if they are + if ($null -eq $AllowedSenderDomains) { + $AllowedSenderDomains = @() + } + if ($null -eq $BlockedSenderDomains) { + $BlockedSenderDomains = @() + } $result = @{ Ensure = 'Present' Identity = $Identity AddXHeaderValue = $HostedContentFilterPolicy.AddXHeaderValue AdminDisplayName = $HostedContentFilterPolicy.AdminDisplayName - AllowedSenderDomains = $HostedContentFilterPolicy.AllowedSenderDomains.Domain + AllowedSenderDomains = $AllowedSenderDomains AllowedSenders = $AllowedSendersValues - BlockedSenderDomains = $HostedContentFilterPolicy.BlockedSenderDomains.Domain + BlockedSenderDomains = $BlockedSenderDomains BlockedSenders = $BlockedSendersValues BulkQuarantineTag = $HostedContentFilterPolicy.BulkQuarantineTag BulkSpamAction = $HostedContentFilterPolicy.BulkSpamAction @@ -1039,26 +1056,6 @@ function Test-TargetResource $ValuesToCheck.Remove('CertificatePassword') | Out-Null $ValuesToCheck.Remove('ManagedIdentity') | Out-Null - if ($null -ne $ValuesToCheck.AllowedSenders -and $ValuesToCheck.AllowedSenders.Length -eq 0) - { - $ValuesToCheck.AllowedSenders = $null - } - - if ($null -ne $ValuesToCheck.AllowedSenderDomains -and $ValuesToCheck.AllowedSenderDomains.Length -eq 0) - { - $ValuesToCheck.AllowedSenderDomains = $null - } - - if ($null -ne $ValuesToCheck.BlockedSenders -and $ValuesToCheck.BlockedSenders.Length -eq 0) - { - $ValuesToCheck.BlockedSenders = $null - } - - if ($null -ne $ValuesToCheck.BlockedSenderDomains -and $ValuesToCheck.BlockedSenderDomains.Length -eq 0) - { - $ValuesToCheck.BlockedSenderDomains = $null - } - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $ValuesToCheck ` From a2508bb5c71bf194e69a144347be7ebb45ddd7f1 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 5 Jan 2024 11:47:09 -0500 Subject: [PATCH 25/70] Various Fixes for Integration Tests --- ...anagementAccessPackageCatalogResource.psm1 | 42 ++++-- ...lementManagementConnectedOrganization.psm1 | 123 +++++++++++++++++- .../MSFT_AADNamedLocationPolicy.psm1 | 2 +- .../MSFT_AADRoleSetting.psm1 | 72 ++++++---- .../MSFT_AADServicePrincipal.psm1 | 31 ++++- .../MSFT_EXOPlace/MSFT_EXOPlace.psm1 | 2 +- .../1-Create.ps1 | 10 +- .../2-Update.ps1 | 11 +- .../1-Create.ps1 | 7 +- .../2-Update.ps1 | 9 +- .../AADNamedLocationPolicy/1-Create.ps1 | 2 +- .../AADNamedLocationPolicy/2-Update.ps1 | 4 +- .../1-Create.ps1 | 3 +- .../2-Update.ps1 | 3 +- .../Resources/AADRoleSetting/1-Create.ps1 | 62 --------- .../AADServicePrincipal/1-Create.ps1 | 15 +-- .../AADServicePrincipal/2-Update.ps1 | 19 ++- .../Examples/Resources/AADUser/1-Create.ps1 | 5 +- .../Examples/Resources/AADUser/2-Update.ps1 | 5 +- .../Examples/Resources/AADUser/3-Remove.ps1 | 4 +- 20 files changed, 266 insertions(+), 165 deletions(-) delete mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADRoleSetting/1-Create.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 index babae51cfc..6bd79a482e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 @@ -112,17 +112,34 @@ function Get-TargetResource { $getValue = $null - #region resource generator code - $getValue = Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource ` - -AccessPackageCatalogId $CatalogId ` - -Filter "Id eq '$Id'" -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($CatalogId)) + { + $resource = ([Hashtable]$PSBoundParameters).clone() + $ObjectGuid = [System.Guid]::empty + if (-not [System.Guid]::TryParse($CatalogId, [System.Management.Automation.PSReference]$ObjectGuid)) + { + $catalogInstance = Get-MgBetaEntitlementManagementAccessPackageCatalog -Filter "DisplayName eq '$catalogId'" + $CatalogId = $catalogInstance.Id + } + + $getValue = Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource ` + -AccessPackageCatalogId $CatalogId ` + -Filter "Id eq '$Id'" -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Retrieving Resource by Display Name {$DisplayName}" + $getValue = Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource ` + -AccessPackageCatalogId $CatalogId ` + -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue + } + } if ($null -eq $getValue) { Write-Verbose -Message "The access package resource with id {$id} was NOT found in catalog {$CatalogId}." return $nullResult } - #endregion Write-Verbose -Message "The access package resource {$DisplayName} was found in catalog {$CatalogId}." $hashAttributes = @() @@ -338,7 +355,6 @@ function Set-TargetResource $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $resource.$key $resource.$key = $keyValue } - } $mapping = @{ @@ -365,7 +381,16 @@ function Set-TargetResource Write-Verbose -Message "Updating resource {$DisplayName} in catalog {$CatalogId}" $resource = ([Hashtable]$PSBoundParameters).clone() - + $ObjectGuid = [System.Guid]::empty + if (-not [System.Guid]::TryParse($CatalogId, [System.Management.Automation.PSReference]$ObjectGuid)) + { + Write-Verbose -Message "Retrieving Catalog by Display Name" + $catalogInstance = Get-MgBetaEntitlementManagementAccessPackageCatalog -Filter "DisplayName eq '$($CatalogId)'" + if ($catalogInstance) + { + $CatalogId = $catalogInstance.Id + } + } #$resource.Remove('Id') | Out-Null $resource.Remove('CatalogId') | Out-Null $resource.Remove('Verbose') | Out-Null @@ -432,16 +457,13 @@ function Set-TargetResource $resource = Rename-M365DSCCimInstanceParameter -Properties $resource ` -KeyMapping $mapping - #region resource generator code $resourceRequest = @{ CatalogId = $CatalogId RequestType = 'AdminRemove' AccessPackageresource = $resource } - #region resource generator code New-MgBetaEntitlementManagementAccessPackageResourceRequest @resourceRequest - #endregion } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 index 637425e5d9..e504f42eb7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 @@ -85,7 +85,11 @@ function Get-TargetResource $getValue = $null - $getValue = Get-MgBetaEntitlementManagementConnectedOrganization -ConnectedOrganizationId $id -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($id)) + { + $getValue = Get-MgBetaEntitlementManagementConnectedOrganization -ConnectedOrganizationId $id ` + -ErrorAction SilentlyContinue + } if ($null -eq $getValue) { @@ -169,13 +173,56 @@ function Get-TargetResource $getIdentitySources = $sources } + $ObjectGuid = [System.Guid]::empty + $ExternalSponsorsValues = @() + foreach ($sponsor in $getExternalSponsors) + { + if ([System.Guid]::TryParse($sponsor, [System.Management.Automation.PSReference]$ObjectGuid)) + { + try + { + $user = Get-MgUser -UserId $sponsor + $ExternalSponsorsValues += $user.UserPrincipalName + } + catch + { + Write-Verbose -Message "Couldn't find external sponsor with id {$sponsor}" + } + } + else + { + $ExternalSponsorsValues += $sponsor + } + } + + $InternalSponsorsValues = @() + foreach ($sponsor in $getInternalSponsors) + { + if ([System.Guid]::TryParse($sponsor, [System.Management.Automation.PSReference]$ObjectGuid)) + { + try + { + $user = Get-MgUser -UserId $sponsor + $InternalSponsorsValues += $user.UserPrincipalName + } + catch + { + Write-Verbose -Message "Couldn't find inter sponsor with id {$sponsor}" + } + } + else + { + $InternalSponsorsValues += $sponsor + } + } + $results = @{ Id = $getValue.id Description = $getValue.description DisplayName = $getValue.displayName - ExternalSponsors = $getExternalSponsors + ExternalSponsors = $ExternalSponsorsValues IdentitySources = $getIdentitySources - InternalSponsors = $getInternalSponsors + InternalSponsors = $InternalSponsorsValues State = $getValue.state Ensure = 'Present' Credential = $Credential @@ -293,6 +340,68 @@ function Set-TargetResource 'ExternalTenantId' = 'tenantId' } + if ($Ensure -eq 'Present') + { + $ObjectGuid = [System.Guid]::empty + $ExternalSponsorsValues = @() + foreach ($sponsor in $ExternalSponsors) + { + if (-not [System.Guid]::TryParse($sponsor, [System.Management.Automation.PSReference]$ObjectGuid)) + { + try + { + $user = Get-MgUser -UserId $sponsor -ErrorAction SilentlyContinue + if ($null -ne $user) + { + $ExternalSponsorsValues += $user.Id + } + else + { + Write-Verbose -Message "Could not find External Sponsor {$sponsor}" + } + } + catch + { + Write-Verbose -Message "Could not find External Sponsor {$sponsor}" + } + } + else + { + $ExternalSponsorsValues += $sponsor + } + } + $ExternalSponsors = $ExternalSponsorsValues + + $InternalSponsorsValues = @() + foreach ($sponsor in $InternalSponsors) + { + if (-not [System.Guid]::TryParse($sponsor, [System.Management.Automation.PSReference]$ObjectGuid)) + { + try + { + $user = Get-MgUser -UserId $sponsor -ErrorAction SilentlyContinue + if ($null -ne $user) + { + $InternalSponsorsValues += $user.Id + } + else + { + Write-Verbose -Message "Could not find External Sponsor {$sponsor}" + } + } + catch + { + Write-Verbose -Message "Could not find External Sponsor {$sponsor}" + } + } + else + { + $InternalSponsorsValues += $sponsor + } + } + $InternalSponsors = $InternalSponsorsValues + } + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating a new Entitlement Management Connected Organization {$DisplayName}" @@ -304,7 +413,6 @@ function Set-TargetResource $CreateParameters.Remove('ExternalSponsors') | Out-Null $CreateParameters.Remove('InternalSponsors') | Out-Null - $keys = (([Hashtable]$CreateParameters).clone()).Keys foreach ($key in $keys) { @@ -313,8 +421,9 @@ function Set-TargetResource $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key } } - $TenantId = $CreateParameters.IdentitySources.ExternalTenantId - $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/tenantRelationships/microsoft.graph.findTenantInformationByTenantId(tenantId='$tenantid')" + Write-Verbose -Message "Create Parameters: $(Convert-M365DscHashtableToString -Hashtable $CreateParameters)" + $TenantIdValue = $CreateParameters.IdentitySources.TenantId + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/tenantRelationships/microsoft.graph.findTenantInformationByTenantId(tenantId='$TenantIdValue')" $DomainName = (Invoke-MgGraphRequest -Method 'GET' -Uri $url).defaultDomainName $newConnectedOrganization = New-MgBetaEntitlementManagementConnectedOrganization -Description $CreateParameters.Description -DisplayName $CreateParameters.DisplayName -State $CreateParameters.State -DomainName $DomainName @@ -504,7 +613,7 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of {$id}" + Write-Verbose -Message "Testing configuration of {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 index a1615e9666..cb125080aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 @@ -307,7 +307,7 @@ function Set-TargetResource # Named Location exist but should not elseif ($Ensure -eq 'Absent' -and $CurrentAADNamedLocation.Ensure -eq 'Present') { - Write-Verbose -Message "Removing AAD Named Location {$Displayname)}" + Write-Verbose -Message "Removing AAD Named Location {$Displayname} with id {$($currentAADNamedLocation.ID)}" Remove-MgBetaIdentityConditionalAccessNamedLocation -NamedLocationId $currentAADNamedLocation.ID } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 index 117d2e66d8..e978aab640 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 @@ -10,7 +10,7 @@ function Get-TargetResource [Parameter(Mandatory = $true)] [System.String] - $Displayname, + $DisplayName, [Parameter()] [System.String] @@ -215,6 +215,29 @@ function Get-TargetResource $nullReturn = $PSBoundParameters $nullReturn.Ensure = 'Absent' + $RoleDefintion = $null + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + elseif (-not [System.String]::IsNullOrEmpty($Id)) + { + $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $Id ` + -ErrorAction SilentlyContinue + } + + if ($null -eq $RoleDefinition -and -not [System.String]::IsNullOrEmpty($Displayname)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + else + { + $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$DisplayName'" + } + } + try { if ($null -eq $Script:PolicyAssignments) @@ -222,7 +245,8 @@ function Get-TargetResource $allFilter = "scopeId eq '/' and scopeType eq 'DirectoryRole'" $Script:PolicyAssignments = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter $allFilter -All } - $Policy = $Script:PolicyAssignments | Where-Object -FilterScript {$_.RoleDefinitionId -eq $Id} + + $Policy = $Script:PolicyAssignments | Where-Object -FilterScript {$_.RoleDefinitionId -eq $RoleDefinition.Id} } catch { @@ -237,26 +261,6 @@ function Get-TargetResource { return $nullReturn } - if ($null -ne $Script:exportedInstances -and $Script:ExportMode) - { - $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} - } - else - { - $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $Id - } - - if ($null -eq $RoleDefinition -and -not [System.String]::IsNullOrEmpty($Displayname)) - { - if ($null -ne $Script:exportedInstances -and $Script:ExportMode) - { - $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $Displayname} - } - else - { - $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$DisplayName'" - } - } #get Policyrule $role = Get-MgBetaPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $Policy.Policyid @@ -400,7 +404,7 @@ function Set-TargetResource [Parameter(Mandatory = $true)] [System.String] - $Displayname, + $DisplayName, [Parameter()] [System.String] @@ -599,11 +603,23 @@ function Set-TargetResource #endregion #get role - [string]$Filter = $null - $Filter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and RoleDefinitionId eq '" + $Id + "'" - $Policy = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter $Filter + $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$DisplayName'" + + $Policy = $null + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $Filter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and RoleDefinitionId eq '" + $Id + "'" + $Policy = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter $Filter + } + else + { + Write-Verbose -Message "Finding Policy Assignment by Role Definition Id {$($RoleDefinition.Id)}" + $Filter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and RoleDefinitionId eq '$($RoleDefinition.Id)'" + $Policy = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter $Filter + } #get Policyrule - $roles = Get-MgBetaPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $Policy.Policyid + $roles = Get-MgBetaPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $Policy.PolicyId ` + -ErrorAction SilentlyContinue foreach ($role in $roles) { @@ -1100,7 +1116,7 @@ function Test-TargetResource [Parameter(Mandatory = $true)] [System.String] - $Displayname, + $DisplayName, [Parameter()] [System.String] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index 988bad0ce2..5a56e3da0e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -147,8 +147,18 @@ function Get-TargetResource } else { - $AADServicePrincipal = Get-MgServicePrincipal -Filter "AppID eq '$($AppId)'" ` - -Expand 'AppRoleAssignedTo' + $ObjectGuid = [System.Guid]::empty + if (-not [System.Guid]::TryParse($AppId, [System.Management.Automation.PSReference]$ObjectGuid)) + { + $appInstance = Get-MgApplication -Filter "DisplayName eq '$AppId'" + $AADServicePrincipal = Get-MgServicePrincipal -Filter "AppID eq '$($appInstance.AppId)'" ` + -Expand 'AppRoleAssignedTo' + } + else + { + $AADServicePrincipal = Get-MgServicePrincipal -Filter "AppID eq '$($AppId)'" ` + -Expand 'AppRoleAssignedTo' + } } } if ($null -eq $AADServicePrincipal) @@ -347,7 +357,6 @@ function Set-TargetResource $currentParameters.Remove('Ensure') | Out-Null $currentParameters.Remove('ObjectID') | Out-Null $currentParameters.Remove('ApplicationSecret') | Out-Null - $currentParameters.Remove('AppId') | Out-Null # ServicePrincipal should exist but it doesn't if ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Absent') @@ -356,13 +365,27 @@ function Set-TargetResource { $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValue } + $ObjectGuid = [System.Guid]::empty + if (-not [System.Guid]::TryParse($AppId, [System.Management.Automation.PSReference]$ObjectGuid)) + { + $appInstance = Get-MgApplication -Filter "DisplayName eq '$AppId'" + $currentParameters.AppId = $appInstance.AppId + } + Write-Verbose -Message 'Creating new Service Principal' + Write-Verbose -Message "With Values: $(Convert-M365DscHashtableToString -Hashtable $currentParameters)" New-MgServicePrincipal @currentParameters } # ServicePrincipal should exist and will be configured to desired state - if ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Present') + elseif ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Present') { Write-Verbose -Message 'Updating existing Service Principal' + $ObjectGuid = [System.Guid]::empty + if (-not [System.Guid]::TryParse($AppId, [System.Management.Automation.PSReference]$ObjectGuid)) + { + $appInstance = Get-MgApplication -Filter "DisplayName eq '$AppId'" + $currentParameters.AppId = $appInstance.AppId + } Write-Verbose -Message "CurrentParameters: $($currentParameters | Out-String)" Write-Verbose -Message "ServicePrincipalID: $($currentAADServicePrincipal.ObjectID)" $currentParameters.Remove('AppRoleAssignedTo') | Out-Null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOPlace/MSFT_EXOPlace.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOPlace/MSFT_EXOPlace.psm1 index e6524aa7b6..2829411355 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOPlace/MSFT_EXOPlace.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOPlace/MSFT_EXOPlace.psm1 @@ -157,7 +157,7 @@ function Get-TargetResource try { - $place = Get-Place -Identity $Identity -ErrorAction Stop + $place = Get-Place -Identity $Identity -ErrorAction SilentlyContinue if ($null -eq $place) { diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 index e7a20f133d..5ce75f3a5e 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 @@ -17,16 +17,14 @@ Configuration Example { AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' { - DisplayName = 'Test Resource' - AddedBy = 'admin@contoso.onmicrosoft.com' - AddedOn = '05/11/2022 16:21:15' + DisplayName = 'Human Resources' CatalogId = 'My Catalog' Description = 'My Resource' - IsPendingOnboarding = $False - OriginId = "https://$Domain.sharepoint.com/" + IsPendingOnboarding = $true + OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = "https://$Domain.sharepoint.com/" + Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 index 185d0eeb00..8294d98999 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 @@ -12,20 +12,19 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' { - DisplayName = 'Test Resource' - AddedBy = 'admin@contoso.onmicrosoft.com' - AddedOn = '05/11/2022 16:21:15' + DisplayName = 'Human Resources' CatalogId = 'My Catalog' Description = 'My Resource' - IsPendingOnboarding = $True # Updated Property - OriginId = "https://$Domain.sharepoint.com/" + IsPendingOnboarding = $false # Updated Property + OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = "https://$Domain.sharepoint.com/" + Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 index f4772ccf44..fb46388a1a 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 @@ -12,21 +12,22 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementConnectedOrganization 'MyConnectedOrganization' { Description = "this is the tenant partner"; DisplayName = "Test Tenant - DSC"; - ExternalSponsors = @("12345678-1234-1234-1234-123456789012"); + ExternalSponsors = @("AdeleV@$Domain"); IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ - ExternalTenantId = "12345678-1234-1234-1234-123456789012" + ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" DisplayName = 'Contoso' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); - InternalSponsors = @("12345678-1234-1234-1234-123456789012"); + InternalSponsors = @("AdeleV@$Domain"); State = "configured"; Ensure = "Present" Credential = $Credscredential diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 index 59e893bec8..227bda391c 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 @@ -12,21 +12,22 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementConnectedOrganization 'MyConnectedOrganization' { - Description = "this is the tenant partner - Updated"; # Updated Property + Description = "This is the tenant partner - Updated"; # Updated Property DisplayName = "Test Tenant - DSC"; - ExternalSponsors = @("12345678-1234-1234-1234-123456789012"); + ExternalSponsors = @("AdeleV@$Domain"); IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ - ExternalTenantId = "12345678-1234-1234-1234-123456789012" + ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" DisplayName = 'Contoso' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); - InternalSponsors = @("12345678-1234-1234-1234-123456789012"); + InternalSponsors = @("AdeleV@$Domain"); State = "configured"; Ensure = "Present" Credential = $Credscredential diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/1-Create.ps1 index ee96d8b039..2cfe4b2336 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/1-Create.ps1 @@ -18,7 +18,7 @@ Configuration Example { DisplayName = "Company Network" IpRanges = @("2.1.1.1/32", "1.2.2.2/32") - IsTrusted = $True + IsTrusted = $False OdataType = "#microsoft.graph.ipNamedLocation" Ensure = "Present" Credential = $Credscredential diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/2-Update.ps1 index 24c3405382..9f1b9edb57 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNamedLocationPolicy/2-Update.ps1 @@ -17,8 +17,8 @@ Configuration Example AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" - IpRanges = @("2.1.1.1/32", "1.2.2.2/32") - IsTrusted = $False # Updated Property + IpRanges = @("2.1.1.1/32") # Updated Property + IsTrusted = $False OdataType = "#microsoft.graph.ipNamedLocation" Ensure = "Present" Credential = $Credscredential diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/1-Create.ps1 index f338de89dc..439d0b39b9 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/1-Create.ps1 @@ -14,6 +14,7 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADRoleEligibilityScheduleRequest "MyRequest" @@ -23,7 +24,7 @@ Configuration Example DirectoryScopeId = "/"; Ensure = "Present"; IsValidationOnly = $False; - Principal = "John.Smith@$OrganizationName"; + Principal = "AdeleV@$Domain"; RoleDefinition = "Teams Communications Administrator"; ScheduleInfo = MSFT_AADRoleEligibilityScheduleRequestSchedule { startDateTime = '2023-09-01T02:40:44Z' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/2-Update.ps1 index 3532161553..9131d0a4e7 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADRoleEligibilityScheduleRequest/2-Update.ps1 @@ -14,6 +14,7 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADRoleEligibilityScheduleRequest "MyRequest" @@ -23,7 +24,7 @@ Configuration Example DirectoryScopeId = "/"; Ensure = "Present"; IsValidationOnly = $True; # Updated Property - Principal = "John.Smith@$OrganizationName"; + Principal = "AdeleV@$Domain"; RoleDefinition = "Teams Communications Administrator"; ScheduleInfo = MSFT_AADRoleEligibilityScheduleRequestSchedule { startDateTime = '2023-09-01T02:40:44Z' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADRoleSetting/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADRoleSetting/1-Create.ps1 deleted file mode 100644 index e603f34d31..0000000000 --- a/Modules/Microsoft365DSC/Examples/Resources/AADRoleSetting/1-Create.ps1 +++ /dev/null @@ -1,62 +0,0 @@ -<# -This example is used to test new resources and showcase the usage of new resources being worked on. -It is not meant to use as a production baseline. -#> - -Configuration Example -{ - param( - [Parameter(Mandatory = $true)] - [PSCredential] - $Credscredential - ) - Import-DscResource -ModuleName Microsoft365DSC - - Node localhost - { - AADRoleSetting 28b253d8-cde5-471f-a331-fe7320023cdd - { - ActivateApprover = @(); - ActivationMaxDuration = "PT8H"; - ActivationReqJustification = $True; - ActivationReqMFA = $False; - ActivationReqTicket = $False; - ActiveAlertNotificationAdditionalRecipient = @(); - ActiveAlertNotificationDefaultRecipient = $True; - ActiveAlertNotificationOnlyCritical = $False; - ActiveApproveNotificationAdditionalRecipient = @(); - ActiveApproveNotificationDefaultRecipient = $True; - ActiveApproveNotificationOnlyCritical = $False; - ActiveAssigneeNotificationAdditionalRecipient = @(); - ActiveAssigneeNotificationDefaultRecipient = $True; - ActiveAssigneeNotificationOnlyCritical = $False; - ApprovaltoActivate = $False; - AssignmentReqJustification = $True; - AssignmentReqMFA = $False; - Displayname = "Application Administrator"; - ElegibilityAssignmentReqJustification = $False; - ElegibilityAssignmentReqMFA = $False; - EligibleAlertNotificationAdditionalRecipient = @(); - EligibleAlertNotificationDefaultRecipient = $True; - EligibleAlertNotificationOnlyCritical = $False; - EligibleApproveNotificationAdditionalRecipient = @(); - EligibleApproveNotificationDefaultRecipient = $True; - EligibleApproveNotificationOnlyCritical = $False; - EligibleAssigneeNotificationAdditionalRecipient = @(); - EligibleAssigneeNotificationDefaultRecipient = $True; - EligibleAssigneeNotificationOnlyCritical = $False; - EligibleAssignmentAlertNotificationAdditionalRecipient = @(); - EligibleAssignmentAlertNotificationDefaultRecipient = $True; - EligibleAssignmentAlertNotificationOnlyCritical = $False; - EligibleAssignmentAssigneeNotificationAdditionalRecipient = @(); - EligibleAssignmentAssigneeNotificationDefaultRecipient = $True; - EligibleAssignmentAssigneeNotificationOnlyCritical = $False; - ExpireActiveAssignment = "P180D"; - ExpireEligibleAssignment = "P365D"; - PermanentActiveAssignmentisExpirationRequired = $False; - PermanentEligibleAssignmentisExpirationRequired = $False; - Credential = $Credscredential - Ensure = 'Present' - } - } -} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 index c406e7a9ed..8583af1bd5 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 @@ -12,22 +12,19 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADServicePrincipal 'AADServicePrincipal' { - AppId = "" - DisplayName = "AADAppName" + AppId = 'AppDisplayName' + DisplayName = "AppDisplayName" AlternativeNames = "AlternativeName1","AlternativeName2" AccountEnabled = $true AppRoleAssignmentRequired = $false - ErrorUrl = "" - Homepage = "https://AADAppName.contoso.com" - LogoutUrl = "https://AADAppName.contoso.com/logout" - PublisherName = "Contoso" - ReplyURLs = "https://AADAppName.contoso.com" - SamlMetadataURL = "" - ServicePrincipalNames = "", "https://AADAppName.contoso.com" + Homepage = "https://$Domain/site/Home" + LogoutUrl = "https://$Domain/logout" + ReplyURLs = "https://$Domain/Reply" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 index b513d7b703..43fc5cf3a6 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 @@ -12,22 +12,19 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADServicePrincipal 'AADServicePrincipal' { - AppId = "" - DisplayName = "AADAppName" - AlternativeNames = "AlternativeName1","AlternativeName2" + AppId = 'AppDisplayName' + DisplayName = "AppDisplayName" + AlternativeNames = "AlternativeName1","AlternativeName3" # Updated Property AccountEnabled = $true - AppRoleAssignmentRequired = $true # Updated Property - ErrorUrl = "" - Homepage = "https://AADAppName.contoso.com" - LogoutUrl = "https://AADAppName.contoso.com/logout" - PublisherName = "Contoso" - ReplyURLs = "https://AADAppName.contoso.com" - SamlMetadataURL = "" - ServicePrincipalNames = "", "https://AADAppName.contoso.com" + AppRoleAssignmentRequired = $false + Homepage = "https://$Domain/site/Home" + LogoutUrl = "https://$Domain/logout" + ReplyURLs = "https://$Domain/Reply" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUser/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUser/1-Create.ps1 index 77f36b174e..73cdcbb24b 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADUser/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUser/1-Create.ps1 @@ -12,19 +12,18 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { - $Organization = $Credscredential.Username.Split('@')[1] AADUser 'ConfigureJohnSMith' { - UserPrincipalName = "John.Smith@$Organization" + UserPrincipalName = "John.Smith@$Domain" FirstName = "John" LastName = "Smith" DisplayName = "John J. Smith" City = "Gatineau" Country = "Canada" Office = "Ottawa - Queen" - LicenseAssignment = @("O365dsc1:ENTERPRISEPREMIUM") UsageLocation = "US" Ensure = "Present" Credential = $Credscredential diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-Update.ps1 index d80e65086f..238b7e0925 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-Update.ps1 @@ -12,19 +12,18 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { - $Organization = $Credscredential.Username.Split('@')[1] AADUser 'ConfigureJohnSMith' { - UserPrincipalName = "John.Smith@$Organization" + UserPrincipalName = "John.Smith@$Domain" FirstName = "John" LastName = "Smith" DisplayName = "John J. Smith" City = "Ottawa" # Updated Country = "Canada" Office = "Ottawa - Queen" - LicenseAssignment = @("O365dsc1:ENTERPRISEPREMIUM") UsageLocation = "US" Ensure = "Present" Credential = $Credscredential diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUser/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUser/3-Remove.ps1 index 1da4cd0523..30f6a7acb5 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADUser/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUser/3-Remove.ps1 @@ -12,12 +12,12 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { - $Organization = $Credscredential.Username.Split('@')[1] AADUser 'ConfigureJohnSMith' { - UserPrincipalName = "John.Smith@$Organization" + UserPrincipalName = "John.Smith@$Domain" Ensure = "Absent" Credential = $Credscredential } From 08a70e70a26c8c4e333631fabfff13a66a2e4d43 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 5 Jan 2024 13:13:17 -0500 Subject: [PATCH 26/70] Fix Unit Tests --- ...lementManagementConnectedOrganization.psm1 | 26 ++++++++++++++++ ...entAccessPackageAssignmentPolicy.Tests.ps1 | 6 +++- ...tManagementConnectedOrganization.Tests.ps1 | 31 +++++++++++-------- .../Microsoft365DSC.AADRoleSetting.Tests.ps1 | 1 + 4 files changed, 50 insertions(+), 14 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 index e504f42eb7..9f7c6f4e0e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 @@ -480,6 +480,19 @@ function Set-TargetResource -ConnectedOrganizationId $currentInstance.Id #region External Sponsors + if ($currentInstance.ExternalSponsors) + { + $currentExternalSponsors = @() + foreach ($sponsor in $CurrentInstance.ExternalSponsors) + { + $user = Get-MgUser -UserId $sponsor -ErrorAction SilentlyContinue + if ($user) + { + $currentExternalSponsors += $user.Id + } + } + $currentInstance.ExternalSponsors = $currentExternalSponsors + } $sponsorsDifferences = compare-object -ReferenceObject @($ExternalSponsors|select-object) -DifferenceObject @($currentInstance.ExternalSponsors|select-object) $sponsorsToAdd=($sponsorsDifferences | where-object -filterScript {$_.SideIndicator -eq '<='}).InputObject $sponsorsToRemove=($sponsorsDifferences | where-object -filterScript {$_.SideIndicator -eq '=>'}).InputObject @@ -505,6 +518,19 @@ function Set-TargetResource #endregion #region Internal Sponsors + if ($currentInstance.InternalSponsors) + { + $currentInternalSponsors = @() + foreach ($sponsor in $CurrentInstance.InternalSponsors) + { + $user = Get-MgUser -UserId $sponsor -ErrorAction SilentlyContinue + if ($user) + { + $currentInternalSponsors += $user.Id + } + } + $currentInstance.InternalSponsors = $currentInternalSponsors + } $sponsorsDifferences = compare-object -ReferenceObject @($InternalSponsors|select-object) -DifferenceObject @($currentInstance.InternalSponsors|select-object) $sponsorsToAdd=($sponsorsDifferences | where-object -filterScript {$_.SideIndicator -eq '<='}).InputObject $sponsorsToRemove=($sponsorsDifferences | where-object -filterScript {$_.SideIndicator -eq '=>'}).InputObject diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 index 494e432b67..b912a70e6b 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 @@ -95,7 +95,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' Credential = $Credential } - + Mock -CommandName Get-MgBetaEntitlementManagementAccessPackage -MockWith { + return @{ + Id = 'FakeStringValue' + } + } Mock -CommandName Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -MockWith { return $null } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementConnectedOrganization.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementConnectedOrganization.Tests.ps1 index 7ead2f0a36..e8ea032e40 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementConnectedOrganization.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementConnectedOrganization.Tests.ps1 @@ -59,7 +59,20 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Write-Host -MockWith { } - Mock -CommandName Write-Host -MockWith { + Mock -CommandName Get-MgUser -MockWith { + return @{ + Id = '12345678-1234-1234-1234-123456789012' + UserPrincipalName = 'John.smith@contoso.com' + } + } + + Mock -CommandName Get-MgBetaDirectoryObject -MockWith { + return @{ + Id = '12345678-1234-1234-1234-123456789012' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.user' + } + } } } # Test contexts @@ -93,14 +106,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaEntitlementManagementConnectedOrganizationInternalSponsor -MockWith { return @() } - Mock -CommandName Get-MgBetaDirectoryObject -MockWith { - return @{ - Id = '12345678-1234-1234-1234-123456789012' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.user' - } - } - } Mock -CommandName New-MgBetaEntitlementManagementConnectedOrganization -MockWith { return @{ Id = '12345678-1234-1234-1234-123456789012' @@ -193,7 +198,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Description = 'ConnectedOrganization_Description' DisplayName = 'ConnectedOrganization_DisplayName' - ExternalSponsors = @('12345678-1234-1234-1234-123456789012') + ExternalSponsors = @('John.Smith@contoso.com') Id = '12345678-1234-1234-1234-123456789012' IdentitySources = @( (New-CimInstance -ClassName MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource -Property @{ @@ -202,7 +207,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { displayName = 'IdentitySource_DisplayName' } -ClientOnly) ) - InternalSponsors = @('12345678-1234-1234-1234-123456789012') + InternalSponsors = @('John.Smith@contoso.com') State = 'configured' Ensure = 'Present' Credential = $Credential @@ -250,7 +255,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Description = 'ConnectedOrganization_Description' DisplayName = 'ConnectedOrganization_DisplayName' - ExternalSponsors = @('12345678-1234-1234-1234-123456789012') + ExternalSponsors = @('John.Smith@contoso.com') Id = '12345678-1234-1234-1234-123456789012' IdentitySources = @( (New-CimInstance -ClassName MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource -Property @{ @@ -259,7 +264,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { displayName = 'IdentitySource_DisplayName' } -ClientOnly) ) - InternalSponsors = @('12345678-1234-1234-1234-123456789012') + InternalSponsors = @('John.Smith@contoso.com') State = 'configured' Ensure = 'Present' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 index 5b68626cd5..fa5c9afa77 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 @@ -44,6 +44,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleDefinition -MockWith { return @{ DisplayName = 'User administrator' + Id = 'fe930be7-5e62-47db-91af-98c3a49a38b1' } } From 5d33c01fe7ef288bd60d3dc58d073180caedac2e Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Fri, 5 Jan 2024 18:25:00 +0000 Subject: [PATCH 27/70] Updated Resources and Cmdlet documentation pages --- ...ManagementAccessPackageAssignmentPolicy.md | 30 ++------- ...titlementManagementAccessPackageCatalog.md | 8 +-- ...tManagementAccessPackageCatalogResource.md | 30 ++++----- ...itlementManagementConnectedOrganization.md | 16 +++-- .../azure-ad/AADNamedLocationPolicy.md | 6 +- .../AADRoleEligibilityScheduleRequest.md | 6 +- .../docs/resources/azure-ad/AADRoleSetting.md | 67 +------------------ .../resources/azure-ad/AADServicePrincipal.md | 34 ++++------ docs/docs/resources/azure-ad/AADUser.md | 14 ++-- 9 files changed, 59 insertions(+), 152 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageAssignmentPolicy.md b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageAssignmentPolicy.md index 493a73dd6e..7920e3ad3e 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageAssignmentPolicy.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageAssignmentPolicy.md @@ -190,9 +190,9 @@ Configuration Example node localhost { - AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignmentPolicyWithAccessReviewsSettings" + AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignments" { - AccessPackageId = "5d05114c-b4d9-4ae7-bda6-4bade48e60f2"; + AccessPackageId = "Integration Package"; AccessReviewSettings = MSFT_MicrosoftGraphassignmentreviewsettings{ IsEnabled = $True StartDateTime = '12/17/2022 23:59:59' @@ -214,17 +214,6 @@ Configuration Example IsApprovalRequired = $False IsApprovalRequiredForExtension = $False }; - RequestorSettings = MSFT_MicrosoftGraphrequestorsettings{ - AllowedRequestors = @( - MSFT_MicrosoftGraphuserset{ - IsBackup = $False - Id = 'e27eb9b9-27c3-462d-8d65-3bcd763b0ed0' - odataType = '#microsoft.graph.connectedOrganizationMembers' - } - ) - AcceptRequests = $True - ScopeType = 'SpecificConnectedOrganizationSubjects' - }; Ensure = "Present" Credential = $Credscredential } @@ -249,9 +238,9 @@ Configuration Example node localhost { - AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignmentPolicyWithAccessReviewsSettings" + AADEntitlementManagementAccessPackageAssignmentPolicy "myAssignments" { - AccessPackageId = "5d05114c-b4d9-4ae7-bda6-4bade48e60f2"; + AccessPackageId = "Integration Package"; AccessReviewSettings = MSFT_MicrosoftGraphassignmentreviewsettings{ IsEnabled = $True StartDateTime = '12/17/2022 23:59:59' @@ -273,17 +262,6 @@ Configuration Example IsApprovalRequired = $False IsApprovalRequiredForExtension = $False }; - RequestorSettings = MSFT_MicrosoftGraphrequestorsettings{ - AllowedRequestors = @( - MSFT_MicrosoftGraphuserset{ - IsBackup = $False - Id = 'e27eb9b9-27c3-462d-8d65-3bcd763b0ed0' - odataType = '#microsoft.graph.connectedOrganizationMembers' - } - ) - AcceptRequests = $True - ScopeType = 'SpecificConnectedOrganizationSubjects' - }; Ensure = "Present" Credential = $Credscredential } diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalog.md b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalog.md index 6a299016ac..9953d70bc2 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalog.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalog.md @@ -70,9 +70,9 @@ Configuration Example { AADEntitlementManagementAccessPackageCatalog 'myAccessPackageCatalog' { - DisplayName = 'General' + DisplayName = 'My Catalog' CatalogStatus = 'Published' - CatalogType = 'ServiceDefault' + CatalogType = 'UserManaged' Description = 'Built-in catalog.' IsExternallyVisible = $True Managedidentity = $False @@ -102,9 +102,9 @@ Configuration Example { AADEntitlementManagementAccessPackageCatalog 'myAccessPackageCatalog' { - DisplayName = 'General' + DisplayName = 'My Catalog' CatalogStatus = 'Published' - CatalogType = 'ServiceDefault' + CatalogType = 'UserManaged' Description = 'Built-in catalog.' IsExternallyVisible = $False # Updated Property Managedidentity = $False diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md index ab7401ab7a..7f32d90e47 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md @@ -145,20 +145,19 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' { - DisplayName = 'Communication site' - AddedBy = 'admin@contoso.onmicrosoft.com' - AddedOn = '05/11/2022 16:21:15' - CatalogId = 'f34c2d92-9e9d-4703-ba9b-955b6ac8dcb3' - Description = 'https://contoso.sharepoint.com/' - IsPendingOnboarding = $False - OriginId = 'https://contoso.sharepoint.com/' + DisplayName = 'Human Resources' + CatalogId = 'My Catalog' + Description = 'My Resource' + IsPendingOnboarding = $true + OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = 'https://contoso.sharepoint.com/' + Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } @@ -181,20 +180,19 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' { - DisplayName = 'Communication site' - AddedBy = 'admin@contoso.onmicrosoft.com' - AddedOn = '05/11/2022 16:21:15' - CatalogId = 'f34c2d92-9e9d-4703-ba9b-955b6ac8dcb3' - Description = 'https://contoso.sharepoint.com/' - IsPendingOnboarding = $False # Updated Property - OriginId = 'https://contoso.sharepoint.com/' + DisplayName = 'Human Resources' + CatalogId = 'My Catalog' + Description = 'My Resource' + IsPendingOnboarding = $false # Updated Property + OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = 'https://contoso.sharepoint.com/' + Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md b/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md index c64c9d84a9..54f34e3b2e 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md @@ -80,21 +80,22 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementConnectedOrganization 'MyConnectedOrganization' { Description = "this is the tenant partner"; DisplayName = "Test Tenant - DSC"; - ExternalSponsors = @("12345678-1234-1234-1234-123456789012"); + ExternalSponsors = @("AdeleV@$Domain"); IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ - ExternalTenantId = "12345678-1234-1234-1234-123456789012" + ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" DisplayName = 'Contoso' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); - InternalSponsors = @("12345678-1234-1234-1234-123456789012"); + InternalSponsors = @("AdeleV@$Domain"); State = "configured"; Ensure = "Present" Credential = $Credscredential @@ -118,21 +119,22 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADEntitlementManagementConnectedOrganization 'MyConnectedOrganization' { - Description = "this is the tenant partner - Updated"; # Updated Property + Description = "This is the tenant partner - Updated"; # Updated Property DisplayName = "Test Tenant - DSC"; - ExternalSponsors = @("12345678-1234-1234-1234-123456789012"); + ExternalSponsors = @("AdeleV@$Domain"); IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ - ExternalTenantId = "12345678-1234-1234-1234-123456789012" + ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" DisplayName = 'Contoso' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); - InternalSponsors = @("12345678-1234-1234-1234-123456789012"); + InternalSponsors = @("AdeleV@$Domain"); State = "configured"; Ensure = "Present" Credential = $Credscredential diff --git a/docs/docs/resources/azure-ad/AADNamedLocationPolicy.md b/docs/docs/resources/azure-ad/AADNamedLocationPolicy.md index f43ace7898..376795d4d9 100644 --- a/docs/docs/resources/azure-ad/AADNamedLocationPolicy.md +++ b/docs/docs/resources/azure-ad/AADNamedLocationPolicy.md @@ -73,7 +73,7 @@ Configuration Example { DisplayName = "Company Network" IpRanges = @("2.1.1.1/32", "1.2.2.2/32") - IsTrusted = $True + IsTrusted = $False OdataType = "#microsoft.graph.ipNamedLocation" Ensure = "Present" Credential = $Credscredential @@ -102,8 +102,8 @@ Configuration Example AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" - IpRanges = @("2.1.1.1/32", "1.2.2.2/32") - IsTrusted = $False # Updated Property + IpRanges = @("2.1.1.1/32") # Updated Property + IsTrusted = $False OdataType = "#microsoft.graph.ipNamedLocation" Ensure = "Present" Credential = $Credscredential diff --git a/docs/docs/resources/azure-ad/AADRoleEligibilityScheduleRequest.md b/docs/docs/resources/azure-ad/AADRoleEligibilityScheduleRequest.md index ef5191b080..31ca7a5d40 100644 --- a/docs/docs/resources/azure-ad/AADRoleEligibilityScheduleRequest.md +++ b/docs/docs/resources/azure-ad/AADRoleEligibilityScheduleRequest.md @@ -137,6 +137,7 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADRoleEligibilityScheduleRequest "MyRequest" @@ -146,7 +147,7 @@ Configuration Example DirectoryScopeId = "/"; Ensure = "Present"; IsValidationOnly = $False; - Principal = "John.Smith@$OrganizationName"; + Principal = "AdeleV@$Domain"; RoleDefinition = "Teams Communications Administrator"; ScheduleInfo = MSFT_AADRoleEligibilityScheduleRequestSchedule { startDateTime = '2023-09-01T02:40:44Z' @@ -178,6 +179,7 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADRoleEligibilityScheduleRequest "MyRequest" @@ -187,7 +189,7 @@ Configuration Example DirectoryScopeId = "/"; Ensure = "Present"; IsValidationOnly = $True; # Updated Property - Principal = "John.Smith@$OrganizationName"; + Principal = "AdeleV@$Domain"; RoleDefinition = "Teams Communications Administrator"; ScheduleInfo = MSFT_AADRoleEligibilityScheduleRequestSchedule { startDateTime = '2023-09-01T02:40:44Z' diff --git a/docs/docs/resources/azure-ad/AADRoleSetting.md b/docs/docs/resources/azure-ad/AADRoleSetting.md index 4ce54475f7..c666d97328 100644 --- a/docs/docs/resources/azure-ad/AADRoleSetting.md +++ b/docs/docs/resources/azure-ad/AADRoleSetting.md @@ -91,71 +91,6 @@ To authenticate with the Microsoft Graph API, this resource required the followi This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline. -```powershell -Configuration Example -{ - param( - [Parameter(Mandatory = $true)] - [PSCredential] - $Credscredential - ) - Import-DscResource -ModuleName Microsoft365DSC - - Node localhost - { - AADRoleSetting 28b253d8-cde5-471f-a331-fe7320023cdd - { - ActivateApprover = @(); - ActivationMaxDuration = "PT8H"; - ActivationReqJustification = $True; - ActivationReqMFA = $False; - ActivationReqTicket = $False; - ActiveAlertNotificationAdditionalRecipient = @(); - ActiveAlertNotificationDefaultRecipient = $True; - ActiveAlertNotificationOnlyCritical = $False; - ActiveApproveNotificationAdditionalRecipient = @(); - ActiveApproveNotificationDefaultRecipient = $True; - ActiveApproveNotificationOnlyCritical = $False; - ActiveAssigneeNotificationAdditionalRecipient = @(); - ActiveAssigneeNotificationDefaultRecipient = $True; - ActiveAssigneeNotificationOnlyCritical = $False; - ApprovaltoActivate = $False; - AssignmentReqJustification = $True; - AssignmentReqMFA = $False; - Displayname = "Application Administrator"; - ElegibilityAssignmentReqJustification = $False; - ElegibilityAssignmentReqMFA = $False; - EligibleAlertNotificationAdditionalRecipient = @(); - EligibleAlertNotificationDefaultRecipient = $True; - EligibleAlertNotificationOnlyCritical = $False; - EligibleApproveNotificationAdditionalRecipient = @(); - EligibleApproveNotificationDefaultRecipient = $True; - EligibleApproveNotificationOnlyCritical = $False; - EligibleAssigneeNotificationAdditionalRecipient = @(); - EligibleAssigneeNotificationDefaultRecipient = $True; - EligibleAssigneeNotificationOnlyCritical = $False; - EligibleAssignmentAlertNotificationAdditionalRecipient = @(); - EligibleAssignmentAlertNotificationDefaultRecipient = $True; - EligibleAssignmentAlertNotificationOnlyCritical = $False; - EligibleAssignmentAssigneeNotificationAdditionalRecipient = @(); - EligibleAssignmentAssigneeNotificationDefaultRecipient = $True; - EligibleAssignmentAssigneeNotificationOnlyCritical = $False; - ExpireActiveAssignment = "P180D"; - ExpireEligibleAssignment = "P365D"; - PermanentActiveAssignmentisExpirationRequired = $False; - PermanentEligibleAssignmentisExpirationRequired = $False; - Credential = $Credscredential - Ensure = 'Present' - } - } -} -``` - -### Example 2 - -This example is used to test new resources and showcase the usage of new resources being worked on. -It is not meant to use as a production baseline. - ```powershell Configuration Example { @@ -216,7 +151,7 @@ Configuration Example } ``` -### Example 3 +### Example 2 This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline. diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md index f5c4d6c8ae..661d2c5db1 100644 --- a/docs/docs/resources/azure-ad/AADServicePrincipal.md +++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md @@ -84,22 +84,19 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADServicePrincipal 'AADServicePrincipal' { - AppId = "" - DisplayName = "AADAppName" + AppId = 'AppDisplayName' + DisplayName = "AppDisplayName" AlternativeNames = "AlternativeName1","AlternativeName2" AccountEnabled = $true AppRoleAssignmentRequired = $false - ErrorUrl = "" - Homepage = "https://AADAppName.contoso.com" - LogoutUrl = "https://AADAppName.contoso.com/logout" - PublisherName = "Contoso" - ReplyURLs = "https://AADAppName.contoso.com" - SamlMetadataURL = "" - ServicePrincipalNames = "", "https://AADAppName.contoso.com" + Homepage = "https://$Domain/site/Home" + LogoutUrl = "https://$Domain/logout" + ReplyURLs = "https://$Domain/Reply" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" @@ -124,22 +121,19 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADServicePrincipal 'AADServicePrincipal' { - AppId = "" - DisplayName = "AADAppName" - AlternativeNames = "AlternativeName1","AlternativeName2" + AppId = 'AppDisplayName' + DisplayName = "AppDisplayName" + AlternativeNames = "AlternativeName1","AlternativeName3" # Updated Property AccountEnabled = $true - AppRoleAssignmentRequired = $true # Updated Property - ErrorUrl = "" - Homepage = "https://AADAppName.contoso.com" - LogoutUrl = "https://AADAppName.contoso.com/logout" - PublisherName = "Contoso" - ReplyURLs = "https://AADAppName.contoso.com" - SamlMetadataURL = "" - ServicePrincipalNames = "", "https://AADAppName.contoso.com" + AppRoleAssignmentRequired = $false + Homepage = "https://$Domain/site/Home" + LogoutUrl = "https://$Domain/logout" + ReplyURLs = "https://$Domain/Reply" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" diff --git a/docs/docs/resources/azure-ad/AADUser.md b/docs/docs/resources/azure-ad/AADUser.md index 4d5ef9b418..0153626464 100644 --- a/docs/docs/resources/azure-ad/AADUser.md +++ b/docs/docs/resources/azure-ad/AADUser.md @@ -85,19 +85,18 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { - $Organization = $Credscredential.Username.Split('@')[1] AADUser 'ConfigureJohnSMith' { - UserPrincipalName = "John.Smith@$Organization" + UserPrincipalName = "John.Smith@$Domain" FirstName = "John" LastName = "Smith" DisplayName = "John J. Smith" City = "Gatineau" Country = "Canada" Office = "Ottawa - Queen" - LicenseAssignment = @("O365dsc1:ENTERPRISEPREMIUM") UsageLocation = "US" Ensure = "Present" Credential = $Credscredential @@ -121,19 +120,18 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { - $Organization = $Credscredential.Username.Split('@')[1] AADUser 'ConfigureJohnSMith' { - UserPrincipalName = "John.Smith@$Organization" + UserPrincipalName = "John.Smith@$Domain" FirstName = "John" LastName = "Smith" DisplayName = "John J. Smith" City = "Ottawa" # Updated Country = "Canada" Office = "Ottawa - Queen" - LicenseAssignment = @("O365dsc1:ENTERPRISEPREMIUM") UsageLocation = "US" Ensure = "Present" Credential = $Credscredential @@ -157,12 +155,12 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { - $Organization = $Credscredential.Username.Split('@')[1] AADUser 'ConfigureJohnSMith' { - UserPrincipalName = "John.Smith@$Organization" + UserPrincipalName = "John.Smith@$Domain" Ensure = "Absent" Credential = $Credscredential } From 9a1d2688b71d2bf74e15d15ff9e2b3c3b6804ff2 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Fri, 5 Jan 2024 18:26:32 +0000 Subject: [PATCH 28/70] Updated {Create} AAD Integration Tests --- .../M365DSCIntegration.AAD.Create.Tests.ps1 | 104 ++++-------------- 1 file changed, 21 insertions(+), 83 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 7cb309eaf4..a6d733205f 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -417,9 +417,9 @@ IsHidden = $False; IsRoleScopesVisible = $True; } - AADEntitlementManagementAccessPackageAssignmentPolicy 'myAssignmentPolicyWithAccessReviewsSettings' + AADEntitlementManagementAccessPackageAssignmentPolicy 'myAssignments' { - AccessPackageId = "5d05114c-b4d9-4ae7-bda6-4bade48e60f2"; + AccessPackageId = "Integration Package"; AccessReviewSettings = MSFT_MicrosoftGraphassignmentreviewsettings{ IsEnabled = $True StartDateTime = '12/17/2022 23:59:59' @@ -441,25 +441,14 @@ IsApprovalRequired = $False IsApprovalRequiredForExtension = $False }; - RequestorSettings = MSFT_MicrosoftGraphrequestorsettings{ - AllowedRequestors = @( - MSFT_MicrosoftGraphuserset{ - IsBackup = $False - Id = 'e27eb9b9-27c3-462d-8d65-3bcd763b0ed0' - odataType = '#microsoft.graph.connectedOrganizationMembers' - } - ) - AcceptRequests = $True - ScopeType = 'SpecificConnectedOrganizationSubjects' - }; Ensure = "Present" Credential = $Credscredential } AADEntitlementManagementAccessPackageCatalog 'myAccessPackageCatalog' { - DisplayName = 'General' + DisplayName = 'My Catalog' CatalogStatus = 'Published' - CatalogType = 'ServiceDefault' + CatalogType = 'UserManaged' Description = 'Built-in catalog.' IsExternallyVisible = $True Managedidentity = $False @@ -468,16 +457,14 @@ } AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' { - DisplayName = 'Communication site' - AddedBy = 'admin@contoso.onmicrosoft.com' - AddedOn = '05/11/2022 16:21:15' - CatalogId = 'f34c2d92-9e9d-4703-ba9b-955b6ac8dcb3' - Description = 'https://contoso.sharepoint.com/' - IsPendingOnboarding = $False - OriginId = 'https://contoso.sharepoint.com/' + DisplayName = 'Human Resources' + CatalogId = 'My Catalog' + Description = 'My Resource' + IsPendingOnboarding = $true + OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = 'https://contoso.sharepoint.com/' + Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } @@ -485,15 +472,15 @@ { Description = "this is the tenant partner"; DisplayName = "Test Tenant - DSC"; - ExternalSponsors = @("12345678-1234-1234-1234-123456789012"); + ExternalSponsors = @("AdeleV@$Domain"); IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ - ExternalTenantId = "12345678-1234-1234-1234-123456789012" + ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" DisplayName = 'Contoso' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); - InternalSponsors = @("12345678-1234-1234-1234-123456789012"); + InternalSponsors = @("AdeleV@$Domain"); State = "configured"; Ensure = "Present" Credential = $Credscredential @@ -514,7 +501,7 @@ { DisplayName = "Company Network" IpRanges = @("2.1.1.1/32", "1.2.2.2/32") - IsTrusted = $True + IsTrusted = $False OdataType = "#microsoft.graph.ipNamedLocation" Ensure = "Present" Credential = $Credscredential @@ -537,7 +524,7 @@ DirectoryScopeId = "/"; Ensure = "Present"; IsValidationOnly = $False; - Principal = "John.Smith@$OrganizationName"; + Principal = "AdeleV@$Domain"; RoleDefinition = "Teams Communications Administrator"; ScheduleInfo = MSFT_AADRoleEligibilityScheduleRequestSchedule { startDateTime = '2023-09-01T02:40:44Z' @@ -548,64 +535,16 @@ } }; } - AADRoleSetting '28b253d8-cde5-471f-a331-fe7320023cdd' - { - ActivateApprover = @(); - ActivationMaxDuration = "PT8H"; - ActivationReqJustification = $True; - ActivationReqMFA = $False; - ActivationReqTicket = $False; - ActiveAlertNotificationAdditionalRecipient = @(); - ActiveAlertNotificationDefaultRecipient = $True; - ActiveAlertNotificationOnlyCritical = $False; - ActiveApproveNotificationAdditionalRecipient = @(); - ActiveApproveNotificationDefaultRecipient = $True; - ActiveApproveNotificationOnlyCritical = $False; - ActiveAssigneeNotificationAdditionalRecipient = @(); - ActiveAssigneeNotificationDefaultRecipient = $True; - ActiveAssigneeNotificationOnlyCritical = $False; - ApprovaltoActivate = $False; - AssignmentReqJustification = $True; - AssignmentReqMFA = $False; - Displayname = "Application Administrator"; - ElegibilityAssignmentReqJustification = $False; - ElegibilityAssignmentReqMFA = $False; - EligibleAlertNotificationAdditionalRecipient = @(); - EligibleAlertNotificationDefaultRecipient = $True; - EligibleAlertNotificationOnlyCritical = $False; - EligibleApproveNotificationAdditionalRecipient = @(); - EligibleApproveNotificationDefaultRecipient = $True; - EligibleApproveNotificationOnlyCritical = $False; - EligibleAssigneeNotificationAdditionalRecipient = @(); - EligibleAssigneeNotificationDefaultRecipient = $True; - EligibleAssigneeNotificationOnlyCritical = $False; - EligibleAssignmentAlertNotificationAdditionalRecipient = @(); - EligibleAssignmentAlertNotificationDefaultRecipient = $True; - EligibleAssignmentAlertNotificationOnlyCritical = $False; - EligibleAssignmentAssigneeNotificationAdditionalRecipient = @(); - EligibleAssignmentAssigneeNotificationDefaultRecipient = $True; - EligibleAssignmentAssigneeNotificationOnlyCritical = $False; - ExpireActiveAssignment = "P180D"; - ExpireEligibleAssignment = "P365D"; - PermanentActiveAssignmentisExpirationRequired = $False; - PermanentEligibleAssignmentisExpirationRequired = $False; - Credential = $Credscredential - Ensure = 'Present' - } AADServicePrincipal 'AADServicePrincipal' { - AppId = "" - DisplayName = "AADAppName" + AppId = 'AppDisplayName' + DisplayName = "AppDisplayName" AlternativeNames = "AlternativeName1","AlternativeName2" AccountEnabled = $true AppRoleAssignmentRequired = $false - ErrorUrl = "" - Homepage = "https://AADAppName.contoso.com" - LogoutUrl = "https://AADAppName.contoso.com/logout" - PublisherName = "Contoso" - ReplyURLs = "https://AADAppName.contoso.com" - SamlMetadataURL = "" - ServicePrincipalNames = "", "https://AADAppName.contoso.com" + Homepage = "https://$Domain/site/Home" + LogoutUrl = "https://$Domain/logout" + ReplyURLs = "https://$Domain/Reply" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" @@ -622,14 +561,13 @@ } AADUser 'ConfigureJohnSMith' { - UserPrincipalName = "John.Smith@$Organization" + UserPrincipalName = "John.Smith@$Domain" FirstName = "John" LastName = "Smith" DisplayName = "John J. Smith" City = "Gatineau" Country = "Canada" Office = "Ottawa - Queen" - LicenseAssignment = @("O365dsc1:ENTERPRISEPREMIUM") UsageLocation = "US" Ensure = "Present" Credential = $Credscredential From 071f561ffa50daed1c1ef12c4300608aa842c833 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 5 Jan 2024 15:12:13 -0500 Subject: [PATCH 29/70] Integration Fixes --- CHANGELOG.md | 5 ++++- .../MSFT_AADAdministrativeUnit.psm1 | 10 +++++---- ...ADAuthenticationMethodPolicyTemporary.psm1 | 8 +++++-- ...nagementAccessPackageAssignmentPolicy.psm1 | 21 +++++++++++++++++++ .../Resources/AADApplication/1-Create.ps1 | 9 ++++---- .../Resources/AADApplication/2-Update.ps1 | 9 ++++---- .../1-Create.ps1 | 2 +- .../2-Update.ps1 | 2 +- 8 files changed, 49 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bed56fca1a..74edc2c7a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # Change log for Microsoft365DSC -# Unreleased +# UNRELEASED + +* AADAdministrativeUnit + * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. # 1.24.103.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 index 075738fae6..7d837c6524 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 @@ -543,7 +543,6 @@ function Set-TargetResource # ScopedRoleMember-info is added after the AU is created } $CreateParameters.Remove('ScopedRoleMembers') | Out-Null - } if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') @@ -604,8 +603,11 @@ function Set-TargetResource $UpdateParameters.Remove('ScopedRoleMembers') | Out-Null #region resource generator code - Update-MgBetaDirectoryAdministrativeUnit @UpdateParameters ` - -AdministrativeUnitId $currentInstance.Id + $jsonParams = ConvertTo-Json $UpdateParameters + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/administrativeUnits/$($currentInstance.Id)" + Invoke-MgGraphRequest -Method PATCH -Uri $url -Body $jsonParams + <#Update-MgBetaDirectoryAdministrativeUnit @UpdateParameters ` + -AdministrativeUnitId $currentInstance.Id #> #endregion @@ -689,7 +691,7 @@ function Set-TargetResource $desiredScopedRoleMembersValue = @() } - # flatten hashtabls for compare + # flatten hashtables for compare $compareCurrentScopedRoleMembersValue = @() foreach ($roleMember in $currentScopedRoleMembersValue) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyTemporary/MSFT_AADAuthenticationMethodPolicyTemporary.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyTemporary/MSFT_AADAuthenticationMethodPolicyTemporary.psm1 index e699ceb56f..982b5e380c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyTemporary/MSFT_AADAuthenticationMethodPolicyTemporary.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyTemporary/MSFT_AADAuthenticationMethodPolicyTemporary.psm1 @@ -101,16 +101,17 @@ function Get-TargetResource #endregion if ($null -eq $getValue) { - Write-Verbose -Message "Could not find an Azure AD Authentication Method Policy Temporary with DisplayName {$DisplayName}" + Write-Verbose -Message "Could not find an Azure AD Authentication Method Policy Temporary" return $nullResult } $Id = $getValue.Id - Write-Verbose -Message "An Azure AD Authentication Method Policy Temporary with Id {$Id} and DisplayName {$DisplayName} was found." + Write-Verbose -Message "An Azure AD Authentication Method Policy Temporary with Id {$($currentExcludeTargets.id))} was found." #region resource generator code $complexExcludeTargets = @() foreach ($currentExcludeTargets in $getValue.excludeTargets) { + Write-Verbose -Message "Retrieving ExcludeTarget {$currentExcludeTargets}" $myExcludeTargets = @{} if ($currentExcludeTargets.id -ne 'all_users'){ $myExcludeTargetsDisplayName = get-MgGroup -GroupId $currentExcludeTargets.id @@ -133,6 +134,7 @@ function Get-TargetResource $complexincludeTargets = @() foreach ($currentincludeTargets in $getValue.AdditionalProperties.includeTargets) { + Write-Verbose -Message "Retrieving IncludeTarget {$($currentincludeTargets.id)}" $myincludeTargets = @{} if ($currentIncludeTargets.id -ne 'all_users'){ $myIncludeTargetsDisplayName = get-MgGroup -GroupId $currentIncludeTargets.id @@ -158,6 +160,7 @@ function Get-TargetResource } #endregion + Write-Verbose -Message "Get-TargetResource returned values" $results = @{ #region resource generator code DefaultLength = $getValue.AdditionalProperties.defaultLength @@ -486,6 +489,7 @@ function Test-TargetResource $testResult = $true #Compare Cim instances + Write-Verbose -Message "Evaluating keys" foreach ($key in $PSBoundParameters.Keys) { $source = $PSBoundParameters.$key diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 index 1891bd8d98..5adea9080f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 @@ -653,6 +653,27 @@ function Set-TargetResource $UpdateParameters.CustomExtensionHandlers = $formattedCustomExtensionHandlers } + if (-not [System.String]::IsNullOrEmpty($AccessPackageId)) + { + $ObjectGuid = [System.Guid]::empty + $isGUID = [System.Guid]::TryParse($AccessPackageId, [System.Management.Automation.PSReference]$ObjectGuid) + if (-not $isGUID) + { + # Retrieve by name + Write-Verbose -Message "Retrieving Entitlement Management Access Package by Name {$AccessPackageId}" + $package = Get-MgBetaEntitlementManagementAccessPackage -Filter "displayName eq '$AccessPackageId'" + if ($null -ne $package) + { + $AccessPackageId = $package.Id + } + else + { + throw "Could not retrieve the Access Package using identifier {$AccessPackageId}" + } + } + $UpdateParameters.AccessPackageId = $AccessPackageId + } + #write-verbose ($UpdateParameters|convertto-json -Depth 100) Set-MgBetaEntitlementManagementAccessPackageAssignmentPolicy ` -BodyParameter $UpdateParameters ` diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 index dd1149b760..ea5eef43e4 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 @@ -12,6 +12,7 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADApplication 'AADApp1' @@ -19,12 +20,12 @@ Configuration Example DisplayName = "AppDisplayName" AvailableToOtherTenants = $false GroupMembershipClaims = "0" - Homepage = "https://app.contoso.com" - IdentifierUris = "https://app.contoso.com" + Homepage = "https://$Domain" + IdentifierUris = "https://$Domain" KnownClientApplications = "" - LogoutURL = "https://app.contoso.com/logout" + LogoutURL = "https://$Domain/logout" PublicClient = $false - ReplyURLs = "https://app.contoso.com" + ReplyURLs = "https://$Domain" Permissions = @( MSFT_AADApplicationPermission { diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 index 950f7c2813..7d11185628 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 @@ -12,6 +12,7 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADApplication 'AADApp1' @@ -19,12 +20,12 @@ Configuration Example DisplayName = "AppDisplayName" AvailableToOtherTenants = $true # Updated Property GroupMembershipClaims = "0" - Homepage = "https://app.contoso.com" - IdentifierUris = "https://app.contoso.com" + Homepage = "https://$Domain" + IdentifierUris = "https://$Domain" KnownClientApplications = "" - LogoutURL = "https://app.contoso.com/logout" + LogoutURL = "https://$Domain/logout" PublicClient = $false - ReplyURLs = "https://app.contoso.com" + ReplyURLs = "https://$Domain" Permissions = @( MSFT_AADApplicationPermission { diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/1-Create.ps1 index 7be4ff9417..383f603274 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/1-Create.ps1 @@ -30,7 +30,7 @@ Configuration Example Id = "TemporaryAccessPass"; IncludeTargets = @( MSFT_AADAuthenticationMethodPolicyTemporaryIncludeTarget{ - Id = 'DSCGroup' + Id = 'Executives' TargetType = 'group' } ); diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/2-Update.ps1 index a23cf77d9d..da062cb512 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyTemporary/2-Update.ps1 @@ -30,7 +30,7 @@ Configuration Example Id = "TemporaryAccessPass"; IncludeTargets = @( MSFT_AADAuthenticationMethodPolicyTemporaryIncludeTarget{ - Id = 'DSCGroup' + Id = 'Executives' TargetType = 'group' } ); From 528bf1ecd6648dbaa4f5838b0434cac28b455ec0 Mon Sep 17 00:00:00 2001 From: Raimund Andree Date: Sat, 6 Jan 2024 10:44:02 +0100 Subject: [PATCH 30/70] Renamed 'Sync-Parameter' to 'Sync-M365DSCParameter' --- Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 6d59be27b4..b03dda25b8 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -4345,7 +4345,7 @@ function Get-M365DSCConfigurationConflict .Functionality Private #> -function Sync-Parameter +function Sync-M365DSCParameter { [Cmdletbinding()] param ( @@ -4504,5 +4504,5 @@ Export-ModuleMember -Function @( 'Update-M365DSCExportAuthenticationResults', 'Update-M365DSCModule', 'Write-M365DSCLogEvent', - 'Sync-Parameter' + 'Sync-M365DSCParameter' ) From 273c1d228b5bb1dccad3c1e0ee7b3c4bd40519e7 Mon Sep 17 00:00:00 2001 From: Raimund Andree Date: Sat, 6 Jan 2024 10:50:15 +0100 Subject: [PATCH 31/70] Renamed 'Sync-Parameter' to 'Sync-M365DSCParameter' --- .../MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 | 6 +++--- Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 index b02976181f..59c2ddf127 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailContact/MSFT_EXOMailContact.psm1 @@ -498,14 +498,14 @@ function Set-TargetResource # Mail Contact doesn't exist but it should if ($Ensure -eq 'Present' -and $currentContact.Ensure -eq 'Absent') { - $parameters = Sync-Parameter -Command (Get-Command -Name New-MailContact) -Parameters $PSBoundParameters + $parameters = Sync-M365DSCParameter -Command (Get-Command -Name New-MailContact) -Parameters $PSBoundParameters Write-Verbose -Message "The Mail Contact '$($Name)' does not exist but it should. Creating Mail Contact." try { New-MailContact @parameters -ErrorAction Stop - $parameters = Sync-Parameter -Command (Get-Command -Name Set-MailContact) -Parameters $PSBoundParameters + $parameters = Sync-M365DSCParameter -Command (Get-Command -Name Set-MailContact) -Parameters $PSBoundParameters $parameters.Identity = $Name Set-MailContact @parameters -ErrorAction Stop } @@ -523,7 +523,7 @@ function Set-TargetResource elseif ($Ensure -eq 'Present' -and $currentContact.Ensure -eq 'Present') { Write-Verbose -Message "Mail Contact '$($Name)' already exists. Updating settings" - $parameters = Sync-Parameter -Command (Get-Command -Name Set-MailContact) -Parameters $PSBoundParameters + $parameters = Sync-M365DSCParameter -Command (Get-Command -Name Set-MailContact) -Parameters $PSBoundParameters Write-Verbose -Message "Updating Mail Contact '$($Name)' with values: $(Convert-M365DscHashtableToString -Hashtable $parameters)" $parameters.Identity = $Name Set-MailContact @parameters diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index b03dda25b8..9f10e145ac 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -4340,7 +4340,7 @@ function Get-M365DSCConfigurationConflict Path = 'C:\Test' DoesNotExist = '123' } - Sync-Parameter -Command (Get-Command -Name Get-ChildItem) -Parameters $param + Sync-M365DSCParameter -Command (Get-Command -Name Get-ChildItem) -Parameters $param .Functionality Private From 3b76b2084dfe99cd87f17cfb2d66bc698c377058 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Sun, 7 Jan 2024 10:34:27 -0500 Subject: [PATCH 32/70] Update MSFT_AADRoleEligibilityScheduleRequest.psm1 --- .../MSFT_AADRoleEligibilityScheduleRequest.psm1 | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 index 6e1e50dcaa..f1e371a6d5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 @@ -125,13 +125,16 @@ if ($null -ne $Script:exportedInstances -and $Script:ExportMode) { Write-Verbose -Message "Getting Role Eligibility by PrincipalId and RoleDefinitionId" + $PrincipalTypeValue = $null if ($PrincipalType -eq 'User') { + Write-Verbose -Message "Retrieving Principal by UserPrincipalName {$Principal}" $PrincipalIdValue = Get-MgUser -Filter "UserPrincipalName eq '$Principal'" -ErrorAction SilentlyContinue $PrincipalTypeValue = 'User' } if ($null -eq $PrincipalIdValue -or $PrincipalType -eq 'Group') { + Write-Verbose -Message "Retrieving Principal by DisplayName {$Principal}" $PrincipalIdValue = Get-MgGroup -Filter "DisplayName eq '$Principal'" -ErrorAction SilentlyContinue $PrincipalTypeValue = 'Group' } @@ -146,7 +149,7 @@ } Write-Verbose -Message "Found Principal {$PrincipalId}" $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id - $request = $Script:exportedInstances | Where-Object -FilterScript {$_.PrincipalId -eq $PrincipalId -and $_.RoleDefinitionId -eq $RoleDefinition} + $request = $Script:exportedInstances | Where-Object -FilterScript {$_.PrincipalId -eq $PrincipalId -and $_.RoleDefinitionId -eq $RoleDefinition} | Sort-Object -Property CompletedDateTime -Descending } else { @@ -178,7 +181,8 @@ Write-Verbose -Message "Found Role {$RoleDefinitionId}" $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" - $request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" + [Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" | Sort-Object -Property CompletedDateTime -Descending +` $request = $request[0] } } else @@ -202,11 +206,13 @@ Write-Verbose -Message "Found existing AADRolelLigibilityScheduleRequest" if ($PrincipalType -eq 'User') { + Write-Verbose -Message "Retrieving Principal by UserId {$($request.PrincipalId)}" $PrincipalInstance = Get-MgUser -UserId $request.PrincipalId -ErrorAction SilentlyContinue $PrincipalTypeValue = 'User' } if ($null -eq $PrincipalInstance -or $PrincipalType -eq 'Group') { + Write-Verbose -Message "Retrieving Principal by GroupId {$($request.PrincipalId)}" $requestArray = [Array]$request if ($requestArray.Count -gt 1) { @@ -307,7 +313,7 @@ } catch { - Write-Verbose "Error: $($_.ErrorDetails.Message)" + Write-Verbose "Error: $_" New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` From 6882c8e5bfa26e442191a5e5f4a8c58d0c7d333b Mon Sep 17 00:00:00 2001 From: Michael Barmettler <99532854+mibarm@users.noreply.github.com> Date: Mon, 8 Jan 2024 07:57:04 +0100 Subject: [PATCH 33/70] Add Changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bed56fca1a..9755d8bce3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ # Unreleased +* EXOHostedContentFilterPolicy + * Fix issue on parameters AllowedSenders, AllowedSenderDomains, BlockedSenders, BlockSenderDomains if desired state is empty but current state is not empty + FIXES[#4124](https://github.com/microsoft/Microsoft365DSC/issues/4124) + # 1.24.103.1 * AADConditionalAccessPolicy From d9a64e1493be94f7a72993b25ec5161b080d9d72 Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Mon, 8 Jan 2024 08:46:16 +0100 Subject: [PATCH 34/70] wip --- CHANGELOG.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bef0360463..bed56fca1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,6 @@ # Change log for Microsoft365DSC -# UNRELEASED -* AADConditionalAccessPolicy - * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] +# Unreleased # 1.24.103.1 @@ -74,6 +72,7 @@ FIXES [#4021](https://github.com/microsoft/Microsoft365DSC/issues/4021) # 1.23.1220.1 + * AADEntitlementManagementAccessPackage * Retrieve catalog by name instead of id. * IntuneDeviceAndAppManagementAssignmentFilter From ca4464887cad94a5227d18348cde45e78e144fea Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Mon, 8 Jan 2024 08:49:40 +0100 Subject: [PATCH 35/70] Add to unreased --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bed56fca1a..5f8f1d77b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ # Change log for Microsoft365DSC -# Unreleased +# UNRELEASED +* AADConditionalAccessPolicy + * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] # 1.24.103.1 From 6f07e840000cb14d5994ae232ea286e318b2b2c6 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 8 Jan 2024 08:34:19 -0500 Subject: [PATCH 36/70] AADConditionalAccessPolicy - Added Support for Application Filters --- CHANGELOG.md | 5 ++- .../MSFT_AADConditionalAccessPolicy.psm1 | 40 ++++++++++++++++++- ...MSFT_AADConditionalAccessPolicy.schema.mof | 2 + 3 files changed, 44 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bed56fca1a..689d93d972 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # Change log for Microsoft365DSC -# Unreleased +# UNRELEASED + +* AADConditionalAccessPolicy + * Added support for application filters in the conditions. # 1.24.103.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 06ce5f794e..02171c139e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -26,6 +26,15 @@ function Get-TargetResource [System.String[]] $ExcludeApplications, + [Parameter()] + [System.String] + $ApplicationsFilter, + + [Parameter()] + [ValidateSet("include", "exclude")] + [System.String] + $ApplicationsFilterMode, + [Parameter()] [System.String[]] $IncludeUserActions, @@ -397,7 +406,6 @@ function Get-TargetResource } } - $IncludeRoles = @() $ExcludeRoles = @() #translate role template guids to role name @@ -450,7 +458,6 @@ function Get-TargetResource } } } - } $IncludeLocations = @() @@ -600,6 +607,8 @@ function Get-TargetResource IncludeApplications = [System.String[]](@() + $Policy.Conditions.Applications.IncludeApplications) #no translation of Application GUIDs, return empty string array if undefined ExcludeApplications = [System.String[]](@() + $Policy.Conditions.Applications.ExcludeApplications) + ApplicationsFilter = $Policy.Conditions.Applications.ApplicationFilter.Rule + ApplicationsFilterMode = $Policy.Conditions.Applications.ApplicationFilter.Mode #no translation of GUIDs, return empty string array if undefined IncludeUserActions = [System.String[]](@() + $Policy.Conditions.Applications.IncludeUserActions) #no translation needed, return empty string array if undefined @@ -701,6 +710,15 @@ function Set-TargetResource [System.String[]] $ExcludeApplications, + [Parameter()] + [System.String] + $ApplicationsFilter, + + [Parameter()] + [ValidateSet("include", "exclude")] + [System.String] + $ApplicationsFilterMode, + [Parameter()] [System.String[]] $IncludeUserActions, @@ -944,6 +962,15 @@ function Set-TargetResource { $conditions.Applications.Add('ExcludeApplications', $ExcludeApplications) } + if ($ApplicationsFilter -and $ApplicationsFilterMode) + { + $appFilterValue = @{ + rule = $ApplicationsFilter + mode = $ApplicationsFilterMode + } + $conditions.Applications.Add("ApplicationFilter", $appFilterValue) + } + if ($IncludeUserActions) { $conditions.Applications.Add('IncludeUserActions', $IncludeUserActions) @@ -1604,6 +1631,15 @@ function Test-TargetResource [System.String[]] $ExcludeApplications, + [Parameter()] + [System.String] + $ApplicationsFilter, + + [Parameter()] + [ValidateSet("include", "exclude")] + [System.String] + $ApplicationsFilterMode, + [Parameter()] [System.String[]] $IncludeUserActions, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof index d209e98f00..9d1203c2af 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof @@ -5,6 +5,8 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Specifies the GUID for the Policy.")] String Id; [Write, Description("Specifies the State of the Policy."), ValueMap{"disabled","enabled","enabledForReportingButNotEnforced"}, Values{"disabled","enabled","enabledForReportingButNotEnforced"}] String State; [Write, Description("Cloud Apps in scope of the Policy.")] String IncludeApplications[]; + [Write, Description("Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID.")] String ApplicationsFilter; + [Write, Description("Mode to use for the filter. Possible values are include or exclude."