Merge branch 'Dev' into fix/aad-export

microsoft · Feb 12, 2025 · 6fc37fc · 6fc37fc
2 parents 8d62005 + 6344857
commit 6fc37fc
Show file tree

Hide file tree

Showing 25 changed files with 975 additions and 427 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,13 +2,21 @@
 
 # UNRELEASED
 
+* AADApplication
+  * Changing the AuthenticationBehaviors parameters to string to allow
+    for null values.
 * AADCrossTenantAccessPolicyConfigurationDefault
   * Fixes an issue with CIM class export.
 * AADCrossTenantAccessPolicyConfigurationPartner
   * Fixes an issue with CIM class export.
     FIXES [#5711](https://github.com/microsoft/Microsoft365DSC/issues/5711)
 * EXORetentionPolicyTag
   * Initial release.
+* MISC
+  * PowerPlatform resource revamp to use direct REST API calls.
+* DEPENDENCIES
+  * Removed dependency on Microsoft.PowerApps.Administration.PowerShell.
+  * Updated MSCloudLoginAssistant to version 1.1.37.
 
 # 1.25.205.1
 

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1
@@ -193,15 +193,15 @@ function Get-TargetResource
         $complexAuthenticationBehaviors = @{}
         if ($null -ne $AADBetaApp.authenticationBehaviors.blockAzureADGraphAccess)
         {
-            $complexAuthenticationBehaviors.Add('BlockAzureADGraphAccess', $AADBetaApp.authenticationBehaviors.blockAzureADGraphAccess)
+            $complexAuthenticationBehaviors.Add('BlockAzureADGraphAccess', $AADBetaApp.authenticationBehaviors.blockAzureADGraphAccess.ToString())
         }
         if ($null -ne $AADBetaApp.authenticationBehaviors.removeUnverifiedEmailClaim)
         {
-            $complexAuthenticationBehaviors.Add('RemoveUnverifiedEmailClaim', $AADBetaApp.authenticationBehaviors.removeUnverifiedEmailClaim)
+            $complexAuthenticationBehaviors.Add('RemoveUnverifiedEmailClaim', $AADBetaApp.authenticationBehaviors.removeUnverifiedEmailClaim.ToString())
         }
         if ($null -ne $AADBetaApp.authenticationBehaviors.requireClientServicePrincipal)
         {
-            $complexAuthenticationBehaviors.Add('RequireClientServicePrincipal', $AADBetaApp.authenticationBehaviors.requireClientServicePrincipal)
+            $complexAuthenticationBehaviors.Add('RequireClientServicePrincipal', $AADBetaApp.authenticationBehaviors.requireClientServicePrincipal.ToString())
         }
         if ($complexAuthenticationBehaviors.values.Where({ $null -ne $_ }).Count -eq 0)
         {
@@ -897,10 +897,6 @@ function Set-TargetResource
             $tries++
         } until ($null -eq $appEntity -or $tries -le 12)
     }
-    Write-Host "Ensure = $Ensure"
-    Write-Host "ApplicationTemplateId = $ApplicationTemplateId"
-    Write-Host "skipToUpdate = $skipToUpdate"
-    Write-Host "currentAADApp.Ensure = $($currentAADApp.Ensure))"
     if ($Ensure -eq 'Present' -and $currentAADApp.Ensure -eq 'Absent' -and -not $skipToUpdate)
     {
         $currentParameters.Remove('ObjectId') | Out-Null
@@ -1184,8 +1180,8 @@ function Set-TargetResource
             requireClientServicePrincipal = $AuthenticationBehaviors.requireClientServicePrincipal
         }
 
-        Update-MgBetaApplication -ApplicationId $currentAADApp.Id `
-                                 -AuthenticationBehaviors $IAuthenticationBehaviors | Out-Null
+        $uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/applications/$($currentAADApp.Id)/authenticationBehaviors"
+        Invoke-MgGraphRequest -Uri $uri -Method 'PATCH' -Body $IAuthenticationBehaviors
     }
 
     if ($needToUpdateKeyCredentials -and $KeyCredentials)

