Merge pull request #4177 from microsoft/Dev

Release 1.24.117.1

CHANGELOG.md

@@ -1,5 +1,34 @@
 # Change log for Microsoft365DSC
 
+# 1.24.117.1
+
+* AADAdministrativeUnit
+  * Used generic Graph API URL from MSCloudLoginConnectionProfile.
+* AADApplication
+  * Ignore Permissions in tests if not passed. Preventing null comparison errors.
+* AADAttributeSet
+  * Removed the ability to specify a value of Absent for the Ensure property.
+* AADConditionalAccessPolicy
+  * Fixes an error where the ApplicationEnforcedRestrictionsIsEnabled parameter
+    was always set to false in scenarios where it should have been null.
+* AADAuthenticationMethodPolicy
+  * Removed the ability to specify a value of Absent for the Ensure property.
+* AADAuthenticationMethodPolicyX509
+  * Fix the way we returned an empty rule set from the Get method. This caused
+    the Test-TargetResource method to return true even when instances matched.
+* AADRoleSetting
+  * Removed the ability to specify a value of Absent for the Ensure property.
+* EXOAntiPhishPolicy
+  * Add support for HonorDmarcPolicy parameter
+    FIXES [[#4138](https://github.com/microsoft/Microsoft365DSC/issues/4138)]
+* IntuneDeviceConfigurationPolicyMacOS
+  * Fix CIM instances comparison in Test-TargetResource and export
+    CompliantAppsList with the correct type
+    FIXES [#4144](https://github.com/microsoft/Microsoft365DSC/issues/4144)
+* DEPENDENCIES
+  * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.178.
+  * Updated MSCloudLoginAssistant to version 1.1.7.
+
 # 1.24.110.1
 
 * AADAdministrativeUnit
@@ -9,11 +38,11 @@
 * AADConditionalAccessPolicy
   * Added support for application filters in the conditions.
   * Implement Fix #3885. Manage Exclude Application.
-    FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)]
+    FIXES [#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)
 * EXOHostedContentFilterPolicy
   * Fix issue on parameters AllowedSenders, AllowedSenderDomains, BlockedSenders,
     BlockSenderDomains if desired state is empty but current state is not empty.
-    FIXES[#4124](https://github.com/microsoft/Microsoft365DSC/issues/4124)
+    FIXES [#4124](https://github.com/microsoft/Microsoft365DSC/issues/4124)
 * EXOMailContact
   * Added support for Custom Attributes and Extension Custom Attributes.
 * IntuneDeviceConfigurationPolicyMacOS

Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1

@@ -195,7 +195,8 @@ function Get-TargetResource
                 foreach ($auMember in $auMembers)
                 {
                     $member = @{}
-                    $memberObject = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/directoryobjects/$($auMember.Id)"
+                    $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryobjects/$($auMember.Id)"
+                    $memberObject = Invoke-MgGraphRequest -Uri $url
                     if ($memberObject.'@odata.type' -match 'user')
                     {
                         $member.Add('Identity', $memberObject.UserPrincipalName)
@@ -239,7 +240,8 @@ function Get-TargetResource
                     }
                 }
                 Write-Verbose -Message "AU {$DisplayName} verify RoleMemberInfo.Id {$($auScopedRoleMember.RoleMemberInfo.Id)}"
-                $memberObject = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/directoryobjects/$($auScopedRoleMember.RoleMemberInfo.Id)"
+                $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryobjects/$($auScopedRoleMember.RoleMemberInfo.Id)"
+                $memberObject = Invoke-MgGraphRequest -Uri $url
                 Write-Verbose -Message "AU {$DisplayName} @odata.Type={$($memberObject.'@odata.type')}"
                 if (($memberObject.'@odata.type') -match 'user')
                 {
@@ -564,7 +566,8 @@ function Set-TargetResource
             {
                 Write-Verbose -Message "Adding new dynamic member {$($member.Id)}"
                 $memberBodyParam = @{
-                    '@odata.id' = "https://graph.microsoft.com/v1.0/$($member.Type)/$($member.Id)"
+                    $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/$($member.Type)/$($member.Id)"
+                    '@odata.id' = $url
                 }
 