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String ApplicationsFilterMode; [Write, Description("Cloud Apps out of scope of the Policy.")] String ExcludeApplications[]; [Write, Description("User Actions in scope of the Policy.")] String IncludeUserActions[]; [Write, Description("Users in scope of the Policy.")] String IncludeUsers[]; From b86799e078fc145bda76bb5aebe72fcd1bcc9d7c Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 13:46:41 +0000 Subject: [PATCH 37/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md index 50256488d8..e7a2deec08 100644 --- a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md +++ b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md @@ -8,6 +8,8 @@ | **Id** | Write | String | Specifies the GUID for the Policy. | | | **State** | Write | String | Specifies the State of the Policy. | `disabled`, `enabled`, `enabledForReportingButNotEnforced` | | **IncludeApplications** | Write | StringArray[] | Cloud Apps in scope of the Policy. | | +| **ApplicationsFilter** | Write | String | Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID. | | +| **ApplicationsFilterMode** | Write | String | Mode to use for the filter. Possible values are include or exclude. | `include`, `exclude` | | **ExcludeApplications** | Write | StringArray[] | Cloud Apps out of scope of the Policy. | | | **IncludeUserActions** | Write | StringArray[] | User Actions in scope of the Policy. | | | **IncludeUsers** | Write | StringArray[] | Users in scope of the Policy. | | From dd6170aeeb2b3eb6f3cc6726a78942c0564ed905 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 8 Jan 2024 13:49:51 +0000 Subject: [PATCH 38/70] Update CHANGELOG.md --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8fea7e30fd..d05d99f9a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ * AADConditionalAccessPolicy * Added support for application filters in the conditions. +* IntuneDeviceConfigurationPolicyMacOS + * Fix workaround added on PR #4099 in order to be able to use this resource + for deployments + FIXES [#4105](https://github.com/microsoft/Microsoft365DSC/issues/4105) # 1.24.103.1 @@ -27,15 +31,11 @@ FIXES [#3929](https://github.com/microsoft/Microsoft365DSC/issues/3929) * IntuneDeviceConfigurationPolicyMacOS * Added parameter descriptions for better documentation - * Fix workaround added on PR #4099 in order to be able to use this resource - for deployments - FIXES [#4105](https://github.com/microsoft/Microsoft365DSC/issues/4105) * IntuneSettingCatalogCustomPolicyWindows10 * Fix Get-TargetResource when the parameter Id is not present FIXES [#4029](https://github.com/microsoft/Microsoft365DSC/issues/4003) * SPOTenantSettings * Added parameter descriptions for better documentation - * TeamsChannel * Add error handling if GroupId of a team is null FIXES [#3943](https://github.com/microsoft/Microsoft365DSC/issues/3943) From 7fabe0f791a59d4e1ec2dd0cab364308c7e05cae Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 8 Jan 2024 14:04:09 +0000 Subject: [PATCH 39/70] Update CHANGELOG.md --- CHANGELOG.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8272e9b4e8..a28d612a92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,15 +4,12 @@ * AADConditionalAccessPolicy * Added support for application filters in the conditions. + * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] * IntuneDeviceConfigurationPolicyMacOS * Fix workaround added on PR #4099 in order to be able to use this resource for deployments FIXES [#4105](https://github.com/microsoft/Microsoft365DSC/issues/4105) -# UNRELEASED -* AADConditionalAccessPolicy - * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] - # 1.24.103.1 * AADConditionalAccessPolicy From 6d332a918218b0220345bfd05cb409c12e83df59 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 8 Jan 2024 14:06:45 +0000 Subject: [PATCH 40/70] Fix CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a28d612a92..5a15932cc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,8 @@ * AADConditionalAccessPolicy * Added support for application filters in the conditions. - * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] + * Implement Fix #3885. Manage Exclude Application. + FIXES [#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885) * IntuneDeviceConfigurationPolicyMacOS * Fix workaround added on PR #4099 in order to be able to use this resource for deployments From c5395107930d00ae4b0d9f750ea0b72b39359112 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 8 Jan 2024 09:30:49 -0500 Subject: [PATCH 41/70] Fixes --- .../Examples/Resources/AADServicePrincipal/1-Create.ps1 | 4 ++-- .../Examples/Resources/AADServicePrincipal/2-Update.ps1 | 4 ++-- ...tlementManagementAccessPackageAssignmentPolicy.Tests.ps1 | 6 ++++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 index 8583af1bd5..5d148bc5bb 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/1-Create.ps1 @@ -22,9 +22,9 @@ Configuration Example AlternativeNames = "AlternativeName1","AlternativeName2" AccountEnabled = $true AppRoleAssignmentRequired = $false - Homepage = "https://$Domain/site/Home" + Homepage = "https://$Domain" LogoutUrl = "https://$Domain/logout" - ReplyURLs = "https://$Domain/Reply" + ReplyURLs = "https://$Domain" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 index 43fc5cf3a6..d50d7f231c 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADServicePrincipal/2-Update.ps1 @@ -22,9 +22,9 @@ Configuration Example AlternativeNames = "AlternativeName1","AlternativeName3" # Updated Property AccountEnabled = $true AppRoleAssignmentRequired = $false - Homepage = "https://$Domain/site/Home" + Homepage = "https://$Domain" LogoutUrl = "https://$Domain/logout" - ReplyURLs = "https://$Domain/Reply" + ReplyURLs = "https://$Domain" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 index b912a70e6b..713ae018fb 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEntitlementManagementAccessPackageAssignmentPolicy.Tests.ps1 @@ -386,6 +386,12 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' Credential = $Credential } + + Mock -CommandName Get-MgBetaEntitlementManagementAccessPackage -MockWith { + return @{ + Id = 'FakeStringValue' + } + } Mock -CommandName Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -MockWith { return @{ From 5bffb0930527448d95f4d8c000c614ef213eb8e9 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 15:25:29 +0000 Subject: [PATCH 42/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/azure-ad/AADApplication.md | 18 ++++++++++-------- .../AADAuthenticationMethodPolicyTemporary.md | 4 ++-- .../resources/azure-ad/AADServicePrincipal.md | 8 ++++---- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADApplication.md b/docs/docs/resources/azure-ad/AADApplication.md index 7224433224..2488190e43 100644 --- a/docs/docs/resources/azure-ad/AADApplication.md +++ b/docs/docs/resources/azure-ad/AADApplication.md @@ -84,6 +84,7 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADApplication 'AADApp1' @@ -91,12 +92,12 @@ Configuration Example DisplayName = "AppDisplayName" AvailableToOtherTenants = $false GroupMembershipClaims = "0" - Homepage = "https://app.contoso.com" - IdentifierUris = "https://app.contoso.com" + Homepage = "https://$Domain" + IdentifierUris = "https://$Domain" KnownClientApplications = "" - LogoutURL = "https://app.contoso.com/logout" + LogoutURL = "https://$Domain/logout" PublicClient = $false - ReplyURLs = "https://app.contoso.com" + ReplyURLs = "https://$Domain" Permissions = @( MSFT_AADApplicationPermission { @@ -142,6 +143,7 @@ Configuration Example ) Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] node localhost { AADApplication 'AADApp1' @@ -149,12 +151,12 @@ Configuration Example DisplayName = "AppDisplayName" AvailableToOtherTenants = $true # Updated Property GroupMembershipClaims = "0" - Homepage = "https://app.contoso.com" - IdentifierUris = "https://app.contoso.com" + Homepage = "https://$Domain" + IdentifierUris = "https://$Domain" KnownClientApplications = "" - LogoutURL = "https://app.contoso.com/logout" + LogoutURL = "https://$Domain/logout" PublicClient = $false - ReplyURLs = "https://app.contoso.com" + ReplyURLs = "https://$Domain" Permissions = @( MSFT_AADApplicationPermission { diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyTemporary.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyTemporary.md index 6ccb4a78f0..23c2499d7c 100644 --- a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyTemporary.md +++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyTemporary.md @@ -105,7 +105,7 @@ Configuration Example Id = "TemporaryAccessPass"; IncludeTargets = @( MSFT_AADAuthenticationMethodPolicyTemporaryIncludeTarget{ - Id = 'DSCGroup' + Id = 'Executives' TargetType = 'group' } ); @@ -151,7 +151,7 @@ Configuration Example Id = "TemporaryAccessPass"; IncludeTargets = @( MSFT_AADAuthenticationMethodPolicyTemporaryIncludeTarget{ - Id = 'DSCGroup' + Id = 'Executives' TargetType = 'group' } ); diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md index 661d2c5db1..6b31571f6c 100644 --- a/docs/docs/resources/azure-ad/AADServicePrincipal.md +++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md @@ -94,9 +94,9 @@ Configuration Example AlternativeNames = "AlternativeName1","AlternativeName2" AccountEnabled = $true AppRoleAssignmentRequired = $false - Homepage = "https://$Domain/site/Home" + Homepage = "https://$Domain" LogoutUrl = "https://$Domain/logout" - ReplyURLs = "https://$Domain/Reply" + ReplyURLs = "https://$Domain" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" @@ -131,9 +131,9 @@ Configuration Example AlternativeNames = "AlternativeName1","AlternativeName3" # Updated Property AccountEnabled = $true AppRoleAssignmentRequired = $false - Homepage = "https://$Domain/site/Home" + Homepage = "https://$Domain" LogoutUrl = "https://$Domain/logout" - ReplyURLs = "https://$Domain/Reply" + ReplyURLs = "https://$Domain" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" From 47e6e45b31153d64cffd16aaa89d6e7996d4311b Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 15:27:22 +0000 Subject: [PATCH 43/70] Updated {Create} AAD Integration Tests --- .../M365DSCIntegration.AAD.Create.Tests.ps1 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index a6d733205f..ea6f99f3a4 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -33,12 +33,12 @@ DisplayName = "AppDisplayName" AvailableToOtherTenants = $false GroupMembershipClaims = "0" - Homepage = "https://app.contoso.com" - IdentifierUris = "https://app.contoso.com" + Homepage = "https://$Domain" + IdentifierUris = "https://$Domain" KnownClientApplications = "" - LogoutURL = "https://app.contoso.com/logout" + LogoutURL = "https://$Domain/logout" PublicClient = $false - ReplyURLs = "https://app.contoso.com" + ReplyURLs = "https://$Domain" Permissions = @( MSFT_AADApplicationPermission { @@ -279,7 +279,7 @@ Id = "TemporaryAccessPass"; IncludeTargets = @( MSFT_AADAuthenticationMethodPolicyTemporaryIncludeTarget{ - Id = 'DSCGroup' + Id = 'Executives' TargetType = 'group' } ); @@ -542,9 +542,9 @@ AlternativeNames = "AlternativeName1","AlternativeName2" AccountEnabled = $true AppRoleAssignmentRequired = $false - Homepage = "https://$Domain/site/Home" + Homepage = "https://$Domain" LogoutUrl = "https://$Domain/logout" - ReplyURLs = "https://$Domain/Reply" + ReplyURLs = "https://$Domain" ServicePrincipalType = "Application" Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" Ensure = "Present" From ccbc737c934fff39a87219690e2502086de27c5d Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 8 Jan 2024 10:34:07 -0500 Subject: [PATCH 44/70] Integration Tests and Examples Fixes --- .../1-Create.ps1 | 4 +--- .../2-Update.ps1 | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/1-Create.ps1 index e555e01397..20018ebc40 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/1-Create.ps1 @@ -41,9 +41,7 @@ Configuration Example ) } }; - ApplicationId = 'c6957111-b1a6-479c-a15c-73e01ceb3b99' - CertificateThumbprint = 'ACD01315A4EBA42CD2E18EEE443AA280CC0BAB8B' - TenantId = 'M365x35070558.onmicrosoft.com' + Credential = $credsCredential Ensure = "Present"; } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/2-Update.ps1 index fa20869958..d3064c63ae 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCrossTenantAccessPolicyConfigurationPartner/2-Update.ps1 @@ -41,9 +41,7 @@ Configuration Example ) } }; - ApplicationId = 'c6957111-b1a6-479c-a15c-73e01ceb3b99' - CertificateThumbprint = 'ACD01315A4EBA42CD2E18EEE443AA280CC0BAB8B' - TenantId = 'M365x35070558.onmicrosoft.com' + Credential = $credsCredential Ensure = "Present"; } } From 558761b3c73e81e5cd1923cdb4e0384e248c59fc Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 15:35:30 +0000 Subject: [PATCH 45/70] Updated Resources and Cmdlet documentation pages --- .../AADCrossTenantAccessPolicyConfigurationPartner.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md b/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md index f14b0feb1b..d751a62886 100644 --- a/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md +++ b/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md @@ -142,9 +142,7 @@ Configuration Example ) } }; - ApplicationId = 'c6957111-b1a6-479c-a15c-73e01ceb3b99' - CertificateThumbprint = 'ACD01315A4EBA42CD2E18EEE443AA280CC0BAB8B' - TenantId = 'M365x35070558.onmicrosoft.com' + Credential = $credsCredential Ensure = "Present"; } } @@ -195,9 +193,7 @@ Configuration Example ) } }; - ApplicationId = 'c6957111-b1a6-479c-a15c-73e01ceb3b99' - CertificateThumbprint = 'ACD01315A4EBA42CD2E18EEE443AA280CC0BAB8B' - TenantId = 'M365x35070558.onmicrosoft.com' + Credential = $credsCredential Ensure = "Present"; } } From bae38ce999b84cbd3cb26cb40de843bb81258766 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 15:37:18 +0000 Subject: [PATCH 46/70] Updated {Create} AAD Integration Tests --- .../Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index ea6f99f3a4..5985ee8e64 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -401,9 +401,7 @@ ) } }; - ApplicationId = 'c6957111-b1a6-479c-a15c-73e01ceb3b99' - CertificateThumbprint = 'ACD01315A4EBA42CD2E18EEE443AA280CC0BAB8B' - TenantId = 'M365x35070558.onmicrosoft.com' + Credential = $credsCredential Ensure = "Present"; } AADEntitlementManagementAccessPackage 'myAccessPackage' From 2dfa919f739755210cdc0bc84076e2ccfdff5faa Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 8 Jan 2024 11:17:23 -0500 Subject: [PATCH 47/70] Integration Tests Fixes --- .../MSFT_AADAdministrativeUnit.psm1 | 12 ++++++------ .../MSFT_AADApplication.schema.mof | 2 +- ...ementManagementAccessPackageAssignmentPolicy.psm1 | 11 ++++++++++- ...lementManagementAccessPackageCatalogResource.psm1 | 5 +++-- .../MSFT_AADSocialIdentityProvider.psm1 | 1 + .../Examples/Resources/AADApplication/1-Create.ps1 | 2 +- .../Examples/Resources/AADApplication/2-Update.ps1 | 2 +- .../1-Create.ps1 | 4 ++-- .../2-Update.ps1 | 3 ++- 9 files changed, 27 insertions(+), 15 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 index 7d837c6524..09092a8b7b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 @@ -170,17 +170,17 @@ function Get-TargetResource #endregion } - if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.MembershipType)) + if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.membershipType)) { - $results.Add('MembershipType', $getValue.AdditionalProperties.MembershipType) + $results.Add('MembershipType', $getValue.AdditionalProperties.membershipType) } - if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.MembershipRule)) + if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.membershipRule)) { - $results.Add('MembershipRule', $getValue.AdditionalProperties.MembershipRule) + $results.Add('MembershipRule', $getValue.AdditionalProperties.membershipRule) } - if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.MembershipRuleProcessingState)) + if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.membershipRuleProcessingState)) { - $results.Add('MembershipRuleProcessingState', $getValue.AdditionalProperties.MembershipRuleProcessingState) + $results.Add('MembershipRuleProcessingState', $getValue.AdditionalProperties.membershipRuleProcessingState) } Write-Verbose -Message "AU {$DisplayName} MembershipType {$($results.MembershipType)}" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof index 5d1c6b778a..d0cd6efbcf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof @@ -14,7 +14,7 @@ class MSFT_AADApplication : OMI_BaseResource [Write, Description("ObjectID of the app.")] String ObjectId; [Write, Description("AppId for the app.")] String AppId; [Write, Description("Indicates whether this application is available in other tenants.")] Boolean AvailableToOtherTenants; - [Write, Description("A bitmask that configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. The bitmask values are: 0: None, 1: Security groups and Azure AD roles, 2: Reserved, and 4: Reserved. Setting the bitmask to 7 will get all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of.")] String GroupMembershipClaims; + [Write, Description("A bitmask that configures the groups claim issued in a user or OAuth 2.0 access token that the application expects.")] String GroupMembershipClaims; [Write, Description("The URL to the application's homepage.")] String Homepage; [Write, Description("User-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain.")] string IdentifierUris[]; [Write, Description("Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client such as web app. There are certain scenarios where Microsoft Entra ID cannot determine the client application type (for example, ROPC flow where it is configured without specifying a redirect URI). In those cases, Microsoft Entra ID will interpret the application type based on the value of this property.")] Boolean IsFallbackPublicClient; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 index 5adea9080f..62fb18a109 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy/MSFT_AADEntitlementManagementAccessPackageAssignmentPolicy.psm1 @@ -291,9 +291,18 @@ function Get-TargetResource } #endregion + $AccessPackageIdValue = $getValue.AccessPackageId + $ObjectGuid = [System.Guid]::empty + $isGUID = [System.Guid]::TryParse($AccessPackageIdValue, [System.Management.Automation.PSReference]$ObjectGuid) + if ($isGUID) + { + $accesspackage = Get-MgBetaEntitlementManagementAccessPackage -AccessPackageId $AccessPackageIdValue + $AccessPackageIdValue = $accesspackage.DisplayName + } + $results = @{ Id = $getValue.Id - AccessPackageId = $getValue.AccessPackageId + AccessPackageId = $AccessPackageIdValue AccessReviewSettings = $formattedAccessReviewSettings CanExtend = $getValue.CanExtend CustomExtensionHandlers = $formattedCustomExtensionHandlers diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 index 6bd79a482e..98a4ef18ea 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackageCatalogResource/MSFT_AADEntitlementManagementAccessPackageCatalogResource.psm1 @@ -111,7 +111,7 @@ function Get-TargetResource try { $getValue = $null - + $CatalogIdValue = $catalogId if (-not [System.String]::IsNullOrEmpty($CatalogId)) { $resource = ([Hashtable]$PSBoundParameters).clone() @@ -120,6 +120,7 @@ function Get-TargetResource { $catalogInstance = Get-MgBetaEntitlementManagementAccessPackageCatalog -Filter "DisplayName eq '$catalogId'" $CatalogId = $catalogInstance.Id + $CatalogIdValue = $catalogInstance.DisplayName } $getValue = Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource ` @@ -171,7 +172,7 @@ function Get-TargetResource $results = [ordered]@{ Id = $Id - CatalogId = $CatalogId + CatalogId = $CatalogIdValue Attributes = $hashAttributes AddedBy = $getValue.addedBy #Read-Only AddedOn = $getValue.addedOn #Read-Only diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/MSFT_AADSocialIdentityProvider.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/MSFT_AADSocialIdentityProvider.psm1 index d1aaa21d53..3031d6742f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/MSFT_AADSocialIdentityProvider.