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof
@@ -107,9 +107,9 @@ class MSFT_MicrosoftGraphApiApplication
 [ClassVersion("1.0.0")]
 class MSFT_MicrosoftGraphAuthenticationBehaviors
 {
-    [Write, Description("If false, allows the app to have extended access to Azure AD Graph until June 30, 2025 when Azure AD Graph is fully retired. For more information on Azure AD retirement updates, see June 2024 update on Azure AD Graph API retirement.")] Boolean BlockAzureADGraphAccess;
-    [Write, Description("If true, removes the email claim from tokens sent to an application when the email address's domain can't be verified.")] Boolean RemoveUnverifiedEmailClaim;
-    [Write, Description("If true, requires multitenant applications to have a service principal in the resource tenant as part of authorization checks before they're granted access tokens. This property is only modifiable for multitenant resource applications that rely on access from clients without a service principal and had this behavior as set to false by Microsoft. Tenant administrators should respond to security advisories sent through Azure Health Service events and the Microsoft 365 message center.")] Boolean RequireClientServicePrincipal;
+    [Write, Description("If false, allows the app to have extended access to Azure AD Graph until June 30, 2025 when Azure AD Graph is fully retired. For more information on Azure AD retirement updates, see June 2024 update on Azure AD Graph API retirement.")] String BlockAzureADGraphAccess;
+    [Write, Description("If true, removes the email claim from tokens sent to an application when the email address's domain can't be verified.")] String RemoveUnverifiedEmailClaim;
+    [Write, Description("If true, requires multitenant applications to have a service principal in the resource tenant as part of authorization checks before they're granted access tokens. This property is only modifiable for multitenant resource applications that rely on access from clients without a service principal and had this behavior as set to false by Microsoft. Tenant administrators should respond to security advisories sent through Azure Health Service events and the Microsoft 365 message center.")] String RequireClientServicePrincipal;
 };
 
 [ClassVersion("1.0.0")]

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.psm1
@@ -49,7 +49,7 @@ function Get-TargetResource
         [System.String[]]
         $AccessTokens
     )
-    New-M365DSCConnection -Workload 'PowerPlatforms' `
+    New-M365DSCConnection -Workload 'PowerPlatformREST' `
         -InboundParameters $PSBoundParameters | Out-Null
 
     #Ensure the proper dependencies are installed in the current environment.
@@ -68,28 +68,17 @@ function Get-TargetResource
     $nullResult.Ensure = 'Absent'
     try
     {
-        if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
-        {
-            if (-not [System.String]::IsNullOrEmpty($PolicyName))
-            {
-                $instances = $Script:exportedInstances | Where-Object -FilterScript { $_.PolicyName -eq $PolicyName }
-            }
+        $uri = "https://" + (Get-MSCloudLoginConnectionProfile -Workload 'PowerPlatformREST').BapEndpoint + `
+               "/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies?api-version=2016-11-01"
 
-            if ($null -eq $instance)
-            {
-                $instance = $Script:exportedInstances | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
-            }
-        }
-        else
-        {
-            if (-not [System.String]::IsNullOrEmpty($PolicyName))
-            {
-                $instance = Get-AdminDlpPolicy -PolicyName $PolicyName -ErrorAction SilentlyContinue
-            }
+        $policies = Invoke-M365DSCPowerPlatformRESTWebRequest -Uri $uri -Method 'GET'
 
-            if ($null -eq $instance)
+        $instance = $null
+        foreach ($policyInfo in $policies.value)
+        {
+            if ($policyInfo.properties.displayName -eq $DisplayName)
             {
-                $instance = Get-AdminDlpPolicy | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
+                $instance = $policyInfo
             }
         }
         if ($null -eq $instance)
@@ -98,10 +87,10 @@ function Get-TargetResource
         }
 
         $results = @{
-            DisplayName           = $instance.DisplayName
+            DisplayName           = $instance.properties.displayName
             PolicyName            = $instance.PolicyName
-            Environments          = $instance.Environments.name
-            FilterType            = $instance.FilterType
+            Environments          = [array]$instance.properties.definition.constraints.environmentFilter1.parameters.environments.name
+            FilterType            = $instance.properties.definition.constraints.environmentFilter1.parameters.filterType
             Ensure                = 'Present'
             Credential            = $Credential
             ApplicationId         = $ApplicationId
@@ -191,14 +180,85 @@ function Set-TargetResource
     $currentInstance = Get-TargetResource @PSBoundParameters
     $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
 
