Merge pull request #5754 from NikCharlebois/Nullable-AuthenBehavior

AADApplication - Allow for Nullable AuthenticationBehaviors
microsoft · Feb 12, 2025 · 21f12ba · 21f12ba
2 parents cbdbfa4 + 182fd19
commit 21f12ba
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 # UNRELEASED
 
+* AADApplication
+  * Changing the AuthenticationBehaviors parameters to string to allow
+    for null values.
 * EXORetentionPolicyTag
   * Initial release.
 * MISC

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1
@@ -193,15 +193,15 @@ function Get-TargetResource
         $complexAuthenticationBehaviors = @{}
         if ($null -ne $AADBetaApp.authenticationBehaviors.blockAzureADGraphAccess)
         {
-            $complexAuthenticationBehaviors.Add('BlockAzureADGraphAccess', $AADBetaApp.authenticationBehaviors.blockAzureADGraphAccess)
+            $complexAuthenticationBehaviors.Add('BlockAzureADGraphAccess', $AADBetaApp.authenticationBehaviors.blockAzureADGraphAccess.ToString())
         }
         if ($null -ne $AADBetaApp.authenticationBehaviors.removeUnverifiedEmailClaim)
         {
-            $complexAuthenticationBehaviors.Add('RemoveUnverifiedEmailClaim', $AADBetaApp.authenticationBehaviors.removeUnverifiedEmailClaim)
+            $complexAuthenticationBehaviors.Add('RemoveUnverifiedEmailClaim', $AADBetaApp.authenticationBehaviors.removeUnverifiedEmailClaim.ToString())
         }
         if ($null -ne $AADBetaApp.authenticationBehaviors.requireClientServicePrincipal)
         {
-            $complexAuthenticationBehaviors.Add('RequireClientServicePrincipal', $AADBetaApp.authenticationBehaviors.requireClientServicePrincipal)
+            $complexAuthenticationBehaviors.Add('RequireClientServicePrincipal', $AADBetaApp.authenticationBehaviors.requireClientServicePrincipal.ToString())
         }
         if ($complexAuthenticationBehaviors.values.Where({ $null -ne $_ }).Count -eq 0)
         {
@@ -897,10 +897,6 @@ function Set-TargetResource
             $tries++
         } until ($null -eq $appEntity -or $tries -le 12)
     }
-    Write-Host "Ensure = $Ensure"
-    Write-Host "ApplicationTemplateId = $ApplicationTemplateId"
-    Write-Host "skipToUpdate = $skipToUpdate"
-    Write-Host "currentAADApp.Ensure = $($currentAADApp.Ensure))"
     if ($Ensure -eq 'Present' -and $currentAADApp.Ensure -eq 'Absent' -and -not $skipToUpdate)
     {
         $currentParameters.Remove('ObjectId') | Out-Null
@@ -1184,8 +1180,8 @@ function Set-TargetResource
             requireClientServicePrincipal = $AuthenticationBehaviors.requireClientServicePrincipal
         }
 
-        Update-MgBetaApplication -ApplicationId $currentAADApp.Id `
-                                 -AuthenticationBehaviors $IAuthenticationBehaviors | Out-Null
+        $uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/applications/$($currentAADApp.Id)/authenticationBehaviors"
+        Invoke-MgGraphRequest -Uri $uri -Method 'PATCH' -Body $IAuthenticationBehaviors
     }
 
     if ($needToUpdateKeyCredentials -and $KeyCredentials)