                 New-MgBetaDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $policy.Id -BodyParameter $memberBodyParam
@@ -661,7 +664,8 @@ function Set-TargetResource
                         Write-Verbose -Message "AdministrativeUnit {$DisplayName} Adding member {$($diff.Identity)}, type {$($diff.Type)}"
 
                         $memberBodyParam = @{
-                            '@odata.id' = "https://graph.microsoft.com/v1.0/$memberType/$($memberObject.Id)"
+                            $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/$memberType/$($memberObject.Id)"
+                            '@odata.id' = $url
                         }
                         New-MgBetaDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId ($currentInstance.Id) -BodyParameter $memberBodyParam | Out-Null
                     }
@@ -789,9 +793,11 @@ function Set-TargetResource
     elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
     {
         Write-Verbose -Message "Removing AU {$DisplayName}"
-        #region resource generator code
-        Remove-MgBetaDirectoryAdministrativeUnit -AdministrativeUnitId $currentInstance.Id
-        #endregion
+        # Workaround since Remove-MgBetaDirectoryAdministrativeUnit is not working with 2.11.1
+        # https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2529
+        $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/administrativeUnits/$($currentInstance.Id)"
+        Invoke-MgGraphRequest -Method DELETE -Uri $url | Out-Null
+        #Remove-MgBetaDirectoryAdministrativeUnit -AdministrativeUnitId $currentInstance.Id
     }
 }
 

Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1

@@ -767,7 +767,7 @@ function Test-TargetResource
 
     $CurrentValues = Get-TargetResource @PSBoundParameters
 
-    if ($CurrentValues.Permissions.Length -gt 0 -and $null -ne $CurrentValues.Permissions.Name)
+    if ($CurrentValues.Permissions.Length -gt 0 -and $null -ne $CurrentValues.Permissions.Name -and $Permissions.Name.Length -gt 0)
     {
         $permissionsDiff = Compare-Object -ReferenceObject ($CurrentValues.Permissions.Name) -DifferenceObject ($Permissions.Name)
         $driftedParams = @{}

Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/MSFT_AADAttributeSet.psm1

@@ -19,7 +19,7 @@ function Get-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('Absent', 'Present')]
+        [ValidateSet('Present')]
         $Ensure = 'Present',
 
         [Parameter()]
@@ -127,7 +127,7 @@ function Set-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('Absent', 'Present')]
+        [ValidateSet('Present')]
         $Ensure = 'Present',
 
         [Parameter()]
@@ -182,11 +182,6 @@ function Set-TargetResource
         $BoundParameters.Remove('Id') | Out-Null
         Update-MgBetaDirectoryAttributeSet @BoundParameters | Out-Null
     }
-    elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
-    {
-        Write-Verbose -Message "Removing the Attribute Set with Id {$($currentInstance.Id)}"
-        Remove-MgBetaDirectoryAttributeSet -AttributeSetId $Id | Out-Null
-    }
 }
 
 function Test-TargetResource
@@ -210,7 +205,7 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('Absent', 'Present')]
+        [ValidateSet('Present')]
         $Ensure = 'Present',
 
         [Parameter()]

Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/MSFT_AADAttributeSet.schema.mof

@@ -4,7 +4,7 @@ class MSFT_AADAttributeSet : OMI_BaseResource
     [Key, Description("Identifier for the attribute set that is unique within a tenant. Can be up to 32 characters long and include Unicode characters. Cannot contain spaces or special characters. Cannot be changed later. Case insensitive")] String Id;
     [Write, Description("Identifier for the attribute set that is unique within a tenant. Can be up to 32 characters long and include Unicode characters. Cannot contain spaces or special characters. Cannot be changed later. Case insensitive")] String Description;
     [Write, Description("Maximum number of custom security attributes that can be defined in this attribute set. Default value is null. If not specified, the administrator can add up to the maximum of 500 active attributes per tenant. Can be changed later.")] UInt32 MaxAttributesPerSet;
-    [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+    [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure;
     [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
     [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;

Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicy/MSFT_AADAuthenticationMethodPolicy.psm1

@@ -41,7 +41,7 @@ function Get-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('Absent', 'Present')]
+        [ValidateSet('Present')]
         $Ensure = 'Present',
 
         [Parameter()]
@@ -91,7 +91,10 @@ function Get-TargetResource
 
         $getValue = $null
         #region resource generator code
-        $getValue = Get-MgBetaPolicyAuthenticationMethodPolicy -ErrorAction SilentlyContinue
+        if (-not [System.String]::IsNullOrEmpty($Id))
+        {
+            $getValue = Get-MgBetaPolicyAuthenticationMethodPolicy -ErrorAction SilentlyContinue
+        }
 
         if ($null -eq $getValue)
         {
@@ -290,7 +293,7 @@ function Set-TargetResource
         #endregion
         [Parameter()]
         [System.String]
-        [ValidateSet('Absent', 'Present')]
+        [ValidateSet('Present')]
         $Ensure = 'Present',
 
         [Parameter()]
@@ -361,13 +364,6 @@ function Set-TargetResource
         Update-MgBetaPolicyAuthenticationMethodPolicy -BodyParameter $UpdateParameters
         #endregion
     }
-    elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
-    {
-        Write-Verbose -Message "Removing the Azure AD Authentication Method Policy with Id {$($currentInstance.Id)}"
-        #region resource generator code
-        Remove-MgBetaPolicyAuthenticationMethodPolicy
-        #endregion
-    }
 }
 
 function Test-TargetResource
@@ -412,7 +408,7 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('Absent', 'Present')]
+        [ValidateSet('Present')]
         $Ensure = 'Present',
 
         [Parameter()]

Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicy/MSFT_AADAuthenticationMethodPolicy.schema.mof

@@ -55,7 +55,7 @@ class MSFT_AADAuthenticationMethodPolicy : OMI_BaseResource
     [Write, Description("Enforce registration at sign-in time. This property can be used to remind users to set up targeted authentication methods."), EmbeddedInstance("MSFT_MicrosoftGraphregistrationEnforcement")] String RegistrationEnforcement;
     [Write, Description("Prompt users with their most-preferred credential for multifactor authentication."), EmbeddedInstance("MSFT_MicrosoftGraphsystemCredentialPreferences")] String SystemCredentialPreferences;
     [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
-    [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+    [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure;
     [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
     [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;

Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyAuthenticator/MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1

@@ -507,7 +507,10 @@ function Set-TargetResource
         $UpdateParameters = ([Hashtable]$BoundParameters).clone()
         $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters
 