+    $schema = "https://schema.management.azure.com/providers/Microsoft.BusinessAppPlatform/schemas/2016-10-01-preview/apiPolicyDefinition.json#"
+    $constraints = @{}
+    if ($null -ne $Environments -and $Environments.Length -gt 0)
+    {
+        $environmentInfo = @()
+        foreach ($environment in $Environments)
+        {
+            $uri = "https://" + (Get-MSCloudLoginConnectionProfile -Workload 'PowerPlatformREST').BapEndpoint + `
+                "/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/$($environment)?`$expand=permissions&api-version=2016-11-01"
+
+            Write-Verbose -Message "Creating new policy with body:`r`n$(ConvertTo-Json $newPolicy -Depth 20)"
+            $environmentInfo += Invoke-M365DSCPowerPlatformRESTWebRequest -Uri $uri -Method 'GET'
+        }
+
+        $constraints = @{
+            environmentFilter1 = @{
+                parameters = @{
+                    environments = $environmentInfo
+                    filterType = $FilterType
+                }
+                type = "environmentFilter"
+            }
+        }
+    }
+    $rules = @{
+        dataFlowRule = @{
+            actions = @{
+                blockAction = @{
+                    type = "Block"
+                }
+            }
+            parameters = @{
+                destinationApiGroup = "lbi"
+                sourceApiGroup = "hbi"
+            }
+            type = "DataFlowRestriction"
+        }
+    }
+    $CreatedTime = Get-Date -Format "o"
+    $policyObject = @{
+        id = ""
+        name = ""
+        type = $type
+        tags = @{}
+        properties = @{
+            createdTime = $CreatedTime
+            displayName = $DisplayName
+            definition = @{
+                "`$schema" = $schema
+                defaultApiGroup = "lbi"
+                constraints = $constraints
+                apiGroups = @{
+                    hbi = @{
+                        apis = $hbiApis
+                        description = "Business data only"
+                    }
+                    lbi = @{
+                        apis =  @()
+                        description = $lbiDescription
+                    }
+                }
+                rules = $rules
+            }
+        }
+    }
+
     # CREATE
     $needToUpdateNewInstance = $false
     $policyName = $currentInstance.PolicyName
     if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
     {
         Write-Verbose -Message "Creating new Data Policy {$DisplayName}"
-        $policy = New-AdminDlpPolicy -DisplayName $DisplayName
-        $policyName = $policy.PolicyName
+        $uri = "https://" + (Get-MSCloudLoginConnectionProfile -Workload 'PowerPlatformREST').BapEndpoint + `
+               "/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies?api-version=2016-11-01"
+
+
+        Write-Verbose -Message "Creating new policy with body:`r`n$(ConvertTo-Json $newPolicy -Depth 20)"
+        $policy = Invoke-M365DSCPowerPlatformRESTWebRequest -Uri $uri -Method 'POST' -Body $policyObject
+        $policyName = $policy.name
     }
     if ($setParameters.ContainsKey('PolicyName'))
     {
@@ -220,13 +280,19 @@ function Set-TargetResource
             $setParameters.Environments = ($setParameters.Environments -join ',')
         }
         Write-Verbose -Message "Updating Data Policy {$DisplayName} with values:`r`n$(Convert-M365DscHashtableToString -Hashtable $setParameters)"
-        Set-AdminDlpPolicy @setParameters
+        $uri = "https://" + (Get-MSCloudLoginConnectionProfile -Workload 'PowerPlatformREST').BapEndpoint + `
+               "/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/$($policyName)?api-version=2016-11-01"
+
+        $policy = Invoke-M365DSCPowerPlatformRESTWebRequest -Uri $uri -Method 'PUT' -Body $policyObject
     }
     # REMOVE
     elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
     {
         Write-Verbose -Message "Removing Data Policy {$DisplayName}"
-        Remove-AdminDlpPolicy -PolicyName $policyName
+        $uri = "https://" + (Get-MSCloudLoginConnectionProfile -Workload 'PowerPlatformREST').BapEndpoint + `
+               "/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/$($policyName)?api-version=2016-11-01"
+
+        $policy = Invoke-M365DSCPowerPlatformRESTWebRequest -Uri $uri -Method 'DELETE'
     }
 }
 
@@ -345,7 +411,7 @@ function Export-TargetResource
         $AccessTokens
     )
 
-    $ConnectionMode = New-M365DSCConnection -Workload 'PowerPlatforms' `
+    $ConnectionMode = New-M365DSCConnection -Workload 'PowerPlatformREST' `
         -InboundParameters $PSBoundParameters
 
     #Ensure the proper dependencies are installed in the current environment.
@@ -363,7 +429,10 @@ function Export-TargetResource
     try
     {
         $Script:ExportMode = $true
-        [array] $Script:exportedInstances = Get-AdminDlpPolicy -ErrorAction Stop
+        $uri = "https://" + (Get-MSCloudLoginConnectionProfile -Workload 'PowerPlatformREST').BapEndpoint + `
+            "/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies?api-version=2016-11-01"
+
+        [array] $Script:exportedInstances = Invoke-M365DSCPowerPlatformRESTWebRequest -Uri $uri -Method 'GET'
 
         $i = 1
         $dscContent = ''
@@ -375,18 +444,18 @@ function Export-TargetResource
         {
             Write-Host "`r`n" -NoNewline
         }
-        foreach ($config in $Script:exportedInstances)
+        foreach ($config in $Script:exportedInstances.value)
         {
             if ($null -ne $Global:M365DSCExportResourceInstancesCount)
             {
                 $Global:M365DSCExportResourceInstancesCount++
             }
 
-            $displayedKey = $config.DisplayName
-            Write-Host "    |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
+            $displayedKey = $config.properties.displayName
+            Write-Host "    |---[$i/$($Script:exportedInstances.value.Count)] $displayedKey" -NoNewline
             $params = @{
-                DisplayName           = $config.DisplayName
-                PolicyName            = $config.PolicyName
+                DisplayName           = $config.properties.displayName
+                PolicyName            = $config.name
                 Credential            = $Credential
                 ApplicationId         = $ApplicationId
                 TenantId              = $TenantId