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof
@@ -107,9 +107,9 @@ class MSFT_MicrosoftGraphApiApplication
 [ClassVersion("1.0.0")]
 class MSFT_MicrosoftGraphAuthenticationBehaviors
 {
-    [Write, Description("If false, allows the app to have extended access to Azure AD Graph until June 30, 2025 when Azure AD Graph is fully retired. For more information on Azure AD retirement updates, see June 2024 update on Azure AD Graph API retirement.")] Boolean BlockAzureADGraphAccess;
-    [Write, Description("If true, removes the email claim from tokens sent to an application when the email address's domain can't be verified.")] Boolean RemoveUnverifiedEmailClaim;
-    [Write, Description("If true, requires multitenant applications to have a service principal in the resource tenant as part of authorization checks before they're granted access tokens. This property is only modifiable for multitenant resource applications that rely on access from clients without a service principal and had this behavior as set to false by Microsoft. Tenant administrators should respond to security advisories sent through Azure Health Service events and the Microsoft 365 message center.")] Boolean RequireClientServicePrincipal;
+    [Write, Description("If false, allows the app to have extended access to Azure AD Graph until June 30, 2025 when Azure AD Graph is fully retired. For more information on Azure AD retirement updates, see June 2024 update on Azure AD Graph API retirement.")] String BlockAzureADGraphAccess;
+    [Write, Description("If true, removes the email claim from tokens sent to an application when the email address's domain can't be verified.")] String RemoveUnverifiedEmailClaim;
+    [Write, Description("If true, requires multitenant applications to have a service principal in the resource tenant as part of authorization checks before they're granted access tokens. This property is only modifiable for multitenant resource applications that rely on access from clients without a service principal and had this behavior as set to false by Microsoft. Tenant administrators should respond to security advisories sent through Azure Health Service events and the Microsoft 365 message center.")] String RequireClientServicePrincipal;
 };
 
 [ClassVersion("1.0.0")]

diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADApplication.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADApplication.Tests.ps1
@@ -44,7 +44,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
             Mock -CommandName Remove-MgApplication -MockWith {
             }
 
-            Mock -CommandName MgBetaDirectoryDeletedItemAsApplication -MockWith {
+            Mock -CommandName Get-MgBetaDirectoryDeletedItemAsApplication -MockWith {
+            }
+
+            Mock -CommandName Invoke-MgGraphRequest -MockWith {
             }
 
             Mock -CommandName New-MgApplication -MockWith {
@@ -72,7 +75,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
             # Mock Write-Host to hide output during the tests
             Mock -CommandName Write-Host -MockWith {
             }
-            $Script:exportedInstances =$null
+            $Script:exportedInstance =$null
             $Script:ExportMode = $false
         }
 
@@ -241,9 +244,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                         )
                     } -ClientOnly
                     AuthenticationBehaviors   = New-CimInstance -ClassName MSFT_MicrosoftGraphAuthenticationBehaviors -Property @{
-                             blockAzureADGraphAccess       = $false
-                             removeUnverifiedEmailClaim    = $true
-                             requireClientServicePrincipal = $false
+                             blockAzureADGraphAccess       = 'false'
+                             removeUnverifiedEmailClaim    = 'true'
+                             requireClientServicePrincipal = 'false'
                      } -ClientOnly
                     Api = New-CimInstance -ClassName MSFT_MicrosoftGraphapiApplication -Property @{
                         PreAuthorizedApplications = [CimInstance[]]@(
@@ -341,9 +344,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     $AADApp | Add-Member -MemberType NoteProperty -Name Oauth2RequirePostResponse -Value $false
                     $AADApp | Add-Member -MemberType NoteProperty -Name PublicClient -Value $false
                     $AADApp | Add-Member -MemberType NoteProperty -Name AuthenticationBehaviors -Value @{
-                         blockAzureADGraphAccess       = $false
-                         removeUnverifiedEmailClaim    = $true
-                         requireClientServicePrincipal = $false
+                         blockAzureADGraphAccess       = 'false'
+                         removeUnverifiedEmailClaim    = 'true'
+                         requireClientServicePrincipal = 'false'
                     }
                     return $AADApp
                 }
@@ -422,9 +425,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     PublicClient              = $false
                     ReplyURLs                 = 'https://app.contoso.com'
                     AuthenticationBehaviors   = New-CimInstance -ClassName MSFT_MicrosoftGraphAuthenticationBehaviors -Property @{
-                            blockAzureADGraphAccess       = $false
-                            removeUnverifiedEmailClaim    = $true
-                            requireClientServicePrincipal = $false
+                            blockAzureADGraphAccess       = 'false'
+                            removeUnverifiedEmailClaim    = 'true'
+                            requireClientServicePrincipal = 'false'
                     } -ClientOnly
                     Ensure                  = 'Present'
                     Credential              = $Credential
@@ -452,7 +455,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 
             It 'Should call the new method' {
                 Set-TargetResource @testParams
-                Should -Invoke -CommandName 'Update-MgBetaApplication' -Exactly 1
+                Should -Invoke -CommandName 'Invoke-MgGraphRequest' -Exactly 2
             }
 
         }