From 1c447110e48bde6a2ef404a7d0528a5c5f5d1254 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Wed, 14 Feb 2024 18:04:23 +0000 Subject: [PATCH 01/70] FirstBatch --- CHANGELOG.md | 29 + .../MSFT_IntuneASRRulesPolicyWindows10.psm1 | 103 +--- ...alAdministratorPasswordSolutionPolicy.psm1 | 114 ++-- ...tectionLocalUserGroupMembershipPolicy.psm1 | 158 ++---- .../MSFT_IntuneAccountProtectionPolicy.psm1 | 141 ++--- ...ntivirusPolicyWindows10SettingCatalog.psm1 | 90 +-- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 101 +--- ...MSFT_IntuneAppProtectionPolicyAndroid.psm1 | 5 +- ...tuneApplicationControlPolicyWindows10.psm1 | 93 +--- ...T_IntuneDeviceCompliancePolicyAndroid.psm1 | 96 +--- ...iceCompliancePolicyAndroidDeviceOwner.psm1 | 98 +--- ...iceCompliancePolicyAndroidWorkProfile.psm1 | 98 +--- ...SFT_IntuneDeviceCompliancePolicyMacOS.psm1 | 99 +--- ...IntuneDeviceCompliancePolicyWindows10.psm1 | 100 +--- .../MSFT_IntuneDeviceCompliancePolicyiOs.psm1 | 60 +- ...iceConfigurationCustomPolicyWindows10.psm1 | 1 + ...inistratorPasswordSolutionPolicy.Tests.ps1 | 161 +++--- ...onLocalUserGroupMembershipPolicy.Tests.ps1 | 516 +++++++++--------- ...SC.IntuneAccountProtectionPolicy.Tests.ps1 | 119 +--- ...rusPolicyWindows10SettingCatalog.Tests.ps1 | 223 ++------ ...pplicationControlPolicyWindows10.Tests.ps1 | 16 +- 21 files changed, 833 insertions(+), 1588 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7f05a29c2..b36cd4474c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,34 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy + * Added support for assignment GroupDisplayName +* IntuneAccountProtectionLocalUserGroupMembershipPolicy + * Added support for assignment GroupDisplayName +* IntuneAccountProtectionPolicy + * Added support for assignment GroupDisplayName +* IntuneAntivirusPolicyWindows10SettingCatalog + * Added support for assignment GroupDisplayName +* IntuneAppConfigurationPolicy + * Added support for assignment GroupDisplayName +* IntuneApplicationControlPolicyWindows10 + * Added support for assignment GroupDisplayName +* IntuneASRRulesPolicyWindows10 + * Added support for assignment GroupDisplayName +* IntuneDeviceCompliancePolicyAndroid + * Added support for assignment GroupDisplayName +* IntuneDeviceCompliancePolicyAndroidDeviceOwner + * Added support for assignment GroupDisplayName +* IntuneDeviceCompliancePolicyAndroidWorkProfile + * Added support for assignment GroupDisplayName +* IntuneDeviceCompliancePolicyiOs + * Added support for assignment GroupDisplayName +* IntuneDeviceCompliancePolicyMacOS + * Added support for assignment GroupDisplayName +* IntuneDeviceCompliancePolicyWindows10 + * Added support for assignment GroupDisplayName + # 1.24.131.2 * TeamsMeetingPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 index 6482cb21d7..d9fa08a78b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 
@@ -179,8 +179,10 @@ function Get-TargetResource try { #Retrieve policy general settings - - $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue + if (-not [string]::IsNullOrEmpty($Identity)) + { + $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue + } if ($null -eq $policy) { @@ -189,6 +191,11 @@ function Get-TargetResource { $policy = Get-MgBetaDeviceManagementIntent -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue } + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } if ($null -eq $policy) { @@ -225,19 +232,12 @@ function Get-TargetResource $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $graphAssignments -IncludeDeviceFilter:$true } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } 
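Review bot: The display-name lookup in the second hunk interpolates `$DisplayName` straight into the OData filter (`-Filter "DisplayName eq '$DisplayName'"`, unchanged context), so a name containing an apostrophe produces a malformed filter. With `-ErrorAction SilentlyContinue` that failure looks like "no policy found", and the new duplicate check never sees the result. Doubling the quote before building the filter avoids this: `$escapedName = $DisplayName.Replace("'", "''")` followed by `-Filter "DisplayName eq '$escapedName'"`. The same interpolation appears in the display-name filters of the LAPS, LocalUserGroupMembership and AccountProtection Get-TargetResource hunks. Get-TargetResource starts and ends outside these hunks.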
@@ -260,7 +260,7 @@ function Get-TargetResource -Credential $Credential } - return $nullResult + throw } } @@ -546,7 +546,7 @@ function Set-TargetResource #Using Rest to reduce the number of calls $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null #region Assignments $assignmentsHash = @() 
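Review bot: `4> Out-Null` on the `Invoke-MgGraphRequest` line does not discard the verbose stream; a redirection target is a file path, so PowerShell writes stream 4 to a file named `Out-Null` in the current directory. Whatever the cmdlet emits as verbose output for this updateSettings call then ends up on disk on the machine applying the configuration. Use `4> $null` instead. The same redirection is added to the updateSettings call in MSFT_IntuneAccountProtectionPolicy (hunk `@@ -443,7 +443,7 @@`).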
@@ -748,75 +748,28 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationSecret') | Out-Null $ValuesToCheck.Remove('Identity') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = 
Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index a6ff9a5167..b8344e7b02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 
@@ -130,7 +130,7 @@ function Get-TargetResource try { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue if ($null -eq $policy) { @@ -138,28 +138,32 @@ function Get-TargetResource $policyTemplateID = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' $filter = "name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'" $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter $filter -ErrorAction SilentlyContinue + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + if ($null -eq $policy) { Write-Verbose -Message "No Account Protection LAPS Policy {displayName: '$DisplayName'} was found" return $nullResult } + + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty settings -ErrorAction SilentlyContinue } $Identity = $policy.Id Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.id):$($policy.Name)}" - - #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` - -DeviceManagementConfigurationPolicyId $Identity ` - -ErrorAction Stop + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $Identity) $returnHashtable.Add('DisplayName', $policy.name) $returnHashtable.Add('Description', $policy.description) - foreach ($setting in $settings.settingInstance) + foreach ($setting in $settings.SettingInstance) { $addToParameters = $true $settingName = $setting.settingDefinitionId.Split('_') | Select-Object -Last 1 
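Review bot: The re-fetch added after the display-name match, `Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty settings -ErrorAction SilentlyContinue`, replaces a settings call that used `-ErrorAction Stop`. A Graph failure here now leaves `$policy` null, and the function carries on with an empty `$settings` instead of reaching the catch block. For a LAPS policy that means a transient or permission error can surface as a policy with no settings; `-ErrorAction Stop` on this second call keeps the failure visible. The first lookup also passes `$Identity` unguarded, whereas the ASR resource in this patch wraps it in `if (-not [string]::IsNullOrEmpty($Identity))`. The re-fetch lines in LocalUserGroupMembershipPolicy, AccountProtectionPolicy and AntivirusPolicyWindows10SettingCatalog use the same `SilentlyContinue`.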
@@ -226,9 +230,16 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-DeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity + $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + if ($graphAssignments.count -gt 0) + { + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) + } $returnHashtable.Add('Assignments', $returnAssignments) + Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.name)}" $returnHashtable.Add('Ensure', 'Present') @@ -249,7 +260,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
@@ -566,83 +577,24 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - $ValuesToCheck = $PSBoundParameters + $ValuesToCheck = ([hashtable]$PSBoundParameters).clone() $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('Credential') | Out-Null $ValuesToCheck.Remove('ApplicationId') | Out-Null $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - $ValuesToCheck.Remove('Identity') | Out-Null - - if ($BackupDirectory -eq 0) - { - $ValuesToCheck.Remove('PasswordAgeDays_AAD') | Out-Null - $ValuesToCheck.Remove('PasswordAgeDays') | Out-Null - $ValuesToCheck.Remove('PasswordExpirationProtectionEnabled') | Out-Null - $ValuesToCheck.Remove('AdEncryptedPasswordHistorySize') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionEnabled') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionPrincipal') | Out-Null - } - elseif ($BackupDirectory -eq 1) { - $ValuesToCheck.Remove('PasswordAgeDays') | Out-Null - $ValuesToCheck.Remove('PasswordExpirationProtectionEnabled') | Out-Null - $ValuesToCheck.Remove('AdEncryptedPasswordHistorySize') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionEnabled') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionPrincipal') | Out-Null - } elseif ($BackupDirectory -eq 2) - { - $ValuesToCheck.Remove('PasswordAgeDays_AAD') | Out-Null - } $testResult = $true - if ([Array]$Assignments.count -ne $CurrentValues.Assignments.count) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Configuration drift:Number of assignments does not match: Source=$([Array]$Assignments.count) Target=$($CurrentValues.Assignments.count)" - $testResult = $false + Write-Verbose -Message "Test-TargetResource returned $false" + return $false } - if ($testResult) - { - foreach 
($assignment in $CurrentValues.Assignments) - { - if ($null -ne $Assignment) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - } - if (-not $testResult) - { - $testResult = $false - break - } - - } - - } + #Compare Cim instances + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target $ValuesToCheck.Remove('Assignments') | Out-Null if ($testResult) 
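Review bot: This hunk also drops the `$BackupDirectory`-dependent exclusions (`PasswordAgeDays_AAD`, `AdPasswordEncryptionEnabled` and the rest), which the changelog entry about assignment GroupDisplayName does not mention. Every bound parameter is now passed to `Test-M365DSCParameterState` regardless of the backup target. If the service does not return the settings that do not apply to the chosen directory, Test-TargetResource would report drift on each run; whether that is handled elsewhere is not visible here. Either keep the exclusions or state the intent with a comment such as `# BackupDirectory-specific settings are compared as-is; Get-TargetResource returns them for every backup target`. The Test-TargetResource hunk of MSFT_IntuneAccountProtectionPolicy removes its `WindowsHelloForBusinessBlocked` exclusions and the null-value pruning in the same way.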
@@ -752,7 +704,8 @@ function Export-TargetResource if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) ` + -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments if ($complexTypeStringResult) { $Results.Assignments = $complexTypeStringResult @@ -771,12 +724,7 @@ function Export-TargetResource if ($Results.Assignments) { - $isCIMArray = $false - if ($Results.Assignments.getType().Fullname -like '*[[\]]') - { - $isCIMArray = $true - } - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true } $dscContent += $currentDSCBlock diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index 4b58e81abc..4fa2a0c027 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 
@@ -79,7 +79,7 @@ function Get-TargetResource { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue if ($null -eq $policy) { @@ -87,18 +87,26 @@ function Get-TargetResource if (-not [String]::IsNullOrEmpty($DisplayName)) { $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter "Name eq '$DisplayName'" -ErrorAction SilentlyContinue + + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + + if ($null -eq $policy) + { + Write-Verbose -Message "No Account Protection Local User Group Membership Policy with displayName {$DisplayName} was found" + return $nullResult + } + + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.id -ExpandProperty settings -ErrorAction SilentlyContinue } } - if ($null -eq $policy) - { - Write-Verbose -Message "No Account Protection Local User Group Membership Policy with displayName {$DisplayName} was found" - return $nullResult - } + #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` - -DeviceManagementConfigurationPolicyId $policy.Id ` - -ErrorAction Stop + $Identity = $policy.id + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $policy.Id) 
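Review bot: The duplicate check tests `([array]$devicePolicy).count`, but the lookup result is stored in `$policy` and no `$devicePolicy` is assigned in this hunk, so unless it is set elsewhere the guard never fires. With two policies sharing a name, `$policy.id` then expands to several ids and is passed to `-DeviceManagementConfigurationPolicyId`. Change the condition to `if (([array]$policy).count -gt 1)`. Moving the not-found return inside the `$DisplayName` branch also means an empty `$DisplayName` combined with a failed id lookup now falls through to `$Identity = $policy.id` on a null `$policy`. Get-TargetResource starts and ends outside the hunk.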
@@ -148,19 +156,14 @@ function Get-TargetResource $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } @@ -183,7 +186,7 @@ function Get-TargetResource -Credential $Credential } - return $nullResult + throw } } 
@@ -412,109 +415,66 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationSecret') | Out-Null $ValuesToCheck.Remove('Identity') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - return $false + $testResult = $false } #region LocalUserGroupCollection - $testResult = $true - if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null' - return $false - } - - if ($CurrentValues.LocalUserGroupCollection) - { - if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count) + if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection)) { - Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}" + Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null' return $false } - for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++) - { - $source = $ValuesToCheck.LocalUserGroupCollection[$i] - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i] - - if (-not $testResult) - { - $testResult = $false - break - } - } - } - if (-not $testResult) - { - return $false - } - $ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null - #endregion - #region Assignments - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) - { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false - } - - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) + if 
($CurrentValues.LocalUserGroupCollection) { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) + if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count) { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment + Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}" + return $false } - #AllDevices/AllUsers assignment - else + for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++) { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) + $source = $ValuesToCheck.LocalUserGroupCollection[$i] + $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i] + + if (-not $testResult) { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" $testResult = $false break } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment } - - if (-not $testResult) - { - $testResult 
= $false - break - } - } + if (-not $testResult) + { + return $false + } + $ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null } - if (-not $testResult) + #endregion + + #region Assignments + if ($testResult) { - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - $ValuesToCheck.Remove('Assignments') | Out-Null #endregion - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index 327fc77e61..e12aff2340 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -144,7 +144,7 @@ function Get-TargetResource { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ExpandProperty settings,assignments -ErrorAction SilentlyContinue if ($null -eq $policy) { 
@@ -153,17 +153,25 @@ function Get-TargetResource { $policy = Get-MgBetaDeviceManagementIntent -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue } - } - if ($null -eq $policy) - { - Write-Verbose -Message "No Account Protection Policy with displayName {$DisplayName} was found" - return $nullResult + + if ($null -eq $policy) + { + Write-Verbose -Message "No Account Protection Policy with displayName {$DisplayName} was found" + return $nullResult + } + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + + $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $policy.id -ExpandProperty settings,assignments -ErrorAction SilentlyContinue + } - #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementIntentSetting ` - -DeviceManagementIntentId $policy.Id ` - -ErrorAction Stop + + $Identity = $policy.id + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $policy.Id) 
@@ -202,19 +210,11 @@ function Get-TargetResource $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + if ($policy.assignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $policy.assignments -IncludeDeviceFilter $true } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } @@ -237,7 +237,7 @@ function Get-TargetResource -Credential $Credential } - return $nullResult + throw } } @@ -443,7 +443,7 @@ function Set-TargetResource #Using Rest to reduce the number of calls $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null #region Assignments $assignmentsHash = @() 
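Review bot: `-IncludeDeviceFilter $true` in the assignments hunk is written with a space, while every other call in this patch uses `-IncludeDeviceFilter:$true`. If the parameter is a `[switch]` (its declaration is not in this diff), the `$true` is parsed as a separate positional argument rather than as the switch value. Use `ConvertFrom-IntunePolicyAssignment -Assignments $policy.assignments -IncludeDeviceFilter:$true` to match the other resources.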
@@ -610,96 +610,29 @@ function Test-TargetResource $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('Verbose') | Out-Null - foreach ($key in $PSBoundParameters.Keys) { - if ($null -eq $ValuesToCheck.$key) { - $ValuesToCheck.Remove($key) | Out-Null - } - } - - if ($CurrentValues.WindowsHelloForBusinessBlocked -in @('notconfigured', 'True')) - { - $ValuesToCheck.Remove('PinMinimumLength') | Out-Null - $ValuesToCheck.Remove('PinMaximumLength') | Out-Null - $ValuesToCheck.Remove('PinLowercaseCharactersUsage') | Out-Null - $ValuesToCheck.Remove('PinUppercaseCharactersUsage') | Out-Null - $ValuesToCheck.Remove('PinSpecialCharactersUsage') | Out-Null - $ValuesToCheck.Remove('PinExpirationInDays') | Out-Null - $ValuesToCheck.Remove('PinPreviousBlockCount') | Out-Null - $ValuesToCheck.Remove('PinRecoveryEnabled') | Out-Null - $ValuesToCheck.Remove('SecurityDeviceRequired') | Out-Null - $ValuesToCheck.Remove('UnlockWithBiometricsEnabled') | Out-Null - $ValuesToCheck.Remove('EnhancedAntiSpoofingForFacialFeaturesEnabled') | Out-Null - $ValuesToCheck.Remove('UseCertificatesForOnPremisesAuthEnabled') | Out-Null - } - + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - return $false + $testResult = $false } - #region Assignments - $testResult = $true - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + #region assignments + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has 
changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index 2659437cce..17989f35e9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 @@ -373,7 +373,7 @@ function Get-TargetResource try { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue if ($null -eq $policy) { @@ -385,12 +385,19 @@ function Get-TargetResource Write-Verbose -Message "No policy with name {$DisplayName} was found." return $nullResult } + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.id -ExpandProperty settings -ErrorAction SilentlyContinue + } #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` - -DeviceManagementConfigurationPolicyId $policy.Id ` - -ErrorAction Stop + $Identity = $policy.id + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $policy.id) 
@@ -442,19 +449,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) Write-Verbose -Message "Found Endpoint Protection Policy {$($policy.name)}" @@ -476,7 +478,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
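Review bot: The assignment read `Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id` has no `-ErrorAction Stop`, and the new `if ($graphAssignments.count -gt 0)` guard makes a failed read look the same as a policy with no assignments. Unless `$ErrorActionPreference` is set to Stop somewhere outside this hunk, a non-terminating Graph error would bypass the catch block and `Assignments` would be returned as an empty array, which the later comparison treats as real state. Adding `-ErrorAction Stop` to the call matches the policy lookups in this patch that already use it and the catch blocks that now rethrow. The same call shape appears in the assignment hunks for AppConfigurationPolicy, ApplicationControlPolicyWindows10 and the DeviceCompliancePolicy modules further down.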
@@ -1286,58 +1288,22 @@ function Test-TargetResource $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck.Remove('Identity') | Out-Null - if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } $testResult = $true - if ([Array]$Assignments.count -ne $CurrentValues.Assignments.count) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Configuration drift:Number of assignments does not match: Source=$([Array]$Assignments.count) Target=$($CurrentValues.Assignments.count)" $testResult = $false } - if ($testResult) - { - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - if (-not $testResult) - { - $testResult = $false - break - } - - } + #region Assignments + if ($testResult) + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = 
Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - $ValuesToCheck.Remove('Assignments') | Out-Null + #endregion if ($testResult) { @@ -1656,7 +1622,7 @@ function Update-IntuneDeviceConfigurationPolicy } $body = $policy | ConvertTo-Json -Depth 20 #write-verbose -Message $body - Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop + Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop 4> Out-Null } catch diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index 2352b5643f..333ba8340e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 @@ -74,7 +74,10 @@ function Get-TargetResource { $configPolicy = Get-MgBetaDeviceAppManagementTargetedManagedAppConfiguration -Filter "displayName eq '$DisplayName'" ` -ErrorAction Stop - + if(([array]$configPolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $configPolicy) { Write-Verbose -Message "No App Configuration Policy with displayName {$DisplayName} was found" 
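Review bot: When `$CurrentValues.Ensure -ne $PSBoundParameters.Ensure` the new code only sets `$testResult = $false`, and the removed per-assignment `Write-Verbose` drift messages have no visible replacement, so the verbose log no longer says why the test failed. I would add `Write-Verbose -Message "Configuration drift: Ensure is {$($CurrentValues.Ensure)} but {$($PSBoundParameters.Ensure)} was expected"` inside that `if`; whether `Compare-M365DSCIntunePolicyAssignment` logs the mismatching assignment cannot be seen in this patch. The same applies to the Test-TargetResource hunks of the other resources below, and the AppConfigurationPolicy variant goes further by using a bare `return $false` that also skips the closing "Test-TargetResource returned" message. Test-TargetResource starts and ends outside this hunk.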
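Review bot: `4> Out-Null` on the `Invoke-MgGraphRequest` line is a stream redirection to a file, so the verbose stream is written to a file named `Out-Null` in the current directory instead of being discarded. Whatever the cmdlet writes to the verbose stream for this PUT then stays on disk wherever the resource happens to run. The discard form is `Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop 4> $null`. Update-IntuneDeviceConfigurationPolicy starts and ends outside this hunk.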
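Review bot: The duplicate check added here depends on `-Filter "displayName eq '$DisplayName'"`, which places `$DisplayName` in the OData filter without doubling single quotes, so a name containing an apostrophe yields a malformed or different filter and the count test then runs on the wrong result. Escaping first, with `$escapedName = $DisplayName.Replace("'", "''")` and `-Filter "displayName eq '$escapedName'"`, keeps both the lookup and the new uniqueness test on the intended name. The ApplicationControlPolicyWindows10 hunk that adds the same check builds its filter the same way. The surrounding Get-TargetResource body lies outside this hunk.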
@@ -96,19 +99,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceAppManagementTargetedManagedAppConfigurationAssignment -TargetedManagedAppConfigurationId $configPolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceAppManagementTargetedManagedAppConfigurationAssignment -TargetedManagedAppConfigurationId $configPolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } @@ -120,7 +118,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } @@ -326,6 +324,11 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) + { + return $false + } + if ($null -ne $CurrentValues.CustomSettings -and $CurrentValues.CustomSettings.Length -gt 0 -and $null -ne $CustomSettings) { $value = Test-M365DSCAppConfigurationPolicyCustomSetting -Current $CurrentValues.CustomSettings -Desired $CustomSettings 
@@ -351,71 +354,19 @@ function Test-TargetResource $ValuesToCheck.Remove('CustomSettings') | Out-Null #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) - { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false - } - - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) - { - return $false - } + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment 
-Source $source -Target $target $ValuesToCheck.Remove('Assignments') | Out-Null #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 index 1a04856c16..867d527297 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 @@ -345,16 +345,13 @@ function Get-TargetResource } catch { - Write-Verbose -Message "ERROR on get-targetresource for $displayName" - $nullResult.Ensure = 'ERROR' - New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 index 7231018cf5..d4c6632855 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 @@ -84,6 +84,11 @@ function Get-TargetResource #Retrieve policy general settings $policy = Get-MgBetaDeviceManagementIntent -Filter "displayName eq '$DisplayName'" -ErrorAction Stop | Where-Object -FilterScript { $_.TemplateId -eq '63be6324-e3c9-4c97-948a-e7f4b96f0f20' } + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + if ($null -eq $policy) { Write-Verbose -Message "No Endpoint Protection Application Control Policy {$DisplayName} was found" @@ -112,19 +117,12 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $graphAssignments -IncludeDeviceFilter:$true } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } catch @@ -135,7 +133,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
@@ -384,69 +382,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - #region Assignments $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) - { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false - } - - if ($CurrentValues.Assignments) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - } + $testResult = $false } - if (-not $testResult) + #region Assignments + if ($TestResult) { - return $false + $source = 
Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - $ValuesToCheck.Remove('Assignments') | Out-Null #endregion - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + if ($TestResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $TestResult" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 index 6b3353da1a..69cd11f2e2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 @@ -186,6 +186,10 @@ function Get-TargetResource -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Android Device Compliance Policy with displayName {$DisplayName} was found" 
@@ -234,19 +238,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -258,7 +257,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
@@ -717,75 +716,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: 
{$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 index 75d548ae46..eec7a6f32a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 
@@ -139,7 +139,10 @@ function Get-TargetResource $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidDeviceOwnerCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Intune Android Device Owner Device Compliance Policy with displayName {$DisplayName} was found" @@ -176,19 +179,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -200,7 +198,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
@@ -570,76 +568,28 @@ function Test-TargetResource $ValuesToCheck.Remove('CertificateThumbprint') | Out-Null $ValuesToCheck.Remove('ManagedIdentity') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: 
{$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 index da9d328933..0d1601f904 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 
@@ -175,7 +175,10 @@ function Get-TargetResource -ErrorAction Stop | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidWorkProfileCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Intune Android Work Profile Device Compliance Policy with displayName {$DisplayName} was found" @@ -222,19 +225,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -246,7 +244,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
@@ -680,76 +678,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: 
{$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 index 864a3cf2c3..5bff227723 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 @@ -158,7 +158,10 @@ function Get-TargetResource -ErrorAction Stop | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.macOSCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No MacOS Device Compliance Policy with displayName {$DisplayName} was found" 
@@ -200,19 +203,15 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) + return [System.Collections.Hashtable] $results } @@ -224,7 +223,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
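Review bot: The new `Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment` call has no `-ErrorAction Stop`, unlike the policy lookup earlier in this function. If a failed assignment read surfaces as a non-terminating error, `$graphAssignments` stays empty and the policy is reported as having no assignments, instead of reaching the `catch` that now rethrows. I would write `$graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id -ErrorAction Stop`. The same call is added in the Get-TargetResource hunks of the Windows10 and iOS compliance policy modules. Get-TargetResource starts and ends outside the hunk.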
@@ -627,76 +626,28 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if (($null -ne $CurrentValues.Assignments) -xor ($null -ne $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($null -ne $CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - 
$testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 index 61399e6146..fc4a4d0a31 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 @@ -200,7 +200,10 @@ function Get-TargetResource -ErrorAction Stop | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Windows 10 Device Compliance Policy with displayName {$DisplayName} was found" 
@@ -252,9 +255,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $myAssignments = @() - $myAssignments += Get-M365DSCDeviceManagementPolicyAssignments -DeviceManagementPolicyId $devicePolicy.id -repository 'deviceCompliancePolicies' - $results.Add('Assignments', $myAssignments) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) + { + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) + } + $results.Add('Assignments', $returnAssignments) + return [System.Collections.Hashtable] $results } catch @@ -265,7 +275,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
@@ -748,85 +758,20 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } $testResult = $true - if (([Array]$Assignments).count -ne $CurrentValues.Assignments.count) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Configuration drift:Number of assignments does not match: Source=$([Array]$Assignments.count) Target=$($CurrentValues.Assignments.count)" $testResult = $false } + #region Assignments if ($testResult) { - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - - $CIMAssignmentAsHash = Get-M365DSCAssignmentsAsHashtable -CIMAssignment $source - } - #collectionId Assignment - elseif (-not [String]::IsNullOrEmpty($assignment.collectionId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.collectionId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: collectionId {$($assignment.collectionId)} not found" - $testResult = $false - break - } - - $CIMAssignmentAsHash = Get-M365DSCAssignmentsAsHashtable -CIMAssignment $source - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $CIMAssignmentAsHash = Get-M365DSCAssignmentsAsHashtable 
-CIMAssignment $source - } - - foreach ($key in $assignment.keys) - { - $compareResult = Compare-Object ` - -ReferenceObject @($assignment[$key] | Select-Object) ` - -DifferenceObject @($CIMAssignmentAsHash[$key] | Select-Object) - - if ($null -ne $compareResult) - { - Write-Verbose -Message "Configuration drift in assignment key: $key - CurrentValue $($assignment[$key]|Out-String)" - Write-Verbose -Message "Configuration drift in assignment key: $key - TargetValue $($CIMAssignmentAsHash[$key]|Out-String)" - return $false - } - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - - $ValuesToCheck.Remove('Assignments') | Out-Null + #endregion if ($testResult) { @@ -834,7 +779,6 @@ function Test-TargetResource -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys - } Write-Verbose -Message "Test-TargetResource returned $TestResult" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 index 4e5ccc567a..c9a44faabf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 
@@ -149,7 +149,10 @@ function Get-TargetResource -ErrorAction Stop | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.iosCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No iOS Device Compliance Policy with displayName {$DisplayName} was found" @@ -189,19 +192,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -213,7 +211,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + throw } } 
@@ -611,46 +609,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - #region Assignments + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } - $testResult = $true - - #Compare Cim instances - foreach ($key in $PSBoundParameters.Keys) + #region Assignments + if ($testResult) { - $source = $PSBoundParameters.$key - $target = $CurrentValues.$key - if ($source.getType().Name -like '*CimInstance*') - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) - - if (-Not $testResult) - { - $testResult = $false - break - } - - $ValuesToCheck.Remove($key) | Out-Null - } + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } #endregion if ($testResult) { - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 index e35f2b96c7..14e92bd3d9 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 @@ -115,6 +115,7 @@ function Get-TargetResource if ($currentomaSettings.isEncrypted -eq $true) { + write-verbose ("IsEncrypted = true -- $($currentomaSettings.displayName)") $SecretReferenceValueId = $currentomaSettings.secretReferenceValueId $OmaSettingPlainTextValue = Get-OmaSettingPlainTextValue -SecretReferenceValueId $SecretReferenceValueId if (![String]::IsNullOrEmpty($OmaSettingPlainTextValue)) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 index 2ed971ac91..6913e720b6 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 @@ -73,7 +73,23 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } }) } - + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } 
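Review bot: The added `write-verbose ("IsEncrypted = true -- ...")` line in MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 reads like leftover debugging and does not use the `Write-Verbose -Message` form seen in the rest of this patch. It sits directly above the call that fetches the plain-text value of an encrypted OMA setting, so if it stays it deserves a comment that only the setting's display name may be logged here, never `$OmaSettingPlainTextValue`. Suggested form: `Write-Verbose -Message "OMA setting {$($currentomaSettings.displayName)} is encrypted; resolving its secret reference value"`. The enclosing Get-TargetResource continues outside the hunk.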
@@ -84,10 +100,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "When the instance doesn't already exist" -Fixture { BeforeAll { $testParams = @{ - Assignments = @( + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential @@ -123,7 +139,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential 
@@ -139,29 +155,27 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } + Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { } } @@ -191,7 +205,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) BackupDirectory = '1' 
@@ -202,27 +216,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } @@ -238,7 +249,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Assignments = @( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential 
@@ -253,27 +264,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } 
@@ -308,27 +316,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { TemplateReference = @{ TemplateId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 index d7c738d6a1..f7d1a937f2 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 
@@ -68,7 +68,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "When the instance doesn't already exist" -Fixture { BeforeAll { $testParams = @{ - Assignments = @( + Assignments = [ciminstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' @@ -80,7 +80,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - LocalUserGroupCollection = @( + LocalUserGroupCollection = [ciminstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupCollection -Property @{ LocalGroups = @('administrators', 'users') Members = @('S-1-12-1-1167842105-1150511762-402702254-1917434032') @@ -124,7 +124,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - LocalUserGroupCollection = @( + LocalUserGroupCollection = [ciminstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupCollection -Property @{ LocalGroups = @('administrators') Members = @('S-1-12-1-1167842105-1150511762-402702254-1917434032') 
@@ -139,78 +139,77 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'Non-existant value' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'Non-existant value' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } + + Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { } } 
@@ -259,76 +258,73 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } 
@@ -368,76 +364,73 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } 
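Review bot: `Settings = @{` in the mocked policy makes `Settings` a single hashtable, whereas the other test files reworked in this commit mock it as a collection (`Settings = @(@{ … })`). A lone hashtable still enumerates as one item in `foreach`, but `.Count` or `[0]` on it behaves differently from a one-element array, so the mock can pass where real data would not. I would open the property with `Settings = @(@{` and close it with `})`, and do the same in the next hunk (`@@ -472,80 +465,77 @@`). How the resource reads `Settings` is not visible from this hunk, so the impact is unconfirmed.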
@@ -472,80 +465,77 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { TemplateReference = @{ TemplateId = '5dd36540-eb22-4e7e-b19c-2a07772ba627_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 'settingDefinitionId' = 
'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( + @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() + }, @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 
'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - }, - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 index 19e09bc2af..ce354ae843 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 
@@ -68,18 +68,33 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } - Mock -CommandName Get-MgBetaDeviceManagementIntentAssignment -MockWith { - return @(@{ - target = @{ - deviceAndAppManagementAssignmentFilterType = 'none' - deviceAndAppManagementAssignmentFilterId = $null - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' - groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' - } - } - }) + Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { + return @{ + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + DisplayName = 'My Test' + Assignments = @(@{ + target = @{ + deviceAndAppManagementAssignmentFilterType = 'none' + deviceAndAppManagementAssignmentFilterId = $null + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + } + }) + Settings = @(@{ + Id = 0 + DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' + ValueJson = 'true' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' + value = $true + } + }) + } } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } 
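Review bot: The `Get-MgBetaDeviceManagementIntent` mock added here appears to sit in the shared setup, and it always returns an existing intent with `ValueJson = 'true'`. Every Context therefore inherits "intent exists, security key sign-in enabled" unless it overrides the mock. The following hunks (`@@ -142,27 +157,7 @@` onward) delete the per-Context mocks and express drift only by flipping `UseSecurityKeyForSignin` to `$false` in `$testParams`, which is easy to misread later. A comment above the mock would help, for example `# Baseline for all Contexts: intent exists with useSecurityKeyForSignin = true; drift tests request the opposite`. The Context that expects the policy to be absent lies outside these hunks, so it is worth confirming that it still overrides this mock.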
@@ -142,27 +157,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - UseSecurityKeyForSignin = $true - } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'false' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $false - } - }) + UseSecurityKeyForSignin = $false } Mock -CommandName Update-MgBetaDeviceManagementIntent -MockWith { } @@ -201,26 +196,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'true' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $true - } - }) - } } It 'Should return true from the Test method' { 
@@ -244,26 +219,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'false' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $false - } - }) - } } It 'Should return Present from the Get method' { @@ -287,26 +242,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'false' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $false - } - }) - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 index 74d382be01..11e38dfd2d 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 
@@ -47,25 +47,64 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { TemplateId = 'd02f2162-fcac-48db-9b7b-b0a3f160d2c2_1' } } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { return @{ - Id = '12345-12345-12345-12345-12345' - Source = 'direct' - SourceId = '12345-12345-12345-12345-12345' - Target = @{ - DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' - DeviceAndAppManagementAssignmentFilterType = 'none' - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' - groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' - } - ) + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + TemplateReference = @{ + TemplateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' + TemplateFamily = 'endpointSecurityAntivirus' } + Settings = @(@{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' + AdditionalProperties = $null + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_0' #drift + settingValueTemplateReference = @{ + settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' + useTemplateDefault = $false + } + children = $null + } + } + + } + AdditionalProperties = $null + }) } } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = 
'12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } @@ -76,7 +115,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { BeforeAll { $testParams = @{ allowarchivescanning = '1' - Assignments = @( + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' @@ -115,7 +154,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { BeforeAll { $testParams = @{ allowarchivescanning = '1' - Assignments = @( + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' 
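Review bot: The trailing `#drift` comment on `value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_0'` is stale now that this mock is the shared baseline for every Context. The "IS in the Desired State" Context is changed to `allowarchivescanning = '0'` (hunk `@@ -184,8 +188,8 @@`), so `_0` is the matching value and drift comes from the Contexts that still request `'1'`. I would replace the comment with `# baseline value; Contexts that request '1' exercise drift`.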
@@ -130,41 +169,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_0' #drift - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should return Present from the Get method' { @@ -184,8 +188,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the instance already exists and IS in the Desired State' -Fixture { BeforeAll { $testParams = @{ - allowarchivescanning = '1' - Assignments = @( + allowarchivescanning = '0' + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' 
@@ -200,42 +204,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1' - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should return true from the Test method' { @@ -246,8 +214,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the instance exists and it SHOULD NOT' -Fixture { BeforeAll { $testParams = @{ - allowarchivescanning = '1' - Assignments = @( + allowarchivescanning = '0' + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' 
@@ -262,42 +230,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1' - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should return Present from the Get method' { 
@@ -321,45 +253,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test policy' - TemplateReference = @{ - templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' - templateFamily = 'endpointSecurityAntivirus' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1' - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 index 71d0b9db9d..77b72e6eea 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 
@@ -85,7 +85,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ DisplayName = 'Test App Configuration Policy' Description = 'Test Definition' - Assignments = (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + Assignments = [CimInstance[]]@(New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ groupId = '123456789' dataType = '#microsoft.graph.groupAssignmentTarget' deviceAndAppManagementAssignmentFilterType = 'include' @@ -104,13 +104,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @{ - DisplayName = 'Test App Configuration Policy' - Description = 'Different Value' - Id = 'A_19dbaff5-9aff-48b0-a60d-d0471ddaf141' + return @(@{ + #DisplayName = 'Test App Configuration Policy' + #Description = 'Different Value' + #Id = 'A_19dbaff5-9aff-48b0-a60d-d0471ddaf141' DefinitionId = 'appLockerApplicationControl' ValueJSON = "'true'" - } + }) } Mock -CommandName Get-MgBetaDeviceManagementIntentAssignment -MockWith { return @( @@ -167,13 +167,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @{ + return @(@{ DisplayName = 'Test App Configuration Policy' Description = 'Test Definition' Id = 'A_19dbaff5-9aff-48b0-a60d-d0471ddaf141' DefinitionId = 'appLockerApplicationControl' ValueJSON = "'true'" - } + }) } Mock -CommandName Get-MgBetaDeviceManagementIntentAssignment -MockWith { return @( From 0ef78311a0407e51583793eed861b066e5a3104b Mon Sep 17 00:00:00 2001 
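Review bot: In the `Get-MgBetaDeviceManagementIntentSetting` mock at `@@ -104,13 +104,13 @@` three keys are commented out (`#DisplayName`, `#Description`, `#Id`) instead of removed, while the otherwise identical mock at `@@ -167,13 +167,13 @@` keeps them live. Commented-out fixture data leaves the next reader guessing which shape is intended. I would delete the three lines; if they were dropped because a setting object is not expected to carry policy-level fields, the second mock should get the same trim so the two fixtures agree.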
From: William-francillette Date: Wed, 14 Feb 2024 18:33:33 +0000 Subject: [PATCH 02/70] update settings.json --- .../MSFT_IntuneASRRulesPolicyWindows10/settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../MSFT_IntuneAppConfigurationPolicy/settings.json | 6 ++++++ .../MSFT_IntuneAppProtectionPolicyAndroid/settings.json | 6 ++++++ .../MSFT_IntuneAppProtectionPolicyiOS/settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../MSFT_IntuneDeviceCompliancePolicyiOs/settings.json | 6 ++++++ 13 files changed, 78 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json index a21e872c90..0250bfc33a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json index 76338d2e0a..7f3c9f6cc3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json 
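Review bot: `Group.Read.All` is added to both the delegated and the application `read` lists here, and the same pair of hunks repeats in the other settings.json files in this patch's diffstat. Per the changelog entry the goal is resolving an assignment's `GroupDisplayName`, which only needs basic group lookup. `GroupMember.Read.All` allows listing groups and reading basic properties and membership without the broader access to group content that `Group.Read.All` carries, which matters most for the app-only grant. If that scope is enough for the lookup these resources perform, prefer `"name": "GroupMember.Read.All"` in both lists. The `update` lists fall outside these hunks, so whether the write path received a matching scope cannot be checked from here.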
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json index 76dcf45483..d6aeda8c71 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json index b3e924b2f7..e5bfa4dcaf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json index c70b824025..10e50f1081 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json index d2fd86113a..270c79777d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json index 6c5d9e4b38..0bd2d39195 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } 
@@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json index 6ac3bd8092..f744b68ee9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json index c3b7a98d3f..d32693cec5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json index 2a9f984ec7..ab503e6e12 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json index f939681409..bd59e189c5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json index 08a66e8728..876c98b3c1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json index 40c5882040..4f70de0036 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } From db3f82da0b0c83d7627fe103f316cc66a25bd086 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Tue, 20 Feb 2024 19:12:26 +0000 Subject: [PATCH 03/70] temp commit --- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 116 ++++++++++++++---- 1 file changed, 93 insertions(+), 23 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index c18aa2332a..14f1f1a2a8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 @@ -145,7 +145,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
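Review bot: Replacing `throw` with `return $nullResult` in this Get-TargetResource catch block turns a failed lookup into a normal-looking return value, so every caller now has to test for the cleared authentication keys or it will treat the failure as real state. This patch adds that test only to Test-TargetResource (patch 06/70 adds it to Export-TargetResource); if Set-TargetResource also calls Get-TargetResource, which is not visible here, a transient Graph error could be acted on as if it described the policy, depending on what `$nullResult` holds. Add the same guard there and document the convention at the return: `# Failure sentinel: all authentication keys are nulled; callers must check Test-M365DSCAuthenticationParameter before using this result`. The function body starts and ends outside the hunk, and the same replacement recurs in the Get-TargetResource hunks of patch 06/70.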
@@ -354,6 +355,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune App Configuration Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck $ValuesToCheck.Remove('Id') | Out-Null @@ -361,26 +367,10 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - return $false - } - - if ($null -ne $CurrentValues.CustomSettings -and $CurrentValues.CustomSettings.Length -gt 0 -and $null -ne $CustomSettings) - { - $value = Test-M365DSCAppConfigurationPolicyCustomSetting -Current $CurrentValues.CustomSettings -Desired $CustomSettings - if ($value -eq $false) - { - return $false - } - } - else - { - if (($null -eq $CurrentValues.CustomSettings -and $null -ne $CustomSettings) -or - ($null -ne $CurrentValues.CustomSettings -and $null -eq $CustomSettings)) - { - return $false - } + $testResult = $false } $ValuesToCheck = $PSBoundParameters 
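Review bot: The message in the guard added to Test-TargetResource misspells "occurred" as "occured", and the same text is emitted twice, once by `Write-Verbose` and once by `throw`. The thrown string is what operators will search logs for, so fix the spelling and drop the redundant verbose line: `throw "An error occurred in Get-TargetResource, the policy {$DisplayName} will not be processed. Refer to the event viewer logs for more information."`. The identical block is copied into the Test-TargetResource and Export-TargetResource hunks of patch 06/70.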
@@ -390,11 +380,34 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationSecret') | Out-Null $ValuesToCheck.Remove('CustomSettings') | Out-Null + #region CustomSettings + if ($testResult) + { + $source = $PSBoundParameters.CustomSettings + $target = $CurrentValues.CustomSettings + + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + $ValuesToCheck.Remove('CustomSettings') | Out-Null + } + #endregion + #region Assignments - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments - $target = $CurrentValues.Assignments - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - $ValuesToCheck.Remove('Assignments') | Out-Null + if ($testResult) + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null + } #endregion if ($testResult) 
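Review bot: The `break` inside `if (-Not $testResult)` in the CustomSettings region is not inside any loop or switch visible in this hunk, and in PowerShell a `break` with no enclosing loop unwinds into the caller and can end the calling script without Test-TargetResource returning a value. For a drift check that means a CustomSettings mismatch could stop the run instead of reporting `$false`. The later `if ($testResult)` guards already skip the remaining comparisons, so the inner `if` block can simply be removed. `$ValuesToCheck.Remove('CustomSettings')` is also now called twice, and `$PSBoundParameters.CustomSettings` reaches Get-M365DSCDRGComplexTypeToHashtable without the null handling the removed code had, which is worth confirming. The function continues outside the hunk.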
@@ -610,6 +623,63 @@ function ConvertTo-M365DSCIntuneAppConfigurationPolicyCustomSettings $result += $currentSetting } return $result + Remove-M365DSCAuthenticationParameter +} + +function Clear-M365DSCAuthenticationParameter +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $BoundParameters + ) + + $BoundParameters.Credential = $null + $BoundParameters.ApplicationId = $null + $BoundParameters.ApplicationSecret = $null + $BoundParameters.TenantId = $null + $BoundParameters.CertificatePassword = $null + $BoundParameters.CertificatePath = $null + $BoundParameters.CertificateThumbprint = $null + $BoundParameters.ManagedIdentity = $null + + return $BoundParameters +} +function Test-M365DSCAuthenticationParameter +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $BoundParameters + ) + + $authenticationParameterList = @( + 'Credential' + 'ApplicationId' + 'ApplicationSecret' + 'TenantId' + 'CertificatePassword' + 'CertificatePath' + 'CertificateThumbprint' + 'ManagedIdentity' + ) + + $validAuthenticationParameter = $false + foreach ($parameter in $authenticationParameterList) + { + if ($null -ne $BoundParameters.$parameter) + { + write-host ("$parameter is not null" ) + $validAuthenticationParameter = $true + break + } + } + + return $validAuthenticationParameter } Export-ModuleMember -Function *-TargetResource From d840c1644460a0f625502cc9cc38493ecde89234 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Tue, 20 Feb 2024 19:28:10 +0000 Subject: [PATCH 04/70] Fix an issue with error handling in Get-TargetResource - implemented in IntuneAppConfigurationPolicy --- CHANGELOG.md | 39 +++++++++-- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 56 --------------- .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 70 +++++++++++++++++++ 3 files changed, 105 insertions(+), 60 deletions(-) 
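Review bot: `write-host ("$parameter is not null" )` in Test-M365DSCAuthenticationParameter looks like leftover debugging and prints an authentication parameter name to the host each time the guard runs. It exposes only the key name, not the value, but host output ignores the verbose preference and ends up in transcripts and job output; use `Write-Verbose -Message "$parameter is not null"` or delete the line. The same line is carried over unchanged when the function moves to M365DSCUtil.psm1 in patch 04/70.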
diff --git a/CHANGELOG.md b/CHANGELOG.md index 179cb40a4b..5c97c83c52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,6 @@ # Change log for Microsoft365DSC +# UNRELEASED -# 1.24.214.3 - -<<<<<<<<< Temporary merge branch 1 * IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy * Added support for assignment GroupDisplayName * IntuneAccountProtectionLocalUserGroupMembershipPolicy 
@@ -29,7 +27,40 @@ * Added support for assignment GroupDisplayName * IntuneDeviceCompliancePolicyWindows10 * Added support for assignment GroupDisplayName -========= + +# 1.24.214.3 + +* AADAuthenticationMethodPolicy + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicyAuthenticator + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicyEmail + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicyFido2 + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicySms + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicySoftware + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicyTemporary + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicyVoice + * Fixed an error where the Export method would loop through the response header. +* AADAuthenticationMethodPolicyX509 + * Fixed an error where the Export method would loop through the response header. +* IntuneAppConfigurationPolicy + * Fixed an error in the export on the Settings property. +* IntuneDeviceEnrollmentStatusPageWindows10 + * Fixed an error where the Export method would loop through the response header. +* IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Fixed an error where the Export method would loop through the response header. +* SCDLPComplianceRule + * Fixed the NotifyEmailCustomText and NotifyPolicyTipCustomText to escape fancy + quotes. +* DEPENDENCIES + * Updated Microsoft.Graph to version 2.14.1. + +# 1.24.214.2 * AADConditionalAccessPolicy * Removed invalid empty string value that was added to the validate set of two parameters. 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index bca70b6f47..81280bf36c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 @@ -626,60 +626,4 @@ function ConvertTo-M365DSCIntuneAppConfigurationPolicyCustomSettings Remove-M365DSCAuthenticationParameter } -function Clear-M365DSCAuthenticationParameter -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param( - [Parameter(Mandatory = $true)] - [System.Collections.Hashtable] - $BoundParameters - ) - - $BoundParameters.Credential = $null - $BoundParameters.ApplicationId = $null - $BoundParameters.ApplicationSecret = $null - $BoundParameters.TenantId = $null - $BoundParameters.CertificatePassword = $null - $BoundParameters.CertificatePath = $null - $BoundParameters.CertificateThumbprint = $null - $BoundParameters.ManagedIdentity = $null - - return $BoundParameters -} -function Test-M365DSCAuthenticationParameter -{ - [CmdletBinding()] - [OutputType([System.Boolean])] - param( - [Parameter(Mandatory = $true)] - [System.Collections.Hashtable] - $BoundParameters - ) - - $authenticationParameterList = @( - 'Credential' - 'ApplicationId' - 'ApplicationSecret' - 'TenantId' - 'CertificatePassword' - 'CertificatePath' - 'CertificateThumbprint' - 'ManagedIdentity' - ) - - $validAuthenticationParameter = $false - foreach ($parameter in $authenticationParameterList) - { - if ($null -ne $BoundParameters.$parameter) - { - write-host ("$parameter is not null" ) - $validAuthenticationParameter = $true - break - } - } - - return $validAuthenticationParameter -} - Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 79bbb1650c..3b4a6d9993 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 
@@ -4403,6 +4403,76 @@ function Remove-M365DSCAuthenticationParameter return $BoundParameters } +<# +.Description +This function clears the authentication parameters from the hashtable. + +.Functionality +Internal +#> +function Clear-M365DSCAuthenticationParameter +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $BoundParameters + ) + + $BoundParameters.Credential = $null + $BoundParameters.ApplicationId = $null + $BoundParameters.ApplicationSecret = $null + $BoundParameters.TenantId = $null + $BoundParameters.CertificatePassword = $null + $BoundParameters.CertificatePath = $null + $BoundParameters.CertificateThumbprint = $null + $BoundParameters.ManagedIdentity = $null + + return $BoundParameters +} +<# +.Description +This function validate if the authentication parameters from the hashtable have been cleared. + +.Functionality +Internal +#> +function Test-M365DSCAuthenticationParameter +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $BoundParameters + ) + + $authenticationParameterList = @( + 'Credential' + 'ApplicationId' + 'ApplicationSecret' + 'TenantId' + 'CertificatePassword' + 'CertificatePath' + 'CertificateThumbprint' + 'ManagedIdentity' + ) + + $validAuthenticationParameter = $false + foreach ($parameter in $authenticationParameterList) + { + if ($null -ne $BoundParameters.$parameter) + { + write-host ("$parameter is not null" ) + $validAuthenticationParameter = $true + break + } + } + + return $validAuthenticationParameter +} + <# .Description This function analyzes an M365DSC configuration file and returns information about potential issues (e.g., duplicate primary keys). From 2c99885dc9743cfd02c50aad264fc05ac6e3909b Mon Sep 17 00:00:00 2001 
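Review bot: The comment block added above Test-M365DSCAuthenticationParameter says it validates that the authentication parameters "have been cleared", but the function returns `$true` when at least one of them is not null, that is, when they have not been cleared. Reword the description to match the return value, for example `This function returns $true when at least one authentication parameter in the hashtable is set, and $false when all of them have been cleared.` The description of Clear-M365DSCAuthenticationParameter should also state that the hashtable passed in is modified in place and that Get-TargetResource uses the cleared state as its failure signal, since neither is obvious from the name.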
From: William-Francillette <79221284+William-Francillette@users.noreply.github.com> Date: Tue, 20 Feb 2024 20:28:06 +0000 Subject: [PATCH 05/70] Update MSFT_IntuneAppConfigurationPolicy.psm1 --- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 1 - 1 file changed, 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index 81280bf36c..f2403583bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 @@ -623,7 +623,6 @@ function ConvertTo-M365DSCIntuneAppConfigurationPolicyCustomSettings $result += $currentSetting } return $result - Remove-M365DSCAuthenticationParameter } Export-ModuleMember -Function *-TargetResource From 7f8bfd1d3655ba22f0a82946a0a87b8faf95ae21 Mon Sep 17 00:00:00 2001 
From: William-francillette Date: Mon, 26 Feb 2024 19:02:55 +0000 Subject: [PATCH 06/70] modified error handling from Get,Test and Export-TargetResource and updated M365DSCUtil exported functions --- .../MSFT_IntuneASRRulesPolicyWindows10.psm1 | 13 ++++++++++++- ...LocalAdministratorPasswordSolutionPolicy.psm1 | 15 ++++++++++++--- ...ProtectionLocalUserGroupMembershipPolicy.psm1 | 14 ++++++++++++-- .../MSFT_IntuneAccountProtectionPolicy.psm1 | 13 ++++++++++++- ...neAntivirusPolicyWindows10SettingCatalog.psm1 | 13 ++++++++++++- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 6 ++++++ .../MSFT_IntuneAppProtectionPolicyAndroid.psm1 | 15 +++++++++++++-- ..._IntuneApplicationControlPolicyWindows10.psm1 | 14 ++++++++++++-- ...MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 | 15 +++++++++++++-- ...DeviceCompliancePolicyAndroidDeviceOwner.psm1 | 15 +++++++++++++-- ...DeviceCompliancePolicyAndroidWorkProfile.psm1 | 15 +++++++++++++-- .../MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 | 16 ++++++++++++++-- ...FT_IntuneDeviceCompliancePolicyWindows10.psm1 | 16 ++++++++++++++-- .../MSFT_IntuneDeviceCompliancePolicyiOs.psm1 | 15 +++++++++++++-- Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 9 +++++---- 15 files changed, 176 insertions(+), 28 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 index d9fa08a78b..5d7db7ea9e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 @@ -260,7 +260,8 @@ function Get-TargetResource -Credential $Credential } - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -737,6 +738,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -861,6 +867,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index b8344e7b02..d4f7dfbf59 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -260,7 +260,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -573,7 +574,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection LAPS Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -696,7 +701,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Ensure -eq 'Present') { $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index 4fa2a0c027..e29a872555 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -186,7 +186,8 @@ function Get-TargetResource -Credential $Credential } - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -404,7 +405,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection Local User Group Membership Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -567,6 +572,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.LocalUserGroupCollection) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index e12aff2340..4efcd196ee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -237,7 +237,8 @@ function Get-TargetResource -Credential $Credential } - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -598,6 +599,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -725,6 +731,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index 17989f35e9..a0aebd0e44 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 @@ -478,7 +478,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -1281,6 +1282,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Endpoint Protection Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -1417,6 +1423,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Ensure -eq 'Present') { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index 81280bf36c..484bef96f7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 
@@ -499,6 +499,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } + if ($Results.CustomSettings.Count -gt 0) { $Results.CustomSettings = Get-M365DSCIntuneAppConfigurationPolicyCustomSettingsAsString -Settings $Results.CustomSettings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 index 867d527297..b2e0ebca32 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 @@ -351,7 +351,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -929,6 +930,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Android App Protection Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } if ($CurrentValues.Ensure -eq 'ERROR') { 
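Review bot: In the Test-TargetResource hunk for MSFT_IntuneAppProtectionPolicyAndroid the new guard is inserted directly before an existing `if ($CurrentValues.Ensure -eq 'ERROR')` check, so this resource now carries two failure conventions for the same Get-TargetResource result. The new guard throws first whenever the authentication keys are cleared, so the older branch can only run if some path still returns `Ensure = 'ERROR'` with those keys intact, which cannot be confirmed from the hunk. Pick one convention and remove the other, or mark the survivor with a comment such as `# Ensure = 'ERROR' is no longer returned; failures are signalled by cleared authentication keys`. The function body extends beyond the hunk on both sides.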
@@ -1104,7 +1110,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 index d4c6632855..3f7a12d3d9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 @@ -133,7 +133,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -373,6 +374,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Endpoint Protection Application Control Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -491,7 +497,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 index 3eca1d66dc..49d3415dd6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 
@@ -257,7 +257,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -706,6 +707,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Android Device Compliance Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -821,7 +827,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 index eec7a6f32a..d52429d287 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 @@ -198,7 +198,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -556,6 +557,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Android Work Profile Device Compliance Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -675,7 +681,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 index 815bc7bae8..5f38012691 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 @@ -244,7 +244,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -668,6 +669,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Android Work Profile Device Compliance Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -783,7 +789,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 index 5bff227723..537f689115 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 @@ -223,7 +223,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -615,6 +616,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Device Compliance MacOS Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -732,7 +738,13 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $results = Get-TargetResource @params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } + if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 index 3c6da9fad1..ca8a3c3d06 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 
@@ -275,7 +275,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -748,6 +749,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Device Compliance Windows 10 Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -863,7 +869,13 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 index 4dad89f8fd..be6be2df95 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 @@ -211,7 +211,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - throw + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } @@ -599,6 +600,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Device Compliance iOS Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" @@ -714,7 +720,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.RestrictedApps) { diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 3b4a6d9993..2e3ce54a23 100644 
--- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -4459,18 +4459,17 @@ function Test-M365DSCAuthenticationParameter 'ManagedIdentity' ) - $validAuthenticationParameter = $false + $containsAuthenticationParameter = $false foreach ($parameter in $authenticationParameterList) { if ($null -ne $BoundParameters.$parameter) { - write-host ("$parameter is not null" ) - $validAuthenticationParameter = $true + $containsAuthenticationParameter = $true break } } - return $validAuthenticationParameter + return $containsAuthenticationParameter } <# @@ -4662,6 +4661,7 @@ function Sync-M365DSCParameter Export-ModuleMember -Function @( 'Assert-M365DSCBlueprint', + 'Clear-M365DSCAuthenticationParameter', 'Confirm-ImportedCmdletIsAvailable', 'Confirm-M365DSCDependencies', 'Convert-M365DscHashtableToString', @@ -4695,6 +4695,7 @@ Export-ModuleMember -Function @( 'Set-EXOSafeAttachmentRule', 'Set-EXOSafeLinksRule', 'Split-ArrayByParts', + 'Test-M365DSCAuthenticationParameter' 'Test-M365DSCDependenciesForNewVersions', 'Test-M365DSCModuleValidity', 'Test-M365DSCParameterState', From b1c9e651ff6b6f4da22525ecf329133b11a9208d Mon Sep 17 00:00:00 2001 From: William-francillette Date: Mon, 26 Feb 2024 19:09:48 +0000 Subject: [PATCH 07/70] added missing Group.Read.All permission --- .../MSFT_IntuneAccountProtectionPolicy/settings.json | 6 ++++++ .../settings.json | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json index bdddc7e8c6..1d0cdf0573 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json 
@@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json index f00abc50c8..307c2f8403 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } From 4c4f312713d88a55cc7f5af8827ccbe9aa4701aa Mon Sep 17 00:00:00 2001 From: William-francillette Date: Mon, 26 Feb 2024 19:42:13 +0000 Subject: [PATCH 08/70] fix an issue with unit test due to $nullResult not being a clone of $PSBoundParameters --- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 4 +--- .../Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index bf57ca1ee3..de530f8d76 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 
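Review bot: `Group.Read.All` is added to both the delegated and the application read sets, and as an application permission it grants tenant-wide read access to group properties and memberships, which is more than resolving an assignment's group display name needs. If the lookup only lists groups by name, a narrower permission such as `GroupMember.Read.All` may be enough; that should be confirmed against the Graph calls the resource makes, which are not in this hunk. Only the `read` arrays change here, so if the update path also resolves group names, its permission list (outside the hunk) needs the same review. The same addition is made in the IntuneAntivirusPolicyWindows10SettingCatalog and IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10 settings.json hunks.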
@@ -70,9 +70,7 @@ function Get-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $nullResult = @{ - DisplayName = $DisplayName - } + $nullResult = ([Hashtable]$PSBoundParameters).clone() $nullResult.Ensure = 'Absent' try { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 index c503c826ec..926700fdfd 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 @@ -67,7 +67,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } It 'Should return absent from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + (Get-TargetResource @testParams ).Ensure | Should -Be 'Absent' } It 'Should return false from the Test method' { From bd8b07b97dcc9ea330f112c293f8be1cac052a0d Mon Sep 17 00:00:00 2001 From: William-francillette Date: Mon, 26 Feb 2024 19:46:59 +0000 Subject: [PATCH 09/70] fix changelog --- CHANGELOG.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b613dc6e9..01c035d038 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ # Change log for Microsoft365DSC + # UNRELEASED * IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy @@ -27,9 +28,6 @@ * Added support for assignment GroupDisplayName * IntuneDeviceCompliancePolicyWindows10 * Added support for assignment GroupDisplayName - -# UNRELEASED - * AADApplication * Show current values of resource in Test-TargetResource * AADAuthorizationPolicy From 6511193044f6cedba39d45ead25ea98bc75d0385 Mon Sep 17 00:00:00 2001 
From: William-francillette Date: Tue, 27 Feb 2024 20:20:50 +0000 Subject: [PATCH 10/70] added groupDisplayName support to an additional 7 resources and to allDevices/allUsers groups --- CHANGELOG.md | 42 ++++-- ...AdministrativeTemplatePolicyWindows10.psm1 | 51 ++++--- .../settings.json | 10 +- ...iceConfigurationCustomPolicyWindows10.psm1 | 55 +++++--- .../settings.json | 12 +- ...rForEndpointOnboardingPolicyWindows10.psm1 | 51 ++++--- .../settings.json | 10 +- ...onDeliveryOptimizationPolicyWindows10.psm1 | 56 +++++--- .../settings.json | 6 + ...onfigurationDomainJoinPolicyWindows10.psm1 | 54 +++++--- .../settings.json | 10 +- ...figurationEmailProfilePolicyWindows10.psm1 | 128 ++++++++++-------- .../settings.json | 63 +++++---- ...tionEndpointProtectionPolicyWindows10.psm1 | 67 +++++---- .../settings.json | 6 + .../Modules/M365DSCDRGUtil.psm1 | 16 ++- 16 files changed, 409 insertions(+), 228 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 01c035d038..6bb9b65211 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,31 +3,47 @@ # UNRELEASED * IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneAccountProtectionLocalUserGroupMembershipPolicy - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneAccountProtectionPolicy - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneAntivirusPolicyWindows10SettingCatalog - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneAppConfigurationPolicy - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneApplicationControlPolicyWindows10 - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneASRRulesPolicyWindows10 - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneDeviceCompliancePolicyAndroid - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneDeviceCompliancePolicyAndroidDeviceOwner - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneDeviceCompliancePolicyAndroidWorkProfile - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * 
IntuneDeviceCompliancePolicyiOs - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneDeviceCompliancePolicyMacOS - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneDeviceCompliancePolicyWindows10 - * Added support for assignment GroupDisplayName + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationCustomPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationDomainJoinPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationEmailProfilePolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* M365DSCDRGUtil + * Added support for groupDisplayName to all devices and all users groups * AADApplication * Show current values of resource in Test-TargetResource * AADAuthorizationPolicy 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 index 14affae7de..144f52df92 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 @@ -94,14 +94,19 @@ function Get-TargetResource $getValue = Get-MgBetaDeviceManagementGroupPolicyConfiguration ` -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Administrative Template Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Administrative Template Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Administrative Template Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
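Review bot: The new not-found and duplicate-name checks act on the result of `-Filter "DisplayName eq '$DisplayName'"`, which interpolates the name into the OData filter without escaping. A display name containing an apostrophe yields a malformed or different filter, and with `-ErrorAction SilentlyContinue` the failure is silent, so the policy is reported as not found and the uniqueness check never runs. Doubling single quotes first, `$escapedName = $DisplayName -replace "'", "''"` followed by `-Filter "DisplayName eq '$escapedName'"`, keeps both checks reliable. The start of Get-TargetResource is outside the hunk.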
@@ -227,19 +232,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment -GroupPolicyConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment -GroupPolicyConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return $results } @@ -261,6 +262,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential } + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -665,6 +667,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Administrative Template Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() @@ -714,6 +721,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -835,7 +847,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json index ef5aae1c68..4636671998 100644 
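Review bot: In the comparison loop of Test-TargetResource, the added `if ($key -eq 'Assignments')` block overwrites `$testResult` after the generic comparison ending in `-Target ($target)` has already run on the same values. The first result is discarded, and any verbose output it produced for assignments may no longer match the outcome. Branching instead, `if ($key -eq 'Assignments') { $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target } else { ... }`, runs one comparison per key. The loop header and the name of the generic call are outside the hunk.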
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -17,7 +20,10 @@ }, "application": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 index 14e92bd3d9..4586beaf3f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 
@@ -96,14 +96,20 @@ function Get-TargetResource -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration" ` } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Custom Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Custom Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Custom Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
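Review bot: Moving the `$null -eq $getValue` check inside the DisplayName lookup means it no longer runs when that inner branch is skipped, so `$Id = $getValue.Id` after `#endregion` can execute with `$getValue` still null. The enclosing conditions start outside the hunk, so this is only reachable if the inner branch is conditional, for instance on `$DisplayName` being non-empty. If it is, keep a guard after `#endregion` as well: `if ($null -eq $getValue) { return $nullResult }`. The same restructuring is applied in the Get-TargetResource hunks of the DefenderForEndpointOnboarding, DeliveryOptimization, DomainJoin and EmailProfile resources.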
@@ -166,20 +172,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -191,7 +193,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -447,6 +450,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Custom Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -469,6 +477,10 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } if (-Not $testResult) { $testResult = $false @@ -588,7 +600,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($null -ne $Results.OmaSettings) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json index a9b8d6e3a0..4f57251847 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -16,8 +19,11 @@ ] }, "application": { - "read": [ - { + "read": [ + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 index 5607bb05f1..c5ea49acb8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 
@@ -116,14 +116,19 @@ function Get-TargetResource -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windowsDefenderAdvancedThreatProtectionConfiguration" ` } + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
@@ -148,20 +153,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -173,6 +173,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -447,6 +448,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -469,6 +475,10 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } if (-Not $testResult) { $testResult = $false @@ -588,7 +598,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($Results.Assignments) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json index fa063bd0d5..1ec45e354d 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -17,7 +20,10 @@ }, "application": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 index 133d05a210..ce5217efc4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 
@@ -160,14 +160,20 @@ function Get-TargetResource $getValue = Get-MgBetaDeviceManagementDeviceConfiguration ` -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Delivery Optimization Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Delivery Optimization Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Delivery Optimization Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
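Review bot: The lookup `-Filter "DisplayName eq '$DisplayName'"` interpolates the display name into the OData filter without escaping, so a name containing a single quote produces an invalid filter. With `-ErrorAction SilentlyContinue`, that failure is indistinguishable from "not found" in the new null check. Doubling the quote before building the filter avoids this: `$escapedName = $DisplayName -replace "'", "''"`, then `-Filter "DisplayName eq '$escapedName'"`. Unlike the other resources in this patch, no `@odata.type` filter is visible after this lookup, so the new duplicate check may also count policies of other types that share the name; that should be confirmed against the full function, which starts and ends outside the hunk.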
@@ -288,23 +294,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) - + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } catch @@ -315,6 +313,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -681,6 +680,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Delivery Optimization Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck $ValuesToCheck.Remove('Id') | Out-Null @@ -705,6 +709,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -819,7 +828,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ( $null -ne $Results.BandwidthMode) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json index 7a4ac875c3..ad18510898 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 index 01120c5c19..627f2bd758 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 
@@ -108,14 +108,19 @@ function Get-TargetResource -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windowsDomainJoinConfiguration" ` } + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Domain Join Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Domain Join Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Domain Join Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
@@ -138,20 +143,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -163,7 +163,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -421,6 +422,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Domain Join Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -443,6 +449,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -562,7 +573,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($Results.Assignments) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json index 283b168e60..2ebe5a545e 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -17,7 +20,10 @@ }, "application": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 index 1666e3262e..00adc0b616 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 
@@ -10,17 +10,17 @@ function Get-TargetResource $AccountName, [Parameter()] - [ValidateSet('userDefined','oneDay','threeDays','oneWeek','twoWeeks','oneMonth','unlimited')] + [ValidateSet('userDefined', 'oneDay', 'threeDays', 'oneWeek', 'twoWeeks', 'oneMonth', 'unlimited')] [System.String] $DurationOfEmailToSync, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $EmailAddressSource, [Parameter()] - [ValidateSet('userDefined','asMessagesArrive','manual','fifteenMinutes','thirtyMinutes','sixtyMinutes','basedOnMyUsage')] + [ValidateSet('userDefined', 'asMessagesArrive', 'manual', 'fifteenMinutes', 'thirtyMinutes', 'sixtyMinutes', 'basedOnMyUsage')] [System.String] $EmailSyncSchedule, @@ -49,17 +49,17 @@ function Get-TargetResource $CustomDomainName, [Parameter()] - [ValidateSet('fullDomainName','netBiosDomainName')] + [ValidateSet('fullDomainName', 'netBiosDomainName')] [System.String] $UserDomainNameSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress','samAccountName')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress', 'samAccountName')] [System.String] $UsernameAADSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $UsernameSource, @@ -132,7 +132,7 @@ function Get-TargetResource $getValue = $null #region resource generator code - $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue if ($null -eq $getValue) { 
@@ -144,16 +144,22 @@ function Get-TargetResource -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue | Where-Object ` -FilterScript { ` - $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows10EasEmailProfileConfiguration" ` - } + $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10EasEmailProfileConfiguration' ` + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Email Profile Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if (([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Email Profile Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Email Profile Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
@@ -222,20 +228,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -247,6 +249,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -262,17 +265,17 @@ function Set-TargetResource $AccountName, [Parameter()] - [ValidateSet('userDefined','oneDay','threeDays','oneWeek','twoWeeks','oneMonth','unlimited')] + [ValidateSet('userDefined', 'oneDay', 'threeDays', 'oneWeek', 'twoWeeks', 'oneMonth', 'unlimited')] [System.String] $DurationOfEmailToSync, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $EmailAddressSource, [Parameter()] - [ValidateSet('userDefined','asMessagesArrive','manual','fifteenMinutes','thirtyMinutes','sixtyMinutes','basedOnMyUsage')] + [ValidateSet('userDefined', 'asMessagesArrive', 'manual', 'fifteenMinutes', 'thirtyMinutes', 'sixtyMinutes', 'basedOnMyUsage')] [System.String] $EmailSyncSchedule, @@ -301,17 +304,17 @@ function Set-TargetResource $CustomDomainName, [Parameter()] - [ValidateSet('fullDomainName','netBiosDomainName')] + [ValidateSet('fullDomainName', 'netBiosDomainName')] [System.String] $UserDomainNameSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress','samAccountName')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress', 'samAccountName')] [System.String] $UsernameAADSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $UsernameSource, @@ -380,7 +383,7 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating an Intune Device Configuration Email Profile Policy for Windows10 with DisplayName {$DisplayName}" - $BoundParameters.Remove("Assignments") | Out-Null + $BoundParameters.Remove('Assignments') | Out-Null $CreateParameters = ([Hashtable]$BoundParameters).clone() $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters 
@@ -395,7 +398,7 @@ function Set-TargetResource } } #region resource generator code - $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10EasEmailProfileConfiguration") + $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EasEmailProfileConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters $assignmentsHash = @() foreach ($assignment in $Assignments) @@ -405,7 +408,7 @@ function Set-TargetResource if ($policy.id) { - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' } @@ -414,7 +417,7 @@ function Set-TargetResource elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { Write-Verbose -Message "Updating the Intune Device Configuration Email Profile Policy for Windows10 with Id {$($currentInstance.Id)}" - $BoundParameters.Remove("Assignments") | Out-Null + $BoundParameters.Remove('Assignments') | Out-Null $UpdateParameters = ([Hashtable]$BoundParameters).clone() $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters @@ -430,7 +433,7 @@ function Set-TargetResource } } #region resource generator code - $UpdateParameters.Add("@odata.type", "#microsoft.graph.windows10EasEmailProfileConfiguration") + $UpdateParameters.Add('@odata.type', '#microsoft.graph.windows10EasEmailProfileConfiguration') Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters 
@@ -466,17 +469,17 @@ function Test-TargetResource $AccountName, [Parameter()] - [ValidateSet('userDefined','oneDay','threeDays','oneWeek','twoWeeks','oneMonth','unlimited')] + [ValidateSet('userDefined', 'oneDay', 'threeDays', 'oneWeek', 'twoWeeks', 'oneMonth', 'unlimited')] [System.String] $DurationOfEmailToSync, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $EmailAddressSource, [Parameter()] - [ValidateSet('userDefined','asMessagesArrive','manual','fifteenMinutes','thirtyMinutes','sixtyMinutes','basedOnMyUsage')] + [ValidateSet('userDefined', 'asMessagesArrive', 'manual', 'fifteenMinutes', 'thirtyMinutes', 'sixtyMinutes', 'basedOnMyUsage')] [System.String] $EmailSyncSchedule, @@ -505,17 +508,17 @@ function Test-TargetResource $CustomDomainName, [Parameter()] - [ValidateSet('fullDomainName','netBiosDomainName')] + [ValidateSet('fullDomainName', 'netBiosDomainName')] [System.String] $UserDomainNameSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress','samAccountName')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress', 'samAccountName')] [System.String] $UsernameAADSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $UsernameSource, 
@@ -581,6 +584,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Email Profile Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -603,6 +611,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -689,7 +702,7 @@ function Export-TargetResource -ErrorAction Stop | Where-Object ` -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10EasEmailProfileConfiguration' ` - } + } #endregion $i = 1 
@@ -711,18 +724,23 @@ function Export-TargetResource } Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline $params = @{ - Id = $config.Id - DisplayName = $config.DisplayName - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent + Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($Results.Assignments) @@ -744,7 +762,7 @@ function Export-TargetResource -Credential $Credential if ($Results.Assignments) { - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -isCIMArray:$true + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true } $dscContent += $currentDSCBlock 
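Review bot: The `throw` added after `$Results = Get-TargetResource @params` sits inside the per-policy loop, while its message says only "the policy ... will not be processed". If the function's `try` wraps the whole loop, as the `catch` in hunk `@@ -758,7 +776,7 @@` suggests, one failing policy ends the export for every remaining policy of this type. If skipping one policy is the intent, log the error and use `continue`; if aborting is the intent, the message should say the export stops. The same block is added to Export-TargetResource in the EndpointProtection resource (hunk `@@ -4939,7 +4949,12 @@`).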
@@ -758,7 +776,7 @@ function Export-TargetResource catch { if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` - $_.Exception -like "*Request not applicable to target tenant*") + $_.Exception -like '*Request not applicable to target tenant*') { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json index 2dd5dfecf6..7f59aea637 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json @@ -1,33 +1,38 @@ { "resourceName": "IntuneDeviceConfigurationEmailProfilePolicyWindows10", "description": "This resource configures an Intune Device Configuration Email Profile Policy for Windows10.", - "permissions": { - "graph": { - "delegated": { - "read": [ - { - "name": "DeviceManagementConfiguration.Read.All" - } - ], - "update": [ - { - "name": "DeviceManagementConfiguration.ReadWrite.All" - } - ] - }, - "application": { - "read": [ - { - "name": "DeviceManagementConfiguration.Read.All" - } - ], - "update": [ - { - "name": "DeviceManagementConfiguration.ReadWrite.All" - } - ] - } - } -} - + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } } 
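Review bot: `Group.Read.All` is granted for both delegated and application `read`, which is broader than resolving a group's display name appears to need; it is worth checking whether `GroupMember.Read.All` is enough for the `Get-MgGroup` lookups. The `update` lists still carry only `DeviceManagementConfiguration.ReadWrite.All`, so if Set-TargetResource also resolves groups by display name (not visible here), an app registration built from the `update` list alone would lack the group read permission. The same addition is made in the EndpointProtection settings.json hunks.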
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 index c9b1f664a1..8d7ccd8c35 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 @@ -1043,7 +1043,7 @@ function Get-TargetResource $getValue = $null #region resource generator code - $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue if ($null -eq $getValue) { 
@@ -1054,14 +1054,19 @@ function Get-TargetResource $getValue = Get-MgBetaDeviceManagementDeviceConfiguration ` -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Endpoint Protection Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if (([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Endpoint Protection Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Endpoint Protection Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
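Review bot: Moving the `$null -eq $getValue` check inside the DisplayName branch removes the only guard in front of `$Id = $getValue.Id`. If the lookup by Id finds nothing and the inner branch is skipped (its condition is outside the hunk, presumably an empty DisplayName), execution continues with a null `$getValue` and the result is built from it. Keeping a guard after `#endregion`, `if ($null -eq $getValue) { return $nullResult }`, preserves the previous behaviour for that path. Separately, the filter on the context line interpolates `$DisplayName` without doubling single quotes, and `-ErrorAction SilentlyContinue` turns a rejected filter into the new "Could not find" branch. Escaping the value first, as the AADGroup change later in this series attempts, would avoid reporting an existing policy as absent.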
@@ -2618,22 +2623,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) - { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) + { + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -2645,6 +2644,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -3705,10 +3705,10 @@ function Set-TargetResource } } #region resource generator code - $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10EndpointProtectionConfiguration") + $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EndpointProtectionConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters $assignmentsHash = @() - foreach($assignment in $Assignments) + foreach ($assignment in $Assignments) { $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment } @@ -3740,7 +3740,7 @@ function Set-TargetResource } } #region resource generator code - $UpdateParameters.Add("@odata.type", "#microsoft.graph.windows10EndpointProtectionConfiguration") + $UpdateParameters.Add('@odata.type', '#microsoft.graph.windows10EndpointProtectionConfiguration') Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters @@ -4801,6 +4801,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Endpoint Protection Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck $ValuesToCheck.Remove('Id') | Out-Null 
@@ -4825,6 +4830,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -4939,7 +4949,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ( $null -ne $Results.BitLockerFixedDrivePolicy) @@ -6077,7 +6092,7 @@ function Export-TargetResource catch { if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` - $_.Exception -like "*Request not applicable to target tenant*") + $_.Exception -like '*Request not applicable to target tenant*') { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json index 31fc646302..eb9da4aa9e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json 
@@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 84a923e68d..1cfbe9a39f 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1153,9 +1153,21 @@ function ConvertFrom-IntunePolicyAssignment $group = Get-MgGroup -GroupId ($groupId) -ErrorAction SilentlyContinue if ($null -ne $group) { - $hashAssignment.add('groupDisplayName', $group.DisplayName) + $groupDisplayName = $group.DisplayName } } + if ($dataType -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') + { + $groupDisplayName = 'All users' + } + if ($dataType -eq '#microsoft.graph.allDevicesAssignmentTarget') + { + $groupDisplayName = 'All devices' + } + if ($null -ne $groupDisplayName) + { + $hashAssignment.add('groupDisplayName', $groupDisplayName) + } if ($IncludeDeviceFilter) { if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterType) @@ -1338,7 +1350,7 @@ function Update-DeviceConfigurationPolicyAssignment $body = @{$RootIdentifier = $deviceManagementPolicyAssignments} | ConvertTo-Json -Depth 20 Write-Verbose -Message $body - + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop } catch From b390b182b81be296bbc327bf696dcc7b54015e02 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Thu, 29 Feb 2024 09:13:10 +0000 Subject: [PATCH 11/70] fix firewall rules interfaceTypes parameter to support multiple values --- CHANGELOG.md | 1 + ...tionEndpointProtectionPolicyWindows10.psm1 | 28 ++++++++++++++++++- ...dpointProtectionPolicyWindows10.schema.mof | 2 +- 3 files changed, 29 insertions(+), 2 deletions(-) 
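Review bot: In the ConvertFrom-IntunePolicyAssignment hunk, `$groupDisplayName` is assigned only when a lookup or a data-type match succeeds and is never reset. If this code runs once per assignment in a loop (the loop header is outside the hunk), an assignment whose `Get-MgGroup` call returns nothing inherits the display name resolved for the previous assignment. These resources now accept `GroupDisplayName` for assignments, so a stale name could associate a policy with the wrong group. Setting `$groupDisplayName = $null` at the start of each iteration closes this. It is also worth emitting a verbose message when `Get-MgGroup` returns nothing, because `-ErrorAction SilentlyContinue` hides a permission failure.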
diff --git a/CHANGELOG.md b/CHANGELOG.md index 561a577b7c..3238c424ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,7 @@ * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource * IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource + * Fixed an issue with the parameter InterfaceTypes from firewallrules defined as a string instead of string[] * M365DSCDRGUtil * Added support for groupDisplayName to all devices and all users groups * AADApplication diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 index 8d7ccd8c35..36da338cf7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 @@ -1305,7 +1305,7 @@ function Get-TargetResource $myfirewallRules.Add('FilePath', $currentfirewallRules.filePath) if ($null -ne $currentfirewallRules.interfaceTypes) { - $myfirewallRules.Add('InterfaceTypes', $currentfirewallRules.interfaceTypes.toString()) + $myfirewallRules.Add('InterfaceTypes', $currentfirewallRules.interfaceTypes.toString() -split ',') } $myfirewallRules.Add('LocalAddressRanges', $currentfirewallRules.localAddressRanges) $myfirewallRules.Add('LocalPortRanges', $currentfirewallRules.localPortRanges) 
@@ -3704,6 +3704,19 @@ function Set-TargetResource $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key } } + if ($CreateParameters.FirewallRules.count -gt 0) + { + $intuneFirewallRules = @() + foreach ($firewallRule in $CreateParameters.FirewallRules) + { + if ($firewallRule.interfaceTypes -gt 1) + { + $firewallRule.interfaceTypes = $firewallRule.interfaceTypes -join ',' + } + $intuneFirewallRules += $firewallRule + } + $CreateParameters.FirewallRules = $intuneFirewallRules + } #region resource generator code $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EndpointProtectionConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters @@ -3739,6 +3752,19 @@ function Set-TargetResource $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key } } + if ($UpdateParameters.FirewallRules.count -gt 0) + { + $intuneFirewallRules = @() + foreach ($firewallRule in $UpdateParameters.FirewallRules) + { + if ($firewallRule.interfaceTypes -gt 1) + { + $firewallRule.interfaceTypes = $firewallRule.interfaceTypes -join ',' + } + $intuneFirewallRules += $firewallRule + } + $UpdateParameters.FirewallRules = $intuneFirewallRules + } #region resource generator code $UpdateParameters.Add('@odata.type', '#microsoft.graph.windows10EndpointProtectionConfiguration') Update-MgBetaDeviceManagementDeviceConfiguration ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof index fe67f8bd62..0ddd9c37aa 100644 
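Review bot: `if ($firewallRule.interfaceTypes -gt 1)` compares the value itself with 1 rather than its element count. With an array on the left, `-gt` filters elements, so the test is true for any non-empty string array and only works because `-join ','` leaves a single value unchanged. `if ($firewallRule.interfaceTypes.Count -gt 1)` states the intent. The identical block is added for `$UpdateParameters` in hunk `@@ -3739,6 +3752,19 @@`; a small private helper taking the firewall rules would keep the create and update paths in step. Set-TargetResource's body continues outside both hunks.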
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof 
@@ -92,7 +92,7 @@ class MSFT_MicrosoftGraphWindowsFirewallRule [Write, Description("The display name of the rule. Does not need to be unique.")] String DisplayName; [Write, Description("Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. Possible values are: notConfigured, blocked, allowed."), ValueMap{"notConfigured","blocked","allowed"}, Values{"notConfigured","blocked","allowed"}] String EdgeTraversal; [Write, Description("The full file path of an app that's affected by the firewall rule.")] String FilePath; - [Write, Description("The interface types of the rule. Possible values are: notConfigured, remoteAccess, wireless, lan."), ValueMap{"notConfigured","remoteAccess","wireless","lan"}, Values{"notConfigured","remoteAccess","wireless","lan"}] String InterfaceTypes; + [Write, Description("The interface types of the rule. Possible values are: notConfigured, remoteAccess, wireless, lan."), ValueMap{"notConfigured","remoteAccess","wireless","lan"}, Values{"notConfigured","remoteAccess","wireless","lan"}] String InterfaceTypes[]; [Write, Description("List of local addresses covered by the rule. Default is any address. Valid tokens include:'' indicates any local address. If present, this must be the only token included.A subnet can be specified using either the subnet mask or network prefix notation. 
If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.A valid IPv6 address.An IPv4 address range in the format of 'start address - end address' with no spaces included.An IPv6 address range in the format of 'start address - end address' with no spaces included.")] String LocalAddressRanges[]; [Write, Description("List of local port ranges. For example, '100-120', '200', '300-320'. If not specified, the default is All.")] String LocalPortRanges[]; [Write, Description("Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.")] String LocalUserAuthorizations; From 66070a2cb0d216e61323792e8d8a67384014a8d0 Mon Sep 17 00:00:00 2001 From: mario Date: Thu, 29 Feb 2024 12:48:31 +0100 Subject: [PATCH 12/70] Fix TargetSharingEpr --- CHANGELOG.md | 4 ++++ .../MSFT_EXOIntraOrganizationConnector.psm1 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..9ccb16f52e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Change log for Microsoft365DSC +# UNRELEASED +* EXOIntraOrganizationConnector + * Fixed issue with TargetSharingEpr + FIXES [#4381](https://github.com/microsoft/Microsoft365DSC/issues/4381) # 1.24.228.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 index b70c9d634e..29460f72f1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 
@@ -106,7 +106,7 @@ function Get-TargetResource DiscoveryEndpoint = $IntraOrganizationConnector.DiscoveryEndpoint.ToString() Enabled = $IntraOrganizationConnector.Enabled TargetAddressDomains = $IntraOrganizationConnector.TargetAddressDomains - TargetSharingEpr = $IntraOrganizationConnector.TargetSharingEpr + TargetSharingEpr = $IntraOrganizationConnector.TargetSharingEpr.ToString() Credential = $Credential Ensure = 'Present' ApplicationId = $ApplicationId From 0243ab8da080a640d130ae65364e9308fb68b5d5 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 09:41:50 +0000 Subject: [PATCH 13/70] Fix issue when filtering groups by display name --- CHANGELOG.md | 5 +++++ .../DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..25bab8d161 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* AADGroup + * Fixed issue when filtering groups by display name + FIXES [#4394](https://github.com/microsoft/Microsoft365DSC/issues/4394) # 1.24.228.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index f7462b3563..d9747b56e9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 @@ -166,7 +166,11 @@ function Get-TargetResource } else { - $filter = "DisplayName eq '$DisplayName'" -replace "'", "''" + if ($DisplayName.Contains("'")) + { + $DisplayName = $DisplayName -replace "'", "''" + } + $filter = "DisplayName eq '$DisplayName'" $Group = Get-MgGroup -Filter $filter -ErrorAction Stop } if ($Group.Length -gt 1) From 795de55001ccdb5dccafedbb30d72af795117531 Mon Sep 17 00:00:00 2001 
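Review bot: `$IntraOrganizationConnector.TargetSharingEpr.ToString()` throws on a null value, so a connector with no TargetSharingEpr set would fail here if that property can be empty (not visible in this hunk). Depending on the surrounding error handling, that failure could report the connector as absent rather than as present without an endpoint. A guarded form keeps the string conversion: `TargetSharingEpr = $(if ($null -ne $IntraOrganizationConnector.TargetSharingEpr) { $IntraOrganizationConnector.TargetSharingEpr.ToString() })`. The `DiscoveryEndpoint` line above has the same shape.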
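Review bot: In the AADGroup hunk, the escaping overwrites the `$DisplayName` parameter, so any later use of `$DisplayName` in Get-TargetResource (messages or the returned result, outside the hunk) carries the doubled quotes instead of the real name. A separate variable keeps the filter value and the real name apart: `$escapedDisplayName = $DisplayName -replace "'", "''"` followed by `$filter = "DisplayName eq '$escapedDisplayName'"`. The `Contains("'")` test is not needed, because `-replace` leaves a string without quotes unchanged.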
From: Ricardo Mestre Date: Fri, 1 Mar 2024 09:42:55 +0000 Subject: [PATCH 14/70] Current values already shown in Test-TargetResource --- .../DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index d9747b56e9..a3d44b0fc2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 @@ -277,7 +277,7 @@ function Get-TargetResource Credential = $Credential Managedidentity = $ManagedIdentity.IsPresent } - Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" + return $result } } From 4a927d9e97f252b9eb45924e4b138032d78ebcf6 Mon Sep 17 00:00:00 2001 From: Bart Vermeersch Date: Fri, 1 Mar 2024 10:47:08 +0100 Subject: [PATCH 15/70] Fix AADGroup owners, only updating owners when specified in config parameters --- .../MSFT_AADGroup/MSFT_AADGroup.psm1 | 74 ++++++++++--------- 1 file changed, 39 insertions(+), 35 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index f7462b3563..29641d1a6a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 
@@ -618,48 +618,52 @@ function Set-TargetResource if ($Ensure -ne 'Absent') { #Owners - $currentOwnersValue = @() - if ($currentParameters.Owners.Length -gt 0) + if ($PSBoundParameters.ContainsKey('Owners')) { - $currentOwnersValue = $backCurrentOwners - } - $desiredOwnersValue = @() - if ($Owners.Length -gt 0) - { - $desiredOwnersValue = $Owners - } - if ($backCurrentOwners -eq $null) - { - $backCurrentOwners = @() - } - $ownersDiff = Compare-Object -ReferenceObject $backCurrentOwners -DifferenceObject $desiredOwnersValue - foreach ($diff in $ownersDiff) - { - $user = Get-MgUser -UserId $diff.InputObject - - if ($diff.SideIndicator -eq '=>') + $currentOwnersValue = @() + if ($currentParameters.Owners.Length -gt 0) { - Write-Verbose -Message "Adding new owner {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" - $ownerObject = @{ - '@odata.id' = "https://graph.microsoft.com/v1.0/users/{$($user.Id)}" - } - try - { - New-MgGroupOwnerByRef -GroupId ($currentGroup.Id) -BodyParameter $ownerObject -ErrorAction Stop | Out-Null - } - catch + $currentOwnersValue = $backCurrentOwners + } + $desiredOwnersValue = @() + if ($Owners.Length -gt 0) + { + $desiredOwnersValue = $Owners + } + if ($backCurrentOwners -eq $null) + { + $backCurrentOwners = @() + } + $ownersDiff = Compare-Object -ReferenceObject $backCurrentOwners -DifferenceObject $desiredOwnersValue + foreach ($diff in $ownersDiff) + { + $user = Get-MgUser -UserId $diff.InputObject + + if ($diff.SideIndicator -eq '=>') { - if ($_.Exception.Message -notlike '*One or more added object references already exist for the following modified properties*') + Write-Verbose -Message "Adding new owner {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" + $ownerObject = @{ + '@odata.id' = "https://graph.microsoft.com/v1.0/users/{$($user.Id)}" + } + try + { + New-MgGroupOwnerByRef -GroupId ($currentGroup.Id) -BodyParameter $ownerObject -ErrorAction Stop | Out-Null + } + catch { - throw $_ + if 
($_.Exception.Message -notlike '*One or more added object references already exist for the following modified properties*') + { + throw $_ + } } } + elseif ($diff.SideIndicator -eq '<=') + { + Write-Verbose -Message "Removing new owner {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" + Remove-MgGroupOwnerByRef -GroupId ($currentGroup.Id) -DirectoryObjectId ($user.Id) | Out-Null + } } - elseif ($diff.SideIndicator -eq '<=') - { - Write-Verbose -Message "Removing new owner {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" - Remove-MgGroupOwnerByRef -GroupId ($currentGroup.Id) -DirectoryObjectId ($user.Id) | Out-Null - } + } #Members From 241ed20ef2373759f7c97f2f0f41d3da1a5b51f3 Mon Sep 17 00:00:00 2001 From: Bart Vermeersch Date: Fri, 1 Mar 2024 12:51:03 +0100 Subject: [PATCH 16/70] add change to changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..e44447b95d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,12 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* AADGroup + * Fixed issue where group owners were removed from existing groups when unspecified in the config + FIXES [#4390](https://github.com/microsoft/Microsoft365DSC/issues/4390) + # 1.24.228.1 * AADApplication From c40a6addd07cfd8a59dcea42225659c0df48e38c Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 12:23:51 +0000 Subject: [PATCH 17/70] Only get policy by Id if property is not null --- ...iceConfigurationPolicyAndroidDeviceAdministrator.psm1 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
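Review bot: In the owners block now wrapped in `if ($PSBoundParameters.ContainsKey('Owners'))`, the result of `$user = Get-MgUser -UserId $diff.InputObject` is used without a check. If the lookup fails with a non-terminating error, `$user.Id` is empty, so the add path builds an `@odata.id` with no user id and the remove path passes a null `-DirectoryObjectId`. Using `$user = Get-MgUser -UserId $diff.InputObject -ErrorAction Stop` makes the failure explicit before any owner change is attempted. Two smaller points in the same block: `$currentOwnersValue` is assigned but never read, and `$backCurrentOwners -eq $null` is safer written as `$null -eq $backCurrentOwners`. Set-TargetResource's body continues outside the hunk.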
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 index 8d468a7d9b..5171d3b8da 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 @@ -283,7 +283,14 @@ function Get-TargetResource $nullResult.Ensure = 'Absent' try { - $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $id -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $id -ErrorAction SilentlyContinue + } + else + { + $getValue = $null + } if ($null -eq $getValue) { From b1cc0d2ac9b3ba45493f3b6c6fd5924c8b8a4e81 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 12:26:43 +0000 Subject: [PATCH 18/70] Cope with Id being null --- ...iceConfigurationPolicyAndroidDeviceAdministrator.psm1 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 index 5171d3b8da..3bc3fa4b52 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 @@ -377,7 +377,14 @@ function Get-TargetResource } if ($null -eq $getValue) { - Write-Verbose -Message "Nothing with id {$id} was found" + if (-not [String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Nothing with id {$id} was found" + } + else + { + Write-Verbose -Message "Nothing with display name {$DisplayName} was found" + } return $nullResult } From af94711bf5b663bb4a3324120acb7561c0a30384 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 12:27:29 +0000 Subject: [PATCH 19/70] Use Id of retrieved policy not of the one in blueprint --- ...DeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 index 3bc3fa4b52..32e9eba66b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 @@ -379,7 +379,7 @@ function Get-TargetResource { if (-not [String]::IsNullOrEmpty($Id)) { - Write-Verbose -Message "Nothing with id {$id} was found" + Write-Verbose -Message "Nothing with id {$Id} was found" } else { 
@@ -388,7 +388,7 @@ function Get-TargetResource return $nullResult } - Write-Verbose -Message "Found something with id {$id}" + Write-Verbose -Message "Found something with id {$($getValue.Id)}" $results = @{ #region resource generator code @@ -454,7 +454,7 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id $assignmentResult = @() foreach ($assignmentEntry in $AssignmentsValues) { From 81d5501a39b08f0bc65a6d306a33cb9bf272d506 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 12:37:54 +0000 Subject: [PATCH 20/70] Update CHANGELOG.md --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..dad8c71021 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator + * Fixed policy assignment when Id is from other tenant, bogus or null + FIXES [#3970](https://github.com/microsoft/Microsoft365DSC/issues/3970) # 1.24.228.1 From 6e9bac1d374b8e0532285dca592d8b5761d5d025 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 12:40:32 +0000 Subject: [PATCH 21/70] Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dad8c71021..ce5695ab65 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,8 @@ # UNRELEASED * IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator - * Fixed policy assignment when Id is from other tenant, bogus or null + * Fixed policy assignment retrieval when Id is from other tenant, bogus or + null FIXES [#3970](https://github.com/microsoft/Microsoft365DSC/issues/3970) # 1.24.228.1 
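Review bot: `-DeviceConfigurationId $getValue.Id` at `@@ -454,7 +454,7 @@` assumes `$getValue` is a single policy, but it can now come from a display-name search, and Intune display names are not unique. The search itself is outside the hunk, so this is inferred from the "Nothing with display name" message added earlier in the series. With two matches `$getValue.Id` is an array and the call can no longer bind one policy Id. A guard before the call, `if (@($getValue).Count -gt 1) { throw "Multiple policies with display name {$DisplayName} found; specify Id" }`, makes the ambiguity explicit. The same applies to `@@ -183,7 +198,7 @@` in the AndroidOpenSourceProject resource.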
From 97d90b2ec9ae495aaad84efb472ebf9c966423f2 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 12:51:54 +0000 Subject: [PATCH 22/70] Cope with Id being from another tenant, null or bogus --- ...urationPolicyAndroidOpenSourceProject.psm1 | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 index 72f8b9ab6e..c0e2322c87 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 @@ -135,7 +135,14 @@ function Get-TargetResource $nullResult.Ensure = 'Absent' try { - $getValue = $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $id -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $id -ErrorAction SilentlyContinue + } + else + { + $getValue = $null + } #region resource generator code if ($null -eq $getValue) 
@@ -149,11 +156,19 @@ function Get-TargetResource if ($null -eq $getValue) { - Write-Verbose -Message "Nothing with id {$id} was found" + if (-not [String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Nothing with id {$Id} was found" + } + else + { + Write-Verbose -Message "Nothing with display name {$DisplayName} was found" + } + return $nullResult } - Write-Verbose -Message "Found something with id {$id}" + Write-Verbose -Message "Found something with id {$($getValue.Id)}" $results = @{ #region resource generator code @@ -183,7 +198,7 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id $assignmentResult = @() foreach ($assignmentEntry in $AssignmentsValues) { From c10843f0999c20a324c242af1ef0293c9b2ceb5a Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 12:55:33 +0000 Subject: [PATCH 23/70] Update CHANGELOG.md --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..63f7ae7eb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneDeviceConfigurationPolicyAndroidOpenSourceProject + * Fixed policy assignment retrieval when Id is from other tenant, bogus or + null + FIXES [#3971](https://github.com/microsoft/Microsoft365DSC/issues/3971) # 1.24.228.1 From b043b0bc7c0c717942a847c6709ab6e734d21327 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 13:32:59 +0000 Subject: [PATCH 24/70] Fix compare logic --- ...urationPolicyAndroidOpenSourceProject.psm1 | 33 +++++-------------- 1 file changed, 9 insertions(+), 24 deletions(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 index c0e2322c87..ae5c70951f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 @@ -611,34 +611,19 @@ function Test-TargetResource } $testResult = $true + #Compare Cim instances foreach ($key in $PSBoundParameters.Keys) { - if ($PSBoundParameters[$key].getType().Name -like '*CimInstance*') + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') { - $CIMArraySource = @() - $CIMArrayTarget = @() - $CIMArraySource += $PSBoundParameters[$key] - $CIMArrayTarget += $CurrentValues.$key - if ($CIMArraySource.count -ne $CIMArrayTarget.count) - { - Write-Verbose -Message "Configuration drift:Number of items does not match: Source=$($CIMArraySource.count) Target=$($CIMArrayTarget.count)" - $testResult = $false - break - } - $i = 0 - foreach ($item in $CIMArraySource ) - { - $testResult = Compare-M365DSCComplexObject ` - -Source (Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $CIMArraySource[$i]) ` - -Target ($CIMArrayTarget[$i]) + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) - $i++ - if (-Not $testResult) - { - $testResult = $false - break - } - } if (-Not $testResult) { $testResult = $false From 5a11ae5141eec8a736ea458c49a616ccee4434c1 Mon Sep 17 00:00:00 2001 
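Review bot: `$source.getType()` in the rewritten loop throws on a bound parameter whose value is `$null`, because the type test runs before any null check; `if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')` avoids that. The rewrite also drops the explicit item-count comparison, so a desired array that is shorter or longer than the current one is only reported as drift if `Compare-M365DSCComplexObject` handles arrays of different length itself, which is not visible here. The `foreach` body continues past the end of the hunk.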
From: Ricardo Mestre Date: Fri, 1 Mar 2024 13:34:00 +0000 Subject: [PATCH 25/70] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63f7ae7eb1..65df95886f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Fixed policy assignment retrieval when Id is from other tenant, bogus or null FIXES [#3971](https://github.com/microsoft/Microsoft365DSC/issues/3971) + * Fix compare logic for CIM instances in Test-TargetResource # 1.24.228.1 From deae12bdd46341b7d93905b09050021ebb9c46f7 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 13:34:31 +0000 Subject: [PATCH 26/70] Use past tense --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65df95886f..fba5e1ccdc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ * Fixed policy assignment retrieval when Id is from other tenant, bogus or null FIXES [#3971](https://github.com/microsoft/Microsoft365DSC/issues/3971) - * Fix compare logic for CIM instances in Test-TargetResource + * Fixed compare logic for CIM instances in Test-TargetResource # 1.24.228.1 From b06a880764a714c2bb2193284381983ea5242c70 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 15:08:02 +0000 Subject: [PATCH 27/70] Add support for assigning root certs by display name --- CHANGELOG.md | 6 ++ ...urationScepCertificatePolicyWindows10.psm1 | 78 ++++++++++++++++++- ...nScepCertificatePolicyWindows10.schema.mof | 1 + 3 files changed, 82 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..0d4e2eee41 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneDeviceConfigurationScepCertificatePolicyWindows10 + * Add property RootCertificateDisplayName in order to support assigning root + certificates by display name since their Ids in a blueprint might be from a + different source tenant # 1.24.228.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 index 20e1ef39bc..e79219b454 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 @@ -73,6 +73,10 @@ function Get-TargetResource [System.String] $SubjectNameFormat, + [Parameter()] + [System.String] + $RootCertificateDisplayName, + [Parameter()] [System.String] $RootCertificateId, @@ -250,6 +254,10 @@ function Get-TargetResource } #endregion + $RootCertificate = Get-DeviceConfigurationPolicyRootCertificate -DeviceConfigurationPolicyId $getValue.Id + $RootCertificateId = $RootCertificate.Id + $RootCertificateDisplayName = $RootCertificate.DisplayName + $results = @{ #region resource generator code CertificateStore = $enumCertificateStore 
@@ -267,7 +275,8 @@ function Get-TargetResource RenewalThresholdPercentage = $getValue.AdditionalProperties.renewalThresholdPercentage SubjectAlternativeNameType = $enumSubjectAlternativeNameType SubjectNameFormat = $enumSubjectNameFormat - RootCertificateId = Get-DeviceConfigurationPolicyRootCertificateId -DeviceConfigurationPolicyId $getValue.Id + RootCertificateId = $RootCertificateId + RootCertificateDisplayName = $RootCertificateDisplayName Description = $getValue.Description DisplayName = $getValue.DisplayName Id = $getValue.Id @@ -383,6 +392,10 @@ function Set-TargetResource [System.String] $SubjectNameFormat, + [Parameter()] + [System.String] + $RootCertificateDisplayName, + [Parameter()] [System.String] $RootCertificateId, 
@@ -470,6 +483,38 @@ function Set-TargetResource $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key } } + + $RootCertificate = Get-MgBetaDeviceManagementDeviceConfiguration ` + -DeviceConfigurationId $RootCertificateId ` + -ErrorAction SilentlyContinue | ` + Where-Object -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows81TrustedRootCertificate" + } + + if ($null -eq $RootCertificate) + { + Write-Verbose -Message "Could not find trusted root certificate with Id {$RootCertificateId}, searching by display name {$RootCertificateDisplayName}" + + $RootCertificate = Get-MgBetaDeviceManagementDeviceConfiguration ` + -Filter "DisplayName eq '$RootCertificateDisplayName'" ` + -ErrorAction SilentlyContinue | ` + Where-Object -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows81TrustedRootCertificate" + } + $RootCertificateId = $RootCertificate.Id + + if ($null -eq $RootCertificate) + { + throw "Could not find trusted root certificate with Id {$RootCertificateId} or display name {$RootCertificateDisplayName}" + } + + Write-Verbose -Message "Found trusted root certificate with Id {$($RootCertificate.Id)} and DisplayName {$($RootCertificate.DisplayName)}" + } + else + { + Write-Verbose -Message "Found trusted root certificate with Id {$RootCertificateId}" + } + #region resource generator code $CreateParameters.Add("rootCertificate@odata.bind", "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$RootCertificateId')") $CreateParameters.Add("@odata.type", "#microsoft.graph.windows81SCEPCertificateProfile") 
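Review bot: The display-name fallback selects the profile's trusted root from an interpolated OData filter and never checks how many objects matched. A name containing a single quote breaks `"DisplayName eq '$RootCertificateDisplayName'"`, and when two trusted root certificate profiles share the name, `$RootCertificate.Id` is an array that ends up inside the `rootCertificate@odata.bind` URL. `$RootCertificateId` is also overwritten before the null check, so the `throw` message reports an empty Id. Escaping the quote, requiring exactly one match and assigning the Id only after the check addresses all three; the block is repeated in the update path at `@@ -524,6 +570,24 @@` and `@@ -586,6 +588,17 @@`, where the same change applies.

```powershell
if ($null -eq $RootCertificate)
{
    # … unchanged: Write-Verbose "Could not find trusted root certificate …" …

    # Double any single quote so the name stays inside the OData string literal
    $escapedDisplayName = $RootCertificateDisplayName.Replace("'", "''")
    $rootCertificateMatches = @(Get-MgBetaDeviceManagementDeviceConfiguration `
            -Filter "DisplayName eq '$escapedDisplayName'" `
            -ErrorAction SilentlyContinue | `
            Where-Object -FilterScript {
                $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows81TrustedRootCertificate"
            })

    # The display name picks the trust anchor, so an ambiguous or empty result must stop here
    if ($rootCertificateMatches.Count -ne 1)
    {
        throw "Expected exactly one trusted root certificate with Id {$RootCertificateId} or display name {$RootCertificateDisplayName}, found $($rootCertificateMatches.Count)"
    }

    $RootCertificate = $rootCertificateMatches[0]
    $RootCertificateId = $RootCertificate.Id
    # … unchanged: Write-Verbose "Found trusted root certificate …" …
}
```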
@@ -493,6 +538,7 @@ function Set-TargetResource Write-Verbose -Message "Updating the Intune Device Configuration Scep Certificate Policy for Windows10 with Id {$($currentInstance.Id)}" $BoundParameters.Remove("Assignments") | Out-Null $BoundParameters.Remove('RootCertificateId') | Out-Null + $BoundParameters.Remove('RootCertificateDisplayName') | Out-Null $UpdateParameters = ([Hashtable]$BoundParameters).clone() $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters @@ -524,6 +570,24 @@ function Set-TargetResource -Repository 'deviceManagement/deviceConfigurations' #endregion + $RootCertificate = Get-MgBetaDeviceManagementDeviceConfiguration ` + -DeviceConfigurationId $RootCertificateId ` + -ErrorAction SilentlyContinue | ` + Where-Object -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows81TrustedRootCertificate" + } + + if ($null -eq $RootCertificate) + { + $RootCertificate = Get-MgBetaDeviceManagementDeviceConfiguration ` + -Filter "DisplayName eq '$RootCertificateDisplayName'" ` + -ErrorAction SilentlyContinue | ` + Where-Object -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows81TrustedRootCertificate" + } + $RootCertificateId = $RootCertificate.Id + } + Update-DeviceConfigurationPolicyRootCertificateId ` -DeviceConfigurationPolicyId $currentInstance.id ` -RootCertificateId $RootCertificateId @@ -612,6 +676,10 @@ function Test-TargetResource [System.String] $SubjectNameFormat, + [Parameter()] + [System.String] + $RootCertificateDisplayName, + [Parameter()] [System.String] $RootCertificateId, 
@@ -715,6 +783,10 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationId') | Out-Null $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + if ($null -ne $ValuesToCheck.RootCertificateDisplayName) + { + $ValuesToCheck.Remove('RootCertificateId') | Out-Null + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" @@ -909,7 +981,7 @@ function Export-TargetResource } } -function Get-DeviceConfigurationPolicyRootCertificateId +function Get-DeviceConfigurationPolicyRootCertificate { [CmdletBinding()] [OutputType([System.String])] @@ -922,7 +994,7 @@ function Get-DeviceConfigurationPolicyRootCertificateId $Uri = " https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windows81SCEPCertificateProfile/rootCertificate" $result = Invoke-MgGraphRequest -Method Get -Uri $Uri -ErrorAction Stop - return $result.id + return $result } function Update-DeviceConfigurationPolicyRootCertificateId diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.schema.mof index b206990518..90c392fbe6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.schema.mof 
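Review bot: Removing `RootCertificateId` from `$ValuesToCheck` whenever `RootCertificateDisplayName` is non-null means the bound trust anchor is then compared by name only, so swapping it for a different root certificate profile with the same display name would not show up as drift. That trade-off follows from blueprint Ids coming from another tenant and deserves a comment such as `# Ids differ across tenants; with a display name given, the root certificate is matched by name only`. The condition itself would be safer as `if (-not [System.String]::IsNullOrEmpty($ValuesToCheck.RootCertificateDisplayName))`, so that an empty string does not switch the Id comparison off.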
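Review bot: After the rename at `@@ -909,7 +981,7 @@` the function returns the whole Graph response (`return $result` in `@@ -922,7 +994,7 @@`), but `[OutputType([System.String])]` is kept, so the declared type no longer matches what callers receive. `Invoke-MgGraphRequest` presumably yields a hashtable here, which would make it `[OutputType([System.Collections.Hashtable])]`; worth confirming before changing it. A short comment-based help block stating that callers read `Id` and `DisplayName` from the result would document the new contract.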
@@ -39,6 +39,7 @@ class MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10 : OMI_BaseRes [Write, Description("Certificate renewal threshold percentage. Valid values 1 to 99")] UInt32 RenewalThresholdPercentage; [Write, Description("Certificate Subject Alternative Name Type. Possible values are: none, emailAddress, userPrincipalName, customAzureADAttribute, domainNameService, universalResourceIdentifier."), ValueMap{"none","emailAddress","userPrincipalName","customAzureADAttribute","domainNameService","universalResourceIdentifier"}, Values{"none","emailAddress","userPrincipalName","customAzureADAttribute","domainNameService","universalResourceIdentifier"}] String SubjectAlternativeNameType; [Write, Description("Certificate Subject Name Format. Possible values are: commonName, commonNameIncludingEmail, commonNameAsEmail, custom, commonNameAsIMEI, commonNameAsSerialNumber, commonNameAsAadDeviceId, commonNameAsIntuneDeviceId, commonNameAsDurableDeviceId."), ValueMap{"commonName","commonNameIncludingEmail","commonNameAsEmail","custom","commonNameAsIMEI","commonNameAsSerialNumber","commonNameAsAadDeviceId","commonNameAsIntuneDeviceId","commonNameAsDurableDeviceId"}, Values{"commonName","commonNameIncludingEmail","commonNameAsEmail","custom","commonNameAsIMEI","commonNameAsSerialNumber","commonNameAsAadDeviceId","commonNameAsIntuneDeviceId","commonNameAsDurableDeviceId"}] String SubjectNameFormat; + [Write, Description("Trusted Root Certificate DisplayName")] String RootCertificateDisplayName; [Write, Description("Trusted Root Certificate Id")] String RootCertificateId; [Write, Description("Admin provided description of the Device Configuration.")] String Description; [Key, Description("Admin provided name of the device configuration.")] String DisplayName; From d53c1815e9f9397336d9211887787747a7ba53b9 Mon Sep 17 00:00:00 2001 
From: Ricardo Mestre Date: Fri, 1 Mar 2024 15:09:06 +0000 Subject: [PATCH 28/70] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d4e2eee41..c10613875c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Add property RootCertificateDisplayName in order to support assigning root certificates by display name since their Ids in a blueprint might be from a different source tenant + FIXES [#3965](https://github.com/microsoft/Microsoft365DSC/issues/3965) # 1.24.228.1 From 421d88b52bc6c5e44fc28f3f5a4164a6fbfecdbd Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 16:31:46 +0000 Subject: [PATCH 29/70] Use same code as used during creation of resource --- ...ConfigurationScepCertificatePolicyWindows10.psm1 | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 index e79219b454..38e2374751 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10.psm1 @@ -579,6 +579,8 @@ function Set-TargetResource if ($null -eq $RootCertificate) { + Write-Verbose -Message "Could not find trusted root certificate with Id {$RootCertificateId}, searching by display name {$RootCertificateDisplayName}" + $RootCertificate = Get-MgBetaDeviceManagementDeviceConfiguration ` -Filter "DisplayName eq '$RootCertificateDisplayName'" ` -ErrorAction SilentlyContinue | ` 
@@ -586,6 +588,17 @@ function Set-TargetResource $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows81TrustedRootCertificate" } $RootCertificateId = $RootCertificate.Id + + if ($null -eq $RootCertificate) + { + throw "Could not find trusted root certificate with Id {$RootCertificateId} or display name {$RootCertificateDisplayName}" + } + + Write-Verbose -Message "Found trusted root certificate with Id {$($RootCertificate.Id)} and DisplayName {$($RootCertificate.DisplayName)}" + } + else + { + Write-Verbose -Message "Found trusted root certificate with Id {$RootCertificateId}" } Update-DeviceConfigurationPolicyRootCertificateId ` From f82f26f60bc830904d781a5cc242ba95d16963da Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 1 Mar 2024 16:32:18 +0000 Subject: [PATCH 30/70] Fix Unit Tests --- ...onScepCertificatePolicyWindows10.Tests.ps1 | 44 ++++++++++++++++--- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationScepCertificatePolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationScepCertificatePolicyWindows10.Tests.ps1 index 3ccde18392..3db238b35c 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationScepCertificatePolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationScepCertificatePolicyWindows10.Tests.ps1 
@@ -54,16 +54,22 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceManagementDeviceConfigurationAssignment -MockWith { } - Mock -CommandName Get-DeviceConfigurationPolicyRootCertificateId -MockWith { - return "00000000-0000-0000-0000-000000000000" + Mock -CommandName Get-DeviceConfigurationPolicyRootCertificate -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "RootCertificate" + } } Mock -CommandName Update-DeviceConfigurationPolicyRootCertificateId -MockWith { } } + # Test contexts Context -Name "The IntuneDeviceConfigurationScepCertificatePolicyWindows10 should exist but it DOES NOT" -Fixture { BeforeAll { + $RootCertificateId = ([Guid]::Empty).ToString() + $testParams = @{ CertificateStore = "user" certificateValidityPeriodScale = "days" @@ -93,7 +99,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { subjectAlternativeNameType = "none" subjectNameFormat = "commonName" SubjectNameFormatString = "FakeStringValue" - RootCertificateId = "00000000-0000-0000-0000-000000000000" + RootCertificateId = $RootCertificateId + RootCertificateDisplayName = "RootCertificate" Ensure = "Present" Credential = $Credential; } @@ -101,6 +108,17 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -MockWith { return $null } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -ParameterFilter { $DeviceConfigurationId -eq $RootCertificateId } -MockWith { + $AdditionalProperties = @{} + $AdditionalProperties.'@odata.type' = "#microsoft.graph.windows81TrustedRootCertificate" + + return @{ + Id = $RootCertificateId + DisplayName = "RootCertificate" + AdditionalProperties = $AdditionalProperties + } + } } It 'Should return Values from the Get method' { (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' 
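Review bot: The mock added at `@@ -101,6 +108,17 @@` resolves the root certificate by Id through its `-ParameterFilter`, and the other contexts changed in this file do the same or keep a fixed Id, so the new display-name fallback and its `throw` in `Set-TargetResource` are never executed by these tests. A context in which the Id lookup returns `$null` and a second mock filtered on `$Filter -eq "DisplayName eq 'RootCertificate'"` returns the certificate would cover the path this series adds. A companion case asserting `Should -Throw` when neither lookup matches would pin the failure behaviour.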
@@ -145,7 +163,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { subjectAlternativeNameType = "none" subjectNameFormat = "commonName" SubjectNameFormatString = "FakeStringValue" - RootCertificateId = "00000000-0000-0000-0000-000000000000" + RootCertificateId = $RootCertificateId + RootCertificateDisplayName = "RootCertificate" Ensure = 'Absent' Credential = $Credential; } @@ -233,6 +252,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { subjectNameFormat = "commonName" SubjectNameFormatString = "FakeStringValue" RootCertificateId = "00000000-0000-0000-0000-000000000000" + RootCertificateDisplayName = "RootCertificate" Ensure = 'Present' Credential = $Credential; } @@ -283,6 +303,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The IntuneDeviceConfigurationScepCertificatePolicyWindows10 exists and values are NOT in the desired state" -Fixture { BeforeAll { + $RootCertificateId = ([Guid]::Empty).ToString() + $testParams = @{ CertificateStore = "user" certificateValidityPeriodScale = "days" @@ -312,7 +334,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { subjectAlternativeNameType = "none" subjectNameFormat = "commonName" SubjectNameFormatString = "FakeStringValue" - RootCertificateId = "00000000-0000-0000-0000-000000000000" + RootCertificateId = $RootCertificateId + RootCertificateDisplayName = "RootCertificate" Ensure = 'Present' Credential = $Credential; } 
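Review bot: `RootCertificateId = $RootCertificateId` at `@@ -145,7 +163,8 @@` reads a variable that the visible hunks define only in the `BeforeAll` of two other contexts (`@@ -54,16 +54,22 @@` and `@@ -283,6 +303,8 @@`). Unless it is set somewhere outside the hunks, this context now passes `$null` as the Id where it previously passed the all-zero GUID. Adding `$RootCertificateId = ([Guid]::Empty).ToString()` to this context's `BeforeAll`, or keeping the literal as the context at `@@ -233,6 +252,7 @@` does, restores the old input.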
@@ -352,6 +375,17 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { id = "FakeStringValue" } } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -ParameterFilter { $DeviceConfigurationId -eq $RootCertificateId } -MockWith { + $AdditionalProperties = @{} + $AdditionalProperties.'@odata.type' = "#microsoft.graph.windows81TrustedRootCertificate" + + return @{ + Id = $RootCertificateId + DisplayName = "RootCertificate" + AdditionalProperties = $AdditionalProperties + } + } } It 'Should return Values from the Get method' { From a8049ca254ea72e4b4e7d387c00a9f53dfb69e63 Mon Sep 17 00:00:00 2001 From: mlhickey Date: Fri, 1 Mar 2024 19:34:17 -0800 Subject: [PATCH 31/70] Add support for Authentication Context --- .../MSFT_AADRoleSetting.psm1 | 69 ++++++++++++++++++- .../MSFT_AADRoleSetting.schema.mof | 3 + 2 files changed, 69 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 index a88e290821..fb4fd4a2e7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 @@ -164,6 +164,18 @@ function Get-TargetResource [System.Boolean] $EligibleAssignmentAssigneeNotificationOnlyCritical, + [Parameter()] + [System.Boolean] + $AuthenticationContextRequired, + + [Parameter()] + [System.String] + $AuthenticationContextId, + + [Parameter()] + [System.String] + $AuthenticationContextName, + [Parameter()] [ValidateSet('Present')] [System.String] 
@@ -217,7 +229,7 @@ function Get-TargetResource $RoleDefintion = $null if ($null -ne $Script:exportedInstances -and $Script:ExportMode) { - $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id } } elseif (-not [System.String]::IsNullOrEmpty($Id)) { @@ -229,7 +241,7 @@ function Get-TargetResource { if ($null -ne $Script:exportedInstances -and $Script:ExportMode) { - $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName } } else { @@ -245,7 +257,7 @@ function Get-TargetResource $Script:PolicyAssignments = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter $allFilter -All } - $Policy = $Script:PolicyAssignments | Where-Object -FilterScript {$_.RoleDefinitionId -eq $RoleDefinition.Id} + $Policy = $Script:PolicyAssignments | Where-Object -FilterScript { $_.RoleDefinitionId -eq $RoleDefinition.Id } } catch { 
@@ -269,6 +281,13 @@ function Get-TargetResource $ActivationReqJustification = (($role | Where-Object { $_.Id -eq 'Enablement_EndUser_Assignment' }).AdditionalProperties.enabledRules) -contains 'Justification' $ActivationReqTicket = (($role | Where-Object { $_.Id -eq 'Enablement_EndUser_Assignment' }).AdditionalProperties.enabledRules) -contains 'Ticketing' $ActivationReqMFA = (($role | Where-Object { $_.Id -eq 'Enablement_EndUser_Assignment' }).AdditionalProperties.enabledRules) -contains 'MultiFactorAuthentication' + $AuthenticationContext = ($role | Where-Object { $_.Id -eq 'AuthenticationContext_EndUser_Assignment' }).AdditionalProperties + $AuthenticationContextRequired = $AuthenticationContext.isEnabled + if ($AuthenticationContextRequired) + { + $AuthenticationContextId = $AuthenticationContext.claimValue + $AuthenticationContextName = (Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference -AuthenticationContextClassReferenceId $AuthenticationContextId).DisplayName + } $ApprovaltoActivate = (($role | Where-Object { $_.Id -eq 'Approval_EndUser_Assignment' }).AdditionalProperties.setting.isApprovalRequired) [array]$ActivateApprovers = (($role | Where-Object { $_.Id -eq 'Approval_EndUser_Assignment' }).AdditionalProperties.setting.approvalStages.primaryApprovers) [string[]]$ActivateApprover = @() @@ -369,6 +388,9 @@ function Get-TargetResource EligibleAssignmentAssigneeNotificationDefaultRecipient = $EligibleAssignmentAssigneeNotificationDefaultRecipient EligibleAssignmentAssigneeNotificationAdditionalRecipient = [System.String[]]$EligibleAssignmentAssigneeNotificationAdditionalRecipient EligibleAssignmentAssigneeNotificationOnlyCritical = $EligibleAssignmentAssigneeNotificationOnlyCritical + AuthenticationContextRequired = $AuthenticationContextRequired + AuthenticationContextId = $AuthenticationContextId + AuthenticationContextName = $AuthenticationContextName Ensure = 'Present' ApplicationId = $ApplicationId TenantId = $TenantId 
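Review bot: When the rule is disabled, `$AuthenticationContextId` and `$AuthenticationContextName` are never assigned in this hunk, so they keep whatever the caller passed in as parameters and are returned at `@@ -369,6 +388,9 @@` as if they were the tenant's current values. Resetting both before the `if`, with `$AuthenticationContextId = $null` and `$AuthenticationContextName = $null`, makes Get-TargetResource report what the policy rule actually holds. The name lookup is also unguarded, so a claim value whose class reference can no longer be read presumably produces an error and an empty name; a `Write-Verbose` for that case would help diagnosis.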
@@ -557,6 +579,18 @@ function Set-TargetResource [System.Boolean] $EligibleAssignmentAssigneeNotificationOnlyCritical, + [Parameter()] + [System.Boolean] + $AuthenticationContextRequired, + + [Parameter()] + [System.String] + $AuthenticationContextId, + + [Parameter()] + [System.String] + $AuthenticationContextName, + [Parameter()] [ValidateSet('Present')] [System.String] @@ -591,6 +625,7 @@ function Set-TargetResource #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies + #$PSBoundParameters.Remove('AuthenticationContextName') | Out-Null #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' @@ -1083,6 +1118,22 @@ function Set-TargetResource } } } + elseif ($role.Id -match 'AuthenticationContext_EndUser_Assignment') + { + if ($PSBoundParameters.ContainsKey('AuthenticationContextRequired') ` + -and $PSBoundParameters.ContainsKey('AuthenticationContextId')) + { + $params = @{ + '@odata.type' = $odatatype + 'id' = $role.Id + 'isEnabled' = $true + 'claimValue' = $AuthenticationContextId + target = @{ + '@odata.type' = 'microsoft.graph.unifiedRoleManagementPolicyRuleTarget' + } + } + } + } if ($params.Count -gt 0) { @@ -1269,6 +1320,18 @@ function Test-TargetResource [System.Boolean] $EligibleAssignmentAssigneeNotificationOnlyCritical, + [Parameter()] + [System.Boolean] + $AuthenticationContextRequired, + + [Parameter()] + [System.String] + $AuthenticationContextId, + + [Parameter()] + [System.String] + $AuthenticationContextName, + [Parameter()] [ValidateSet('Present')] [System.String] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.schema.mof index 9239601277..6b7e78718c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.schema.mof 
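Review bot: In the new `AuthenticationContext_EndUser_Assignment` branch of Set-TargetResource, `'isEnabled' = $true` is hard-coded. Setting `AuthenticationContextRequired = $false` together with an `AuthenticationContextId` therefore still switches the requirement on, and no path switches it off. Use the declared value instead: `'isEnabled' = $AuthenticationContextRequired`. The branch is also skipped silently when `AuthenticationContextRequired` is `$true` but no `AuthenticationContextId` is bound, so a role the configuration describes as protected is left without the authentication context; throwing a clear error in that case would be safer. The commented-out `#$PSBoundParameters.Remove('AuthenticationContextName') | Out-Null` line should either be removed or enabled with a comment saying why the name is excluded.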
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.schema.mof @@ -41,6 +41,9 @@ class MSFT_AADRoleSetting : OMI_BaseResource [Write, Description("Send notifications when eligible members activate this role: Notification to activated user (requestor), default recipient (True/False)")] Boolean EligibleAssignmentAssigneeNotificationDefaultRecipient; [Write, Description("Send notifications when eligible members activate this role: Notification to activated user (requestor), additional recipient (UPN)")] String EligibleAssignmentAssigneeNotificationAdditionalRecipient[]; [Write, Description("Send notifications when eligible members activate this role: Notification to activated user (requestor), only critical Email (True/False)")] Boolean EligibleAssignmentAssigneeNotificationOnlyCritical; + [Write, Description("Authorization context is required (True/False)")] Boolean AuthenticationContextRequired; + [Write, Description("Descriptive name of associated authorization context")] String AuthenticationContextName; + [Write, Description("Authorization context id")] String AuthenticationContextId; [Write, Description("Specify if the Azure AD role setting should exist or not."), ValueMap{"Present"}, Values{"Present"}] String Ensure; [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; From c7190395d28f0b04c56235cae4a3eab84e5e3fcd Mon Sep 17 00:00:00 2001 From: mario Date: Mon, 4 Mar 2024 15:25:12 +0100 Subject: [PATCH 32/70] fix --- .../MSFT_EXOIntraOrganizationConnector.psm1 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
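Review bot: The three new `Description` strings say "Authorization context", but the properties are named `AuthenticationContext*` and the rule they map to is the authentication context, so the generated documentation will mislead readers. Suggested wording: `Description("Authentication context is required (True/False)")`, `Description("Display name of the associated authentication context")` and `Description("Id (claim value) of the authentication context")`. If `AuthenticationContextName` is informational only, say so in its description; the Set-TargetResource hunk of this patch sends only `AuthenticationContextId`.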
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 index 29460f72f1..568e5894bf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOIntraOrganizationConnector/MSFT_EXOIntraOrganizationConnector.psm1 @@ -101,12 +101,20 @@ function Get-TargetResource { $DiscoveryEndpointValue += '/' } + if ($IntraOrganizationConnector.TargetSharingEpr) + { + $TargetSharingEprValue = $IntraOrganizationConnector.TargetSharingEpr.AbsoluteUri.ToString() + } + else + { + $TargetSharingEprValue = '' + } $result = @{ Identity = $Identity DiscoveryEndpoint = $IntraOrganizationConnector.DiscoveryEndpoint.ToString() Enabled = $IntraOrganizationConnector.Enabled TargetAddressDomains = $IntraOrganizationConnector.TargetAddressDomains - TargetSharingEpr = $IntraOrganizationConnector.TargetSharingEpr.ToString() + TargetSharingEpr = $TargetSharingEprValue Credential = $Credential Ensure = 'Present' ApplicationId = $ApplicationId From 2468b32c71f68763545dceb281f29059759faf49 Mon Sep 17 00:00:00 2001 From: mario Date: Mon, 4 Mar 2024 15:49:49 +0100 Subject: [PATCH 33/70] fix issue --- CHANGELOG.md | 5 +++++ .../MSFT_EXOHostedContentFilterRule.psm1 | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..8b72dd64aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* EXOHostedContentFilterRule + * Fixed issue in case of different names of filter rule and filter policy + FIXES [#4401](https://github.com/microsoft/Microsoft365DSC/issues/4401) # 1.24.228.1 
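Review bot: The new guard in Get-TargetResource returns `$IntraOrganizationConnector.TargetSharingEpr.AbsoluteUri.ToString()` where the old code returned `TargetSharingEpr.ToString()`, so it changes the string form as well as fixing the null case. If `TargetSharingEpr` ever arrives as a plain string rather than a `System.Uri`, `.AbsoluteUri` is `$null` and the `.ToString()` call throws. `AbsoluteUri` may also differ from the text originally entered, which would show up as drift in Test-TargetResource. Keeping the previous conversion inside the guard avoids both: `$TargetSharingEprValue = $IntraOrganizationConnector.TargetSharingEpr.ToString()`. The unchanged `DiscoveryEndpoint = $IntraOrganizationConnector.DiscoveryEndpoint.ToString()` line has the same null risk and does not appear to use the `$DiscoveryEndpointValue` prepared just above it.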
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterRule/MSFT_EXOHostedContentFilterRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterRule/MSFT_EXOHostedContentFilterRule.psm1 index ff9a042c4b..8a09720c02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterRule/MSFT_EXOHostedContentFilterRule.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterRule/MSFT_EXOHostedContentFilterRule.psm1 @@ -114,7 +114,7 @@ function Get-TargetResource { try { - $HostedContentFilterRule = Get-HostedContentFilterRule -Identity $HostedContentFilterPolicy -ErrorAction Stop + $HostedContentFilterRule = Get-HostedContentFilterRule -Identity $Identity -ErrorAction Stop } catch { From 9dc42c7d7a830977691e050d75d335a48b4cf0e7 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 7 Mar 2024 10:52:46 +0000 Subject: [PATCH 34/70] Use name for permission instead of GUID --- .../DSCResources/MSFT_O365OrgSettings/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json index fbf73c095e..0a32202dfb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json @@ -77,7 +77,7 @@ "name": "ReportSettings.ReadWrite.All" }, { - "name": "83f7232f-763c-47b2-a097-e35d2cbe1da5" + "name": "OrgSettings-Microsoft365Install.ReadWrite.All" }, { "name": "OrgSettings-Forms.ReadWrite.All" From bb81b35bcadfb4fed4a161bee654b3a42d75a9de Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 7 Mar 2024 10:53:17 +0000 Subject: [PATCH 35/70] This can be used with delegated permissions now --- .../DSCResources/MSFT_O365OrgSettings/settings.json | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json index 0a32202dfb..d84fda6c93 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json @@ -31,6 +31,9 @@ { "name": "ReportSettings.ReadWrite.All" }, + { + "name": "OrgSettings-Microsoft365Install.ReadWrite.All" + }, { "name": "OrgSettings-Forms.ReadWrite.All" }, From 52f0abd186648393eb0e93b8c12fcc34172ddc09 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 7 Mar 2024 10:54:41 +0000 Subject: [PATCH 36/70] Add read permission for reading M365 apps installation settings --- .../DSCResources/MSFT_O365OrgSettings/settings.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json index d84fda6c93..0cb2978d9e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_O365OrgSettings/settings.json @@ -11,6 +11,9 @@ { "name": "ReportSettings.Read.All" }, + { + "name": "OrgSettings-Microsoft365Install.Read.All" + }, { "name": "OrgSettings-Forms.Read.All" }, @@ -56,6 +59,9 @@ { "name": "ReportSettings.Read.All" }, + { + "name": "OrgSettings-Microsoft365Install.Read.All" + }, { "name": "OrgSettings-Forms.Read.All" }, From 7fbd0702219bf6e2f911b6b7d86a688954f1d998 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 7 Mar 2024 10:56:23 +0000 Subject: [PATCH 37/70] Missing word --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..9d370be923 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* O365OrgSettings + * Add read permission for extracting M365 apps installation settings instead + of extracting them only with read/write permissions + FIXES [#4418](https://github.com/microsoft/Microsoft365DSC/issues/4418) # 1.24.228.1 From 9d6515d9da7a7844652a71f30f41c4323aa6163a Mon Sep 17 00:00:00 2001 From: Derek Smay Date: Thu, 7 Mar 2024 08:38:23 -0500 Subject: [PATCH 38/70] Fix example in docs --- CHANGELOG.md | 3 +++ .../user-guide/cmdlets/Update-M365DSCAzureAdApplication.md | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..781f1c1f4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Change log for Microsoft365DSC +# Unrelease +* Fix example in documentation for Update-M365DSCAzureAdApplication + # 1.24.228.1 diff --git a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md index 77ddc22059..13ccd59634 100644 --- a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md +++ b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md 
@@ -86,6 +86,6 @@ This function does not generate any output. -------------------------- EXAMPLE 4 -------------------------- -`Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer` +`Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList $(Get-M365DSCAllResources) -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer` From 61892c1b9556aac7350d891011e68b24d4a06b84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Thu, 7 Mar 2024 21:15:07 +0100 Subject: [PATCH 39/70] Update CHANGELOG.md --- CHANGELOG.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 781f1c1f4d..68b55da523 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,7 @@ # Change log for Microsoft365DSC -# Unrelease -* Fix example in documentation for Update-M365DSCAzureAdApplication - +# UNRELEASED + * Fix example in documentation for Update-M365DSCAzureAdApplication # 1.24.228.1 From dd5e9950df332af259292c6aaa62e9ad7f74786d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Thu, 7 Mar 2024 21:42:46 +0100 Subject: [PATCH 40/70] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68b55da523..af3776ff6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,7 @@ # Change log for Microsoft365DSC # UNRELEASED + * Fix example in documentation for Update-M365DSCAzureAdApplication # 1.24.228.1 From 26a26e78bff2af1d6bca538372721313faafae6d Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 8 Mar 2024 20:56:02 +0000 Subject: [PATCH 41/70] Remove auth methods from PSBoundParameters --- .../MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 index 0e93d5c877..61f345717b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 @@ -223,19 +223,12 @@ function Set-TargetResource Write-Verbose -Message "Setting Voice Route {$Identity}" $CurrentValues = Get-TargetResource @PSBoundParameters - - $SetParameters = $PSBoundParameters - $SetParameters.Remove('Ensure') | Out-Null - $SetParameters.Remove('Credential') | Out-Null - $SetParameters.Remove('ApplicationId') | Out-Null - $SetParameters.Remove('TenantId') | Out-Null - $SetParameters.Remove('CertificateThumbprint') | Out-Null - $SetParameters.Remove('ManagedIdentity') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $CurrentValues.Ensure -eq 'Absent') { Write-Verbose -Message "Creating a new Voice Route {$Identity}" - New-CsOnlineVoiceRoute @SetParameters + New-CsOnlineVoiceRoute @PSBoundParameters } elseif ($Ensure -eq 'Present' -and $CurrentValues.Ensure -eq 'Present') { 
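Review bot: `New-CsOnlineVoiceRoute @PSBoundParameters` now splats whatever `Remove-M365DSCAuthenticationParameter` leaves behind, and the explicit `Remove('Ensure')` from the old `$SetParameters` code is gone. Unless that helper also strips `Ensure` (its body is not part of this patch), the cmdlet receives a parameter it presumably does not accept and the create path fails. The `Set-CsOnlineVoiceRoute @PSBoundParameters` call in the next hunk is affected the same way. Assigning to the automatic variable `$PSBoundParameters` is also fragile; a separate copy keeps the intent clear: `$SetParameters = Remove-M365DSCAuthenticationParameter -BoundParameters ([Hashtable]$PSBoundParameters).Clone()` followed by `$SetParameters.Remove('Ensure') | Out-Null`. Set-TargetResource continues outside the hunk.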
@@ -244,7 +237,7 @@ function Set-TargetResource into the Set-CsOnlineVoiceRoute cmdlet. #> Write-Verbose -Message "Updating settings for Voice Route {$Identity}" - Set-CsOnlineVoiceRoute @SetParameters + Set-CsOnlineVoiceRoute @PSBoundParameters } elseif ($Ensure -eq 'Absent' -and $CurrentValues.Ensure -eq 'Present') { From de6b2cad1cb538530f7e3f3b422e58d92a529075 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 8 Mar 2024 20:56:26 +0000 Subject: [PATCH 42/70] Fix policy removal --- .../DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 index 61f345717b..1bce17b814 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 @@ -242,7 +242,7 @@ function Set-TargetResource elseif ($Ensure -eq 'Absent' -and $CurrentValues.Ensure -eq 'Present') { Write-Verbose -Message "Removing existing Voice Route {$Identity}" - Remove-CsOnlineVoiceRoute -Identity $Identity -Confirm:$false + Remove-CsOnlineVoiceRoute -Identity $Identity } } From df0d77700c86d017e7f20a3e8962e1b8b0ed5f39 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 8 Mar 2024 21:17:03 +0000 Subject: [PATCH 43/70] Fix comparison in Test-TargetResource --- .../MSFT_TeamsVoiceRoute.psm1 | 29 ++++++++++++++----- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 index 1bce17b814..6b5b4bfed1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 @@ -316,16 +316,31 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Voice Route {$Identity}" $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + if ($CurrentValues.Ensure -eq 'Absent' -and $PSBoundParameters.Ensure -eq 'Absent') + { + Write-Verbose -Message "Test-TargetResource returned $true" + return $true + } + $TestResult = $true - $ValuesToCheck = $PSBoundParameters + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + if ($TestResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $TestResult" From 4d3a36f7d473a1b3da482dd7003da701c3ea4eed Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 8 Mar 2024 21:17:47 +0000 Subject: [PATCH 44/70] Add new lines --- .../MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 | 3 +++ 1 file changed, 3 insertions(+) 
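Review bot: The new early exit compares `$CurrentValues.Ensure` with `$PSBoundParameters.Ensure`, which is `$null` whenever the configuration omits `Ensure` and relies on the parameter default. For such configurations Test-TargetResource would return `$false` on every run. Compare against the parameter variable instead: `if ($CurrentValues.Ensure -ne $Ensure)` and `if ($CurrentValues.Ensure -eq 'Absent' -and $Ensure -eq 'Absent')`. The parameter block is outside the hunk, so confirm that `Ensure` has a default there. `$TestResult = $true` followed directly by `if ($TestResult)` is always true and can be dropped.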
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 index 6b5b4bfed1..6830225462 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 @@ -171,6 +171,7 @@ function Set-TargetResource [Switch] $ManagedIdentity ) + #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies @@ -301,6 +302,7 @@ function Test-TargetResource [Switch] $ManagedIdentity ) + #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies @@ -373,6 +375,7 @@ function Export-TargetResource [Switch] $ManagedIdentity ) + $InformationPreference = 'Continue' $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftTeams' ` From 326ca909abd1b779fddb9691902bcfc613fa18df Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 8 Mar 2024 21:18:14 +0000 Subject: [PATCH 45/70] Use correct var --- .../DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 index 6830225462..ccbc3cc2d0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 @@ -215,7 +215,7 @@ function Set-TargetResource } } - if ($notFoundUsageList) + if ($notFoundGatewayList) { $notFoundGateways = $notFoundGatewayList -join ',' throw "Please create the Voice Gateway object(s) ($notFoundGateways) using `"TeamsVoiceRoute`"" From 33cb84d30e192761b5d1fbc527e51c37fd750f60 Mon Sep 17 00:00:00 2001 
From: Ricardo Mestre Date: Fri, 8 Mar 2024 21:19:55 +0000 Subject: [PATCH 46/70] M365DSC doesn't support creating voice gateways yet --- .../DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 index ccbc3cc2d0..a264cb6b1e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 @@ -218,7 +218,7 @@ function Set-TargetResource if ($notFoundGatewayList) { $notFoundGateways = $notFoundGatewayList -join ',' - throw "Please create the Voice Gateway object(s) ($notFoundGateways) using `"TeamsVoiceRoute`"" + throw "Please create the Voice Gateway object(s) ($notFoundGateways) using cmdlet `"New-CsOnlinePSTNGateway`"" } Write-Verbose -Message "Setting Voice Route {$Identity}" From 01d68bac1033ea8faceead3e1e48153f00b156df Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 8 Mar 2024 21:20:12 +0000 Subject: [PATCH 47/70] Remove extra spaces --- .../MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 index a264cb6b1e..61bf169a38 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsVoiceRoute/MSFT_TeamsVoiceRoute.psm1 @@ -192,7 +192,7 @@ function Set-TargetResource $notFoundUsageList = @() foreach ($usage in $OnlinePstnUsages) { - if ( -not ($existingUsages -match $usage)) + if (-not ($existingUsages -match $usage)) { $notFoundUsageList += $usage } 
@@ -209,7 +209,7 @@ function Set-TargetResource $notFoundGatewayList = @() foreach ($gateway in $OnlinePstnGatewayList) { - if ( -not ($existingGateways -match $gateway)) + if (-not ($existingGateways -match $gateway)) { $notFoundGatewayList += $gateway } From fa5fa0134f121e1906a6de1bc856632caaf519a9 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Fri, 8 Mar 2024 21:26:33 +0000 Subject: [PATCH 48/70] Update CHANGELOG.md --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..6e513f5e07 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* TeamsVoiceRoute + * Fix policy removal and also comparison in Test-TargetResource # 1.24.228.1 From 8d7943aca8eabc877dc6881ecbcf5ac7314e03c4 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Sat, 9 Mar 2024 09:46:41 -0500 Subject: [PATCH 49/70] Initial --- .../MSFT_AADAuthenticationStrengthPolicy.psm1 | 2 +- .../Modules/M365DSCTelemetryEngine.psm1 | 37 ++++++++++++------- .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 21 ++++++++++- 3 files changed, 43 insertions(+), 17 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 index 939662c622..21752f97dc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 
@@ -75,7 +75,7 @@ function Get-TargetResource if (-not [System.String]::IsNullOrEmpty($Id)) { - $getValue = Get-MgBetaPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $Id + $getValue = Get-MgBetaPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $Id -ErrorAction 'SilentlyContinue' } if ($null -eq $getValue) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCTelemetryEngine.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCTelemetryEngine.psm1 index dda43e2796..15f1e908c3 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCTelemetryEngine.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCTelemetryEngine.psm1 
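Review bot: `-ErrorAction 'SilentlyContinue'` on the Id lookup hides every failure, not only "not found". A permission, throttling or connectivity error now also leaves `$getValue` as `$null` and falls into the `if ($null -eq $getValue)` branch. Depending on what that branch does (it is outside the hunk), the policy could be reported as absent, or matched by name against a different object. Consider keeping the suppression but recording the error, for example by adding `-ErrorVariable getError` to the call and then `if ($getError) { Write-Verbose -Message "Lookup by Id failed: $($getError[0])" }`.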
@@ -91,59 +91,68 @@ function Add-M365DSCTelemetryEvent $Data.Remove('Principal') | Out-Null # Capture PowerShell Version Info - $Data.Add('PSMainVersion', $PSVersionTable.PSVersion.Major.ToString() + '.' + $PSVersionTable.PSVersion.Minor.ToString()) - $Data.Add('PSVersion', $PSVersionTable.PSVersion.ToString()) - $Data.Add('PSEdition', $PSVersionTable.PSEdition.ToString()) + if (-not $Data.Keys.Contains('PSMainVersion')) + { + $Data.Add('PSMainVersion', $PSVersionTable.PSVersion.Major.ToString() + '.' + $PSVersionTable.PSVersion.Minor.ToString()) + } + if (-not $Data.Keys.Contains('PSVersion')) + { + $Data.Add('PSVersion', $PSVersionTable.PSVersion.ToString()) + } + if (-not $Data.Keys.Contains('PSEdition')) + { + $Data.Add('PSEdition', $PSVersionTable.PSEdition.ToString()) + } - if ($null -ne $PSVersionTable.BuildVersion) + if ($null -ne $PSVersionTable.BuildVersion -and -not $Data.Keys.Contains('PSBuildVersion')) { $Data.Add('PSBuildVersion', $PSVersionTable.BuildVersion.ToString()) } - if ($null -ne $PSVersionTable.CLRVersion) + if ($null -ne $PSVersionTable.CLRVersion -and -not $Data.Keys.Contains('PSCLRVersion')) { $Data.Add('PSCLRVersion', $PSVersionTable.CLRVersion.ToString()) } # Capture Console/Host Information - if ($host.Name -eq 'ConsoleHost' -and $null -eq $env:WT_SESSION) + if ($host.Name -eq 'ConsoleHost' -and $null -eq $env:WT_SESSION -and -not $Data.Keys.Contains('PowerShellAgent')) { $Data.Add('PowerShellAgent', 'Console') } - elseif ($host.Name -eq 'Windows PowerShell ISE Host') + elseif ($host.Name -eq 'Windows PowerShell ISE Host' -and -not $Data.Keys.Contains('PowerShellAgent')) { $Data.Add('PowerShellAgent', 'ISE') } - elseif ($host.Name -eq 'ConsoleHost' -and $null -ne $env:WT_SESSION) + elseif ($host.Name -eq 'ConsoleHost' -and $null -ne $env:WT_SESSION -and -not $Data.Keys.Contains('PowerShellAgent')) { - $Data.Add('PowerShellAgent', 'Windows Terminal') + $Data.Add('PowerShellAgent', 'Windows Terminal' -and -not 
$Data.Keys.Contains('PowerShellAgent')) } elseif ($host.Name -eq 'ConsoleHost' -and $null -eq $env:WT_SESSION -and ` - $null -ne $env:BUILD_BUILDID -and $env:SYSTEM -eq 'build') + $null -ne $env:BUILD_BUILDID -and $env:SYSTEM -eq 'build' -and -not $Data.Keys.Contains('PowerShellAgent')) { $Data.Add('PowerShellAgent', 'Azure DevOPS') $Data.Add('AzureDevOPSPipelineType', 'Build') $Data.Add('AzureDevOPSAgent', $env:POWERSHELL_DISTRIBUTION_CHANNEL) } elseif ($host.Name -eq 'ConsoleHost' -and $null -eq $env:WT_SESSION -and ` - $null -ne $env:BUILD_BUILDID -and $env:SYSTEM -eq 'release') + $null -ne $env:BUILD_BUILDID -and $env:SYSTEM -eq 'release' -and -not $Data.Keys.Contains('PowerShellAgent')) { $Data.Add('PowerShellAgent', 'Azure DevOPS') $Data.Add('AzureDevOPSPipelineType', 'Release') $Data.Add('AzureDevOPSAgent', $env:POWERSHELL_DISTRIBUTION_CHANNEL) } elseif ($host.Name -eq 'Default Host' -and ` - $null -ne $env:APPSETTING_FUNCTIONS_EXTENSION_VERSION) + $null -ne $env:APPSETTING_FUNCTIONS_EXTENSION_VERSION -and -not $Data.Keys.Contains('PowerShellAgent')) { $Data.Add('PowerShellAgent', 'Azure Function') $Data.Add('AzureFunctionWorkerVersion', $env:FUNCTIONS_WORKER_RUNTIME_VERSION) } - elseif ($host.Name -eq 'CloudShell') + elseif ($host.Name -eq 'CloudShell' -and -not $Data.Keys.Contains('PowerShellAgent')) { $Data.Add('PowerShellAgent', 'Cloud Shell') } - if ($null -ne $Data.Resource) + if ($null -ne $Data.Resource -and -not $Data.Keys.Contains('Resource')) { if ($Data.Resource.StartsWith('MSFT_AAD') -or $Data.Resource.StartsWith('AAD')) { diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 1dca1435e2..0e4636ab95 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 
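Review bot: In the Windows Terminal branch the new guard was pasted inside the method call, `$Data.Add('PowerShellAgent', 'Windows Terminal' -and -not $Data.Keys.Contains('PowerShellAgent'))`, so the value recorded is the Boolean result of the `-and` expression rather than the agent name. It should read `$Data.Add('PowerShellAgent', 'Windows Terminal')`. The last condition, `if ($null -ne $Data.Resource -and -not $Data.Keys.Contains('Resource'))`, looks self-contradictory if `$Data` is a dictionary, because `$Data.Resource` is only non-null when the key exists. That would disable the workload classification beneath it; the original `if ($null -ne $Data.Resource)` seems to be what is wanted. The `-and -not $Data.Keys.Contains('PowerShellAgent')` repeated on every `elseif` would be easier to read as one outer guard around the whole chain.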
@@ -577,6 +577,19 @@ function Test-M365DSCParameterState #endregion $returnValue = $true + $TenantName = Get-M365DSCTenantNameFromParameterSet -ParameterSet $DesiredValues + + #region Telemetry - Evaluation + $dataEvaluation = [System.Collections.Generic.Dictionary[[String], [String]]]::new() + $dataEvaluation.Add('Resource', "$Source") + $dataEvaluation.Add('Method', 'Test-TargetResource') + $dataEvaluation.Add('Tenant', $TenantName) + $ValuesToCheckData = $ValuesToCheck | Where-Object -FilterScript {$_ -ne 'Verbose'} + $dataEvaluation.Add('Parameters', $ValuesToCheckData -join "`r`n") + $dataEvaluation.Add('ParametersCount', $ValuesToCheckData.Length) + Add-M365DSCTelemetryEvent -Type 'DriftEvaluation' -Data $dataEvaluation + #endregion + $DriftedParameters = @{} $DriftObject = @{ DriftInfo = @{} @@ -941,7 +954,6 @@ function Test-M365DSCParameterState { $EventMessage = [System.Text.StringBuilder]::New() $EventMessage.Append("`r`n") | Out-Null - $TenantName = Get-M365DSCTenantNameFromParameterSet -ParameterSet $DesiredValues Write-Verbose -Message "Found Tenant Name: $TenantName" $EventMessage.Append(" `r`n") | Out-Null $EventMessage.Append(" `r`n") | Out-Null @@ -951,7 +963,6 @@ function Test-M365DSCParameterState $DriftObject.Add('Tenant', $TenantName) $driftedData.Add('Resource', $source.Split('_')[1]) $DriftObject.Add('Resource', $source.Split('_')[1]) - $driftedData.Add('Event', 'DriftedParameter') # If custom App Insights is specified, allow for the current and desired values to be captured; # ISSUE #1222 @@ -1218,6 +1229,7 @@ function Export-M365DSCConfiguration [Switch] $Validate ) + $currentStartDateTime = [System.DateTime]::Now $Global:M365DSCExportInProgress = $true $Global:MaximumFunctionCount = 32767 
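Review bot: `$dataEvaluation.Add('ParametersCount', $ValuesToCheckData.Length)` in the new telemetry region reports the wrong number when only one key survives the `Where-Object` filter, because the pipeline then yields a single string and `.Length` is its character count. Force an array with `$ValuesToCheckData = @($ValuesToCheck | Where-Object -FilterScript { $_ -ne 'Verbose' })` and use `.Count`. The region also sends the tenant name and the list of evaluated parameter names on every Test-TargetResource call, drifted or not. A short comment stating that only parameter names, never values, are included would help anyone reviewing the telemetry surface. Test-M365DSCParameterState begins and ends outside the hunk.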
@@ -1395,6 +1407,11 @@ function Export-M365DSCConfiguration $Global:M365DSCExportedResourceInstancesNames = $null $Global:M365DSCExportInProgress = $false + $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() + $data.Add('Tenant', $Tenant) + $data.Add('M365DSCExportId', $currentExportID) + $timeTaken = [System.DateTime]::Now.Subtract($currentStartDateTime) + $data.Add('TotalSeconds',$timeTaken.TotalSeconds) Add-M365DSCTelemetryEvent -Type 'ExportCompleted' -Data $data } From f132489596deb577f183b6b961f4bc1afbd1a95e Mon Sep 17 00:00:00 2001 From: Bart Vermeersch Date: Mon, 11 Mar 2024 11:04:46 +0100 Subject: [PATCH 50/70] Obfuscate password in verbose logging --- CHANGELOG.md | 5 +++++ Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..116ca93824 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* Verbose logging + * Enhancement to obfuscate password from verbose logging and avoid empty lines + FIXES [#4392](https://github.com/microsoft/Microsoft365DSC/issues/4392) # 1.24.228.1 diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 9fa3c31b6d..edf5d6c105 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -128,7 +128,7 @@ function Convert-M365DscHashtableToString ) $values = @() - $parametersToObfuscate = @('ApplicationId', 'ApplicationSecret', 'TenantId', 'CertificateThumbprint', 'CertificatePath', 'CertificatePassword', 'Credential') + $parametersToObfuscate = @('ApplicationId', 'ApplicationSecret', 'TenantId', 'CertificateThumbprint', 'CertificatePath', 'CertificatePassword', 'Credential', 'Password') foreach ($pair in $Hashtable.GetEnumerator()) { try 
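Review bot: Adding `'Password'` to `$parametersToObfuscate` in Convert-M365DscHashtableToString covers one more key, but the list is still a set of fixed names and the matching code is outside the hunk. If the match is by exact key name, as the separate `CertificatePassword` and `Password` entries suggest, any other secret-bearing key is still written to verbose output, as is a secret nested inside a hashtable or CIM instance value. A comment on the list would make the contract explicit, e.g. `# Keys whose values are masked in verbose output; add every new secret-bearing parameter here.` A unit test that passes a hashtable with a `Password` key and checks the returned string would pin the behaviour.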
@@ -172,7 +172,7 @@ function Convert-M365DscHashtableToString } [array]::Sort($values) - return ($values -join "`r`n") + return ($values -join [Environment]::NewLine) } <# From 8c23b666cc3f971b4ddb4cddba7e43a56957dbda Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 11 Mar 2024 11:06:23 +0000 Subject: [PATCH 51/70] Condition not required --- .../MSFT_M365DSCRuleEvaluation.psm1 | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index 41367ee930..e293ca3597 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 @@ -243,16 +243,13 @@ function Test-TargetResource $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.InputObject)`r`n" } - if (-not $result) - { - $message = [System.Text.StringBuilder]::New() - [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") - [void]$message.AppendLine("`r`nRuleDefinition:`r`n$RuleDefinition") - Add-M365DSCEvent -Message $message.ToString() ` - -EventType 'RuleEvaluation' ` - -EntryType 'Warning' ` - -EventID 1 -Source $CurrentResourceName - } + $message = [System.Text.StringBuilder]::New() + [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") + [void]$message.AppendLine("`r`nRuleDefinition:`r`n$RuleDefinition") + Add-M365DSCEvent -Message $message.ToString() ` + -EventType 'RuleEvaluation' ` + -EntryType 'Warning' ` + -EventID 1 -Source $CurrentResourceName } Write-Verbose -Message "Test-TargetResource returned $result" return $result From bb5d71a56b0838adb0836d41b112d316dcdabc7d Mon Sep 17 00:00:00 2001 
From: Ricardo Mestre Date: Mon, 11 Mar 2024 11:07:02 +0000 Subject: [PATCH 52/70] Declare var only once --- .../MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index e293ca3597..149b57f5bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 @@ -205,13 +205,13 @@ function Test-TargetResource $result = ($instances.Length - $DSCConvertedInstances.Length) -eq 0 + $message = [System.Text.StringBuilder]::New() if (-not [System.String]::IsNullOrEmpty($AfterRuleCountQuery)) { Write-Verbose -Message "Checking the After Rule Count" $afterRuleCountQueryString = "`$instances.Length $AfterRuleCountQuery" $afterRuleCountQueryBlock = [Scriptblock]::Create($afterRuleCountQueryString) $result = [Boolean](Invoke-Command -ScriptBlock $afterRuleCountQueryBlock) - $message = [System.Text.StringBuilder]::New() if ($instances.Length -eq 0) { [void]$message.AppendLine("No instances were found for the given Rule Definition.") @@ -243,7 +243,6 @@ function Test-TargetResource $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.InputObject)`r`n" } - $message = [System.Text.StringBuilder]::New() [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") [void]$message.AppendLine("`r`nRuleDefinition:`r`n$RuleDefinition") Add-M365DSCEvent -Message $message.ToString() ` From 0ee7825f24c6573b08be927addab030c7a242a4b Mon Sep 17 00:00:00 2001 
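Review bot: `$AfterRuleCountQuery` is concatenated into `$afterRuleCountQueryString` and compiled with `[Scriptblock]::Create`, so any PowerShell placed in that parameter runs with the rights of the DSC run instead of being treated as a comparison. If the value is only meant to be an operator and a count, check it before building the block, e.g. `if ($AfterRuleCountQuery -notmatch '^\s*-(eq|ne|gt|ge|lt|le)\s+\d+\s*$') { throw 'AfterRuleCountQuery must be a comparison operator followed by a number' }`. The same lines are carried through the later hunks of this series that re-indent this branch. Test-TargetResource starts and ends outside the hunk.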
From: Ricardo Mestre Date: Mon, 11 Mar 2024 12:01:43 +0000 Subject: [PATCH 53/70] Spacing --- .../MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index 149b57f5bc..6f6199dfae 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 @@ -250,7 +250,9 @@ function Test-TargetResource -EntryType 'Warning' ` -EventID 1 -Source $CurrentResourceName } + Write-Verbose -Message "Test-TargetResource returned $result" + return $result } } From 43aa4cf77c1e342c08b31093046f1fa7e39b0df1 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 11 Mar 2024 12:04:01 +0000 Subject: [PATCH 54/70] Call Add-M365DSCEvent only from one place --- .../MSFT_M365DSCRuleEvaluation.psm1 | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index 6f6199dfae..a564d74723 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 
@@ -206,6 +206,9 @@ function Test-TargetResource $result = ($instances.Length - $DSCConvertedInstances.Length) -eq 0 $message = [System.Text.StringBuilder]::New() + [void]$message.AppendLine("ResourceName:`r`n$ResourceName`r`n") + [void]$message.AppendLine("RuleDefinition:`r`n$RuleDefinition`r`n") + if (-not [System.String]::IsNullOrEmpty($AfterRuleCountQuery)) { Write-Verbose -Message "Checking the After Rule Count" @@ -225,12 +228,6 @@ function Test-TargetResource } [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") - [void]$message.AppendLine("`r`nRuleDefinition:`r`n$RuleDefinition") - [void]$message.AppendLine("`r`AfterRuleCountQuery:`r`n$AfterRuleCountQuery") - Add-M365DSCEvent -Message $message.ToString() ` - -EventType 'RuleEvaluation' ` - -EntryType 'Warning' ` - -EventID 1 -Source $CurrentResourceName } } elseif (-not $result) @@ -244,11 +241,19 @@ function Test-TargetResource } [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") - [void]$message.AppendLine("`r`nRuleDefinition:`r`n$RuleDefinition") + } + + if (-not $result) + { + if (-not [System.String]::IsNullOrEmpty($AfterRuleCountQuery)) + { + [void]$message.AppendLine("AfterRuleCountQuery:`r`n$AfterRuleCountQuery") + } + Add-M365DSCEvent -Message $message.ToString() ` - -EventType 'RuleEvaluation' ` - -EntryType 'Warning' ` - -EventID 1 -Source $CurrentResourceName + -EventType 'RuleEvaluation' ` + -EntryType 'Warning' ` + -EventID 1 -Source $CurrentResourceName } Write-Verbose -Message "Test-TargetResource returned $result" From 4c53766a7d7debd8f9e71451249cfdb45a58097d Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 11 Mar 2024 12:05:59 +0000 Subject: [PATCH 55/70] Check if instances found is 0 in upper condition --- .../MSFT_M365DSCRuleEvaluation.psm1 | 45 ++++++++++--------- 1 file changed, 24 insertions(+), 21 deletions(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index a564d74723..b3e2793e14 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 
@@ -209,39 +209,42 @@ function Test-TargetResource [void]$message.AppendLine("ResourceName:`r`n$ResourceName`r`n") [void]$message.AppendLine("RuleDefinition:`r`n$RuleDefinition`r`n") - if (-not [System.String]::IsNullOrEmpty($AfterRuleCountQuery)) + if ($instances.Length -eq 0) { - Write-Verbose -Message "Checking the After Rule Count" - $afterRuleCountQueryString = "`$instances.Length $AfterRuleCountQuery" - $afterRuleCountQueryBlock = [Scriptblock]::Create($afterRuleCountQueryString) - $result = [Boolean](Invoke-Command -ScriptBlock $afterRuleCountQueryBlock) - if ($instances.Length -eq 0) + [void]$message.AppendLine("No instances were found for the given Rule Definition.") + } + else + { + if (-not [System.String]::IsNullOrEmpty($AfterRuleCountQuery)) { - [void]$message.AppendLine("No instances were found for the given Rule Definition.") + Write-Verbose -Message "Checking the After Rule Count" + $afterRuleCountQueryString = "`$instances.Length $AfterRuleCountQuery" + $afterRuleCountQueryBlock = [Scriptblock]::Create($afterRuleCountQueryString) + $result = [Boolean](Invoke-Command -ScriptBlock $afterRuleCountQueryBlock) + if (-not $result) + { + $invalidInstancesLogNames = '' + foreach ($invalidInstance in $instances) + { + $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.ResourceInstanceName)`r`n" + } + + [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") + } } elseif (-not $result) { + $invalidInstances = Compare-Object -ReferenceObject $DSCConvertedInstances.ResourceInstanceName -DifferenceObject $instances.ResourceInstanceName + # Log drifts for each invalid instances found. 
$invalidInstancesLogNames = '' - foreach ($invalidInstance in $instances) + foreach ($invalidInstance in $invalidInstances) { - $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.ResourceInstanceName)`r`n" + $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.InputObject)`r`n" } [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") } } - elseif (-not $result) - { - $invalidInstances = Compare-Object -ReferenceObject $DSCConvertedInstances.ResourceInstanceName -DifferenceObject $instances.ResourceInstanceName - # Log drifts for each invalid instances found. - $invalidInstancesLogNames = '' - foreach ($invalidInstance in $invalidInstances) - { - $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.InputObject)`r`n" - } - - [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") - } if (-not $result) { From f14466788884c6ad9999cdbba23ca351ff4ec170 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 11 Mar 2024 12:08:54 +0000 Subject: [PATCH 56/70] Use same logic for showing invalid instances for both conditions --- .../MSFT_M365DSCRuleEvaluation.psm1 | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index b3e2793e14..7cdd17c777 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 
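Review bot: With the new outer `if ($instances.Length -eq 0)` branch, `AfterRuleCountQuery` is no longer evaluated when nothing matches, so `$result` keeps the value from the length comparison above it. A rule whose query expects zero matches (for instance `-eq 0`) was evaluated by the query before this change and can now be reported as a failure together with the "No instances were found" message. Limiting the shortcut to the case without a query keeps the earlier behaviour: `if ($instances.Length -eq 0 -and [System.String]::IsNullOrEmpty($AfterRuleCountQuery))`. Test-TargetResource starts and ends outside the hunk.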
@@ -223,23 +223,22 @@ function Test-TargetResource $result = [Boolean](Invoke-Command -ScriptBlock $afterRuleCountQueryBlock) if (-not $result) { - $invalidInstancesLogNames = '' - foreach ($invalidInstance in $instances) - { - $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.ResourceInstanceName)`r`n" - } - - [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") + $invalidInstances = $instances.ResourceInstanceName } } - elseif (-not $result) + else { $invalidInstances = Compare-Object -ReferenceObject $DSCConvertedInstances.ResourceInstanceName -DifferenceObject $instances.ResourceInstanceName + $invalidInstances = $invalidInstances.InputObject + } + + if (-not $result) + { # Log drifts for each invalid instances found. $invalidInstancesLogNames = '' foreach ($invalidInstance in $invalidInstances) { - $invalidInstancesLogNames += "[$ResourceName]$($invalidInstance.InputObject)`r`n" + $invalidInstancesLogNames += "[$ResourceName]$invalidInstance`r`n" } [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") From 658ae3054cde52219c97675813030e9aa702b648 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 11 Mar 2024 12:24:52 +0000 Subject: [PATCH 57/70] Show different messages since it's different conditions --- .../MSFT_M365DSCRuleEvaluation.psm1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index 7cdd17c777..732ce5594e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 
@@ -224,12 +224,17 @@ function Test-TargetResource if (-not $result) { $invalidInstances = $instances.ResourceInstanceName + + [void]$message.AppendLine("AfterRuleCountQuery:`r`n$AfterRuleCountQuery`r`n") + $MessagePrefix = "The following resource instance(s) matched a rule validation, but did not meet the AfterRuleCountQuery:`r`n" } } else { $invalidInstances = Compare-Object -ReferenceObject $DSCConvertedInstances.ResourceInstanceName -DifferenceObject $instances.ResourceInstanceName $invalidInstances = $invalidInstances.InputObject + + $MessagePrefix = "The following resource instance(s) failed a rule validation:`r`n" } if (-not $result) @@ -241,17 +246,12 @@ function Test-TargetResource $invalidInstancesLogNames += "[$ResourceName]$invalidInstance`r`n" } - [void]$message.AppendLine("The following resource instance(s) failed a rule validation:`r`n$invalidInstancesLogNames") + [void]$message.AppendLine("$MessagePrefix$invalidInstancesLogNames") } } if (-not $result) { - if (-not [System.String]::IsNullOrEmpty($AfterRuleCountQuery)) - { - [void]$message.AppendLine("AfterRuleCountQuery:`r`n$AfterRuleCountQuery") - } - Add-M365DSCEvent -Message $message.ToString() ` -EventType 'RuleEvaluation' ` -EntryType 'Warning' ` From 52a62564bf2dae5dfc13f0e79c77117e46297b11 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 11 Mar 2024 12:32:09 +0000 Subject: [PATCH 58/70] Update CHANGELOG.md --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..5a4b5350f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* M365DSCRuleEvaluation + * Fix issue when it didn't find any matching resources and it tried to make a + comparison # 1.24.228.1 From d34e63ec0d9d217a19efc6d1d4c7edffa217acc8 Mon Sep 17 00:00:00 2001 
From: Nik Charlebois Date: Mon, 11 Mar 2024 13:32:34 -0400 Subject: [PATCH 59/70] Update PublishGitHubPages.yml --- .github/workflows/PublishGitHubPages.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/PublishGitHubPages.yml b/.github/workflows/PublishGitHubPages.yml index bf85a3d7be..5db8507be7 100644 --- a/.github/workflows/PublishGitHubPages.yml +++ b/.github/workflows/PublishGitHubPages.yml @@ -38,6 +38,10 @@ jobs: needs: GenerateResource runs-on: ubuntu-latest + permissions: + contents: write + pages: write + # Only when run from the main repo if: github.repository == 'microsoft/Microsoft365DSC' From b396ea886810934dedcd3b53bafb8c6a93eb9cf5 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 12 Mar 2024 11:10:33 +0000 Subject: [PATCH 60/70] Updated Resources and Cmdlet documentation pages --- .../docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md index 13ccd59634..77ddc22059 100644 --- a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md +++ b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md 
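Review bot: The job is granted both `contents: write` and `pages: write`, but the publishing steps are outside the hunk, so it is not visible that both scopes are used. A token with `contents: write` can push to the repository, so keep only the scope the publish step needs and record the reason next to it, for example `# contents: write - required by the publish step to push the generated site` (adjust to what the step actually does). If the workflow has no top-level `permissions` block, a read-only default there keeps the other jobs from running with broader token rights.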
@@ -86,6 +86,6 @@ This function does not generate any output. -------------------------- EXAMPLE 4 -------------------------- -`Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList $(Get-M365DSCAllResources) -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer` +`Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer` From 2a0c71e16c51ae0fa5d63f154bed1273493df6ca Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 12 Mar 2024 11:16:56 +0000 Subject: [PATCH 61/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/office365/O365OrgSettings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/docs/resources/office365/O365OrgSettings.md b/docs/docs/resources/office365/O365OrgSettings.md index 6f462f9560..4f3ddf2b1f 100644 --- a/docs/docs/resources/office365/O365OrgSettings.md +++ b/docs/docs/resources/office365/O365OrgSettings.md 
@@ -53,21 +53,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - Application.Read.All, ReportSettings.Read.All, OrgSettings-Forms.Read.All, OrgSettings-Todo.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-DynamicsVoice.Read.All + - Application.Read.All, ReportSettings.Read.All, OrgSettings-Microsoft365Install.Read.All, OrgSettings-Forms.Read.All, OrgSettings-Todo.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-DynamicsVoice.Read.All - **Update** - - Application.ReadWrite.All, ReportSettings.ReadWrite.All, OrgSettings-Forms.ReadWrite.All, OrgSettings-Todo.ReadWrite.All, OrgSettings-DynamicsVoice.ReadWrite.All, OrgSettings-AppsAndServices.Read.All + - Application.ReadWrite.All, ReportSettings.ReadWrite.All, OrgSettings-Microsoft365Install.ReadWrite.All, OrgSettings-Forms.ReadWrite.All, OrgSettings-Todo.ReadWrite.All, OrgSettings-DynamicsVoice.ReadWrite.All, OrgSettings-AppsAndServices.Read.All #### Application permissions - **Read** - - Application.Read.All, ReportSettings.Read.All, OrgSettings-Forms.Read.All, OrgSettings-Todo.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-DynamicsVoice.Read.All, Tasks.Read.All + - Application.Read.All, ReportSettings.Read.All, OrgSettings-Microsoft365Install.Read.All, OrgSettings-Forms.Read.All, OrgSettings-Todo.Read.All, OrgSettings-AppsAndServices.Read.All, OrgSettings-DynamicsVoice.Read.All, Tasks.Read.All - **Update** - - Application.ReadWrite.All, ReportSettings.ReadWrite.All, 83f7232f-763c-47b2-a097-e35d2cbe1da5, OrgSettings-Forms.ReadWrite.All, OrgSettings-Todo.ReadWrite.All, OrgSettings-AppsAndServices.ReadWrite.All, OrgSettings-DynamicsVoice.ReadWrite.All, Tasks.ReadWrite.All + - Application.ReadWrite.All, ReportSettings.ReadWrite.All, OrgSettings-Microsoft365Install.ReadWrite.All, OrgSettings-Forms.ReadWrite.All, OrgSettings-Todo.ReadWrite.All, OrgSettings-AppsAndServices.ReadWrite.All, OrgSettings-DynamicsVoice.ReadWrite.All, 
Tasks.ReadWrite.All ## Examples From 6612bd01712dca8f042f3bebd914cc4f1efeec58 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 12 Mar 2024 11:52:54 +0000 Subject: [PATCH 62/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/azure-ad/AADRoleSetting.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/docs/resources/azure-ad/AADRoleSetting.md b/docs/docs/resources/azure-ad/AADRoleSetting.md index efe34daf60..30afa353ad 100644 --- a/docs/docs/resources/azure-ad/AADRoleSetting.md +++ b/docs/docs/resources/azure-ad/AADRoleSetting.md @@ -44,6 +44,9 @@ | **EligibleAssignmentAssigneeNotificationDefaultRecipient** | Write | Boolean | Send notifications when eligible members activate this role: Notification to activated user (requestor), default recipient (True/False) | | | **EligibleAssignmentAssigneeNotificationAdditionalRecipient** | Write | StringArray[] | Send notifications when eligible members activate this role: Notification to activated user (requestor), additional recipient (UPN) | | | **EligibleAssignmentAssigneeNotificationOnlyCritical** | Write | Boolean | Send notifications when eligible members activate this role: Notification to activated user (requestor), only critical Email (True/False) | | +| **AuthenticationContextRequired** | Write | Boolean | Authorization context is required (True/False) | | +| **AuthenticationContextName** | Write | String | Descriptive name of associated authorization context | | +| **AuthenticationContextId** | Write | String | Authorization context id | | | **Ensure** | Write | String | Specify if the Azure AD role setting should exist or not. | `Present` | | **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | From 60d52169dbb0a87da7b70bd143d676a37b26b131 Mon Sep 17 00:00:00 2001 
From: NikCharlebois Date: Tue, 12 Mar 2024 12:16:04 +0000 Subject: [PATCH 63/70] Updated Resources and Cmdlet documentation pages --- .../IntuneDeviceConfigurationScepCertificatePolicyWindows10.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md index 588eb97993..4528947998 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md @@ -19,6 +19,7 @@ | **RenewalThresholdPercentage** | Write | UInt32 | Certificate renewal threshold percentage. Valid values 1 to 99 | | | **SubjectAlternativeNameType** | Write | String | Certificate Subject Alternative Name Type. Possible values are: none, emailAddress, userPrincipalName, customAzureADAttribute, domainNameService, universalResourceIdentifier. | `none`, `emailAddress`, `userPrincipalName`, `customAzureADAttribute`, `domainNameService`, `universalResourceIdentifier` | | **SubjectNameFormat** | Write | String | Certificate Subject Name Format. Possible values are: commonName, commonNameIncludingEmail, commonNameAsEmail, custom, commonNameAsIMEI, commonNameAsSerialNumber, commonNameAsAadDeviceId, commonNameAsIntuneDeviceId, commonNameAsDurableDeviceId. | `commonName`, `commonNameIncludingEmail`, `commonNameAsEmail`, `custom`, `commonNameAsIMEI`, `commonNameAsSerialNumber`, `commonNameAsAadDeviceId`, `commonNameAsIntuneDeviceId`, `commonNameAsDurableDeviceId` | +| **RootCertificateDisplayName** | Write | String | Trusted Root Certificate DisplayName | | | **RootCertificateId** | Write | String | Trusted Root Certificate Id | | | **Description** | Write | String | Admin provided description of the Device Configuration. | | | **DisplayName** | Key | String | Admin provided name of the device configuration. | | 
From 7f401f31e0767fba135bcba7d4eb801be4790045 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 12 Mar 2024 08:41:12 -0400 Subject: [PATCH 64/70] Updated Dependencies --- CHANGELOG.md | 6 +++ ...SFT_AADRoleEligibilityScheduleRequest.psm1 | 7 ++-- .../Dependencies/Manifest.psd1 | 38 +++++++++---------- 3 files changed, 28 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cef4b5fcd..95b46df0cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* DEPENDENCIES + * Updated DSCParser to version 1.4.0.4. + * Updated Microsoft.Graph to version 2.15.0. + * Updated MicrosoftTeams to version 6.0.0. # 1.24.228.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 index c5266516d2..ecd106f47e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 @@ -154,16 +154,15 @@ else { Write-Verbose -Message "Getting Role Eligibility by PrincipalId and RoleDefinitionId" + Write-Verbose -Message "Retrieving principal {$Principal} of type {$PrincipalType}" if ($PrincipalType -eq 'User') { - Write-Verbose -Message "Retrieving principal {$Principal} of type {$PrincipalType}" $PrincipalIdValue = Get-MgUser -Filter "UserPrincipalName eq '$Principal'" -ErrorAction SilentlyContinue $PrincipalTypeValue = 'User' } if ($null -eq $PrincipalIdValue -or $PrincipalType -eq 'Group') { - Write-Verbose -Message "Retrieving principal {$Principal} of type {$PrincipalType}" $PrincipalIdValue = Get-MgGroup -Filter "DisplayName eq '$Principal'" -ErrorAction SilentlyContinue $PrincipalTypeValue = 'Group' } 
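Review bot: `$Principal` is interpolated straight into the OData filters `"UserPrincipalName eq '$Principal'"` and `"DisplayName eq '$Principal'"`, so a name containing an apostrophe produces a malformed or different filter. `-ErrorAction SilentlyContinue` then hides the failure and the lookup quietly falls through. Doubling single quotes first avoids that: `$escapedPrincipal = $Principal -replace "'", "''"`, then use `'$escapedPrincipal'` in both filters. The enclosing function starts and ends outside the hunk.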
@@ -817,10 +816,10 @@ function Export-TargetResource } foreach ($request in $Script:exportedInstances) { - $displayedKey = $request.Id + $RoleDefinitionId = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $request.RoleDefinitionId + $displayedKey = $RoleDefinitionId.DisplayName + " - " + $request.PrincipalId Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline - $RoleDefinitionId = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $request.RoleDefinitionId $params = @{ Id = $request.Id Principal = $request.PrincipalId diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 7183bc25aa..4c14b55f3f 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -2,7 +2,7 @@ Dependencies = @( @{ ModuleName = 'DSCParser' - RequiredVersion = '1.4.0.2' + RequiredVersion = '1.4.0.4' }, @{ ModuleName = 'ExchangeOnlineManagement' 
@@ -10,71 +10,71 @@ }, @{ ModuleName = 'Microsoft.Graph.Applications' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Authentication' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Devices.CorporateManagement' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Administration' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.DirectoryManagement' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.Governance' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.SignIns' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Reports' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Teams' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.DeviceManagement.Administration' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DirectoryObjects' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Groups' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Planner' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Users' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName = 'Microsoft.Graph.Users.Actions' - RequiredVersion = '2.14.1' + RequiredVersion = '2.15.0' }, @{ ModuleName 
= 'Microsoft.PowerApps.Administration.PowerShell' @@ -82,7 +82,7 @@ }, @{ ModuleName = 'MicrosoftTeams' - RequiredVersion = '5.9.0' + RequiredVersion = '6.0.0' }, @{ ModuleName = "MSCloudLoginAssistant" From fb0e3881e95d98ecfbede5594ad0388f7cc0dea4 Mon Sep 17 00:00:00 2001 From: mario Date: Wed, 13 Mar 2024 12:27:27 +0100 Subject: [PATCH 65/70] Add support for IntraOrgFilterState --- CHANGELOG.md | 3 +++ .../MSFT_EXOHostedContentFilterPolicy.psm1 | 16 ++++++++++++++++ .../MSFT_EXOHostedContentFilterPolicy.schema.mof | 1 + 3 files changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cae6e9c4a..e23650eda8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ # UNRELEASED +* EXOHostedContentFilterPolicy + * Add support for IntraOrgFilterState parameter + FIXES [#4424](https://github.com/microsoft/Microsoft365DSC/issues/4424) * EXOHostedContentFilterRule * Fixed issue in case of different names of filter rule and filter policy FIXES [#4401](https://github.com/microsoft/Microsoft365DSC/issues/4401) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 index 90c58d92c2..2e1f5f4a5f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.psm1 @@ -99,6 +99,11 @@ function Get-TargetResource [System.Boolean] $InlineSafetyTipsEnabled = $true, + [Parameter()] + [ValidateSet('Default', 'HighConfidencePhish', 'Phish', 'HighConfidenceSpam', 'Spam', 'Disabled')] + [System.String] + $IntraOrgFilterState = 'Default', + [Parameter()] [ValidateSet('Off', 'On', 'Test')] [System.String] 
@@ -356,6 +361,7 @@ function Get-TargetResource HighConfidenceSpamAction = $HostedContentFilterPolicy.HighConfidenceSpamAction HighConfidenceSpamQuarantineTag = $HostedContentFilterPolicy.HighConfidenceSpamQuarantineTag InlineSafetyTipsEnabled = $HostedContentFilterPolicy.InlineSafetyTipsEnabled + IntraOrgFilterState = $HostedContentFilterPolicy.IntraOrgFilterState IncreaseScoreWithBizOrInfoUrls = $HostedContentFilterPolicy.IncreaseScoreWithBizOrInfoUrls IncreaseScoreWithImageLinks = $HostedContentFilterPolicy.IncreaseScoreWithImageLinks IncreaseScoreWithNumericIps = $HostedContentFilterPolicy.IncreaseScoreWithNumericIps @@ -517,6 +523,11 @@ function Set-TargetResource [System.Boolean] $InlineSafetyTipsEnabled = $true, + [Parameter()] + [ValidateSet('Default', 'HighConfidencePhish', 'Phish', 'HighConfidenceSpam', 'Spam', 'Disabled')] + [System.String] + $IntraOrgFilterState = 'Default', + [Parameter()] [ValidateSet('Off', 'On', 'Test')] [System.String] @@ -857,6 +868,11 @@ function Test-TargetResource [System.Boolean] $InlineSafetyTipsEnabled = $true, + [Parameter()] + [ValidateSet('Default', 'HighConfidencePhish', 'Phish', 'HighConfidenceSpam', 'Spam', 'Disabled')] + [System.String] + $IntraOrgFilterState = 'Default', + [Parameter()] [ValidateSet('Off', 'On', 'Test')] [System.String] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.schema.mof index 6bf606d1ac..65ae9c3bc5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOHostedContentFilterPolicy/MSFT_EXOHostedContentFilterPolicy.schema.mof 
@@ -27,6 +27,7 @@ class MSFT_EXOHostedContentFilterPolicy : OMI_BaseResource [Write, Description("The IncreaseScoreWithNumericIps parameter increases the spam score of messages that contain links to IP addresses. Valid values for this parameter are Off, On or Test. The default value is Off."), ValueMap{"Off","On","Test"}, Values{"Off","On","Test"}] String IncreaseScoreWithNumericIps; [Write, Description("The IncreaseScoreWithRedirectToOtherPort parameter increases the spam score of messages that contain links that redirect to other TCP ports. Valid values for this parameter are Off, On or Test. The default value is Off."), ValueMap{"Off","On","Test"}, Values{"Off","On","Test"}] String IncreaseScoreWithRedirectToOtherPort; [Write, Description("The InlineSafetyTipsEnabled parameter specifies whether to enable or disable safety tips that are shown to recipients in messages. The default is $true")] Boolean InlineSafetyTipsEnabled; + [Write, Description("The IntraOrgFilterState parameter specifies whether to enable anti-spam filtering for messages sent between internal users (users in the same organization)."), ValueMap{"Default","HighConfidencePhish","Phish","HighConfidenceSpam","Spam","Disabled"}, Values{"Default","HighConfidencePhish","Phish","HighConfidenceSpam","Spam","Disabled"}] String IntraOrgFilterState; [Write, Description("The LanguageBlockList parameter specifies the languages to block when messages are blocked based on their language. Valid input for this parameter is a supported ISO 639-1 lowercase two-letter language code. You can specify multiple values separated by commas. This parameter is only use when the EnableRegionBlockList parameter is set to $true.")] String LanguageBlockList[]; [Write, Description("The MakeDefault parameter makes the specified content filter policy the default content filter policy. 
The default value is $false")] Boolean MakeDefault; [Write, Description("The MarkAsSpamBulkMail parameter classifies the message as spam when the message is identified as a bulk email message. Valid values for this parameter are Off, On or Test. The default value is On."), ValueMap{"Off","On","Test"}, Values{"Off","On","Test"}] String MarkAsSpamBulkMail; From b516006b9134c501906845f8b0519a5755f29c28 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 13 Mar 2024 07:57:05 -0400 Subject: [PATCH 66/70] Release 1.24.313.1 --- ...thenticationMethodPolicyAuthenticator.psm1 | 54 ++++++++++++++++--- .../MSFT_AADAuthenticationStrengthPolicy.psm1 | 2 +- 2 files changed, 49 insertions(+), 7 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 index dc55e471df..53804e091d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 @@ -105,7 +105,14 @@ function Get-TargetResource } else { - $complexExcludeTarget.Add('Id', 'all_users') + if ($getValue.additionalProperties.featureSettings.companionAppAllowedState.excludeTarget.id -eq '00000000-0000-0000-0000-000000000000') + { + $complexExcludeTarget.Add('Id', '00000000-0000-0000-0000-000000000000') + } + else + { + $complexExcludeTarget.Add('Id', 'all_users') + } } if ($null -ne $getValue.additionalProperties.featureSettings.companionAppAllowedState.excludeTarget.targetType) { 
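Review bot: The Description added for IntraOrgFilterState does not say what any of the six ValueMap entries does, so a reader cannot tell that `Disabled` turns anti-spam filtering off for mail between internal users, which is the traffic a compromised internal mailbox produces. The string should explain that the value selects which spam and phishing verdicts are acted on for intra-organisation mail and what `Default` resolves to. As far as I recall from the Set-HostedContentFilterPolicy reference it currently behaves like `HighConfidencePhish`, which should be confirmed before it is written down. A minimal addition would be `Disabled turns filtering off for internal messages; Default applies the service default.` The same value list is repeated in the ValidateSet blocks added to Get-, Set- and Test-TargetResource in the .psm1, so the four places have to change together.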
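Review bot: The literal `'00000000-0000-0000-0000-000000000000'` is compared and then re-added in this else branch with no comment on what an all-zero target id stands for. The same seven-line block is repeated in the five following hunks of Get-TargetResource, for the companionAppAllowedState include target and for both targets of displayAppInformationRequiredState and displayLocationInformationRequiredState. These ids decide which users a feature setting includes or excludes, so a one-line comment on the meaning of the zero GUID and a single named value would make a wrong mapping easier to spot in review. Each site could shrink to `$targetId = if ($target.id -eq $zeroGuid) { $zeroGuid } else { 'all_users' }` followed by `$complexExcludeTarget.Add('Id', $targetId)`, with `$zeroGuid` defined once and `$target` standing for the respective excludeTarget or includeTarget object. The `if` whose else branch this is starts outside the hunk, so the condition that routes execution here is not visible.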
@@ -124,7 +131,14 @@ function Get-TargetResource } else { - $complexIncludeTarget.Add('Id', 'all_users') + if ($getValue.additionalProperties.featureSettings.companionAppAllowedState.includeTarget.id -eq '00000000-0000-0000-0000-000000000000') + { + $complexIncludeTarget.Add('Id', '00000000-0000-0000-0000-000000000000') + } + else + { + $complexIncludeTarget.Add('Id', 'all_users') + } } if ($null -ne $getValue.additionalProperties.featureSettings.companionAppAllowedState.includeTarget.targetType) { @@ -154,7 +168,14 @@ function Get-TargetResource } else { - $complexExcludeTarget.Add('Id', 'all_users') + if ($getValue.additionalProperties.featureSettings.displayAppInformationRequiredState.excludeTarget.id -eq '00000000-0000-0000-0000-000000000000') + { + $complexExcludeTarget.Add('Id', '00000000-0000-0000-0000-000000000000') + } + else + { + $complexExcludeTarget.Add('Id', 'all_users') + } } if ($null -ne $getValue.additionalProperties.featureSettings.displayAppInformationRequiredState.excludeTarget.targetType) { @@ -173,7 +194,14 @@ function Get-TargetResource } else { - $complexIncludeTarget.Add('Id', 'all_users') + if ($getValue.additionalProperties.featureSettings.displayAppInformationRequiredState.includeTarget.id -eq '00000000-0000-0000-0000-000000000000') + { + $complexIncludeTarget.Add('Id', '00000000-0000-0000-0000-000000000000') + } + else + { + $complexIncludeTarget.Add('Id', 'all_users') + } } if ($null -ne $getValue.additionalProperties.featureSettings.displayAppInformationRequiredState.includeTarget.targetType) { 
@@ -202,7 +230,14 @@ function Get-TargetResource } else { - $complexExcludeTarget.Add('Id', 'all_users') + if ($getValue.additionalProperties.featureSettings.displayLocationInformationRequiredState.excludeTarget.id -eq '00000000-0000-0000-0000-000000000000') + { + $complexExcludeTarget.Add('Id', '00000000-0000-0000-0000-000000000000') + } + else + { + $complexExcludeTarget.Add('Id', 'all_users') + } } if ($null -ne $getValue.additionalProperties.featureSettings.displayLocationInformationRequiredState.excludeTarget.targetType) { @@ -221,7 +256,14 @@ function Get-TargetResource } else { - $complexIncludeTarget.Add('Id', 'all_users') + if ($getValue.additionalProperties.featureSettings.displayLocationInformationRequiredState.includeTarget.id -eq '00000000-0000-0000-0000-000000000000') + { + $complexIncludeTarget.Add('Id', '00000000-0000-0000-0000-000000000000') + } + else + { + $complexIncludeTarget.Add('Id', 'all_users') + } } if ($null -ne $getValue.additionalProperties.featureSettings.displayLocationInformationRequiredState.includeTarget.targetType) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 index 21752f97dc..6dbc8dc0aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationStrengthPolicy/MSFT_AADAuthenticationStrengthPolicy.psm1 @@ -279,7 +279,7 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { Write-Verbose -Message "Test-TargetResource returned $false" From 442f9c5d79e5f3324b16f3e4820dca07f538df31 Mon Sep 17 00:00:00 2001 
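Review bot: `$ValuesToCheck.Remove('Id') | Out-Null` takes Id out of the drift comparison in Test-TargetResource without a comment giving the reason, and it replaces what appears to be a whitespace-only line, so the behaviour change is easy to miss inside a release commit. If the intent is that Id differs between tenants and should not count as drift, say so above the line, for example `# Id is tenant-specific and not part of the desired state, so it is not compared`. Get-TargetResource is still called with the full `$PSBoundParameters` on the line above, so Id presumably remains available for the lookup. The rest of the function lies outside the hunk.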
From: NikCharlebois Date: Wed, 13 Mar 2024 11:58:47 +0000 Subject: [PATCH 67/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/exchange/EXOHostedContentFilterPolicy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/resources/exchange/EXOHostedContentFilterPolicy.md b/docs/docs/resources/exchange/EXOHostedContentFilterPolicy.md index 5602e6275a..7d6b16263d 100644 --- a/docs/docs/resources/exchange/EXOHostedContentFilterPolicy.md +++ b/docs/docs/resources/exchange/EXOHostedContentFilterPolicy.md 
@@ -30,6 +30,7 @@ | **IncreaseScoreWithNumericIps** | Write | String | The IncreaseScoreWithNumericIps parameter increases the spam score of messages that contain links to IP addresses. Valid values for this parameter are Off, On or Test. The default value is Off. | `Off`, `On`, `Test` | | **IncreaseScoreWithRedirectToOtherPort** | Write | String | The IncreaseScoreWithRedirectToOtherPort parameter increases the spam score of messages that contain links that redirect to other TCP ports. Valid values for this parameter are Off, On or Test. The default value is Off. | `Off`, `On`, `Test` | | **InlineSafetyTipsEnabled** | Write | Boolean | The InlineSafetyTipsEnabled parameter specifies whether to enable or disable safety tips that are shown to recipients in messages. The default is $true | | +| **IntraOrgFilterState** | Write | String | The IntraOrgFilterState parameter specifies whether to enable anti-spam filtering for messages sent between internal users (users in the same organization). | `Default`, `HighConfidencePhish`, `Phish`, `HighConfidenceSpam`, `Spam`, `Disabled` | | **LanguageBlockList** | Write | StringArray[] | The LanguageBlockList parameter specifies the languages to block when messages are blocked based on their language. Valid input for this parameter is a supported ISO 639-1 lowercase two-letter language code. You can specify multiple values separated by commas. This parameter is only use when the EnableRegionBlockList parameter is set to $true. | | | **MakeDefault** | Write | Boolean | The MakeDefault parameter makes the specified content filter policy the default content filter policy. The default value is $false | | | **MarkAsSpamBulkMail** | Write | String | The MarkAsSpamBulkMail parameter classifies the message as spam when the message is identified as a bulk email message. Valid values for this parameter are Off, On or Test. The default value is On. | `Off`, `On`, `Test` | 
From cea4c8c85d5f502315a9c4becd24323da8cb2954 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 13 Mar 2024 12:12:42 +0000 Subject: [PATCH 68/70] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md | 4 ++-- ...untProtectionLocalAdministratorPasswordSolutionPolicy.md | 4 ++-- ...IntuneAccountProtectionLocalUserGroupMembershipPolicy.md | 4 ++-- docs/docs/resources/intune/IntuneAccountProtectionPolicy.md | 4 ++-- .../intune/IntuneAntivirusPolicyWindows10SettingCatalog.md | 4 ++-- docs/docs/resources/intune/IntuneAppConfigurationPolicy.md | 4 ++-- .../resources/intune/IntuneAppProtectionPolicyAndroid.md | 4 ++-- docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md | 4 ++-- .../intune/IntuneApplicationControlPolicyWindows10.md | 4 ++-- .../resources/intune/IntuneDeviceCompliancePolicyAndroid.md | 4 ++-- .../IntuneDeviceCompliancePolicyAndroidDeviceOwner.md | 4 ++-- .../IntuneDeviceCompliancePolicyAndroidWorkProfile.md | 4 ++-- .../resources/intune/IntuneDeviceCompliancePolicyMacOS.md | 4 ++-- .../intune/IntuneDeviceCompliancePolicyWindows10.md | 4 ++-- .../resources/intune/IntuneDeviceCompliancePolicyiOs.md | 4 ++-- ...iceConfigurationAdministrativeTemplatePolicyWindows10.md | 4 ++-- .../IntuneDeviceConfigurationCustomPolicyWindows10.md | 4 ++-- ...igurationDefenderForEndpointOnboardingPolicyWindows10.md | 4 ++-- ...eviceConfigurationDeliveryOptimizationPolicyWindows10.md | 4 ++-- .../IntuneDeviceConfigurationDomainJoinPolicyWindows10.md | 4 ++-- .../IntuneDeviceConfigurationEmailProfilePolicyWindows10.md | 4 ++-- ...eDeviceConfigurationEndpointProtectionPolicyWindows10.md | 6 +++--- 22 files changed, 45 insertions(+), 45 deletions(-) diff --git a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md index 110a8d8a55..c7eada96a7 100644 --- a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md 
+++ b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md @@ -65,7 +65,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -75,7 +75,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md index c95b46240f..916b8c2bcf 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md @@ -56,7 +56,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -66,7 +66,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md index 0cc155a6f4..4762601536 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md 
@@ -57,7 +57,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -67,7 +67,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md index 734b5707f4..0da2d2635b 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md @@ -60,7 +60,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -70,7 +70,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md index 58611cefa6..fdcb52315a 100644 --- a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md +++ b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md @@ -108,7 +108,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** 
@@ -118,7 +118,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md index cecb30f398..768db0b853 100644 --- a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md +++ b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md @@ -54,7 +54,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** @@ -64,7 +64,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md index 1bd6403d24..ebed57cee4 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md @@ -71,7 +71,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** @@ -81,7 +81,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md index 91cffef9fd..4d7708c2d5 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md 
@@ -79,7 +79,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** @@ -89,7 +89,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md index e9b8c3333c..11f6676040 100644 --- a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md @@ -46,7 +46,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -56,7 +56,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md index 5ad64b0623..016cd3c430 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md @@ -235,7 +235,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -245,7 +245,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** 
diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md index 6639f5147b..be44207bc5 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md @@ -178,7 +178,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -188,7 +188,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md index db1bebb3d3..fa2e66ff84 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md @@ -187,7 +187,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -197,7 +197,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md index e54ef4d18d..c5856ad7b0 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md 
@@ -144,7 +144,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -154,7 +154,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md index a0ff478721..2952f9867a 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md @@ -260,7 +260,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -270,7 +270,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md index 1a3989f003..ea4e04c881 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md @@ -73,7 +73,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** 
@@ -83,7 +83,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md index 3e0599dccb..4b60c39fc5 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md @@ -101,7 +101,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -111,7 +111,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md index 957bb3d5ec..6aa23feb50 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md @@ -62,7 +62,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -72,7 +72,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** 
diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md index 8880217e62..12c462115a 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md @@ -51,7 +51,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -61,7 +61,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md index fea31193a5..a59df1517e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md @@ -107,7 +107,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -117,7 +117,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** 
diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md index e1cd64f7bc..34170019b1 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md @@ -49,7 +49,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -59,7 +59,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md index 542b349a78..6f1d983d22 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md @@ -57,7 +57,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -67,7 +67,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md index 5d205336f4..1da20cb128 100644 
--- a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md 
@@ -361,7 +361,7 @@ | **DisplayName** | Write | String | The display name of the rule. Does not need to be unique. | | | **EdgeTraversal** | Write | String | Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. Possible values are: notConfigured, blocked, allowed. | `notConfigured`, `blocked`, `allowed` | | **FilePath** | Write | String | The full file path of an app that's affected by the firewall rule. | | -| **InterfaceTypes** | Write | String | The interface types of the rule. Possible values are: notConfigured, remoteAccess, wireless, lan. | `notConfigured`, `remoteAccess`, `wireless`, `lan` | +| **InterfaceTypes** | Write | StringArray[] | The interface types of the rule. Possible values are: notConfigured, remoteAccess, wireless, lan. | `notConfigured`, `remoteAccess`, `wireless`, `lan` | | **LocalAddressRanges** | Write | StringArray[] | List of local addresses covered by the rule. Default is any address. Valid tokens include:'' indicates any local address. If present, this must be the only token included.A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.A valid IPv6 address.An IPv4 address range in the format of 'start address - end address' with no spaces included.An IPv6 address range in the format of 'start address - end address' with no spaces included. | | | **LocalPortRanges** | Write | StringArray[] | List of local port ranges. 
For example, '100-120', '200', '300-320'. If not specified, the default is All. | | | **LocalUserAuthorizations** | Write | String | Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format. | | @@ -407,7 +407,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** @@ -417,7 +417,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** From 5b94d3e4c99a6625999e04b20b62513f758ef572 Mon Sep 17 00:00:00 2001 From: mario Date: Wed, 13 Mar 2024 13:45:03 +0100 Subject: [PATCH 69/70] Update regex --- CHANGELOG.md | 3 +++ .../MSFT_EXOAcceptedDomain/MSFT_EXOAcceptedDomain.psm1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 211adf8399..306871a4d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ FIXES [#4394](https://github.com/microsoft/Microsoft365DSC/issues/4394) * Fixed issue where group owners were removed from existing groups when unspecified in the config FIXES [#4390](https://github.com/microsoft/Microsoft365DSC/issues/4390) +* EXOAcceptedDomain + * Update regular expression to support domains with digits + FIXES [#4446](https://github.com/microsoft/Microsoft365DSC/issues/4446) * EXOHostedContentFilterPolicy * Add support for IntraOrgFilterState parameter FIXES [#4424](https://github.com/microsoft/Microsoft365DSC/issues/4424) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOAcceptedDomain/MSFT_EXOAcceptedDomain.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOAcceptedDomain/MSFT_EXOAcceptedDomain.psm1 index a5a1401f1e..de086bd70f 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOAcceptedDomain/MSFT_EXOAcceptedDomain.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOAcceptedDomain/MSFT_EXOAcceptedDomain.psm1 @@ -5,7 +5,7 @@ function Get-TargetResource param ( [Parameter(Mandatory = $true)] - [ValidatePattern( '(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]{1,63}(? Date: Wed, 13 Mar 2024 10:23:48 -0400 Subject: [PATCH 70/70] Updates --- CHANGELOG.md | 69 +++++--- Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 174 ++++++++++++------- 2 files changed, 157 insertions(+), 86 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 306871a4d7..791b70e566 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Change log for Microsoft365DSC -# UNRELEASED +# 1.24.313.1 * AADGroup * Fixed issue when filtering groups by display name 
@@ -20,46 +20,67 @@
 * Fixed issue with TargetSharingEpr
 FIXES [#4381](https://github.com/microsoft/Microsoft365DSC/issues/4381)
 * IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneAccountProtectionLocalUserGroupMembershipPolicy
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneAccountProtectionPolicy
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneAntivirusPolicyWindows10SettingCatalog
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneAppConfigurationPolicy
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneApplicationControlPolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneASRRulesPolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceCompliancePolicyAndroid
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceCompliancePolicyAndroidDeviceOwner
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceCompliancePolicyAndroidWorkProfile
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceCompliancePolicyiOs
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceCompliancePolicyMacOS
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceCompliancePolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceConfigurationCustomPolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceConfigurationDomainJoinPolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceConfigurationEmailProfilePolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
 * IntuneDeviceConfigurationEndpointProtectionPolicyWindows10
- * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
- * Fixed an issue with the parameter InterfaceTypes from firewallrules defined as a string instead of string[]
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * Fixed an issue with the parameter InterfaceTypes from firewallrules defined
+ as a string instead of string[]
 * IntuneDeviceConfigurationPKCSCertificatePolicyWindows10
 * Add property RootCertificateDisplayName in order to support assigning root
 certificates by display name since their Ids in a blueprint might be from a
@@ -90,8 +111,8 @@
 * MISC
 * Enhancement to obfuscate password from verbose logging and avoid empty lines
 FIXES [#4392](https://github.com/microsoft/Microsoft365DSC/issues/4392)
- * Fix example in documentation for Update-M365DSCAzureAdApplication
- * Added support for groupDisplayName to all devices and all users groups
+ * Fix example in documentation for Update-M365DSCAzureAdApplication
+ * Added support for groupDisplayName to all devices and all users groups
 # 1.24.228.1
diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1
index 1c4aa91e5d..ae229df4a9 100644
--- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1
+++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1
@@ -3,7 +3,7 @@
 #
 # Generated by: Microsoft Corporation
 #
-# Generated on: 2024-02-28
+# Generated on: 2024-03-13
 @{
@@ -11,7 +11,7 @@
 # RootModule = ''
 # Version number of this module.
- ModuleVersion = '1.24.228.1'
+ ModuleVersion = '1.24.313.1'
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -140,67 +140,117 @@
 IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true'
 # ReleaseNotes of this module
- ReleaseNotes = '* AADApplication
- * Show current values of resource in Test-TargetResource
- * AADAuthorizationPolicy
- * Show current values of resource in Test-TargetResource
- * AADConditionalAccessPolicy
- * Improved verbose logging to show that items are being skipped.
- * Show current values of resource in Test-TargetResource
- * AADExternalIdentityPolicy
- * Show current values of resource in Test-TargetResource
- * AADGroup
- * Fixed issue with single quotes in the display name.
- FIXES [#4358](https://github.com/microsoft/Microsoft365DSC/issues/4358)
- * Show current values of resource in Test-TargetResource
- * AADGroupLifecyclePolicy
- * Show current values of resource in Test-TargetResource
- * AADGroupsNamingPolicy
- * Show current values of resource in Test-TargetResource
- * AADGroupsSettings
- * Show current values of resource in Test-TargetResource
- * AADNamedLocationPolicy
- * Show current values of resource in Test-TargetResource
- * AADRoleDefinition
- * Show current values of resource in Test-TargetResource
- * AADRoleSetting
- * Show current values of resource in Test-TargetResource
- * AADSecurityDefaults
- * Show current values of resource in Test-TargetResource
- * AADServicePrincipal
- * Show current values of resource in Test-TargetResource
- * AADTenantDetails
- * Show current values of resource in Test-TargetResource
- * AADTokenLifetimePolicy
- * Show current values of resource in Test-TargetResource
- * EXOActiveSyncDeviceAccessRule
- * Remove extra property GUID that is stopping EXO integration tests from
- running
- * IntuneDeviceConfigurationScepCertificatePolicyWindows10
- * Fixes an issue where the keyUsage property format was not correctly handled
- * IntuneExploitProtectionPolicyWindows10SettingCatalog
- * Fix update and removal of resource when Identity is from another tenant
- FIXES [#3962](https://github.com/microsoft/Microsoft365DSC/issues/3962)
- * SPOAccessControlSettings
- * Added support for the ConditionalAccessPolicy parameter based on the PNP Module
- * Teams resources
- * Updated required application permissions to support [Application Based Authentication](https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication)
- * TeamsCallQueue
- * Reduce the number of Calls for Export using new cache pattern
- FIXES [[#4191](https://github.com/microsoft/Microsoft365DSC/issues/4192)]
- * TeamsGuestMeetingConfiguration
- * Added the missing parameter AllowTranscription.
- FIXES [#4363](https://github.com/microsoft/Microsoft365DSC/issues/4363)
- * TeamsTeam
- * Corrected Parameters for Graph Commands when creating a new Team
- FIXES [#4383](https://github.com/microsoft/Microsoft365DSC/issues/4383)
- * MISC
- * M365DSCDRGUtil
- Add new parameter for customizable assignment identifier
- * M365DSCUtil
- Change heuristics on how to find the mandatory key of the resources to
- include them as part of the ResourceInstanceName during their export
- FIXES [#4333](https://github.com/microsoft/Microsoft365DSC/issues/4333)'
+ ReleaseNotes = '* AADGroup
+ * Fixed issue when filtering groups by display name
+ FIXES [#4394](https://github.com/microsoft/Microsoft365DSC/issues/4394)
+ * Fixed issue where group owners were removed from existing groups when unspecified in the config
+ FIXES [#4390](https://github.com/microsoft/Microsoft365DSC/issues/4390)
+ * EXOAcceptedDomain
+ * Update regular expression to support domains with digits
+ FIXES [#4446](https://github.com/microsoft/Microsoft365DSC/issues/4446)
+ * EXOHostedContentFilterPolicy
+ * Add support for IntraOrgFilterState parameter
+ FIXES [#4424](https://github.com/microsoft/Microsoft365DSC/issues/4424)
+ * EXOHostedContentFilterRule
+ * Fixed issue in case of different names of filter rule and filter policy
+ FIXES [#4401](https://github.com/microsoft/Microsoft365DSC/issues/4401)
+ * EXOIntraOrganizationConnector
+ * Fixed issue with TargetSharingEpr
+ FIXES [#4381](https://github.com/microsoft/Microsoft365DSC/issues/4381)
+ * IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneAccountProtectionLocalUserGroupMembershipPolicy
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneAccountProtectionPolicy
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneAntivirusPolicyWindows10SettingCatalog
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneAppConfigurationPolicy
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneApplicationControlPolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneASRRulesPolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceCompliancePolicyAndroid
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceCompliancePolicyAndroidDeviceOwner
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceCompliancePolicyAndroidWorkProfile
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceCompliancePolicyiOs
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceCompliancePolicyMacOS
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceCompliancePolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceConfigurationCustomPolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceConfigurationDomainJoinPolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceConfigurationEmailProfilePolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * IntuneDeviceConfigurationEndpointProtectionPolicyWindows10
+ * Added support for assignment GroupDisplayName and improve error handling from
+ Get-TargetResource
+ * Fixed an issue with the parameter InterfaceTypes from firewallrules defined
+ as a string instead of string[]
+ * IntuneDeviceConfigurationPKCSCertificatePolicyWindows10
+ * Add property RootCertificateDisplayName in order to support assigning root
+ certificates by display name since their Ids in a blueprint might be from a
+ different source tenant
+ FIXES [#3965](https://github.com/microsoft/Microsoft365DSC/issues/3965)
+ * IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator
+ * Fixed policy assignment retrieval when Id is from other tenant, bogus or
+ null
+ FIXES [#3970](https://github.com/microsoft/Microsoft365DSC/issues/3970)
+ * IntuneDeviceConfigurationPolicyAndroidOpenSourceProject
+ * Fixed policy assignment retrieval when Id is from other tenant, bogus or
+ null
+ FIXES [#3971](https://github.com/microsoft/Microsoft365DSC/issues/3971)
+ * Fixed compare logic for CIM instances in Test-TargetResource
+ * M365DSCRuleEvaluation
+ * Fix issue when it didnt find any matching resources and it tried to make a
+ comparison
+ * O365OrgSettings
+ * Add read permission for extracting M365 apps installation settings instead
+ of extracting them only with read/write permissions
+ FIXES [#4418](https://github.com/microsoft/Microsoft365DSC/issues/4418)
+ * TeamsVoiceRoute
+ * Fix policy removal and also comparison in Test-TargetResource
+ * DEPENDENCIES
+ * Updated DSCParser to version 1.4.0.4.
+ * Updated Microsoft.Graph to version 2.15.0.
+ * Updated MicrosoftTeams to version 6.0.0.
 * MISC
- * M365DSCDRGUtil
- Add new parameter for customizable assignment identifier
- * M365DSCUtil
- Change heuristics on how to find the mandatory key of the resources to
- include them as part of the ResourceInstanceName during their export
- FIXES [#4333](https://github.com/microsoft/Microsoft365DSC/issues/4333)'
+ * Enhancement to obfuscate password from verbose logging and avoid empty lines
+ FIXES [#4392](https://github.com/microsoft/Microsoft365DSC/issues/4392)
+ * Fix example in documentation for Update-M365DSCAzureAdApplication
+ * Added support for groupDisplayName to all devices and all users groups'
 # Flag to indicate whether the module requires explicit user acceptance for install/update
 # RequireLicenseAcceptance = $false