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/MSFT_AADSocialIdentityProvider.psm1 @@ -285,6 +285,7 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck.Remove('ClientSecret') | Out-Null Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 index ea5eef43e4..c57e9ba949 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/1-Create.ps1 @@ -19,7 +19,7 @@ Configuration Example { DisplayName = "AppDisplayName" AvailableToOtherTenants = $false - GroupMembershipClaims = "0" + GroupMembershipClaims = "None" Homepage = "https://$Domain" IdentifierUris = "https://$Domain" KnownClientApplications = "" diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 index 7d11185628..fc9c39407e 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADApplication/2-Update.ps1 @@ -19,7 +19,7 @@ Configuration Example { DisplayName = "AppDisplayName" AvailableToOtherTenants = $true # Updated Property - GroupMembershipClaims = "0" + GroupMembershipClaims = "None" Homepage = "https://$Domain" IdentifierUris = "https://$Domain" KnownClientApplications = "" diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 index 5ce75f3a5e..a7b6eec1f3 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 @@ -21,10 +21,10 @@ Configuration Example CatalogId = 'My Catalog' Description = 'My Resource' IsPendingOnboarding = $true - OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" + OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = "https://$Domain.sharepoint.com/sites/HumanResources" + Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 index 8294d98999..d957d72ab9 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 @@ -21,9 +21,10 @@ Configuration Example CatalogId = 'My Catalog' Description = 'My Resource' IsPendingOnboarding = $false # Updated Property - OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" + OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' + Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential From 3051dc4fe36cc28b3788cc6500f9dea54266aa36 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 16:19:30 +0000 Subject: [PATCH 48/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/azure-ad/AADApplication.md | 6 +++--- ...AADEntitlementManagementAccessPackageCatalogResource.md | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADApplication.md b/docs/docs/resources/azure-ad/AADApplication.md index 2488190e43..905304b5cc 100644 --- a/docs/docs/resources/azure-ad/AADApplication.md +++ b/docs/docs/resources/azure-ad/AADApplication.md @@ -8,7 +8,7 @@ | **ObjectId** | Write | String | ObjectID of the app. | | | **AppId** | Write | String | AppId for the app. | | | **AvailableToOtherTenants** | Write | Boolean | Indicates whether this application is available in other tenants. | | -| **GroupMembershipClaims** | Write | String | A bitmask that configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. The bitmask values are: 0: None, 1: Security groups and Azure AD roles, 2: Reserved, and 4: Reserved. Setting the bitmask to 7 will get all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of. | | +| **GroupMembershipClaims** | Write | String | A bitmask that configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. | | | **Homepage** | Write | String | The URL to the application's homepage. | | | **IdentifierUris** | Write | StringArray[] | User-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain. | | | **IsFallbackPublicClient** | Write | Boolean | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client such as web app. There are certain scenarios where Microsoft Entra ID cannot determine the client application type (for example, ROPC flow where it is configured without specifying a redirect URI). In those cases, Microsoft Entra ID will interpret the application type based on the value of this property. | | @@ -91,7 +91,7 @@ Configuration Example { DisplayName = "AppDisplayName" AvailableToOtherTenants = $false - GroupMembershipClaims = "0" + GroupMembershipClaims = "None" Homepage = "https://$Domain" IdentifierUris = "https://$Domain" KnownClientApplications = "" @@ -150,7 +150,7 @@ Configuration Example { DisplayName = "AppDisplayName" AvailableToOtherTenants = $true # Updated Property - GroupMembershipClaims = "0" + GroupMembershipClaims = "None" Homepage = "https://$Domain" IdentifierUris = "https://$Domain" KnownClientApplications = "" diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md index 7f32d90e47..78da4e623f 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md @@ -154,10 +154,10 @@ Configuration Example CatalogId = 'My Catalog' Description = 'My Resource' IsPendingOnboarding = $true - OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" + OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = "https://$Domain.sharepoint.com/sites/HumanResources" + Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } @@ -189,9 +189,10 @@ Configuration Example CatalogId = 'My Catalog' Description = 'My Resource' IsPendingOnboarding = $false # Updated Property - OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" + OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' + Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential From c5bf4e5a021a4106720feeabda417a2e55a0bac2 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 16:21:12 +0000 Subject: [PATCH 49/70] Updated {Create} AAD Integration Tests --- .../Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 5985ee8e64..8f41c02f45 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -32,7 +32,7 @@ { DisplayName = "AppDisplayName" AvailableToOtherTenants = $false - GroupMembershipClaims = "0" + GroupMembershipClaims = "None" Homepage = "https://$Domain" IdentifierUris = "https://$Domain" KnownClientApplications = "" @@ -459,10 +459,10 @@ CatalogId = 'My Catalog' Description = 'My Resource' IsPendingOnboarding = $true - OriginId = "https://$Domain.sharepoint.com/sites/HumanResources" + OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' - Url = "https://$Domain.sharepoint.com/sites/HumanResources" + Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } From 785627fdd67d92fac3621dd77cd396d6bf6404ec Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 8 Jan 2024 11:47:49 -0500 Subject: [PATCH 50/70] Fixes Integration --- .../1-Create.ps1 | 2 +- .../2-Update.ps1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 index a7b6eec1f3..acfae36718 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/1-Create.ps1 @@ -19,7 +19,7 @@ Configuration Example { DisplayName = 'Human Resources' CatalogId = 'My Catalog' - Description = 'My Resource' + Description = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" IsPendingOnboarding = $true OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 index d957d72ab9..00f1203afd 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 @@ -19,7 +19,7 @@ Configuration Example { DisplayName = 'Human Resources' CatalogId = 'My Catalog' - Description = 'My Resource' + Description = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" IsPendingOnboarding = $false # Updated Property OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' From 33902c5d86b00c5008b2116f91595ddb459b8ea5 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 16:49:24 +0000 Subject: [PATCH 51/70] Updated Resources and Cmdlet documentation pages --- .../AADEntitlementManagementAccessPackageCatalogResource.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md index 78da4e623f..358cb9dbf2 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md @@ -152,7 +152,7 @@ Configuration Example { DisplayName = 'Human Resources' CatalogId = 'My Catalog' - Description = 'My Resource' + Description = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" IsPendingOnboarding = $true OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' @@ -187,7 +187,7 @@ Configuration Example { DisplayName = 'Human Resources' CatalogId = 'My Catalog' - Description = 'My Resource' + Description = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" IsPendingOnboarding = $false # Updated Property OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' From 20c3a6dde7adad36d3894b0d7b3a1be414df5c3f Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 16:50:48 +0000 Subject: [PATCH 52/70] Updated {Create} AAD Integration Tests --- .../Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 8f41c02f45..244bada8f5 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -457,7 +457,7 @@ { DisplayName = 'Human Resources' CatalogId = 'My Catalog' - Description = 'My Resource' + Description = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" IsPendingOnboarding = $true OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" OriginSystem = 'SharePointOnline' From efe8533fc3c93e03d2fcd383e3f42c0cf53c1544 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 8 Jan 2024 12:17:17 -0500 Subject: [PATCH 53/70] Additional Fixes --- .../Resources/AADAuthenticationMethodPolicyX509/1-Create.ps1 | 3 --- .../Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 | 3 --- .../AADEntitlementManagementConnectedOrganization/1-Create.ps1 | 2 +- .../AADEntitlementManagementConnectedOrganization/2-Update.ps1 | 2 +- 4 files changed, 2 insertions(+), 8 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/1-Create.ps1 index dabae65428..8ebd005c43 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/1-Create.ps1 @@ -18,9 +18,6 @@ Configuration Example AADAuthenticationMethodPolicyX509 "AADAuthenticationMethodPolicyX509-X509Certificate" { AuthenticationModeConfiguration = MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration{ - - Rules = @(@() - ) X509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor' }; CertificateUserBindings = @( diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 index 0edadb587c..71aa99fb55 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 @@ -18,9 +18,6 @@ Configuration Example AADAuthenticationMethodPolicyX509 "AADAuthenticationMethodPolicyX509-X509Certificate" { AuthenticationModeConfiguration = MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration{ - - Rules = @(@() - ) X509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor' }; CertificateUserBindings = @( diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 index fb46388a1a..1d4fcd1896 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/1-Create.ps1 @@ -23,7 +23,7 @@ Configuration Example IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" - DisplayName = 'Contoso' + DisplayName = 'o365dsc' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 index 227bda391c..5044b39b3a 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementConnectedOrganization/2-Update.ps1 @@ -23,7 +23,7 @@ Configuration Example IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" - DisplayName = 'Contoso' + DisplayName = 'o365dsc' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); From 6cc313dc8334bd0ba16a46297fb4b5ff8928a800 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 17:18:49 +0000 Subject: [PATCH 54/70] Updated Resources and Cmdlet documentation pages --- .../resources/azure-ad/AADAuthenticationMethodPolicyX509.md | 6 ------ .../AADEntitlementManagementConnectedOrganization.md | 4 ++-- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md index 76071d519e..6dc986c758 100644 --- a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md +++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md @@ -119,9 +119,6 @@ Configuration Example AADAuthenticationMethodPolicyX509 "AADAuthenticationMethodPolicyX509-X509Certificate" { AuthenticationModeConfiguration = MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration{ - - Rules = @(@() - ) X509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor' }; CertificateUserBindings = @( @@ -183,9 +180,6 @@ Configuration Example AADAuthenticationMethodPolicyX509 "AADAuthenticationMethodPolicyX509-X509Certificate" { AuthenticationModeConfiguration = MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration{ - - Rules = @(@() - ) X509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor' }; CertificateUserBindings = @( diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md b/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md index 54f34e3b2e..6c2914836d 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementConnectedOrganization.md @@ -91,7 +91,7 @@ Configuration Example IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" - DisplayName = 'Contoso' + DisplayName = 'o365dsc' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); @@ -130,7 +130,7 @@ Configuration Example IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" - DisplayName = 'Contoso' + DisplayName = 'o365dsc' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); From f442ec736eaafc5302b88a77b33bcc7af398c91a Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 17:21:08 +0000 Subject: [PATCH 55/70] Updated {Create} AAD Integration Tests --- .../Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 244bada8f5..ec021a850f 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -305,9 +305,6 @@ AADAuthenticationMethodPolicyX509 'AADAuthenticationMethodPolicyX509-X509Certificate' { AuthenticationModeConfiguration = MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration{ - - Rules = @(@() - ) X509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor' }; CertificateUserBindings = @( @@ -474,7 +471,7 @@ IdentitySources = @( MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" - DisplayName = 'Contoso' + DisplayName = 'o365dsc' odataType = '#microsoft.graph.azureActiveDirectoryTenant' } ); From 46f3a74bf4f23e441aed8374cfa2517c9a829782 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 8 Jan 2024 12:45:46 -0500 Subject: [PATCH 56/70] Added AAD Update and Remove Tests --- .../workflows/Global - Integration - AAD.yml | 117 ++++++++++++++++++ 1 file changed, 117 insertions(+) diff --git a/.github/workflows/Global - Integration - AAD.yml b/.github/workflows/Global - Integration - AAD.yml index 22cbe9fb0d..7f681f74d9 100644 --- a/.github/workflows/Global - Integration - AAD.yml +++ b/.github/workflows/Global - Integration - AAD.yml @@ -86,3 +86,120 @@ jobs: { Write-Host "All resources in the Tenant are in the Desired State" } + - name: Generate {Update} Integration Tests from Examples + shell: powershell + run: | + Import-Module './Tests/Integration/M365DSCTestEngine.psm1' + New-M365DSCIntegrationTest -Workload AAD -Step '2-Update' + - name: Commit {Update} Integration Tests + shell: powershell + run: | + git config --local user.email "nicharl@microsoft.com" + git config --local user.name "NikCharlebois" + git add D:/a/Microsoft365DSC/Microsoft365DSC/Tests/Integration/* + git pull + git commit -m "Updated {Update} AAD Integration Tests" + git push + $SHA = git rev-parse HEAD + echo "commitid=$SHA" >> $env:GITHUB_OUTPUT + - name: Run {Update} Integration Tests + shell: powershell + env: + INTEGRATION_USERNAME: ${{ secrets.INTEGRATION_USERNAME }} + INTEGRATION_PASSWORD: ${{ secrets.INTEGRATION_PASSWORD }} + run: | + $CredPassword = ConvertTo-SecureString $env:INTEGRATION_PASSWORD -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ($env:INTEGRATION_USERNAME, $CredPassword) + try + { + & .\Tests\Integration\Microsoft365DSC\M365DSCIntegration.AAD.Update.Tests.ps1 -Credential $Credential + } + catch + { + throw $_ + } + + try + { + $Result = Test-DSCConfiguration -Detailed -Verbose -ErrorAction Stop + } + catch + { + throw $_ + } + + Write-Host "" + + if ($Result.InDesiredState -eq $false) + { + Write-Host -Message "Resources below are not in the Desired State:" + foreach ($Resource in $Result.ResourcesNotInDesiredState) + { + Write-Host $Resource.InstanceName + } + + throw "Could not validate that the Tenant is in the Desired State" + } + else + { + Write-Host "All resources in the Tenant are in the Desired State" + } + - name: Generate {Remove} Integration Tests from Examples + shell: powershell + run: | + Import-Module './Tests/Integration/M365DSCTestEngine.psm1' + New-M365DSCIntegrationTest -Workload AAD -Step '3-Remove' + - name: Commit {Remove} Integration Tests + shell: powershell + run: | + git config --local user.email "nicharl@microsoft.com" + git config --local user.name "NikCharlebois" + git add D:/a/Microsoft365DSC/Microsoft365DSC/Tests/Integration/* + git pull + git commit -m "Updated {Update} AAD Integration Tests" + git push + $SHA = git rev-parse HEAD + echo "commitid=$SHA" >> $env:GITHUB_OUTPUT + - name: Run {Remove} Integration Tests + shell: powershell + env: + INTEGRATION_USERNAME: ${{ secrets.INTEGRATION_USERNAME }} + INTEGRATION_PASSWORD: ${{ secrets.INTEGRATION_PASSWORD }} + run: | + $CredPassword = ConvertTo-SecureString $env:INTEGRATION_PASSWORD -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ($env:INTEGRATION_USERNAME, $CredPassword) + try + { + & .\Tests\Integration\Microsoft365DSC\M365DSCIntegration.AAD.Remove.Tests.ps1 -Credential $Credential + } + catch + { + throw $_ + } + + try + { + $Result = Test-DSCConfiguration -Detailed -Verbose -ErrorAction Stop + } + catch + { + throw $_ + } + + Write-Host "" + + if ($Result.InDesiredState -eq $false) + { + Write-Host -Message "Resources below are not in the Desired State:" + foreach ($Resource in $Result.ResourcesNotInDesiredState) + { + Write-Host $Resource.InstanceName + } + + throw "Could not validate that the Tenant is in the Desired State" + } + else + { + Write-Host "All resources in the Tenant are in the Desired State" + } + From e4f6c3eb6c5b41f54a8fdcbac5bdbba6158a281f Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 8 Jan 2024 17:52:10 +0000 Subject: [PATCH 57/70] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Update.Tests.ps1 | 806 ++++++++++++++++++ 1 file changed, 806 insertions(+) create mode 100644 Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 new file mode 100644 index 0000000000..dd39063f6d --- /dev/null +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 @@ -0,0 +1,806 @@ + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential + ) + + Configuration Master + { + param + ( + [Parameter(Mandatory = $true)] + [System.Management.Automation.PSCredential] + $Credscredential + ) + + Import-DscResource -ModuleName Microsoft365DSC + $Domain = $Credscredential.Username.Split('@')[1] + Node Localhost + { + AADAdministrativeUnit 'TestUnit' + { + DisplayName = 'Test-Unit' + MembershipRule = "(user.country -eq `"US`")" # Updated Property + MembershipRuleProcessingState = 'On' + MembershipType = 'Dynamic' + Ensure = 'Present' + Credential = $Credscredential + } + AADApplication 'AADApp1' + { + DisplayName = "AppDisplayName" + AvailableToOtherTenants = $true # Updated Property + GroupMembershipClaims = "None" + Homepage = "https://$Domain" + IdentifierUris = "https://$Domain" + KnownClientApplications = "" + LogoutURL = "https://$Domain/logout" + PublicClient = $false + ReplyURLs = "https://$Domain" + Permissions = @( + MSFT_AADApplicationPermission + { + Name = 'User.Read' + Type = 'Delegated' + SourceAPI = 'Microsoft Graph' + AdminConsentGranted = $false + } + MSFT_AADApplicationPermission + { + Name = 'User.ReadWrite.All' + Type = 'Delegated' + SourceAPI = 'Microsoft Graph' + AdminConsentGranted = $True + } + MSFT_AADApplicationPermission + { + Name = 'User.Read.All' + Type = 'AppOnly' + SourceAPI = 'Microsoft Graph' + AdminConsentGranted = $True + } + ) + Ensure = "Present" + Credential = $Credscredential + } + AADAttributeSet 'AADAttributeSetTest' + { + Credential = $credsCredential; + Description = "Attribute set with 420 attributes"; + Ensure = "Present"; + Id = "TestAttributeSet"; + MaxAttributesPerSet = 300; # Updated Property + } + AADAuthenticationContextClassReference 'AADAuthenticationContextClassReference-Test' + { + Credential = $credsCredential; + Description = "Context test Updated"; # Updated Property + DisplayName = "My Context"; + Ensure = "Present"; + Id = "c3"; + IsAvailable = $True; + } + AADAuthenticationMethodPolicy 'AADAuthenticationMethodPolicy-Authentication Methods Policy' + { + Description = "Updated"; # Updated Property + DisplayName = "Authentication Methods Policy"; + Ensure = "Present"; + Id = "authenticationMethodsPolicy"; + PolicyMigrationState = "migrationInProgress"; + PolicyVersion = "1.5"; + RegistrationEnforcement = MSFT_MicrosoftGraphregistrationEnforcement{ + AuthenticationMethodsRegistrationCampaign = MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaign{ + SnoozeDurationInDays = 1 + IncludeTargets = @( + MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaignIncludeTarget{ + TargetedAuthenticationMethod = 'microsoftAuthenticator' + TargetType = 'group' + Id = 'all_users' + } + ) + State = 'default' + } + }; + Credential = $credsCredential; + } + AADAuthenticationMethodPolicyAuthenticator 'AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator' + { + Credential = $Credscredential; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ + Id = 'Legal Team' + TargetType = 'group' + } + MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ + Id = 'Paralegals' + TargetType = 'group' + } + ); + FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{ + DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ + ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ + Id = 'all_users' + TargetType = 'group' + } + IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ + Id = 'all_users' + TargetType = 'group' + } + State = 'default' + } + CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ + ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ + Id = 'all_users' + TargetType = 'group' + } + IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ + Id = 'all_users' + TargetType = 'group' + } + State = 'default' + } + DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ + ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ + Id = 'all_users' + TargetType = 'group' + } + IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ + Id = 'all_users' + TargetType = 'group' + } + State = 'default' + } + }; + Id = "MicrosoftAuthenticator"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget{ + Id = 'Finance Team' + TargetType = 'group' + } + MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget{ + Id = 'Northwind Traders' + TargetType = 'group' + } + ); + IsSoftwareOathEnabled = $True; # Updated Property + State = "enabled"; + } + AADAuthenticationMethodPolicyEmail 'AADAuthenticationMethodPolicyEmail-Email' + { + AllowExternalIdToUseEmailOtp = "enabled"; + Credential = $Credscredential; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyEmailExcludeTarget{ + Id = 'Paralegals' + TargetType = 'group' + } + ); + Id = "Email"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyEmailIncludeTarget{ + Id = 'Finance Team' + TargetType = 'group' + } + MSFT_AADAuthenticationMethodPolicyEmailIncludeTarget{ + Id = 'Legal Team' + TargetType = 'group' + } + ); + State = "disabled"; # Updated Property + } + AADAuthenticationMethodPolicyFido2 'AADAuthenticationMethodPolicyFido2-Fido2' + { + Credential = $Credscredential; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget{ + Id = 'Paralegals' + TargetType = 'group' + } + MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget{ + Id = 'Executives' + TargetType = 'group' + } + ); + Id = "Fido2"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget{ + Id = 'all_users' + TargetType = 'group' + } + ); + IsAttestationEnforced = $False; + IsSelfServiceRegistrationAllowed = $True; + KeyRestrictions = MSFT_MicrosoftGraphfido2KeyRestrictions{ + IsEnforced = $False + EnforcementType = 'block' + AaGuids = @() + }; + State = "disabled"; # Updated Property + } + AADAuthenticationMethodPolicySms 'AADAuthenticationMethodPolicySms-Sms' + { + Credential = $Credscredential; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicySmsExcludeTarget{ + Id = 'All Employees' + TargetType = 'group' + } + ); + Id = "Sms"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicySmsIncludeTarget{ + Id = 'all_users' + TargetType = 'group' + } + ); + State = "disabled"; # Updated Property + } + AADAuthenticationMethodPolicySoftware 'AADAuthenticationMethodPolicySoftware-SoftwareOath' + { + Credential = $Credscredential; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicySoftwareExcludeTarget{ + Id = 'Executives' + TargetType = 'group' + } + MSFT_AADAuthenticationMethodPolicySoftwareExcludeTarget{ + Id = 'Paralegals' + TargetType = 'group' + } + ); + Id = "SoftwareOath"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicySoftwareIncludeTarget{ + Id = 'Legal Team' + TargetType = 'group' + } + ); + State = "disabled"; # Updated Property + } + AADAuthenticationMethodPolicyTemporary 'AADAuthenticationMethodPolicyTemporary-TemporaryAccessPass' + { + Credential = $Credscredential; + DefaultLength = 9; # Updated Property + DefaultLifetimeInMinutes = 60; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyTemporaryExcludeTarget{ + Id = 'All Company' + TargetType = 'group' + } + ); + Id = "TemporaryAccessPass"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyTemporaryIncludeTarget{ + Id = 'Executives' + TargetType = 'group' + } + ); + IsUsableOnce = $False; + MaximumLifetimeInMinutes = 480; + MinimumLifetimeInMinutes = 60; + State = "enabled"; + } + AADAuthenticationMethodPolicyVoice 'AADAuthenticationMethodPolicyVoice-Voice' + { + Credential = $Credscredential; + Ensure = "Present"; + Id = "Voice"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyVoiceIncludeTarget{ + Id = 'all_users' + TargetType = 'group' + } + ); + IsOfficePhoneAllowed = $True; # Updated Property + State = "disabled"; + } + AADAuthenticationMethodPolicyX509 'AADAuthenticationMethodPolicyX509-X509Certificate' + { + AuthenticationModeConfiguration = MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration{ + X509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor' + }; + CertificateUserBindings = @( + MSFT_MicrosoftGraphx509CertificateUserBinding{ + Priority = 1 + UserProperty = 'userPrincipalName' + X509CertificateField = 'PrincipalName' + } + MSFT_MicrosoftGraphx509CertificateUserBinding{ + Priority = 2 + UserProperty = 'userPrincipalName' + X509CertificateField = 'RFC822Name' + } + MSFT_MicrosoftGraphx509CertificateUserBinding{ + Priority = 3 + UserProperty = 'certificateUserIds' + X509CertificateField = 'SubjectKeyIdentifier' + } + ); + Credential = $Credscredential; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyX509ExcludeTarget{ + Id = 'DSCGroup' + TargetType = 'group' + } + ); + Id = "X509Certificate"; + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyX509IncludeTarget{ + Id = 'Finance Team' + TargetType = 'group' + } + ); + State = "disabled"; # Updated Property + } + AADAuthenticationStrengthPolicy 'AADAuthenticationStrengthPolicy-Example' + { + AllowedCombinations = @("windowsHelloForBusiness","fido2","deviceBasedPush"); # Updated Property + Description = "This is an example"; + DisplayName = "Example"; + Ensure = "Present"; + Credential = $Credscredential; + } + AADAuthorizationPolicy 'AADAuthPol' + { + IsSingleInstance = 'Yes' + DisplayName = 'Authorization Policy' + Description = 'Used to manage authorization related settings across the company.' + AllowEmailVerifiedUsersToJoinOrganization = $true + AllowInvitesFrom = 'everyone' + AllowedToSignUpEmailBasedSubscriptions = $true + AllowedToUseSspr = $true + BlockMsolPowerShell = $false + DefaultUserRoleAllowedToCreateApps = $true + DefaultUserRoleAllowedToCreateSecurityGroups = $true + DefaultUserRoleAllowedToReadOtherUsers = $true + GuestUserRole = 'Guest' + PermissionGrantPolicyIdsAssignedToDefaultUserRole = @() + Ensure = 'Present' + Credential = $Credscredential + } + AADConditionalAccessPolicy 'Allin-example' + { + ApplicationEnforcedRestrictionsIsEnabled = $False; + BuiltInControls = @("mfa"); + ClientAppTypes = @("all"); + CloudAppSecurityIsEnabled = $True; # Updated Porperty + Credential = $Credscredential; + DeviceFilterMode = "exclude"; + DeviceFilterRule = "device.trustType -eq `"AzureAD`" -or device.trustType -eq `"ServerAD`" -or device.trustType -eq `"Workplace`""; + DisplayName = "Example CAP"; + Ensure = "Present"; + ExcludeUsers = @("admin@$Domain"); + GrantControlOperator = "OR"; + IncludeApplications = @("All"); + IncludeRoles = @("Attack Payload Author"); + PersistentBrowserIsEnabled = $False; + SignInFrequencyInterval = "timeBased"; + SignInFrequencyIsEnabled = $True; + SignInFrequencyType = "hours"; + SignInFrequencyValue = 1; + State = "disabled"; + } + AADCrossTenantAccessPolicy 'AADCrossTenantAccessPolicy' + { + AllowedCloudEndpoints = @("microsoftonline.us"); + Credential = $Credscredential; + DisplayName = "MyXTAPPolicy"; + Ensure = "Present"; + IsSingleInstance = "Yes"; + } + AADCrossTenantAccessPolicyConfigurationDefault 'AADCrossTenantAccessPolicyConfigurationDefault' + { + B2BCollaborationInbound = MSFT_AADCrossTenantAccessPolicyB2BSetting { + Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'allowed' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllApplications' + TargetType = 'application' + } + ) + } + UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'allowed' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllUsers' + TargetType = 'user' + } + ) + } + } + B2BCollaborationOutbound = MSFT_AADCrossTenantAccessPolicyB2BSetting { + Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'allowed' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllApplications' + TargetType = 'application' + } + ) + } + UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'allowed' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllUsers' + TargetType = 'user' + } + ) + } + } + B2BDirectConnectInbound = MSFT_AADCrossTenantAccessPolicyB2BSetting { + Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'blocked' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllApplications' + TargetType = 'application' + } + ) + } + UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'blocked' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllUsers' + TargetType = 'user' + } + ) + } + } + B2BDirectConnectOutbound = MSFT_AADCrossTenantAccessPolicyB2BSetting { + Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'blocked' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllApplications' + TargetType = 'application' + } + ) + } + UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'blocked' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllUsers' + TargetType = 'user' + } + ) + } + } + Credential = $Credscredential; + Ensure = "Present"; + InboundTrust = MSFT_AADCrossTenantAccessPolicyInboundTrust { + IsCompliantDeviceAccepted = $False + IsHybridAzureADJoinedDeviceAccepted = $False + IsMfaAccepted = $False + } + IsSingleInstance = "Yes"; + } + AADCrossTenantAccessPolicyConfigurationPartner 'AADCrossTenantAccessPolicyConfigurationPartner' + { + PartnerTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc"; # O365DSC.onmicrosoft.com + AutomaticUserConsentSettings = MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings { + InboundAllowed = $False # Updated Property + OutboundAllowed = $True + }; + B2BCollaborationOutbound = MSFT_AADCrossTenantAccessPolicyB2BSetting { + Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'allowed' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = 'AllApplications' + TargetType = 'application' + } + ) + } + UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{ + AccessType = 'allowed' + Targets = @( + MSFT_AADCrossTenantAccessPolicyTarget{ + Target = '68bafe64-f86b-4c4e-b33b-9d3eaa11544b' # Office 365 + TargetType = 'user' + } + ) + } + }; + Credential = $credsCredential + Ensure = "Present"; + } + AADEntitlementManagementAccessPackage 'myAccessPackage' + { + AccessPackagesIncompatibleWith = @(); + CatalogId = "General"; + Credential = $Credscredential; + Description = "Integration Tests"; + DisplayName = "Integration Package"; + Ensure = "Present"; + IsHidden = $True; # Updated Property + IsRoleScopesVisible = $True; + } + AADEntitlementManagementAccessPackageAssignmentPolicy 'myAssignments' + { + AccessPackageId = "Integration Package"; + AccessReviewSettings = MSFT_MicrosoftGraphassignmentreviewsettings{ + IsEnabled = $True + StartDateTime = '12/17/2022 23:59:59' + IsAccessRecommendationEnabled = $True + AccessReviewTimeoutBehavior = 'keepAccess' + IsApprovalJustificationRequired = $True + ReviewerType = 'Self' + RecurrenceType = 'quarterly' + Reviewers = @() + DurationInDays = 25 + }; + CanExtend = $False; + Description = ""; + DisplayName = "External tenant"; + DurationInDays = 180; # Updated Property + RequestApprovalSettings = MSFT_MicrosoftGraphapprovalsettings{ + ApprovalMode = 'NoApproval' + IsRequestorJustificationRequired = $False + IsApprovalRequired = $False + IsApprovalRequiredForExtension = $False + }; + Ensure = "Present" + Credential = $Credscredential + } + AADEntitlementManagementAccessPackageCatalog 'myAccessPackageCatalog' + { + DisplayName = 'My Catalog' + CatalogStatus = 'Published' + CatalogType = 'UserManaged' + Description = 'Built-in catalog.' + IsExternallyVisible = $False # Updated Property + Managedidentity = $False + Ensure = 'Present' + Credential = $Credscredential + } + AADEntitlementManagementAccessPackageCatalogResource 'myAccessPackageCatalogResource' + { + DisplayName = 'Human Resources' + CatalogId = 'My Catalog' + Description = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" + IsPendingOnboarding = $false # Updated Property + OriginId = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" + OriginSystem = 'SharePointOnline' + ResourceType = 'SharePoint Online Site' + Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" + Url = "https://$Domain.sharepoint.com/sites/HumanResources" + Ensure = 'Present' + Credential = $Credscredential + } + AADEntitlementManagementConnectedOrganization 'MyConnectedOrganization' + { + Description = "This is the tenant partner - Updated"; # Updated Property + DisplayName = "Test Tenant - DSC"; + ExternalSponsors = @("AdeleV@$Domain"); + IdentitySources = @( + MSFT_AADEntitlementManagementConnectedOrganizationIdentitySource{ + ExternalTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc" + DisplayName = 'o365dsc' + odataType = '#microsoft.graph.azureActiveDirectoryTenant' + } + ); + InternalSponsors = @("AdeleV@$Domain"); + State = "configured"; + Ensure = "Present" + Credential = $Credscredential + } + AADExternalIdentityPolicy 'AADExternalIdentityPolicy' + { + AllowDeletedIdentitiesDataRemoval = $False; + AllowExternalIdentitiesToLeave = $True; + Credential = $credsCredential; + IsSingleInstance = "Yes"; + } + AADGroup 'MyGroups' + { + DisplayName = "DSCGroup" + Description = "Microsoft DSC Group Updated" # Updated Property + SecurityEnabled = $True + MailEnabled = $True + GroupTypes = @("Unified") + MailNickname = "M365DSC" + Visibility = "Private" + Ensure = "Present" + Credential = $Credscredential + } + AADGroupLifecyclePolicy 'GroupLifecyclePolicy' + { + IsSingleInstance = "Yes" + AlternateNotificationEmails = @("john.smith@contoso.com") + GroupLifetimeInDays = 99 + ManagedGroupTypes = "Selected" + Ensure = "Present" + Credential = $Credscredential + } + AADGroupsNamingPolicy 'GroupsNamingPolicy' + { + IsSingleInstance = "Yes" + CustomBlockedWordsList = @("CEO", "President") + PrefixSuffixNamingRequirement = "[Title]Test[Company][GroupName][Office]Redmond" + Ensure = "Present" + Credential = $Credscredential + } + AADGroupsSettings 'GeneralGroupsSettings' + { + IsSingleInstance = "Yes" + AllowGuestsToAccessGroups = $True + AllowGuestsToBeGroupOwner = $True + AllowToAddGuests = $True + EnableGroupCreation = $True + GroupCreationAllowedGroupName = "All Company" + GuestUsageGuidelinesUrl = "https://contoso.com/guestusage" + UsageGuidelinesUrl = "https://contoso.com/usage" + Ensure = "Present" + Credential = $Credscredential + } + AADNamedLocationPolicy 'CompanyNetwork' + { + DisplayName = "Company Network" + IpRanges = @("2.1.1.1/32") # Updated Property + IsTrusted = $False + OdataType = "#microsoft.graph.ipNamedLocation" + Ensure = "Present" + Credential = $Credscredential + } + AADRoleDefinition 'AADRoleDefinition1' + { + DisplayName = "DSCRole1" + Description = "DSC created role definition" + ResourceScopes = "/" + IsEnabled = $false # Updated Property + RolePermissions = "microsoft.directory/applicationPolicies/allProperties/read","microsoft.directory/applicationPolicies/allProperties/update","microsoft.directory/applicationPolicies/basic/update" + Version = "1.0" + Ensure = "Present" + Credential = $Credscredential + } + AADRoleEligibilityScheduleRequest 'MyRequest' + { + Action = "AdminAssign"; + Credential = $Credscredential; + DirectoryScopeId = "/"; + Ensure = "Present"; + IsValidationOnly = $True; # Updated Property + Principal = "AdeleV@$Domain"; + RoleDefinition = "Teams Communications Administrator"; + ScheduleInfo = MSFT_AADRoleEligibilityScheduleRequestSchedule { + startDateTime = '2023-09-01T02:40:44Z' + expiration = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration + { + endDateTime = '2025-10-31T02:40:09Z' + type = 'afterDateTime' + } + }; + } + AADRoleSetting '28b253d8-cde5-471f-a331-fe7320023cdd' + { + ActivateApprover = @(); + ActivationMaxDuration = "PT8H"; + ActivationReqJustification = $False; # Updated Property + ActivationReqMFA = $False; + ActivationReqTicket = $False; + ActiveAlertNotificationAdditionalRecipient = @(); + ActiveAlertNotificationDefaultRecipient = $True; + ActiveAlertNotificationOnlyCritical = $False; + ActiveApproveNotificationAdditionalRecipient = @(); + ActiveApproveNotificationDefaultRecipient = $True; + ActiveApproveNotificationOnlyCritical = $False; + ActiveAssigneeNotificationAdditionalRecipient = @(); + ActiveAssigneeNotificationDefaultRecipient = $True; + ActiveAssigneeNotificationOnlyCritical = $False; + ApprovaltoActivate = $False; + AssignmentReqJustification = $True; + AssignmentReqMFA = $False; + Displayname = "Application Administrator"; + ElegibilityAssignmentReqJustification = $False; + ElegibilityAssignmentReqMFA = $False; + EligibleAlertNotificationAdditionalRecipient = @(); + EligibleAlertNotificationDefaultRecipient = $True; + EligibleAlertNotificationOnlyCritical = $False; + EligibleApproveNotificationAdditionalRecipient = @(); + EligibleApproveNotificationDefaultRecipient = $True; + EligibleApproveNotificationOnlyCritical = $False; + EligibleAssigneeNotificationAdditionalRecipient = @(); + EligibleAssigneeNotificationDefaultRecipient = $True; + EligibleAssigneeNotificationOnlyCritical = $False; + EligibleAssignmentAlertNotificationAdditionalRecipient = @(); + EligibleAssignmentAlertNotificationDefaultRecipient = $True; + EligibleAssignmentAlertNotificationOnlyCritical = $False; + EligibleAssignmentAssigneeNotificationAdditionalRecipient = @(); + EligibleAssignmentAssigneeNotificationDefaultRecipient = $True; + EligibleAssignmentAssigneeNotificationOnlyCritical = $False; + ExpireActiveAssignment = "P180D"; + ExpireEligibleAssignment = "P365D"; + PermanentActiveAssignmentisExpirationRequired = $False; + PermanentEligibleAssignmentisExpirationRequired = $False; + Credential = $Credscredential + Ensure = 'Present' + } + AADServicePrincipal 'AADServicePrincipal' + { + AppId = 'AppDisplayName' + DisplayName = "AppDisplayName" + AlternativeNames = "AlternativeName1","AlternativeName3" # Updated Property + AccountEnabled = $true + AppRoleAssignmentRequired = $false + Homepage = "https://$Domain" + LogoutUrl = "https://$Domain/logout" + ReplyURLs = "https://$Domain" + ServicePrincipalType = "Application" + Tags = "{WindowsAzureActiveDirectoryIntegratedApp}" + Ensure = "Present" + Credential = $Credscredential + } + AADSocialIdentityProvider 'AADSocialIdentityProvider-Google' + { + ClientId = "Google-OAUTH"; + ClientSecret = "FakeSecret-Updated"; # Updated Property + Credential = $credsCredential; + DisplayName = "My Google Provider"; + Ensure = "Present"; + IdentityProviderType = "Google"; + } + AADTenantDetails 'ÇonfigureTenantDetails' + { + IsSingleInstance = 'Yes' + TechnicalNotificationMails = "example@contoso.com" + SecurityComplianceNotificationPhones = "+1123456789" + SecurityComplianceNotificationMails = "example@contoso.com" + MarketingNotificationEmails = "example@contoso.com" + Credential = $credsCredential + } + AADTokenLifetimePolicy 'CreateTokenLifetimePolicy' + { + DisplayName = "PolicyDisplayName" + Definition = @('{"TokenIssuancePolicy":{"Version": 1,"SigningAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1","TokenResponseSigningPolicy": "TokenOnly","SamlTokenVersion": "2.0"}}') + IsOrganizationDefault = $false + Ensure = "Present" + Credential = $Credscredential + } + AADUser 'ConfigureJohnSMith' + { + UserPrincipalName = "John.Smith@$Domain" + FirstName = "John" + LastName = "Smith" + DisplayName = "John J. Smith" + City = "Ottawa" # Updated + Country = "Canada" + Office = "Ottawa - Queen" + UsageLocation = "US" + Ensure = "Present" + Credential = $Credscredential + } + } + } + + $ConfigurationData = @{ + AllNodes = @( + @{ + NodeName = "Localhost" + PSDSCAllowPlaintextPassword = $true + } + ) + } + + # Compile and deploy configuration + try + { + Master -ConfigurationData $ConfigurationData -Credscredential $Credential + Start-DscConfiguration Master -Wait -Force -Verbose -ErrorAction Stop + } + catch + { + throw $_ + } From 1d83a87db2d4bdb974a1c968e02e53c902875d8d Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Tue, 9 Jan 2024 08:21:18 +0100 Subject: [PATCH 58/70] corrected resource-names --- CHANGELOG.md | 5 ----- .../DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md | 4 ++-- .../MSFT_AADGroupOwnerConsentSettings/settings.json | 4 ++-- 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e928937600..e9ed2a94b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,5 @@ # Change log for Microsoft365DSC -# Unreleased - * AADGroupOwnerConsentSettings - * Initial release - Implements [#4112](https://github.com/microsoft/Microsoft365DSC/issues/4112) - # 1.24.103.1 * AADConditionalAccessPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md index c600e94280..42c5aafab6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md @@ -1,6 +1,6 @@ -# AADGroupConsentPolicySettings +# AADGroupOwnerConsentPolicySettings ## Description -Azure AD Group Consent Settings +Azure AD Group Owner Consent Settings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json index a6181c60be..b2f664fc10 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json @@ -1,6 +1,6 @@ { - "resourceName": "AADGroupConsentSettings", - "description": "This resource configures an Azure AD Group Consent Settings.", + "resourceName": "AADGroupOwnerConsentSettings", + "description": "This resource configures an Azure AD Group Owner Consent Settings.", "permissions": { "graph": { "delegated": { From 9706bd569fdfb4676c3668452695e267e161c5bb Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Tue, 9 Jan 2024 08:23:09 +0100 Subject: [PATCH 59/70] updated changelog --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e918e3a4ca..4e34b105f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,12 +2,13 @@ # UNRELEASED +* AADGroupOwnerConsentSettings + * Initial release + Implements [#4112](https://github.com/microsoft/Microsoft365DSC/issues/4112) * AADAdministrativeUnit * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. * AADConditionalAccessPolicy * Added support for application filters in the conditions. - -# UNRELEASED * AADConditionalAccessPolicy * FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] From 41d9bdafb5049f4b9b5605719d8bacd68cc52935 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 10 Jan 2024 08:06:54 -0500 Subject: [PATCH 60/70] Various Int Tests Fixes --- CHANGELOG.md | 2 ++ ...thenticationMethodPolicyAuthenticator.psm1 | 26 +++++++++++---- ...SFT_AADAuthenticationMethodPolicyX509.psm1 | 32 +++++++++---------- ...DAuthenticationMethodPolicyX509.schema.mof | 1 + .../2-Update.ps1 | 20 ++---------- .../2-Update.ps1 | 2 +- .../2-Update.ps1 | 1 - 7 files changed, 41 insertions(+), 43 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e918e3a4ca..aced702bc8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ * AADAdministrativeUnit * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. +* AADAuthenticationMethodPolicyX509 + * Added support for the property for include targets * AADConditionalAccessPolicy * Added support for application filters in the conditions. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 index 123f728e20..1af1575dc7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 @@ -509,44 +509,56 @@ function Set-TargetResource $UpdateParameters.Remove('Id') | Out-Null # replace group Displayname with group id - if ($UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and + if ($UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.id -and ` + $UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and $UpdateParameters.featureSettings.ContainsKey('companionAppAllowedState')) { + Write-Verbose -Message 'Retrieving companionAppAllowedState include target' $Filter = "Displayname eq '$($UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.id)'" | Out-String $groupid = (Get-MgGroup -Filter $Filter).id.ToString() $UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.foreach('id',$groupid) } - if ($UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and + if ($UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.id -and ` + $UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and $UpdateParameters.featureSettings.ContainsKey('companionAppAllowedState')) { + Write-Verbose -Message 'Retrieving companionAppAllowedState include target' $Filter = "Displayname eq '$($UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.id)'" | Out-String $groupid = (Get-MgGroup -Filter $Filter).id.ToString() $UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.foreach('id',$groupid) } - if ($UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and + if ($UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.id -and ` + $UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and $UpdateParameters.featureSettings.ContainsKey('displayAppInformationRequiredState')) { + Write-Verbose -Message 'Retrieving displayAppInformationRequiredState include target' $Filter = "Displayname eq '$($UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.id)'" | Out-String $groupid = (Get-MgGroup -Filter $Filter).id.ToString() $UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.foreach('id',$groupid) } - if ($UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and + if ($UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.id -and ` + $UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and $UpdateParameters.featureSettings.ContainsKey('displayAppInformationRequiredState')) { + Write-Verbose -Message 'Retrieving displayAppInformationRequiredState exclude target' $Filter = "Displayname eq '$($UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.id)'" | Out-String $groupid = (Get-MgGroup -Filter $Filter).id.ToString() $UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.foreach('id',$groupid) } - if ($UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and - $UpdateParameters.featureSettings.ContainsKey('displayLocationInformationRequiredState')) + if ($UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.id -and ` + $UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and + $UpdateParameters.featureSettings.ContainsKey('displayLocationInformationRequiredState')) { + Write-Verbose -Message 'Retrieving displayLocationInformationRequiredState include target' $Filter = "Displayname eq '$($UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.id)'" | Out-String $groupid = (Get-MgGroup -Filter $Filter).id.ToString() $UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.foreach('id',$groupid) } - if ($UpdateParameters.featureSettings.displayLocationInformationRequiredState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and + if ($UpdateParameters.featureSettings.displayLocationInformationRequiredState.excludeTarget.id -and ` + $UpdateParameters.featureSettings.displayLocationInformationRequiredState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and $UpdateParameters.featureSettings.ContainsKey('displayLocationInformationRequiredState')) { + Write-Verbose -Message 'Retrieving displayLocationInformationRequiredState exclude target' $Filter = "Displayname eq '$($UpdateParameters.featureSettings.displayLocationInformationRequiredState.excludeTarget.id)'" | Out-String $groupid = (Get-MgGroup -Filter $Filter).id.ToString() $UpdateParameters.featureSettings.displayLocationInformationRequiredState.excludeTarget.foreach('id',$groupid) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.psm1 index ddf5986b79..80d6cfdef0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.psm1 @@ -181,6 +181,10 @@ function Get-TargetResource { $myIncludeTargets.Add('TargetType', $currentIncludeTargets.targetType.toString()) } + if ($null -ne $currentIncludeTargets.isRegistrationRequired) + { + $myIncludeTargets.Add('isRegistrationRequired', [Boolean]$currentIncludeTargets.isRegistrationRequired) + } if ($myIncludeTargets.values.Where({ $null -ne $_ }).count -gt 0) { $complexIncludeTargets += $myIncludeTargets @@ -365,26 +369,21 @@ function Set-TargetResource { $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key } - if ($key -eq 'IncludeTargets') + if ($key -eq 'ExcludeTargets' -or $key -eq 'IncludeTargets') { $i = 0 - foreach ($entry in $UpdateParameters.$key){ - if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') - { - $Filter = "Displayname eq '$($entry.id)'" | Out-String - $UpdateParameters.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) - } - $i++ - } - } - if ($key -eq 'ExcludeTargets') - { - $i = 0 - foreach ($entry in $UpdateParameters.$key){ + foreach ($entry in $UpdateParameters.$key) + { if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') { - $Filter = "Displayname eq '$($entry.id)'" | Out-String - $UpdateParameters.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) + $Filter = "Displayname eq '$($entry.id)'" + Write-Verbose -Message "Retrieving {$key} Group with DisplayName {$($entry.id)}" + $GroupInstance = Get-MgGroup -Filter $Filter -ErrorAction SilentlyContinue + if ($null -ne $GroupInstance) + { + Write-Verbose -Message "Found {$key} Group {$($GroupInstance.id.ToString())}" + $UpdateParameters.$key[$i].id = $GroupInstance.id.ToString() + } } $i++ } @@ -392,6 +391,7 @@ function Set-TargetResource } #region resource generator code $UpdateParameters.Add('@odata.type', '#microsoft.graph.x509CertificateAuthenticationMethodConfiguration') + Write-Verbose -Message "Updating with Values: $(Convert-M365DscHashtableToString -Hashtable $UpdateParameters)" Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration ` -AuthenticationMethodConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.schema.mof index 73f7cdce1a..5dcf2e7a00 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyX509/MSFT_AADAuthenticationMethodPolicyX509.schema.mof @@ -28,6 +28,7 @@ class MSFT_AADAuthenticationMethodPolicyX509ExcludeTarget class MSFT_AADAuthenticationMethodPolicyX509IncludeTarget { [Write, Description("The object identifier of an Azure AD group.")] String Id; + [Write, Description("Determines if the user is enforced to register the authentication method.")] Boolean isRegistrationRequired; [Write, Description("The type of the authentication method target. Possible values are: group and unknownFutureValue."), ValueMap{"group","unknownFutureValue"}, Values{"group","unknownFutureValue"}] String TargetType; }; diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 index af044fae17..b57ce2441d 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 @@ -19,22 +19,14 @@ Configuration Example { Credential = $Credscredential; Ensure = "Present"; - ExcludeTargets = @( + ExcludeTargets = @( # Updated Property MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ Id = 'Legal Team' TargetType = 'group' } - MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ - Id = 'Paralegals' - TargetType = 'group' - } ); FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{ DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -42,10 +34,6 @@ Configuration Example State = 'default' } CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -53,10 +41,6 @@ Configuration Example State = 'default' } DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -75,7 +59,7 @@ Configuration Example TargetType = 'group' } ); - IsSoftwareOathEnabled = $True; # Updated Property + IsSoftwareOathEnabled = $False; State = "enabled"; } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 index 71aa99fb55..8ebd005c43 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyX509/2-Update.ps1 @@ -52,7 +52,7 @@ Configuration Example TargetType = 'group' } ); - State = "disabled"; # Updated Property + State = "enabled"; } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 index 00f1203afd..7cbaf4e00b 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEntitlementManagementAccessPackageCatalogResource/2-Update.ps1 @@ -25,7 +25,6 @@ Configuration Example OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" - Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } From 3e9cd059b8eaaa55be16440121a26d22899fa1bd Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 10 Jan 2024 13:11:19 +0000 Subject: [PATCH 61/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/security-compliance/SCDLPComplianceRule.