+
         $UpdateParameters.Remove('Id') | Out-Null
+
+        Write-Verbose -Message "Flag1"
         # replace group Displayname with group id
         if ($UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.id -and `
             $UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and
@@ -518,6 +521,8 @@ function Set-TargetResource
             $groupid = (Get-MgGroup -Filter $Filter).id.ToString()
             $UpdateParameters.featureSettings.companionAppAllowedState.includeTarget.foreach('id',$groupid)
         }
+
+        Write-Verbose -Message "Flag2"
         if ($UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.id -and `
             $UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and
             $UpdateParameters.featureSettings.ContainsKey('companionAppAllowedState'))
@@ -527,6 +532,7 @@ function Set-TargetResource
             $groupid = (Get-MgGroup -Filter $Filter).id.ToString()
             $UpdateParameters.featureSettings.companionAppAllowedState.excludeTarget.foreach('id',$groupid)
         }
+        Write-Verbose -Message "Flag3"
         if ($UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.id -and `
             $UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and
             $UpdateParameters.featureSettings.ContainsKey('displayAppInformationRequiredState'))
@@ -536,6 +542,7 @@ function Set-TargetResource
             $groupid = (Get-MgGroup -Filter $Filter).id.ToString()
             $UpdateParameters.featureSettings.displayAppInformationRequiredState.includeTarget.foreach('id',$groupid)
         }
+        Write-Verbose -Message "Flag4"
         if ($UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.id -and `
             $UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and
             $UpdateParameters.featureSettings.ContainsKey('displayAppInformationRequiredState'))
@@ -545,6 +552,7 @@ function Set-TargetResource
             $groupid = (Get-MgGroup -Filter $Filter).id.ToString()
             $UpdateParameters.featureSettings.displayAppInformationRequiredState.excludeTarget.foreach('id',$groupid)
         }
+        Write-Verbose -Message "Flag5"
         if ($UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.id -and `
             $UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and
             $UpdateParameters.featureSettings.ContainsKey('displayLocationInformationRequiredState'))
@@ -554,6 +562,7 @@ function Set-TargetResource
             $groupid = (Get-MgGroup -Filter $Filter).id.ToString()
             $UpdateParameters.featureSettings.displayLocationInformationRequiredState.includeTarget.foreach('id',$groupid)
         }
+        Write-Verbose -Message "Flag6"
         if ($UpdateParameters.featureSettings.displayLocationInformationRequiredState.excludeTarget.id -and `
             $UpdateParameters.featureSettings.displayLocationInformationRequiredState.excludeTarget.id -notmatch '00000000-0000-0000-0000-000000000000|all_users' -and
             $UpdateParameters.featureSettings.ContainsKey('displayLocationInformationRequiredState'))
@@ -565,41 +574,40 @@ function Set-TargetResource
         }
 
         # DEPRECATED
+        Write-Verbose -Message "Flag7"
         if ($UpdateParameters.featureSettings.ContainsKey('NumberMatchingRequiredState'))
         {
             Write-Verbose -Message "The NumberMatchingRequiredState feature is deprecated and will be ignored. Please remove it from your configuration."
             $UpdateParameters.featureSettings.Remove('NumberMatchingRequiredState')
         }
 
+        Write-Verbose -Message "Flag8"
         $keys = (([Hashtable]$UpdateParameters).clone()).Keys
         foreach ($key in $keys)
         {
             if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*')
             {
+                Write-Verbose -Message "Flag9a"
                 $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key
+                Write-Verbose -Message "Flag9b"
             }
-            if ($key -eq 'IncludeTargets')
-            {
-                $i = 0
-                foreach ($entry in $UpdateParameters.$key)
-                {
-                    if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users')
-                    {
-                        $Filter = "Displayname eq '$($entry.id)'" | Out-String
-                        $UpdateParameters.$key[$i].foreach('id', (Get-MgGroup -Filter $Filter).id.ToString())
-                    }
-                    $i++
-                }
-            }
-            if ($key -eq 'ExcludeTargets')
+            if ($key -eq 'IncludeTargets' -or $key -eq 'ExcludeTargets')
             {
                 $i = 0
                 foreach ($entry in $UpdateParameters.$key)
                 {
                     if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users')
                     {
                         $Filter = "Displayname eq '$($entry.id)'" | Out-String
-                        $UpdateParameters.$key[$i].foreach('id', (Get-MgGroup -Filter $Filter).id.ToString())
+                        $group = Get-MgGroup -Filter $Filter
+                        if ($null -ne $group)
+                        {
+                            $UpdateParameters.$key[$i].foreach('id', $group.id.ToString())
+                        }
+                        else
+                        {
+                            Write-Verbose -Message "Couldn't find group with DisplayName {$($entry.id)}"
+                        }
                     }
                     $i++
                 }