From a46fcc7c08c7f437921d9909adf14b6ff0d9994e Mon Sep 17 00:00:00 2001
From: Nik Charlebois
Date: Fri, 19 Jan 2024 12:47:37 -0500
Subject: [PATCH] AAD Group Restore from Deleted

---
 CHANGELOG.md | 3 +
 .../MSFT_AADGroup/MSFT_AADGroup.psm1 | 56 ++++++++++++++-----
 2 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bad7eb5a77..ce029d2282 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,9 @@
   * Removed the ability to specify a value of Absent for the Ensure property.
 * AADCrossTenantAccessPolicyCOnfigurationDefault
   * Removed the ability to specify a value of Absent for the Ensure property.
+* AADGroup
+  * Changed Set logic to restore groups from the deleted list if a match by
+    DisplayName is found.
 * SPOSharingSettings
   * Fixed an Issue where the MySiteSharingCapability could be returned as an
     empty string instead of a null value from the Get method.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1
index 293ac6fd29..1c9ae1a71b 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1
@@ -559,26 +559,44 @@ function Set-TargetResource
     }
     elseif ($Ensure -eq 'Present' -and $currentGroup.Ensure -eq 'Absent')
     {
-        Write-Verbose -Message "Creating new group {$DisplayName}"
-        $currentParameters.Remove('Id') | Out-Null
+        Write-Verbose -Message "Checking to see if an existing deleted group exists with DisplayName {$DisplayName}"
+        $restorinExisting = $false
+        [Array]$groups = Get-MgBetaDirectoryDeletedItemAsGroup -Filter "DisplayName eq '$DisplayName'"
+        if ($groups.Length -gt 1)
+        {
+            throw "Multiple deleted groups with the name {$DisplayName} were found. Cannot restore the existig group. Please ensure that you either have no instance of the group in the deleted list or that you have a single one."
+        }
 
-        try
+        if ($groups.Length -eq 1)
+        {
+            Write-Verbose -Message "Found an instance of a deleted group {$DisplayName}. Restoring it."
+            Restore-MgBetaDirectoryDeletedItem -DirectoryObjectId $groups[0].Id
+            $restoringExisting = $true
+            $currentGroup = Get-MgGroup -Filter "DisplayName eq '$DisplayName'" -ErrorAction Stop
+        }
+
+        if (-not $restoringExisting)
         {
-            Write-Verbose -Message "Creating Group with Values: $(Convert-M365DscHashtableToString -Hashtable $currentParameters)"
-            $currentGroup = New-MgGroup @currentParameters
+            Write-Verbose -Message "Creating new group {$DisplayName}"
+            $currentParameters.Remove('Id') | Out-Null
 
-            Write-Verbose -Message "Created Group $($currentGroup.id)"
-            if ($assignedLicensesGUIDs.Length -gt 0)
+            try
             {
-                Set-MgGroupLicense -GroupId $currentGroup.Id -AddLicenses $licensesToAdd -RemoveLicenses @()
+                Write-Verbose -Message "Creating Group with Values: $(Convert-M365DscHashtableToString -Hashtable $currentParameters)"
+                $currentGroup = New-MgGroup @currentParameters
+                Write-Verbose -Message "Created Group $($currentGroup.id)"
+            }
+            catch
+            {
+                Write-Verbose -Message $_
+                New-M365DSCLogEntry -Message "Couldn't create group $DisplayName" `
+                    -Exception $_ `
+                    -Source $MyInvocation.MyCommand.ModuleName
             }
         }
-        catch
+        if ($assignedLicensesGUIDs.Length -gt 0)
         {
-            Write-Verbose -Message $_
-            New-M365DSCLogEntry -Message "Couldn't create group $DisplayName" `
-                -Exception $_ `
-                -Source $MyInvocation.MyCommand.ModuleName
+            Set-MgGroupLicense -GroupId $currentGroup.Id -AddLicenses $licensesToAdd -RemoveLicenses @()
         }
     }
     elseif ($Ensure -eq 'Absent' -and $currentGroup.Ensure -eq 'Present')
@@ -623,7 +641,17 @@ function Set-TargetResource
                 $ownerObject = @{
                     '@odata.id' = "https://graph.microsoft.com/v1.0/users/{$($user.Id)}"
                 }
-                New-MgGroupOwnerByRef -GroupId ($currentGroup.Id) -BodyParameter $ownerObject | Out-Null
+                try
+                {
+                    New-MgGroupOwnerByRef -GroupId ($currentGroup.Id) -BodyParameter $ownerObject -ErrorAction Stop| Out-Null
+                }
+                catch
+                {
+                    if ($_.Exception.Message -notlike "*One or more added object references already exist for the following modified properties*")
+                    {
+                        throw $_
+                    }
+                }
             }
             elseif ($diff.SideIndicator -eq '<=')
             {
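Review bot: `$restorinExisting = $false` misspells the flag that `$restoringExisting = $true` and `if (-not $restoringExisting)` later read, so the initializer is dead and the create path only works because an unset variable happens to evaluate as falsy; under `Set-StrictMode` that read throws, so the line should be `$restoringExisting = $false`. Both `-Filter "DisplayName eq '$DisplayName'"` strings (the deleted-item lookup and the post-restore `Get-MgGroup`) interpolate the caller-supplied name unescaped, so a name containing a single quote breaks the OData filter; double the quotes first, e.g. `$escapedName = $DisplayName.Replace("'", "''")`, and use `$escapedName` in the filters. After `Restore-MgBetaDirectoryDeletedItem`, resolving the group again by display name can return nothing (the restored object may not be queryable yet) or more than one active group, either of which leaves `$currentGroup.Id` empty or ambiguous for the `Set-MgGroupLicense` call below, so `Get-MgGroup -GroupId $groups[0].Id -ErrorAction Stop` would be the unambiguous lookup. The restore line also deserves a comment that a restored group presumably comes back with its previous owners, members and settings rather than the values in `$currentParameters`, which this branch does not apply to it; Set-TargetResource continues outside the hunk.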
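Review bot: The catch suppresses the already-an-owner case by substring-matching `$_.Exception.Message`, which is bound to one exact wording of the Graph error text and will silently stop matching if the service rewords it, at which point every re-run that re-adds an existing owner throws again. If the error record exposes a stable code (for example through `$_.ErrorDetails`), test that instead, and in any case add a `Write-Verbose -Message "Owner already assigned, skipping."` in the suppressed branch so the skip is visible in logs rather than swallowed. `throw $_` wraps the caught record in a new exception; a bare `throw` inside the catch rethrows it unchanged. The missing space in `-ErrorAction Stop| Out-Null` is style only but worth fixing; the enclosing block and Set-TargetResource continue outside the hunk.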