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/resources/security-compliance/SCDLPComplianceRule.md b/docs/docs/resources/security-compliance/SCDLPComplianceRule.md index 2ca9d67bb4..2dbbf71950 100644 --- a/docs/docs/resources/security-compliance/SCDLPComplianceRule.md +++ b/docs/docs/resources/security-compliance/SCDLPComplianceRule.md @@ -6,7 +6,7 @@ | --- | --- | --- | --- | --- | | **Name** | Key | String | Name of the Rule. | | | **Policy** | Required | String | Name of the associated DLP Compliance Policy. | | -| **AccessScope** | Write | StringArray[] | The AccessScope parameter specifies a condition for the DLP rule that's based on the access scope of the content. The rule is applied to content that matches the specified access scope. | `InOrganization`, `NotInOrganization`, `None` | +| **AccessScope** | Write | String | The AccessScope parameter specifies a condition for the DLP rule that's based on the access scope of the content. The rule is applied to content that matches the specified access scope. | `InOrganization`, `NotInOrganization`, `None` | | **BlockAccess** | Write | Boolean | The BlockAccess parameter specifies an action for the DLP rule that blocks access to the source item when the conditions of the rule are met. $true: Blocks further access to the source item that matched the rule. The owner, author, and site owner can still access the item. $false: Allows access to the source item that matched the rule. This is the default value. | | | **BlockAccessScope** | Write | String | The BlockAccessScope parameter specifies the scope of the block access action. | `All`, `PerUser` | | **Comment** | Write | String | The Comment parameter specifies an optional comment. If you specify a value that contains spaces, enclose the value in quotation marks. | | From 4814fe7e5d1d0721b49ad79ae9602f64e8c0c6b3 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 10 Jan 2024 14:27:22 +0000 Subject: [PATCH 62/70] Updated Resources and Cmdlet documentation pages --- ...AuthenticationMethodPolicyAuthenticator.md | 20 ++----------------- .../AADAuthenticationMethodPolicyX509.md | 3 ++- ...tManagementAccessPackageCatalogResource.md | 1 - 3 files changed, 4 insertions(+), 20 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md index 1033682cb1..4e52342a9c 100644 --- a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md +++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md @@ -206,22 +206,14 @@ Configuration Example { Credential = $Credscredential; Ensure = "Present"; - ExcludeTargets = @( + ExcludeTargets = @( # Updated Property MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ Id = 'Legal Team' TargetType = 'group' } - MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ - Id = 'Paralegals' - TargetType = 'group' - } ); FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{ DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -229,10 +221,6 @@ Configuration Example State = 'default' } CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -240,10 +228,6 @@ Configuration Example State = 'default' } DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -262,7 +246,7 @@ Configuration Example TargetType = 'group' } ); - IsSoftwareOathEnabled = $True; # Updated Property + IsSoftwareOathEnabled = $False; State = "enabled"; } } diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md index 6dc986c758..d7b1e36665 100644 --- a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md +++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyX509.md @@ -63,6 +63,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | | **Id** | Write | String | The object identifier of an Azure AD group. | | +| **isRegistrationRequired** | Write | Boolean | Determines if the user is enforced to register the authentication method. | | | **TargetType** | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | `group`, `unknownFutureValue` | @@ -214,7 +215,7 @@ Configuration Example TargetType = 'group' } ); - State = "disabled"; # Updated Property + State = "enabled"; } } } diff --git a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md index 358cb9dbf2..5570af13c9 100644 --- a/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md +++ b/docs/docs/resources/azure-ad/AADEntitlementManagementAccessPackageCatalogResource.md @@ -193,7 +193,6 @@ Configuration Example OriginSystem = 'SharePointOnline' ResourceType = 'SharePoint Online Site' Url = "https://$($Domain.Split('.')[0]).sharepoint.com/sites/HumanResources" - Url = "https://$Domain.sharepoint.com/sites/HumanResources" Ensure = 'Present' Credential = $Credscredential } From 7cb5b9e12fc57c23e60990dd43c1b8e9f6d558d3 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 10 Jan 2024 14:42:05 +0000 Subject: [PATCH 63/70] Updated Resources and Cmdlet documentation pages --- .../docs/resources/exchange/EXOMailContact.md | 52 +++++++++++++------ 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/docs/docs/resources/exchange/EXOMailContact.md b/docs/docs/resources/exchange/EXOMailContact.md index 5266f130b1..e7cc1779c4 100644 --- a/docs/docs/resources/exchange/EXOMailContact.md +++ b/docs/docs/resources/exchange/EXOMailContact.md @@ -19,6 +19,26 @@ | **OrganizationalUnit** | Write | String | The OrganizationalUnit parameter specifies the location in Active Directory where the new contact is created. | | | **SendModerationNotifications** | Write | String | The SendModerationNotifications parameter specifies when moderation notification messages are sent. Valid values are: ALways, Internal, Never | `Always`, `Internal`, `Never` | | **UsePreferMessageFormat** | Write | Boolean | The UsePreferMessageFormat specifies whether the message format settings configured for the mail user or mail contact override the global settings configured for the remote domain or configured by the message sender | | +| **CustomAttribute1** | Write | String | The CustomAttribute1 parameter specifies the value of the CustomAttribute1 | | +| **CustomAttribute2** | Write | String | The CustomAttribute2 parameter specifies the value of the CustomAttribute2 | | +| **CustomAttribute3** | Write | String | The CustomAttribute3 parameter specifies the value of the CustomAttribute3 | | +| **CustomAttribute4** | Write | String | The CustomAttribute4 parameter specifies the value of the CustomAttribute4 | | +| **CustomAttribute5** | Write | String | The CustomAttribute5 parameter specifies the value of the CustomAttribute5 | | +| **CustomAttribute6** | Write | String | The CustomAttribute6 parameter specifies the value of the CustomAttribute6 | | +| **CustomAttribute7** | Write | String | The CustomAttribute7 parameter specifies the value of the CustomAttribute7 | | +| **CustomAttribute8** | Write | String | The CustomAttribute8 parameter specifies the value of the CustomAttribute8 | | +| **CustomAttribute9** | Write | String | The CustomAttribute9 parameter specifies the value of the CustomAttribute9 | | +| **CustomAttribute10** | Write | String | The CustomAttribute10 parameter specifies the value of the CustomAttribute10 | | +| **CustomAttribute11** | Write | String | The CustomAttribute11 parameter specifies the value of the CustomAttribute11 | | +| **CustomAttribute12** | Write | String | The CustomAttribute12 parameter specifies the value of the CustomAttribute12 | | +| **CustomAttribute13** | Write | String | The CustomAttribute13 parameter specifies the value of the CustomAttribute13 | | +| **CustomAttribute14** | Write | String | The CustomAttribute14 parameter specifies the value of the CustomAttribute14 | | +| **CustomAttribute15** | Write | String | The CustomAttribute15 parameter specifies the value of the CustomAttribute15 | | +| **ExtensionCustomAttribute1** | Write | StringArray[] | The ExtensionCustomAttribute1 parameter specifies the value of the ExtensionCustomAttribute1 | | +| **ExtensionCustomAttribute2** | Write | StringArray[] | The ExtensionCustomAttribute2 parameter specifies the value of the ExtensionCustomAttribute2 | | +| **ExtensionCustomAttribute3** | Write | StringArray[] | The ExtensionCustomAttribute3 parameter specifies the value of the ExtensionCustomAttribute3 | | +| **ExtensionCustomAttribute4** | Write | StringArray[] | The ExtensionCustomAttribute4 parameter specifies the value of the ExtensionCustomAttribute4 | | +| **ExtensionCustomAttribute5** | Write | StringArray[] | The ExtensionCustomAttribute5 parameter specifies the value of the ExtensionCustomAttribute5 | | | **Ensure** | Write | String | Specifies if this Contact should exist. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Exchange Global Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | @@ -61,7 +81,7 @@ Configuration Example param( [Parameter(Mandatory = $true)] [PSCredential] - $credsCredential + $Credscredential ) Import-DscResource -ModuleName Microsoft365DSC @@ -69,20 +89,22 @@ Configuration Example { EXOMailContact 'TestMailContact' { - Alias = "TestMailContact"; - Credential = $Credscredential; - DisplayName = "My Test Contact"; - Ensure = "Present"; - ExternalEmailAddress = "SMTP:test@tailspintoys.com"; - MacAttachmentFormat = "BinHex"; - MessageBodyFormat = "TextAndHtml"; - MessageFormat = "Mime"; - ModeratedBy = @(); - ModerationEnabled = $False; - Name = "My Test Contact"; - OrganizationalUnit = "nampr03a010.prod.outlook.com/Microsoft Exchange Hosted Organizations/$OrganizationName"; - SendModerationNotifications = "Always"; - UsePreferMessageFormat = $True; + Alias = 'TestMailContact' + Credential = $Credscredential + DisplayName = 'My Test Contact' + Ensure = 'Present' + ExternalEmailAddress = 'SMTP:test@tailspintoys.com' + MacAttachmentFormat = 'BinHex' + MessageBodyFormat = 'TextAndHtml' + MessageFormat = 'Mime' + ModeratedBy = @() + ModerationEnabled = $false + Name = 'My Test Contact' + OrganizationalUnit = "nampr03a010.prod.outlook.com/Microsoft Exchange Hosted Organizations/$OrganizationName" + SendModerationNotifications = 'Always' + UsePreferMessageFormat = $true + CustomAttribute1 = 'Custom Value 1' + ExtensionCustomAttribute5 = 'Extension Custom Value 1', 'Extension Custom Value 2' } } } From 389c899a1b705f8895dc4785fd8dce33e88d577d Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 10 Jan 2024 09:43:35 -0500 Subject: [PATCH 64/70] Update CHANGELOG.md --- CHANGELOG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2916cf3c18..89841c7431 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Change log for Microsoft365DSC -# UNRELEASED +# 1.24.110.1 * AADAdministrativeUnit * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. @@ -9,9 +9,11 @@ * Implement Fix #3885. Manage Exclude Application. FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] * EXOHostedContentFilterPolicy - * Fix issue on parameters AllowedSenders, AllowedSenderDomains, BlockedSenders, + * Fix issue on parameters AllowedSenders, AllowedSenderDomains, BlockedSenders, BlockSenderDomains if desired state is empty but current state is not empty. FIXES[#4124](https://github.com/microsoft/Microsoft365DSC/issues/4124) +* EXOMailContact + * Added support for Custom Attributes and Extension Custom Attributes. * IntuneDeviceConfigurationPolicyMacOS * Fix workaround added on PR #4099 in order to be able to use this resource for deployments From 5225a928439c38d71a88ed49fe8720efb5318156 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 10 Jan 2024 16:54:42 +0000 Subject: [PATCH 65/70] Updated Resources and Cmdlet documentation pages --- .../azure-ad/AADGroupOwnerConsentSettings.md | 114 ++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md diff --git a/docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md b/docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md new file mode 100644 index 0000000000..8c87bd96a1 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md @@ -0,0 +1,114 @@ +# AADGroupOwnerConsentSettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **EnableGroupSpecificConsent** | Write | Boolean | Flag indicating if groups owners are allowed to grant group specific permissions. | | +| **BlockUserConsentForRiskyApps** | Write | Boolean | Flag indicating if user consent will be blocked when a risky request is detected. Administrators will still be able to consent to apps considered risky. | | +| **EnableAdminConsentRequests** | Write | Boolean | Flag indicating if users will be able to request admin consent when they are unable to grant consent to an app themselves. | | +| **ConstrainGroupSpecificConsentToMembersOfGroupName** | Write | String | If EnableGroupSpecificConsent is set to “True” and this is set to a security group name, members (both direct and transitive) of the group identified will be authorized to grant group-specific permissions to the groups they own. | | +| **Ensure** | Write | String | Specify if the Azure AD Group Consent Settings should exist or not. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | + + +# AADGroupOwnerConsentPolicySettings + +## Description + +Azure AD Group Owner Consent Settings + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Directory.Read.All, Group.Read.All + +- **Update** + + - Directory.ReadWrite.All, Policy.ReadWrite.Authorization + +#### Application permissions + +- **Read** + + - Directory.Read.All, Group.Read.All + +- **Update** + + - Directory.ReadWrite.All, Policy.ReadWrite.Authorization + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADGroupOwnerConsentSettings 'Example' + { + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $false + BlockUserConsentForRiskyApps = $true + EnableAdminConsentRequests = $false + #ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 + Ensure = 'Present' + Credential = $Credscredential + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADGroupOwnerConsentSettings 'Example' + { + IsSingleInstance = "Yes" + EnableGroupSpecificConsent = $true # prerequisite for specifying a constraining group + ConstrainGroupSpecificConsentToMembersOfGroupName = 'Group-Vetted-GroupOwners' + Ensure = 'Present' + Credential = $Credscredential + } + } +} +``` + From 299f9341f58b1b47694a6de5625e3701d9f7d792 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 10 Jan 2024 13:16:00 -0500 Subject: [PATCH 66/70] Fixes Tests --- .../1-Create.ps1 | 13 ------------- .../2-Update.ps1 | 12 ------------ 2 files changed, 25 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 index fb6900710a..0b8f318d57 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 @@ -30,11 +30,6 @@ Configuration Example } ); FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{ - DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -42,10 +37,6 @@ Configuration Example State = 'default' } CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -53,10 +44,6 @@ Configuration Example State = 'default' } DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 index af044fae17..0d6ef9e0e0 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 @@ -31,10 +31,6 @@ Configuration Example ); FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{ DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -42,10 +38,6 @@ Configuration Example State = 'default' } CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -53,10 +45,6 @@ Configuration Example State = 'default' } DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' From 2a9927fc110fae3263312ec4df5a6aa4d4606b0b Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 10 Jan 2024 13:19:53 -0500 Subject: [PATCH 67/70] Release candidate --- CHANGELOG.md | 4 +- Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 60 +++++++++----------- 2 files changed, 28 insertions(+), 36 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3139ee3450..d15532bb40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,14 +2,12 @@ # 1.24.110.1 - * AADAdministrativeUnit * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. * AADAuthenticationMethodPolicyX509 * Added support for the property for include targets * AADConditionalAccessPolicy * Added support for application filters in the conditions. -* AADConditionalAccessPolicy * Implement Fix #3885. Manage Exclude Application. FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] * AADGroupOwnerConsentSettings @@ -28,6 +26,8 @@ * SCDLPComplianceRule * Fix type of AccessScope FIXES [#3463](https://github.com/microsoft/Microsoft365DSC/issues/3463) +* TeamsTenantDialPlan + * FIXES [#3767](https://github.com/microsoft/Microsoft365DSC/issues/3767) # 1.24.103.1 diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index ffe31fa83a..7f2b2f7538 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2024-01-03 +# Generated on: 2024-01-10 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.24.103.1' + ModuleVersion = '1.24.110.1' # Supported PSEditions # CompatiblePSEditions = @() @@ -140,40 +140,32 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* AADConditionalAccessPolicy - * Fix Get-TargetResource when the parameter Id is not present - FIXES [#4029](https://github.com/microsoft/Microsoft365DSC/issues/4003) - * EXOInboundConnector - * Corrected parameter descriptions, so the documentation on microsoft365dsc.com is generated correctly. - * EXOMailTips - * Added parameter descriptions for better documentation - * EXOOutboundConnector - * Corrected parameter descriptions, so the documentation on microsoft365dsc.com is generated correctly. - * EXOReportSubmissionPolicy + ReleaseNotes = '* AADAdministrativeUnit + * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. + * AADAuthenticationMethodPolicyX509 + * Added support for the property for include targets + * AADConditionalAccessPolicy + * Added support for application filters in the conditions. + * Implement Fix #3885. Manage Exclude Application. + FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] + * AADGroupOwnerConsentSettings * Initial release - FIXES [#3690](https://github.com/microsoft/Microsoft365DSC/issues/3690) - * EXOReportSubmissionRule - * Initial release - FIXES [#3690](https://github.com/microsoft/Microsoft365DSC/issues/3690) - * EXOTransportRule - * Stop supporting DLP-related rules, conditions, and actions (https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-mail-flow-rules-to-stop-supporting-dlp-related/ba-p/3959870) - FIXES [#3929](https://github.com/microsoft/Microsoft365DSC/issues/3929) + Implements [#4112](https://github.com/microsoft/Microsoft365DSC/issues/4112) + * EXOHostedContentFilterPolicy + * Fix issue on parameters AllowedSenders, AllowedSenderDomains, BlockedSenders, + BlockSenderDomains if desired state is empty but current state is not empty. + FIXES[#4124](https://github.com/microsoft/Microsoft365DSC/issues/4124) + * EXOMailContact + * Added support for Custom Attributes and Extension Custom Attributes. * IntuneDeviceConfigurationPolicyMacOS - * Added parameter descriptions for better documentation - * IntuneSettingCatalogCustomPolicyWindows10 - * Fix Get-TargetResource when the parameter Id is not present - FIXES [#4029](https://github.com/microsoft/Microsoft365DSC/issues/4003) - * SPOTenantSettings - * Added parameter descriptions for better documentation - * TeamsChannel - * Add error handling if GroupId of a team is null - FIXES [#3943](https://github.com/microsoft/Microsoft365DSC/issues/3943) - * TeamsFeedbackPolicy - * Added parameter descriptions for better documentation - * TeamsMobilityPolicy - * Added parameter descriptions for better documentation - * TeamsNetworkRoamingPolicy - * Added parameter descriptions for better documentation' + * Fix workaround added on PR #4099 in order to be able to use this resource + for deployments + FIXES [#4105](https://github.com/microsoft/Microsoft365DSC/issues/4105) + * SCDLPComplianceRule + * Fix type of AccessScope + FIXES [#3463](https://github.com/microsoft/Microsoft365DSC/issues/3463) + * TeamsTenantDialPlan + * FIXES [#3767](https://github.com/microsoft/Microsoft365DSC/issues/3767)' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false From 5eb0e1a105d7221bcd2be7d323ad79d511742d38 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 10 Jan 2024 14:21:10 -0500 Subject: [PATCH 68/70] Fixes --- .../MSFT_AADGroupOwnerConsentSettings.psm1 | 90 +++++-------------- .../1-Create.ps1 | 5 +- .../2-Update.ps1 | 4 +- 3 files changed, 27 insertions(+), 72 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 index 507f857ec8..f28a7d0546 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 @@ -77,7 +77,7 @@ function Get-TargetResource $getValue = $null $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId - write-verbose "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" + Write-Verbose -Message "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" $templateSettings = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId $getValue = Get-MgGroupSetting -GroupSettingId $consentPolicySettingsTemplateId -ErrorAction SilentlyContinue @@ -97,9 +97,9 @@ function Get-TargetResource Write-Verbose -Message "UNEXPECTED: Could not find an Azure AD Group Consent Settings with DisplayName {$($templateSettings.DisplayName)}" # insert default values from template - $nullresult.EnableGroupSpecificConsent = $templateSettings.Values.Where({$_.Name -eq 'EnableGroupSpecificConsent' }).DefaultValue - $nullresult.BlockUserConsentForRiskyApps = $templateSettings.Values.Where({$_.Name -eq 'BlockUserConsentForRiskyApps'}).DefaultValue - $nullresult.EnableAdminConsentRequests = $templateSettings.Values.Where({$_.Name -eq 'EnableAdminConsentRequests' }).DefaultValue + $nullresult.EnableGroupSpecificConsent = [Boolean]($templateSettings.Values.Where({$_.Name -eq 'EnableGroupSpecificConsent' }).DefaultValue) + $nullresult.BlockUserConsentForRiskyApps = [Boolean]($templateSettings.Values.Where({$_.Name -eq 'BlockUserConsentForRiskyApps'}).DefaultValue) + $nullresult.EnableAdminConsentRequests = [Boolean]($templateSettings.Values.Where({$_.Name -eq 'EnableAdminConsentRequests' }).DefaultValue) $nullresult.ConstrainGroupSpecificConsentToMembersOfGroupName = $null return $nullResult } @@ -124,9 +124,9 @@ function Get-TargetResource $results = @{ IsSingleInstance = 'Yes' - EnableGroupSpecificConsent = $groupSettingsValues.EnableGroupSpecificConsent - BlockUserConsentForRiskyApps = $groupSettingsValues.BlockUserConsentForRiskyApps - EnableAdminConsentRequests = $groupSettingsValues.EnableAdminConsentRequests + EnableGroupSpecificConsent = [Boolean]$groupSettingsValues.EnableGroupSpecificConsent + BlockUserConsentForRiskyApps = [Boolean]$groupSettingsValues.BlockUserConsentForRiskyApps + EnableAdminConsentRequests = [Boolean]$groupSettingsValues.EnableAdminConsentRequests ConstrainGroupSpecificConsentToMembersOfGroupName = $constrainConsentToGroupName Ensure = 'Present' Credential = $Credential @@ -380,41 +380,11 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of the Azure AD Group Consent Settings with Id {$Id} and DisplayName {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Azure AD Group Consent Settings" $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } - $testResult = $true - - #Compare Cim instances - foreach ($key in $PSBoundParameters.Keys) - { - $source = $PSBoundParameters.$key - $target = $CurrentValues.$key - if ($source.getType().Name -like '*CimInstance*') - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) - - if (-Not $testResult) - { - $testResult = $false - break - } - - $ValuesToCheck.Remove($key) | Out-Null - } - } - $ValuesToCheck.remove('Id') | Out-Null $ValuesToCheck.Remove('Credential') | Out-Null $ValuesToCheck.Remove('ApplicationId') | Out-Null @@ -424,13 +394,10 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - if ($testResult) - { - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - } + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $testResult" @@ -503,29 +470,20 @@ function Export-TargetResource } $results = Get-TargetResource @params - if ($results -is [System.Collections.Hashtable] -and $results.Count -gt 1) - { - Write-Host "`r`n" -NoNewline - Write-Host " |---[1/1] $($groupConsentSettingsTemplate.DisplayName)" -NoNewline - $results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $results - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $results ` - -Credential $Credential - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName - - Write-Host $Global:M365DSCEmojiGreenCheckMark - } - else - { - Write-Host $Global:M365DSCEmojiRedX - } + Write-Host "`r`n" -NoNewline + Write-Host " |---[1/1] $($groupConsentSettingsTemplate.DisplayName)" -NoNewline + $results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $results + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $results ` + -Credential $Credential + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark return $currentDSCBlock - } catch { diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 index 0b8f318d57..4154df76fb 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/1-Create.ps1 @@ -24,12 +24,9 @@ Configuration Example Id = 'Legal Team' TargetType = 'group' } - MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ - Id = 'Paralegals' - TargetType = 'group' - } ); FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{ + DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 index b57ce2441d..e5249bc9b3 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyAuthenticator/2-Update.ps1 @@ -19,9 +19,9 @@ Configuration Example { Credential = $Credscredential; Ensure = "Present"; - ExcludeTargets = @( # Updated Property + ExcludeTargets = @( MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ - Id = 'Legal Team' + Id = 'Finance Team' # Updated Property TargetType = 'group' } ); From 83473a9a7f1fb13025afccb46b9ec0842abdbb46 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 10 Jan 2024 15:14:41 -0500 Subject: [PATCH 69/70] Revert "AADGroupOwnerConsentSettings - initial release" --- CHANGELOG.md | 5 - .../MSFT_AADGroupOwnerConsentSettings.psm1 | 552 ------------------ ...FT_AADGroupOwnerConsentSettings.schema.mof | 16 - .../readme.md | 6 - .../settings.json | 45 -- ...1-AADGroupOwnerConsentSettings-Example.ps1 | 28 - ...2-AADGroupOwnerConsentSettings-Example.ps1 | 26 - ...DSC.AADGroupOwnerConsentSettings.Tests.ps1 | 312 ---------- 8 files changed, 990 deletions(-) delete mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 delete mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof delete mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md delete mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json delete mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 delete mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 delete mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 08e9875496..ada57933f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,19 +2,14 @@ # UNRELEASED - * AADAdministrativeUnit * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. * AADAuthenticationMethodPolicyX509 * Added support for the property for include targets * AADConditionalAccessPolicy * Added support for application filters in the conditions. -* AADConditionalAccessPolicy * Implement Fix #3885. Manage Exclude Application. FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] -* AADGroupOwnerConsentSettings - * Initial release - Implements [#4112](https://github.com/microsoft/Microsoft365DSC/issues/4112) * EXOHostedContentFilterPolicy * Fix issue on parameters AllowedSenders, AllowedSenderDomains, BlockedSenders, BlockSenderDomains if desired state is empty but current state is not empty. