microsoft · NikCharlebois · Nov 5, 2024 · Nov 4, 2024
@@ -4,6 +4,8 @@
 
 * AADServicePrincipal
   * Added support for KeyCredentials and PasswordCredentials.
+  * Added support for SAML.
+  * Fixed issue with Owners.
 * AADAccessReviewDefinition
   * Initial release.
 * AADAccessReviewPolicy

@@ -60,6 +60,10 @@ function Get-TargetResource
         [System.String[]]
         $Owners,
 
+        [Parameter()]
+        [System.String]
+        $PreferredSingleSignOnMode,
+
         [Parameter()]
         [System.String]
         $PublisherName,
@@ -317,6 +321,7 @@ function Get-TargetResource
                 LogoutUrl                          = $AADServicePrincipal.LogoutUrl
                 Notes                              = $AADServicePrincipal.Notes
                 Owners                             = $ownersValues
+                PreferredSingleSignOnMode          = $AADServicePrincipal.PreferredSingleSignOnMode
                 PublisherName                      = $AADServicePrincipal.PublisherName
                 ReplyURLs                          = $AADServicePrincipal.ReplyURLs
                 SamlMetadataURL                    = $AADServicePrincipal.SamlMetadataURL
@@ -412,6 +417,10 @@ function Set-TargetResource
         [System.String[]]
         $Owners,
 
+        [Parameter()]
+        [System.String]
+        $PreferredSingleSignOnMode,
+
         [Parameter()]
         [System.String]
         $PublisherName,
@@ -505,6 +514,7 @@ function Set-TargetResource
     $currentParameters.Remove('ObjectID') | Out-Null
     $currentParameters.Remove('ApplicationSecret') | Out-Null
     $currentParameters.Remove('AccessTokens') | Out-Null
+    $currentParameters.Remove('Owners') | Out-Null
 
     # update the custom security attributes to be cmdlet comsumable
     if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes -gt 0) {
@@ -518,7 +528,7 @@ function Set-TargetResource
     {
         if ($null -ne $AppRoleAssignedTo)
         {
-            $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValue
+            $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValues
         }
         # removing Delegated permission classifications from this new call, as adding below separately
         $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null
@@ -569,9 +579,14 @@ function Set-TargetResource
         Write-Verbose -Message "CurrentParameters: $($currentParameters | Out-String)"
         Write-Verbose -Message "ServicePrincipalID: $($currentAADServicePrincipal.ObjectID)"
         $currentParameters.Remove('AppRoleAssignedTo') | Out-Null
-        $currentParameters.Remove('Owners') | Out-Null
         $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null
 
+        if ($PreferredSingleSignOnMode -eq 'saml')
+        {
+            $IdentifierUris = $ServicePrincipalNames | Where-Object { $_ -notmatch $AppId }
+            $currentParameters.Remove('ServicePrincipalNames')
+        }
+
         #removing the current custom security attributes
         if ($currentAADServicePrincipal.CustomSecurityAttributes.Count -gt 0) {
             $currentAADServicePrincipal.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentAADServicePrincipal.CustomSecurityAttributes -GetForDelete $true
@@ -583,6 +598,12 @@ function Set-TargetResource
 
         Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters
 
+        if ($IdentifierUris)
+        {
+            Write-Verbose -Message "Updating the Application ID Uri on the application instance."
+            $appInstance = Get-MgApplication -Filter "AppId eq '$AppId'"
+            Update-MgApplication -ApplicationId $appInstance.Id -IdentifierUris $IdentifierUris
+        }
         if ($AppRoleAssignedTo)
         {
             [Array]$currentPrincipals = $currentAADServicePrincipal.AppRoleAssignedTo.Identity
@@ -785,6 +806,10 @@ function Test-TargetResource
         [System.String[]]
         $Owners,
 
+        [Parameter()]
+        [System.String]
+        $PreferredSingleSignOnMode,
+
         [Parameter()]
         [System.String]
         $PublisherName,

@@ -46,6 +46,7 @@ class MSFT_AADServicePrincipal : OMI_BaseResource
     [Write, Description("Notes associated with the ServicePrincipal.")] String Notes;
     [Write, Description("Specifies the PublisherName of the ServicePrincipal.")] String PublisherName;
     [Write, Description("List of the owners of the service principal.")] String Owners[];
+    [Write, Description("Specifies the signle sign-on mode configured for this application.")] String PreferredSingleSignOnMode;
     [Write, Description("The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.")] String ReplyUrls[];
     [Write, Description("The URL for the SAML metadata of the ServicePrincipal.")] String SamlMetadataUrl;
     [Write, Description("Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal.")] String ServicePrincipalNames[];