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 deleted file mode 100644 index 507f857ec8..0000000000 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 +++ /dev/null @@ -1,552 +0,0 @@ -function Get-TargetResource -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param - ( - [Parameter(Mandatory = $true)] - [validateset('Yes')] - [System.String] - $IsSingleInstance, - - [Parameter()] - [System.Boolean] - $EnableGroupSpecificConsent, - - [Parameter()] - [System.Boolean] - $BlockUserConsentForRiskyApps, - - [Parameter()] - [System.Boolean] - $EnableAdminConsentRequests, - - [Parameter()] - [system.string] - $ConstrainGroupSpecificConsentToMembersOfGroupName, - - [Parameter()] - [System.String] - [ValidateSet('Present')] - $Ensure = 'Present', - - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - try - { - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - $nullResult = $PSBoundParameters - $nullResult.Ensure = 'Absent' - - $getValue = $null - $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId - write-verbose "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" - $templateSettings = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId - - $getValue = Get-MgGroupSetting -GroupSettingId $consentPolicySettingsTemplateId -ErrorAction SilentlyContinue - - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Azure AD Group Consent Settings with Id {$($settings.Id)}" - - if (-Not [string]::IsNullOrEmpty($templateSettings.DisplayName)) - { - $getValue = Get-MgGroupSetting -Filter "DisplayName eq '$($templateSettings.DisplayName)'" -ErrorAction SilentlyContinue - } - } - #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "UNEXPECTED: Could not find an Azure AD Group Consent Settings with DisplayName {$($templateSettings.DisplayName)}" - - # insert default values from template - $nullresult.EnableGroupSpecificConsent = $templateSettings.Values.Where({$_.Name -eq 'EnableGroupSpecificConsent' }).DefaultValue - $nullresult.BlockUserConsentForRiskyApps = $templateSettings.Values.Where({$_.Name -eq 'BlockUserConsentForRiskyApps'}).DefaultValue - $nullresult.EnableAdminConsentRequests = $templateSettings.Values.Where({$_.Name -eq 'EnableAdminConsentRequests' }).DefaultValue - $nullresult.ConstrainGroupSpecificConsentToMembersOfGroupName = $null - return $nullResult - } - $Id = $getValue.Id - - Write-Verbose -Message "An Azure AD Group Consent Settings with Id {$Id} and DisplayName {$($settings.DisplayName)} was found." - - # translate returned Values array to hashtable - $getValue.Values | ForEach-Object -Begin {$groupSettingsValues = @{}} -Process {$groupSettingsValues.($_.Name) = $_.Value} - - if ($groupSettingsValues.EnableGroupSpecificConsent -eq $true -and -not [string]::IsNullOrEmpty($groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId)) - { - write-verbose -message "Get-TargetResource: Get Group for ConstrainGroupSpecificConsentToMembersOfGroupId=$($groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId)" - $constrainConsentToGroupName = Get-MgGroup -GroupId $groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId | Select-Object -ExpandProperty DisplayName - write-verbose -message "Group DisplayName='$constrainConsentToGroupName'" - } - else - { - write-verbose -message 'Get-TargetResource: ConstrainGroupSpecificConsentToMembersOfGroupId=$null' - $constrainConsentToGroupName = $null - } - - $results = @{ - IsSingleInstance = 'Yes' - EnableGroupSpecificConsent = $groupSettingsValues.EnableGroupSpecificConsent - BlockUserConsentForRiskyApps = $groupSettingsValues.BlockUserConsentForRiskyApps - EnableAdminConsentRequests = $groupSettingsValues.EnableAdminConsentRequests - ConstrainGroupSpecificConsentToMembersOfGroupName = $constrainConsentToGroupName - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret - CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent - } - - return [System.Collections.Hashtable] $results - } - catch - { - New-M365DSCLogEntry -Message 'Error retrieving data:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return $nullResult - } -} - -function Set-TargetResource -{ - [CmdletBinding()] - param - ( - [Parameter(Mandatory = $true)] - [validateset('Yes')] - [system.string] - $IsSingleInstance, - - [Parameter()] - [System.Boolean] - $EnableGroupSpecificConsent, - - [Parameter()] - [System.Boolean] - $BlockUserConsentForRiskyApps, - - [Parameter()] - [System.Boolean] - $EnableAdminConsentRequests, - - [Parameter()] - [system.string] - $ConstrainGroupSpecificConsentToMembersOfGroupName, - - [Parameter()] - [System.String] - [ValidateSet('Present')] - $Ensure = 'Present', - - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - $currentInstance = Get-TargetResource @PSBoundParameters - - write-verbose "Retrieve Group Settings Template" - $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId - $templateSettings = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId - - $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - - if ($Ensure -eq 'Present') - { - Write-Verbose -Message "Creating an Azure AD Group Consent Setting - common code" - $valuesParam = @() - - # build array of values - if specified in Set-TargetResource, that value is included otherwise the existing value is used - - if ($PSBoundParameters.ContainsKey('EnableGroupSpecificConsent')) - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableGroupSpecificConsent'; Value=$EnableGroupSpecificConsent}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableGroupSpecificConsent'; Value=$currentInstance.EnableGroupSpecificConsent}) - } - - if ($PSBoundParameters.ContainsKey('BlockUserConsentForRiskyApps')) - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='BlockUserConsentForRiskyApps'; Value=$BlockUserConsentForRiskyApps}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='BlockUserConsentForRiskyApps'; Value=$currentInstance.BlockUserConsentForRiskyApps}) - } - - if ($PSBoundParameters.ContainsKey('EnableAdminConsentRequests')) - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableAdminConsentRequests'; Value=$EnableAdminConsentRequests}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableAdminConsentRequests'; Value=$currentInstance.EnableAdminConsentRequests}) - } - - if ($EnableGroupSpecificConsent -and -not [string]::IsNullOrEmpty($ConstrainGroupSpecificConsentToMembersOfGroupName)) - { - $constrainConsentGroupObj = Get-MgGroup -Filter "DisplayName eq '$ConstrainGroupSpecificConsentToMembersOfGroupName'" - if ($null -eq $constrainConsentGroupObj -or $constrainConsentGroupObj.securityEnabled -ne $true) - { - $message = "ConstrainGroupSpecificConsentToMembersOfGroupName '$ConstrainGroupSpecificConsentToMembersOfGroupName' does not exist or is not a security group" - Add-M365DscEvent -Message $message ` - -Source $($MyInvocation.MyCommand.Source) ` - -EntryType Error ` - -EventId 2 ` - -EventType Error ` - -TenantId $TenantId - - throw $message - } - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId'; Value=$constrainConsentGroupObj.Id}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId'; Value=$null}) - } - - - $BodyParam = @{ - DisplayName = $templateSettings.DisplayName - Values = $valuesParam - } - - if ($currentInstance.Ensure -eq 'Absent') - { - $BodyParam.Add('TemplateId', $templateSettings.Id) - $policy = New-MgGroupSetting @BodyParam - } - elseif ($currentInstance.Ensure -eq 'Present') - { - Write-Verbose -Message "Updating the Azure AD Group Consent Settings" - $BodyParam.Add('GroupSettingId', $templateSettings.Id) - - Update-MgGroupSetting @BodyParam - } - } - else - { - if ($currentInstance.Ensure -eq 'Present') - { - Remove-MgGroupSetting -GroupSettingId $templateSettings.Id - } - } -} - -function Test-TargetResource -{ - [CmdletBinding()] - [OutputType([System.Boolean])] - param - ( - [Parameter(Mandatory = $true)] - [validateset('Yes')] - [system.string] - $IsSingleInstance, - - [Parameter()] - [System.Boolean] - $EnableGroupSpecificConsent, - - [Parameter()] - [System.Boolean] - $BlockUserConsentForRiskyApps, - - [Parameter()] - [System.Boolean] - $EnableAdminConsentRequests, - - [Parameter()] - [system.string] - $ConstrainGroupSpecificConsentToMembersOfGroupName, - - [Parameter()] - [System.String] - [ValidateSet('Present')] - $Ensure = 'Present', - - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - Write-Verbose -Message "Testing configuration of the Azure AD Group Consent Settings with Id {$Id} and DisplayName {$DisplayName}" - - $CurrentValues = Get-TargetResource @PSBoundParameters - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - - if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } - $testResult = $true - - #Compare Cim instances - foreach ($key in $PSBoundParameters.Keys) - { - $source = $PSBoundParameters.$key - $target = $CurrentValues.$key - if ($source.getType().Name -like '*CimInstance*') - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) - - if (-Not $testResult) - { - $testResult = $false - break - } - - $ValuesToCheck.Remove($key) | Out-Null - } - } - - $ValuesToCheck.remove('Id') | Out-Null - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - - if ($testResult) - { - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - } - - Write-Verbose -Message "Test-TargetResource returned $testResult" - - return $testResult -} - -function Export-TargetResource -{ - [CmdletBinding()] - [OutputType([System.String])] - param - ( - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - - try - { - $currentDSCBlock = $null - - $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId - write-verbose "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" - $groupConsentSettingsTemplate = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId - - $params = @{ - IsSingleInstance = 'Yes' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity - } - $results = Get-TargetResource @params - - if ($results -is [System.Collections.Hashtable] -and $results.Count -gt 1) - { - Write-Host "`r`n" -NoNewline - Write-Host " |---[1/1] $($groupConsentSettingsTemplate.DisplayName)" -NoNewline - $results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $results - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $results ` - -Credential $Credential - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName - - Write-Host $Global:M365DSCEmojiGreenCheckMark - } - else - { - Write-Host $Global:M365DSCEmojiRedX - } - - return $currentDSCBlock - - } - catch - { - Write-Host $Global:M365DSCEmojiRedX - - New-M365DSCLogEntry -Message 'Error during Export:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return '' - } -} - -function Get-MSConsentPolicySettingsTemplateId -{ -param() - - # fixed GUID - return 'dffd5d46-495d-40a9-8e21-954ff55e198a' -} - -Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof deleted file mode 100644 index ff5899f641..0000000000 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof +++ /dev/null @@ -1,16 +0,0 @@ -[ClassVersion("1.0.0.0"), FriendlyName("AADGroupOwnerConsentSettings")] -class MSFT_AADGroupOwnerConsentSettings : OMI_BaseResource -{ - [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; - [Write, Description("Flag indicating if groups owners are allowed to grant group specific permissions.")] Boolean EnableGroupSpecificConsent; - [Write, Description("Flag indicating if user consent will be blocked when a risky request is detected. Administrators will still be able to consent to apps considered risky.")] Boolean BlockUserConsentForRiskyApps; - [Write, Description("Flag indicating if users will be able to request admin consent when they are unable to grant consent to an app themselves.")] Boolean EnableAdminConsentRequests; - [Write, Description("If EnableGroupSpecificConsent is set to “True” and this is set to a security group name, members (both direct and transitive) of the group identified will be authorized to grant group-specific permissions to the groups they own.")] String ConstrainGroupSpecificConsentToMembersOfGroupName; - [Write, Description("Specify if the Azure AD Group Consent Settings should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; - [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; - [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; - [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; - [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; - [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; - [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; -}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md deleted file mode 100644 index 42c5aafab6..0000000000 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md +++ /dev/null @@ -1,6 +0,0 @@ - -# AADGroupOwnerConsentPolicySettings - -## Description - -Azure AD Group Owner Consent Settings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json deleted file mode 100644 index b2f664fc10..0000000000 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "resourceName": "AADGroupOwnerConsentSettings", - "description": "This resource configures an Azure AD Group Owner Consent Settings.", - "permissions": { - "graph": { - "delegated": { - "read": [ - { - "name": "Directory.Read.All" - }, - { - "name": "Group.Read.All" - } - ], - "update": [ - { - "name": "Directory.ReadWrite.All" - }, - { - "name": "Policy.ReadWrite.Authorization" - } - ] - }, - "application": { - "read": [ - { - "name": "Directory.Read.All" - }, - { - "name": "Group.Read.All" - } - ], - "update": [ - { - "name": "Directory.ReadWrite.All" - }, - { - "name": "Policy.ReadWrite.Authorization" - } - ] - } - } -} - -} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 deleted file mode 100644 index 7cd08b1b41..0000000000 --- a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 +++ /dev/null @@ -1,28 +0,0 @@ -<# -This example is used to test new resources and showcase the usage of new resources being worked on. -It is not meant to use as a production baseline. -#> - -Configuration Example -{ - param( - [Parameter(Mandatory = $true)] - [PSCredential] - $Credscredential - ) - Import-DscResource -ModuleName Microsoft365DSC - - node localhost - { - AADGroupOwnerConsentSettings 'Example' - { - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - #ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = 'Present' - Credential = $Credscredential - } - } -} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 deleted file mode 100644 index 867199f2d5..0000000000 --- a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 +++ /dev/null @@ -1,26 +0,0 @@ -<# -This example is used to test new resources and showcase the usage of new resources being worked on. -It is not meant to use as a production baseline. -#> - -Configuration Example -{ - param( - [Parameter(Mandatory = $true)] - [PSCredential] - $Credscredential - ) - Import-DscResource -ModuleName Microsoft365DSC - - node localhost - { - AADGroupOwnerConsentSettings 'Example' - { - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $true # prerequisite for specifying a constraining group - ConstrainGroupSpecificConsentToMembersOfGroupName = 'Group-Vetted-GroupOwners' - Ensure = 'Present' - Credential = $Credscredential - } - } -} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 deleted file mode 100644 index 813b9d6922..0000000000 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 +++ /dev/null @@ -1,312 +0,0 @@ -[CmdletBinding()] -param( -) -$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` - -ChildPath '..\..\Unit' ` - -Resolve -$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\Stubs\Microsoft365.psm1' ` - -Resolve) -$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\Stubs\Generic.psm1' ` - -Resolve) -Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\UnitTestHelper.psm1' ` - -Resolve) - -$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` - -DscResource "AADGroupOwnerConsentSettings" -GenericStubModule $GenericStubPath -Describe -Name $Global:DscHelper.DescribeHeader -Fixture { - InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { - Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope - BeforeAll { - - $secpasswd = ConvertTo-SecureString "f@kepassword1" -AsPlainText -Force - $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) - - Mock -CommandName Confirm-M365DSCDependencies -MockWith { - } - - Mock -CommandName Get-PSSession -MockWith { - } - - Mock -CommandName Remove-PSSession -MockWith { - } - - Mock -CommandName Get-MgGroupSettingTemplateGroupSettingTemplate -MockWith { - } - - Mock -CommandName Get-MgGroupSettingTemplateGroupSettingTemplate -ParameterFilter {$GroupSettingTemplateId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';DefaultValue=$null}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';DefaultValue=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';DefaultValue=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';DefaultValue=$null} - ) - } - } - - Mock -CommandName Get-MgGroupSetting -MockWith { - } - - Mock -CommandName Get-MgGroup -MockWith { - } - - Mock -CommandName Update-MgGroupSetting -MockWith { - } - - Mock -CommandName New-MgGroupSetting -MockWith { - } - - Mock -CommandName New-M365DSCConnection -MockWith { - return "Credentials" - } - - #Mock Write-Host to hide output during the tests - Mock -CommandName Write-Host -MockWith { - } - } - # Test contexts - Context -Name "The AADGroupOwnerConsentSettings should exist but it DOES NOT" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = "Present" - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -MockWith { - return $null - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - It 'Should Create the group from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName New-MgGroupSetting -Exactly 1 - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists and Values are already in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = "Present" - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$false}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value=$null} - ) - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - It 'Should return true from the Test method' { - Test-TargetResource @testParams | Should -Be $true - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists with a constrain-group and Values are already in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $true - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = 'Fake Group' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = "Present" - Credential = $Credential; - } - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} - ) - } - } - - Mock -CommandName Get-MgGroup -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Fake Group' - Id = '111-111111-1111-1111-111111' - SecurityEnabled = $true - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - It 'Should return true from the Test method' { - Test-TargetResource @testParams | Should -Be $true - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists and Values are NOT in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $true - ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = 'Present' - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$false}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value=$null} - ) - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - It 'Should Update the GroupSetting from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName Update-MgGroupSetting -Exactly 1 - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists with a constrain-group and Values are NOT in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $true - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = 'Another Fake Group' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = "Present" - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} - ) - } - } - - Mock -CommandName Get-MgGroup -ParameterFilter {$GroupId -eq '111-111111-1111-1111-111111'} -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Fake Group' - Id = '111-111111-1111-1111-111111' - SecurityEnabled = $true - } - } - <# - Mock -CommandName Get-MgGroup -ParameterFilter {$Filter -eq "DisplayName eq 'Fake Group'"} -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Fake Group' - Id = '111-111111-1111-1111-111111' - SecurityEnabled = $true - } - } - #> - Mock -CommandName Get-MgGroup -ParameterFilter {$Filter -eq "DisplayName eq 'Another Fake Group'"} -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Another Fake Group' - Id = '222-111111-2222-2222-111111' - SecurityEnabled = $true - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - Should -Invoke -CommandName Get-MgGroupSetting -Exactly 1 - Should -Invoke -CommandName Get-MgGroup -Exactly 1 - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - It 'Should Update the GroupSetting from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName Get-MgGroup -Exactly 2 # 1st for Get-TargetResource (pre-existing value), 2nd for Set-TargetResource (new value) - Should -Invoke -CommandName Update-MgGroupSetting -Exactly 1 - } - } - - Context -Name 'ReverseDSC Tests' -Fixture { - BeforeAll { - $Global:CurrentModeIsExport = $true - $Global:PartialExportFileName = "$(New-Guid).partial.ps1" - $testParams = @{ - Credential = $Credential - } - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} - ) - } - } - Mock -CommandName Get-MgGroup -ParameterFilter {$GroupId -eq '111-111111-1111-1111-111111'} -MockWith { - return [pscustomobject]@{ - Id = '111-111111-1111-1111-111111' - DisplayName = 'Fake Export Group' - SecurityEnabled = $true - } - } - } - It 'Should Reverse Engineer resource from the Export method' { - $result = Export-TargetResource @testParams - Should -Invoke -CommandName Get-MgGroupSetting -Exactly 1 - Should -Invoke -CommandName Get-MgGroup -Exactly 1 - $result | Should -Not -BeNullOrEmpty - } - } - } -} - -Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 6cef7e461d032990249b170a3ddb47dfb39a2607 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 10 Jan 2024 20:34:08 +0000 Subject: [PATCH 70/70] Updated Resources and Cmdlet documentation pages --- ...AuthenticationMethodPolicyAuthenticator.md | 20 ++----------------- 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md index 4e52342a9c..ddebf6dff2 100644 --- a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md +++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyAuthenticator.md @@ -126,17 +126,9 @@ Configuration Example Id = 'Legal Team' TargetType = 'group' } - MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ - Id = 'Paralegals' - TargetType = 'group' - } ); FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{ DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -144,10 +136,6 @@ Configuration Example State = 'default' } CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -155,10 +143,6 @@ Configuration Example State = 'default' } DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{ - ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ - Id = 'all_users' - TargetType = 'group' - } IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{ Id = 'all_users' TargetType = 'group' @@ -206,9 +190,9 @@ Configuration Example { Credential = $Credscredential; Ensure = "Present"; - ExcludeTargets = @( # Updated Property + ExcludeTargets = @( MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{ - Id = 'Legal Team' + Id = 'Finance Team' # Updated Property TargetType = 'group' } );