From fecd9b20d96fe266b8a6218280f5dfa4c23251f0 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Mon, 23 Oct 2023 08:15:01 +0200 Subject: [PATCH 01/49] AADUser: Add support for MemberOf --- CHANGELOG.md | 3 + .../MSFT_AADUser/MSFT_AADUser.psm1 | 90 ++++++++ .../MSFT_AADUser/MSFT_AADUser.schema.mof | 1 + .../DSCResources/MSFT_AADUser/settings.json | 19 ++ .../Resources/AADUser/2-CreateNewAADUser.ps1 | 32 +++ .../Microsoft365DSC.AADUser.Tests.ps1 | 195 ++++++++++++++++++ 6 files changed, 340 insertions(+) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADUser/2-CreateNewAADUser.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e3a3f78f8..87e6ab6482 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ # UNRELEASED +* AADUser + * Add support for property MemberOf + FIXES [#3820](https://github.com/microsoft/Microsoft365DSC/issues/3820) * AADAttributeSet * Initial Release. * AADAuthenticationContext diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 index 875371caff..a7ee0a2413 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 @@ -28,6 +28,10 @@ function Get-TargetResource [System.String[]] $LicenseAssignment, + [Parameter()] + [System.String[]] + $MemberOf, + [Parameter()] [System.Management.Automation.PSCredential] $Password, @@ -150,6 +154,7 @@ function Get-TargetResource LastName = $null UsageLocation = $null LicenseAssignment = $null + MemberOf = $null Password = $null Credential = $Credential ApplicationId = $ApplicationId 
@@ -187,6 +192,9 @@ function Get-TargetResource $currentLicenseAssignment += $sku.SkuPartNumber } + # return membership of static groups only + [array]$currentMemberOf = (Get-MgUserMemberOfAsGroup -UserId $UserPrincipalName -All | Where-Object -FilterScript {$_.GroupTypes -notcontains 'DynamicMembership'}).DisplayName + $userPasswordPolicyInfo = $user | Select-Object UserprincipalName, @{ N = 'PasswordNeverExpires'; E = { $_.PasswordPolicies -contains 'DisablePasswordExpiration' } } @@ -216,6 +224,7 @@ function Get-TargetResource LastName = $user.Surname UsageLocation = $user.UsageLocation LicenseAssignment = $currentLicenseAssignment + MemberOf = $currentMemberOf Password = $Password City = $user.City Country = $user.Country @@ -283,6 +292,10 @@ function Set-TargetResource [System.String[]] $LicenseAssignment, + [Parameter()] + [System.String[]] + $MemberOf, + [Parameter()] [System.Management.Automation.PSCredential] $Password, 
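Review bot: `$currentMemberOf` is built from `.DisplayName`, and group display names are not unique in a tenant, so two distinct groups with the same name collapse into one value and the later comparison cannot tell them apart. Only `DynamicMembership` groups are filtered out. Groups whose membership probably cannot be changed through Graph (directory-synced or mail-enabled groups, to be confirmed) would still be returned and then treated as removable drift by Set-TargetResource. The existing comment could state the contract more fully, e.g. `# direct membership of non-dynamic groups, keyed by DisplayName (not unique in a tenant)`. The function body starts and ends outside this hunk.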
@@ -559,6 +572,79 @@ function Set-TargetResource } #endregion + #region Update MemberOf groups - if specified + if ($null -ne $MemberOf) + { + if ($null -eq $user.MemberOf) + { + # user is not currently a member of any groups, add user to groups listed in MemberOf + foreach ($memberOfGroup in $MemberOf) + { + $group = Get-MgGroup -Filter "DisplayName eq '$memberOfGroup'" -Property Id, GroupTypes + if ($null -eq $group) + { + New-M365DSCLogEntry -Message 'Error updating data:' ` + -Exception "Attempting to add a user to a group that doesn't exist" ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + throw "Group '$memberOfGroup' does not exist in tenant" + } + if ($group.GroupTypes -contains 'DynamicMembership') + { + New-M365DSCLogEntry -Message 'Error updating data:' ` + -Exception "Attempting to add a user to a dynamic group" ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + throw "Cannot add user $UserPrincipalName to group '$memberOfGroup' because it is a dynamic group" + } + New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id + } + } + else + { + # user is a member of some groups, ensure that user is only a member of groups listed in MemberOf + Compare-Object -ReferenceObject $MemberOf -DifferenceObject $user.MemberOf | ForEach-Object { + $group = Get-MgGroup -Filter "DisplayName eq '$($_.InputObject)" -Property Id, GroupTypes + if ($_.SideIndicator -eq '<=') + { + # Group in MemberOf not present in groups that user is a member of, add user to group + if ($null -eq $group) + { + New-M365DSCLogEntry -Message 'Error updating data:' ` + -Exception "Attempting to add a user to a group that doesn't exist" ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + throw "Group '$($_.InputObject)' does not exist in tenant" + } + if ($group.GroupTypes -contains 'DynamicMembership') + { + New-M365DSCLogEntry 
-Message 'Error updating data:' ` + -Exception "Attempting to add a user to a dynamic group" ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + throw "Cannot add user $UserPrincipalName to group '$($_.InputObject)' because it is a dynamic group" + } + New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id + } + else + { + # Group that user is a member of is not present in MemberOf, remove user from group + # (no need to test for dynamic groups as they are ignored in Get-TargetResource) + Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id + } + } + } + } + #endregion + #region Roles if ($null -ne $Roles) { @@ -633,6 +719,10 @@ function Test-TargetResource [System.String[]] $LicenseAssignment, + [Parameter()] + [System.String[]] + $MemberOf, + [Parameter()] [System.Management.Automation.PSCredential] $Password, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof index 22f7dab03e..617f9a9a00 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof @@ -13,6 +13,7 @@ class MSFT_AADUser : OMI_BaseResource [Write, Description("The Country name of the user")] String Country; [Write, Description("The Department name of the user")] String Department; [Write, Description("The Fax Number of the user")] String Fax; + [Write, Description("The Groups that the user is a direct member of")] String MemberOf[]; [Write, Description("The Mobile Phone Number of the user")] String MobilePhone; [Write, Description("The Office Name of the user")] String Office; [Write, Description("Specifies whether the user password expires periodically. Default value is false")] Boolean PasswordNeverExpires; 
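Review bot: In the `Compare-Object` branch the filter `"DisplayName eq '$($_.InputObject)"` is missing its closing single quote, so that lookup sends a malformed filter, and the removal path then calls `Remove-MgGroupMemberByRef -GroupId $group.Id` without checking `$group` for `$null`. Both lookups interpolate the group name unescaped, so a display name containing `'` breaks or changes the filter; the quote should be doubled before interpolation. Because display names are not unique, `Get-MgGroup` can return several groups and `$group.Id` becomes an array, so the code should stop unless exactly one group matches rather than change membership on an ambiguous name. The same resolution applies to the `foreach ($memberOfGroup in $MemberOf)` branch, and the duplicated validate-then-add sequence could be one helper. The enclosing function starts and ends outside the hunk.

```powershell
# … unchanged: Compare-Object -ReferenceObject $MemberOf -DifferenceObject $user.MemberOf | ForEach-Object { …
$escapedName = $_.InputObject -replace "'", "''"
$candidates = @(Get-MgGroup -Filter "DisplayName eq '$escapedName'" -Property Id, GroupTypes)
if ($candidates.Count -ne 1)
{
    throw "Expected exactly one group named '$($_.InputObject)', found $($candidates.Count)"
}
$group = $candidates[0]
# … unchanged: SideIndicator '<=' add path and removal path …
```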
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/settings.json index 3ed664ca4c..193babc59d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/settings.json @@ -16,6 +16,12 @@ }, { "name": "User.Read.All" + }, + { + "name": "Group.Read.All" + }, + { + "name": "GroupMember.Read.All" } ], "update": [ @@ -31,9 +37,22 @@ { "name": "User.Read.All" }, + { + "name": "Group.Read.All" + }, + { + "name": "GroupMember.Read.All" + }, { "name": "User.ReadWrite.All" + }, + { + "name": "Group.ReadWrite.All" + }, + { + "name": "GroupMember.ReadWrite.All" } + ] }, "application": { diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-CreateNewAADUser.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-CreateNewAADUser.ps1 new file mode 100644 index 0000000000..3455c2a095 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-CreateNewAADUser.ps1 @@ -0,0 +1,32 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $credsGlobalAdmin + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUser 'ConfigureJohnSMith' + { + UserPrincipalName = "John.Smith@O365DSC1.onmicrosoft.com" + FirstName = "John" + LastName = "Smith" + DisplayName = "John J. Smith" + City = "Gatineau" + Country = "Canada" + Office = "Ottawa - Queen" + MemberOf = @('Group-M365-Standard-License', 'Group-PowerBI-Pro-License') + UsageLocation = "US" + Ensure = "Present" + Credential = $credsGlobalAdmin + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 index 8494d972ba..605218e087 100644 
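Review bot: The list that closes just before `"application"` gains `Group.ReadWrite.All` alongside `GroupMember.ReadWrite.All`, and the list before `"update"` gains `Group.Read.All` alongside `GroupMember.Read.All`. The new resource code only looks groups up by name and adds or removes members, which the `GroupMember.*` scopes should cover, so the `Group.*` pair looks broader than needed. `Group.ReadWrite.All` additionally permits creating, changing and deleting groups, which nothing in the visible hunks does. Only the section ahead of `"application"` is touched here; if app-only authentication is meant to manage `MemberOf` as well, that list would need matching entries, but it lies outside the hunk.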
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 @@ -31,12 +31,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return 'Credentials' } + Mock -CommandName Get-MgUser -MockWith { + } + Mock -CommandName Update-MgUser -MockWith { } + Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleAssignment -MockWith { return @() } + Mock -CommandName Get-MgUserMemberOfAsGroup -MockWith { + } + + Mock -CommandName New-MgGroupMember -MockWith { + } + + Mock -CommandName Remove-MgGroupMemberByRef -MockWith { + } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } 
@@ -181,7 +194,189 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Set-TargetResource @testParams } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + + Context -Name 'When the user already exists but is not a member of a specified group' -Fixture { + BeforeAll { + $testParams = @{ + UserPrincipalName = 'JohnSmith@contoso.onmicrosoft.com' + DisplayName = 'John Smith' + FirstName = 'John' + LastName = 'Smith' + UsageLocation = 'US' + MemberOf = 'TestGroup' + Password = $Credential + PasswordNeverExpires = $false + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgUser -MockWith { + return @{ + UserPrincipalName = 'JohnSmith@contoso.onmicrosoft.com' + DisplayName = 'John Smith' + GivenName = 'John' + Surname = 'Smith' + UsageLocation = 'US' + PasswordPolicies = 'NONE' + } + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + DisplayName = 'TestGroup' + Id = '12345-12345-12345-12345-98765' + MailNickName = 'TestGroup' + Description = '<...>' + GroupTypes = @() + } + } + } + + It 'Should return present from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should add the user to the group in the Set Method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'New-MgGroupMember' -Exactly 1 + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + + Context -Name 'When the user already exists and is a member of a group that is not specified' -Fixture { + BeforeAll { + $testParams = @{ + UserPrincipalName = 'JohnSmith@contoso.onmicrosoft.com' + DisplayName = 'John Smith' + FirstName = 'John' + LastName = 'Smith' + UsageLocation = 'US' + #MemberOf = 'TestGroup' + Password = $Credential + PasswordNeverExpires = $false + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgUser -MockWith { + return @{ + 
UserPrincipalName = 'JohnSmith@contoso.onmicrosoft.com' + DisplayName = 'John Smith' + GivenName = 'John' + Surname = 'Smith' + UsageLocation = 'US' + PasswordPolicies = 'NONE' + } + } + + Mock -CommandName Get-MgUserMemberOfAsGroup -MockWith { + return @( + [pscustomobject]@{ + DisplayName = 'TestGroup' + Id = '12345-12345-12345-12345-12345' + MailNickName = 'TestGroup' + Description = '<...>' + GroupTypes = @() + }, + [pscustomobject]@{ + DisplayName = 'DynamicGroup' + Id = '12345-12345-12345-12345-54321' + MailNickName = 'DynGroup' + Description = '<...>' + GroupTypes = @('DynamicMembership') + } + ) + } + } + + It 'Should return present from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should NOT remove the user from the group in the Set Method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Remove-MgGroupMemberByRef' -Exactly 0 + } + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'When the user already exists, is a member of a different group than specified' -Fixture { + BeforeAll { + $testParams = @{ + UserPrincipalName = 'JohnSmith@contoso.onmicrosoft.com' + DisplayName = 'John Smith' + FirstName = 'John' + LastName = 'Smith' + UsageLocation = 'US' + MemberOf = 'TestGroup' + Password = $Credential + PasswordNeverExpires = $false + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgUser -MockWith { + return @{ + UserPrincipalName = 'JohnSmith@contoso.onmicrosoft.com' + DisplayName = 'John Smith' + GivenName = 'John' + Surname = 'Smith' + UsageLocation = 'US' + PasswordPolicies = 'NONE' + } + } + + Mock -CommandName Get-MgUserMemberOfAsGroup -MockWith { + return @( + [pscustomobject]@{ + DisplayName = 'DifferentGroup' + Id = '12345-12345-12345-12345-12345' + MailNickName = 'DiffGroup' + Description = '<...>' + GroupTypes = @() + }, + [pscustomobject]@{ + DisplayName = 'DynamicGroup' + Id 
= '12345-12345-12345-12345-54321' + MailNickName = 'DynGroup' + Description = '<...>' + GroupTypes = @()'DynamicMembership') + } + ) + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + DisplayName = 'TestGroup' + Id = '12345-12345-12345-12345-98765' + MailNickName = 'TestGroup' + Description = '<...>' + GroupTypes = @() + } + } + } + + It 'Should return present from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should remove the user from existing group-membership and add the user to the group in the testParams' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Remove-MgGroupMemberByRef' -Exactly 1 + Should -Invoke -CommandName 'New-MgGroupMember' -Exactly 1 + } + + It 'Should return false from the Test method' { Test-TargetResource @testParams | Should -Be $false } } From a5e096638af9442ac494396e6bbb9179209a165a Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Mon, 23 Oct 2023 12:02:34 +0200 Subject: [PATCH 02/49] AADUSer: Fix error in unit-test --- Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 index 605218e087..662941ccb1 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUser.Tests.ps1 @@ -350,7 +350,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '12345-12345-12345-12345-54321' MailNickName = 'DynGroup' Description = '<...>' - GroupTypes = @()'DynamicMembership') + GroupTypes = @('DynamicMembership') } ) } From f64519cb7864a96eac8050e8fe91258bd6aa3a5f Mon Sep 17 00:00:00 2001 
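Review bot: The new contexts assert only call counts (`Should -Invoke ... -Exactly 1`), and the `Get-MgGroup` mock returns `TestGroup` for any filter, so they cannot detect a removal from the wrong group or a malformed filter string. Adding `-ParameterFilter { $GroupId -eq '12345-12345-12345-12345-12345' }` to the `Remove-MgGroupMemberByRef` assertion, and making the `Get-MgGroup` mock branch on `$Filter`, would pin down which group is touched. There are no contexts for the two `throw` paths (group not found, dynamic group) or for a display name that matches more than one group. In the second new context `#MemberOf = 'TestGroup'` is commented out rather than omitted; a comment such as `# MemberOf intentionally not specified: existing memberships must be left untouched` would state the intent.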
From: salbeck-sit Date: Thu, 26 Oct 2023 09:20:54 +0200 Subject: [PATCH 03/49] AADUser - updated readme (also AADGroup) --- Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md | 2 ++ Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md | 1 + 2 files changed, 3 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md index 28a135d581..583de8fe86 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md @@ -3,3 +3,5 @@ ## Description This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. +It is also possible to ensure that the group has one or more members. Be aware that this can create a conflict if member-users are also configured with MemberOf. See AADUser. + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md index be2738ebc3..67f8b1d3f2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md @@ -3,3 +3,4 @@ ## Description This resource allows users to create Azure AD Users and assign them licenses. +It is also possible to add the Azure AD user to one or more groups. Be aware that this can create a conflict if corresponding groups are also configured with Members. See AADGroup From b4d696f71fd5154c036d7deeb6e9724eef024056 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Thu, 26 Oct 2023 09:25:45 +0200 Subject: [PATCH 04/49] AADUser: Updated changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 525820e807..04a17c7939 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,12 @@ * AADUser * Add support for property MemberOf FIXES [#3820](https://github.com/microsoft/Microsoft365DSC/issues/3820) + +# 1.23.1025.1 + +* AADApplication + * Changes to how permissions drifts are logged. + FIXES [#3830](https://github.com/microsoft/Microsoft365DSC/issues/3830) * AADAttributeSet * Initial Release. * AADAuthenticationContext From b39e157e5711d6b8583dcf933ccf77bb17ef68f0 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 27 Oct 2023 08:30:52 +0200 Subject: [PATCH 05/49] AADUser: Updated changelog --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 525820e807..288685b0f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,16 @@ * AADUser * Add support for property MemberOf FIXES [#3820](https://github.com/microsoft/Microsoft365DSC/issues/3820) + +# 1.23.1025.1 +* AADEntitlementManagementAccessPackageAssignmentPolicy + * Fixes an issue where reviewers were not properly exported +* M365DSCDRGUTIL + * Fixes an issue with Get-M365DSCDRGComplexTypeToHashtable where Beta cmdlet were not recognized for recursive calls + FIXES [#3448](https://github.com/microsoft/Microsoft365DSC/issues/3448) +* AADApplication + * Changes to how permissions drifts are logged. + FIXES [#3830](https://github.com/microsoft/Microsoft365DSC/issues/3830) * AADAttributeSet * Initial Release. * AADAuthenticationContext From e9e302b4255cb1d2c10c0099c8a1db333d8138c9 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 27 Oct 2023 14:30:55 +0200 Subject: [PATCH 06/49] AADUser - updated readme (also AADGroup) --- Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md | 2 ++ Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md | 1 + 2 files changed, 3 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md index 28a135d581..583de8fe86 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md @@ -3,3 +3,5 @@ ## Description This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. +It is also possible to ensure that the group has one or more members. Be aware that this can create a conflict if member-users are also configured with MemberOf. See AADUser. + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md index be2738ebc3..67f8b1d3f2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md @@ -3,3 +3,4 @@ ## Description This resource allows users to create Azure AD Users and assign them licenses. +It is also possible to add the Azure AD user to one or more groups. Be aware that this can create a conflict if corresponding groups are also configured with Members. See AADGroup From 3664edf5606116f6f08361b4604d03d5be14b90b Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 27 Oct 2023 14:42:29 +0200 Subject: [PATCH 07/49] Revert "AADUser - updated readme (also AADGroup)" This reverts commit e9e302b4255cb1d2c10c0099c8a1db333d8138c9. --- Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md | 2 -- Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md | 1 - 2 files changed, 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md index 583de8fe86..28a135d581 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md 
@@ -3,5 +3,3 @@ ## Description This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. -It is also possible to ensure that the group has one or more members. Be aware that this can create a conflict if member-users are also configured with MemberOf. See AADUser. - diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md index 67f8b1d3f2..be2738ebc3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md @@ -3,4 +3,3 @@ ## Description This resource allows users to create Azure AD Users and assign them licenses. -It is also possible to add the Azure AD user to one or more groups. Be aware that this can create a conflict if corresponding groups are also configured with Members. See AADGroup From 3b71394dc1f811a354fc30d8b79d0a26209f7b25 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Thu, 26 Oct 2023 09:25:45 +0200 Subject: [PATCH 08/49] AADUser: Updated changelog --- CHANGELOG.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 288685b0f0..27fd67e6bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,11 +7,6 @@ FIXES [#3820](https://github.com/microsoft/Microsoft365DSC/issues/3820) # 1.23.1025.1 -* AADEntitlementManagementAccessPackageAssignmentPolicy - * Fixes an issue where reviewers were not properly exported -* M365DSCDRGUTIL - * Fixes an issue with Get-M365DSCDRGComplexTypeToHashtable where Beta cmdlet were not recognized for recursive calls - FIXES [#3448](https://github.com/microsoft/Microsoft365DSC/issues/3448) * AADApplication * Changes to how permissions drifts are logged. FIXES [#3830](https://github.com/microsoft/Microsoft365DSC/issues/3830) From cb0f3a0583ce7303b20d84c62d63ea19a8b12498 Mon Sep 17 00:00:00 2001 
From: salbeck-sit Date: Fri, 27 Oct 2023 14:42:29 +0200 Subject: [PATCH 09/49] Revert "AADUser - updated readme (also AADGroup)" This reverts commit e9e302b4255cb1d2c10c0099c8a1db333d8138c9. --- CHANGELOG.md | 5 +++++ Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md | 2 -- Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md | 1 - 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 27fd67e6bb..288685b0f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ FIXES [#3820](https://github.com/microsoft/Microsoft365DSC/issues/3820) # 1.23.1025.1 +* AADEntitlementManagementAccessPackageAssignmentPolicy + * Fixes an issue where reviewers were not properly exported +* M365DSCDRGUTIL + * Fixes an issue with Get-M365DSCDRGComplexTypeToHashtable where Beta cmdlet were not recognized for recursive calls + FIXES [#3448](https://github.com/microsoft/Microsoft365DSC/issues/3448) * AADApplication * Changes to how permissions drifts are logged. FIXES [#3830](https://github.com/microsoft/Microsoft365DSC/issues/3830) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md index 583de8fe86..28a135d581 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md @@ -3,5 +3,3 @@ ## Description This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. -It is also possible to ensure that the group has one or more members. Be aware that this can create a conflict if member-users are also configured with MemberOf. See AADUser. - diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md index 67f8b1d3f2..be2738ebc3 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md @@ -3,4 +3,3 @@ ## Description This resource allows users to create Azure AD Users and assign them licenses. -It is also possible to add the Azure AD user to one or more groups. Be aware that this can create a conflict if corresponding groups are also configured with Members. See AADGroup From be2b2c350a2f639b8869ede97b6c1e45b6aff3bf Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 27 Oct 2023 14:30:55 +0200 Subject: [PATCH 10/49] AADUser - updated readme (also AADGroup) --- Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md | 2 ++ Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md | 1 + 2 files changed, 3 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md index 28a135d581..583de8fe86 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md @@ -3,3 +3,5 @@ ## Description This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. +It is also possible to ensure that the group has one or more members. Be aware that this can create a conflict if member-users are also configured with MemberOf. See AADUser. + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md index be2738ebc3..67f8b1d3f2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md 
@@ -3,3 +3,4 @@ ## Description This resource allows users to create Azure AD Users and assign them licenses. +It is also possible to add the Azure AD user to one or more groups. Be aware that this can create a conflict if corresponding groups are also configured with Members. See AADGroup From cc615a34f53895411033dde373cabe6da9298797 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Thu, 26 Oct 2023 09:25:45 +0200 Subject: [PATCH 11/49] AADUser: Updated changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 288685b0f0..5c523d1d7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ * M365DSCDRGUTIL * Fixes an issue with Get-M365DSCDRGComplexTypeToHashtable where Beta cmdlet were not recognized for recursive calls FIXES [#3448](https://github.com/microsoft/Microsoft365DSC/issues/3448) + * AADApplication * Changes to how permissions drifts are logged. FIXES [#3830](https://github.com/microsoft/Microsoft365DSC/issues/3830) From ee4031ee3bbedb24a996436360802a331819abf4 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 27 Oct 2023 14:42:29 +0200 Subject: [PATCH 12/49] Revert "AADUser - updated readme (also AADGroup)" This reverts commit e9e302b4255cb1d2c10c0099c8a1db333d8138c9. --- Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md | 2 -- Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md | 1 - 2 files changed, 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md index 583de8fe86..28a135d581 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md 
@@ -3,5 +3,3 @@ ## Description This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. -It is also possible to ensure that the group has one or more members. Be aware that this can create a conflict if member-users are also configured with MemberOf. See AADUser. - diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md index 67f8b1d3f2..be2738ebc3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md @@ -3,4 +3,3 @@ ## Description This resource allows users to create Azure AD Users and assign them licenses. -It is also possible to add the Azure AD user to one or more groups. Be aware that this can create a conflict if corresponding groups are also configured with Members. See AADGroup From 8c36e1aa3b2d777d3258234e7aa8275d81019b79 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 27 Oct 2023 15:07:30 +0200 Subject: [PATCH 13/49] AADUser - updated changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93a773633d..b899252c04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED +* AADUser + * Add support for property MemberOf + FIXES [#3820](https://github.com/microsoft/Microsoft365DSC/issues/3820) + + # 1.23.1025.1 * AADEntitlementManagementAccessPackageAssignmentPolicy From 767112fd4b97d3947c4e2b3908fdd26756f9644a Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 27 Oct 2023 15:15:40 +0200 Subject: [PATCH 14/49] AADUser/AADGroup update readme --- Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md | 2 ++ Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md index 28a135d581..7e78b779cd 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md @@ -3,3 +3,5 @@ ## Description This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. + +If using with AADUser, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADUser diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md index be2738ebc3..ad15217d09 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md @@ -2,4 +2,6 @@ ## Description -This resource allows users to create Azure AD Users and assign them licenses. +This resource allows users to create Azure AD Users and assign them licenses, roles and/or groups. + +If using with AADGroup, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADGroup From ab248423a673147098bb422c82dcd06b7afdb315 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Thu, 2 Nov 2023 10:32:57 +0100 Subject: [PATCH 15/49] Revert "AADUser - updated changelog" This reverts commit 8c36e1aa3b2d777d3258234e7aa8275d81019b79. --- CHANGELOG.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b899252c04..93a773633d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,11 +1,5 @@ # Change log for Microsoft365DSC -# UNRELEASED -* AADUser - * Add support for property MemberOf - FIXES [#3820](https://github.com/microsoft/Microsoft365DSC/issues/3820) - - # 1.23.1025.1 * AADEntitlementManagementAccessPackageAssignmentPolicy From 3bc9bf6638ca88c9be1f4b61ea2583965ae9bdb7 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Tue, 14 Nov 2023 12:46:19 +0000 Subject: [PATCH 16/49] Remove Id from PSBoundParameters in Test-TargetResource --- CHANGELOG.md | 7 +++++++ ...tionDeliveryOptimizationPolicyWindows10.psm1 | 17 +++-------------- ...hMonitoringConfigurationPolicyWindows10.psm1 | 17 +++-------------- ...rationIdentityProtectionPolicyWindows10.psm1 | 17 +++-------------- ...lotDeploymentProfileAzureADHybridJoined.psm1 | 17 +++-------------- ...AutopilotDeploymentProfileAzureADJoined.psm1 | 17 +++-------------- 6 files changed, 22 insertions(+), 70 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58044b324e..b4a1552332 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ # UNRELEASED +* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, + IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, + IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, + IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, + IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Removed Id parameter from PSBoundParameters in Test-TargetResource + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) * IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 * fix an issue where the firewall settings were not populate correctly FIXES [#3851](https://github.com/microsoft/Microsoft365DSC/issues/3851) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 index 1817103ffd..940dee9e16 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 @@ -459,15 +459,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -690,6 +682,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { 
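Review bot: In Set-TargetResource the eight explicit `Remove(...)` calls also dropped `Ensure` and `Verbose`, and the single replacement line depends on `Remove-M365DSCAuthenticationParameter` doing the same, which this patch does not show. If the helper strips only the authentication keys, `Ensure` and `Verbose` would stay in `$PSBoundParameters` and presumably reach the create/update code further down, outside the hunk. Once confirmed, a comment above the call such as `# helper also removes Ensure and Verbose, leaving only policy properties` would record that dependency. The same replacement appears in the Set-TargetResource hunks of the HealthMonitoring, IdentityProtection, both Autopilot, EndpointProtection and EnrollmentStatusPage resources.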
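Review bot: The filter on `$ValuesToCheck` now runs before the `Ensure` comparison, and the hunk does not say why that is safe: the comparison reads `$PSBoundParameters.Ensure`, not `$ValuesToCheck`. Assuming the helper removes `Ensure`, a comment such as `# Ensure is compared from $PSBoundParameters below; $ValuesToCheck no longer carries it` would guard against a later edit switching the variable. The `Remove('Id')` line also deserves a short why-comment, since Get-TargetResource is still called with `Id` two lines earlier. Test-TargetResource begins and ends outside the hunk, and the same two added lines recur in the Test-TargetResource hunks of the other resources touched by this commit.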
@@ -722,11 +716,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 index da66296a19..7189bbe0eb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 
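Review bot: The `Current Values` verbose line still serialises `$CurrentValues` unfiltered, while the target side is now stripped of every authentication parameter before it is logged. If Get-TargetResource echoes `Credential`, `ApplicationId`, `TenantId`, `ApplicationSecret` or `CertificateThumbprint` back in its result (not visible in this hunk), those values land in verbose output and in any transcript that captures it. Logging a filtered copy would close the gap: `Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable (Remove-M365DSCAuthenticationParameter -BoundParameters $CurrentValues.Clone()))"`. The function continues outside the hunk. The same pair of log lines closes the Test-TargetResource hunks of the other resources in this commit and in the two commits that follow.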
@@ -262,15 +262,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -439,6 +431,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -470,11 +464,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 index 57dcd9e22b..5b59f195e9 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 @@ -369,15 +369,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -588,6 +580,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -620,11 +614,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 index 6d91c14937..cbd9138eef 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 @@ -330,15 +330,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -524,6 +516,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { 
@@ -555,11 +549,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 index 7c2b6f6f06..72d7a42b3c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 @@ -321,15 +321,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { 
@@ -511,6 +503,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -542,11 +536,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" From c87b12c745208d1660d6912e84c699ba540c5a1f Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 16 Nov 2023 13:02:10 +0000 Subject: [PATCH 17/49] Also fix IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 --- CHANGELOG.md | 24 +++++++++---------- ...tionEndpointProtectionPolicyWindows10.psm1 | 18 +++----------- 2 files changed, 14 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d5a303ea1..7dfa9dde9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,16 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, + IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, + IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, + IntuneDeviceConfigurationEndpointProtectionPolicyWindows10, + IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, + IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Removed Id and all authentication parameters from PSBoundParameters in Test-TargetResource + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) + # 1.23.1115.1 * AADApplication 
@@ -15,19 +26,6 @@ # 1.23.1108.3 -<<<<<<< HEAD -* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, - IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, - IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, - IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, - IntuneWindowsAutopilotDeploymentProfileAzureADJoined - * Removed Id parameter from PSBoundParameters in Test-TargetResource - FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) -* IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 - * fix an issue where the firewall settings were not populate correctly - FIXES [#3851](https://github.com/microsoft/Microsoft365DSC/issues/3851) -======= ->>>>>>> 433af4dd57c69d0b3466b352664643dc453f4d78 * AADRoleEligibilityScheduleRequest * Fixed incorrect subclass MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrenceRange for range property diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 index 491a5099f6..b4a8758c1a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 
@@ -3685,15 +3685,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -4810,6 +4802,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -4842,12 +4836,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Id') | Out-Null - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" From e225c0648142ab7a90570256fdbe0e2e03a40550 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 16 Nov 2023 14:06:27 +0000 Subject: [PATCH 18/49] Fix IntuneDeviceEnrollmentStatusPageWindows10 --- CHANGELOG.md | 1 + ...tuneDeviceEnrollmentStatusPageWindows10.psm1 | 17 +++-------------- 2 files changed, 4 insertions(+), 14 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index b39a3cac0d..f76e6d3d65 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, IntuneDeviceConfigurationEndpointProtectionPolicyWindows10, + IntuneDeviceEnrollmentStatusPageWindows10, IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, IntuneWindowsAutopilotDeploymentProfileAzureADJoined * Removed Id and all authentication parameters from PSBoundParameters in Test-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 6dd891fbc7..7eacad1b0e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 @@ -334,15 +334,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { 
@@ -560,6 +552,8 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Enrollment Configuration for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -591,11 +585,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" From a2b5e647f6f1c9d874915f33582a7ff04ba4c9fd Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 16 Nov 2023 21:43:34 +0000 Subject: [PATCH 19/49] Use proper embedded instance on export --- ...countProtectionLocalAdministratorPasswordSolutionPolicy.psm1 | 2 +- ...T_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 | 2 +- .../MSFT_IntuneAccountProtectionPolicy.psm1 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index 46e68cd9be..e11c53a62e 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -752,7 +752,7 @@ function Export-TargetResource if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionPolicyAssignments if ($complexTypeStringResult) { $Results.Assignments = $complexTypeStringResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index 321a85bd6d..45b20bc95d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 
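Review bot: The new `-CIMInstanceName IntuneAccountProtectionPolicyAssignments` does not match the embedded class this resource's schema declares, `MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments` (visible in the schema.mof change of the next commit in this series). If `Get-M365DSCDRGComplexTypeToString` derives the emitted class name from this argument, which the hunk does not show, an exported configuration would reference a class this resource does not define. The argument would then need to be `-CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments`. The LocalUserGroupMembershipPolicy hunk makes the same substitution and should be checked against its own schema, which appears on this page only as a binary patch.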
@@ -624,7 +624,7 @@ function Export-TargetResource if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionPolicyAssignments if ($complexTypeStringResult) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index 250d5c47f4..bfa93b3e2a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -795,7 +795,7 @@ function Export-TargetResource if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionPolicyAssignments if ($complexTypeStringResult) { From e902b60f4417cd7ca831916ce62ba6932f03e65d Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 16 Nov 2023 21:45:39 +0000 Subject: [PATCH 20/49] Add groupDisplayName to Assignments --- ...nistratorPasswordSolutionPolicy.schema.mof | 57 +++++++++--------- ...nLocalUserGroupMembershipPolicy.schema.mof | Bin 8226 -> 8456 bytes ...T_IntuneAccountProtectionPolicy.schema.mof | Bin 12746 -> 12976 bytes 3 files changed, 29 insertions(+), 28 deletions(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof index 82b0d86c8c..c12ec5a624 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof 
@@ -1,37 +1,38 @@ [ClassVersion("1.0.0.0")] class MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments { - [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; - [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; - [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; - [Write, Description("The group Id that is the target of the assignment.")] String groupId; - [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target 
assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; }; [ClassVersion("1.0.0.0"), FriendlyName("IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy")] class MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy : OMI_BaseResource { - [Key, Description("Identity of the account protection local administrator password solution policy.")] String Identity; - [Required, Description("Display name of the account protection local administrator password solution policy.")] String DisplayName; - [Write, Description("Description of the account protection local administrator password solution policy.")] String Description; - [Write, Description("Assignments of the account protection local administrator password solution policy."), EmbeddedInstance("MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments")] String Assignments[]; - [Write, Description("Configures which directory the local admin account password is backed up to. 0 - Disabled, 1 - Azure AD, 2 - AD"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] UInt32 BackupDirectory; - [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365")] UInt32 PasswordAgeDays_AAD; - [Write, Description("Configures the maximum password age of the managed local administrator account for Active Directory. 
Minimum - 1, Maximum - 365")] UInt32 PasswordAgeDays; - [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account.")] Boolean PasswordExpirationProtectionEnabled; - [Write, Description("Configures how many previous encrypted passwords will be remembered in Active Directory. Minimum - 0, Maximum - 12")] UInt32 AdEncryptedPasswordHistorySize; - [Write, Description("Configures whether the password is encrypted before being stored in Active Directory.")] Boolean AdPasswordEncryptionEnabled; - [Write, Description("Configures the name or SID of a user or group that can decrypt the password stored in Active Directory.")] String AdPasswordEncryptionPrincipal; - [Write, Description("Configures the name of the managed local administrator account.")] String AdministratorAccountName; - [Write, Description("Configures the password complexity of the managed local administrator account. 1 - Large letters, 2 - Large + small letters, 3 - Large + small letters + numbers, 4 - Large + small letters + numbers + special characters"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] UInt32 PasswordComplexity; - [Write, Description("Configures the length of the password of the managed local administrator account. Minimum - 8, Maximum - 64")] UInt32 PasswordLength; - [Write, Description("Specifies the actions to take upon expiration of the configured grace period. 1 - Reset password, 3 - Reset password and log off, 5 - Reset password and restart"), ValueMap{"1", "3", "5"}, Values{"1", "3", "5"}] UInt32 PostAuthenticationActions; - [Write, Description("Specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. 
Minimum - 0, Maximum - 24")] UInt32 PostAuthenticationResetDelay; - [Write, Description("Present ensures the policy exists, absent ensures it is removed"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; - [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; - [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; - [Write, Description("Name of the Azure Active Directory tenant used for authentication. Format contoso.onmicrosoft.com")] String TenantId; - [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; - [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; - [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Key, Description("Identity of the account protection local administrator password solution policy.")] String Identity; + [Required, Description("Display name of the account protection local administrator password solution policy.")] String DisplayName; + [Write, Description("Description of the account protection local administrator password solution policy.")] String Description; + [Write, Description("Assignments of the account protection local administrator password solution policy."), EmbeddedInstance("MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments")] String Assignments[]; + [Write, Description("Configures which directory the local admin account password is backed up to. 0 - Disabled, 1 - Azure AD, 2 - AD"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] UInt32 BackupDirectory; + [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. 
Minimum - 7, Maximum - 365")] UInt32 PasswordAgeDays_AAD; + [Write, Description("Configures the maximum password age of the managed local administrator account for Active Directory. Minimum - 1, Maximum - 365")] UInt32 PasswordAgeDays; + [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account.")] Boolean PasswordExpirationProtectionEnabled; + [Write, Description("Configures how many previous encrypted passwords will be remembered in Active Directory. Minimum - 0, Maximum - 12")] UInt32 AdEncryptedPasswordHistorySize; + [Write, Description("Configures whether the password is encrypted before being stored in Active Directory.")] Boolean AdPasswordEncryptionEnabled; + [Write, Description("Configures the name or SID of a user or group that can decrypt the password stored in Active Directory.")] String AdPasswordEncryptionPrincipal; + [Write, Description("Configures the name of the managed local administrator account.")] String AdministratorAccountName; + [Write, Description("Configures the password complexity of the managed local administrator account. 1 - Large letters, 2 - Large + small letters, 3 - Large + small letters + numbers, 4 - Large + small letters + numbers + special characters"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] UInt32 PasswordComplexity; + [Write, Description("Configures the length of the password of the managed local administrator account. Minimum - 8, Maximum - 64")] UInt32 PasswordLength; + [Write, Description("Specifies the actions to take upon expiration of the configured grace period. 1 - Reset password, 3 - Reset password and log off, 5 - Reset password and restart"), ValueMap{"1", "3", "5"}, Values{"1", "3", "5"}] UInt32 PostAuthenticationActions; + [Write, Description("Specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. 
Minimum - 0, Maximum - 24")] UInt32 PostAuthenticationResetDelay; + [Write, Description("Present ensures the policy exists, absent ensures it is removed"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Name of the Azure Active Directory tenant used for authentication. Format contoso.onmicrosoft.com")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; }; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof index 4b093ec012f0b12809d662d6c31e85d609f4dbc2..92fa66799573f9cd3560c34479d0d5a4af730bae 100644 GIT binary patch delta 64 zcmZ4F(BZV<5T|lFLlHwhLn%W6g93vKLncEpkd?!b$WRI7`vK`(hSbS|oVk-Xi1 Date: Thu, 16 Nov 2023 21:48:19 +0000 Subject: [PATCH 21/49] Update CHANGELOG --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74bdc00ea9..53735fb786 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,14 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy, + IntuneAccountProtectionLocalUserGroupMembershipPolicy, + IntuneAccountProtectionPolicy, + * Fixes export if Assignments is set on existing policies + FIXES [3913](https://github.com/microsoft/Microsoft365DSC/issues/3913) + * Add groupDisplayName to Assignments embedded instance + # 1.23.1115.1 * AADApplication From 003c331ce9c6b3af8758f8b52de95bdd08724a80 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 16 Nov 2023 21:51:48 +0000 Subject: [PATCH 22/49] Actually use the correct embedded instance --- ...countProtectionLocalAdministratorPasswordSolutionPolicy.psm1 | 2 +- ...T_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index e11c53a62e..2a848f4f42 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 
@@ -752,7 +752,7 @@ function Export-TargetResource if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionPolicyAssignments + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments if ($complexTypeStringResult) { $Results.Assignments = $complexTypeStringResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index 45b20bc95d..25d0b7f044 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -624,7 +624,7 @@ function Export-TargetResource if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionPolicyAssignments + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments if ($complexTypeStringResult) { From 05d8ff19fbb71181b5dfbcb3c267152bbe3fbfe1 Mon Sep 17 00:00:00 2001 
From: "ITACS\\mk" Date: Tue, 21 Nov 2023 09:23:43 +0100 Subject: [PATCH 23/49] Export AADRoleSetting with Filter and Sort --- CHANGELOG.md | 3 +++ .../MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 | 3 ++- .../Microsoft365DSC.AADRoleSetting.Tests.ps1 | 9 +++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74bdc00ea9..f4d6847ddf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Change log for Microsoft365DSC +* AADRoleSetting + * Export sorted by DisplayName for better comparison + * Enable Filter property to be used on export # 1.23.1115.1 * AADApplication diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 index 4353dd8ce8..117d2e66d8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1 @@ -1283,6 +1283,7 @@ function Test-TargetResource [Switch] $ManagedIdentity ) + $Script:ExportMode = $false #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies @@ -1379,7 +1380,7 @@ function Export-TargetResource try { $Script:ExportMode = $true - [array] $Script:exportedInstances = Get-MgBetaRoleManagementDirectoryRoleDefinition -ErrorAction Stop + [array] $Script:exportedInstances = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter $Filter -Sort DisplayName -ErrorAction Stop $i = 1 $dscContent = '' Write-Host "`r`n" -NoNewline diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 index 31cb22bf3e..5b68626cd5 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleSetting.Tests.ps1 
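Review bot: The new `$Script:ExportMode = $false` line at the top of Test-TargetResource has no comment, and neither the commit subject nor the changelog entry mentions it. Export-TargetResource sets the same script-scoped flag to `$true` (visible as context in the second hunk), so this presumably keeps a later test run from reading the cached `$Script:exportedInstances`, which after this commit may hold only the filtered subset. Once that intent is confirmed, I would add `# Reset export mode so Get-TargetResource queries Graph instead of the (possibly filtered) export cache` above the assignment. Both functions continue outside their hunks.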
@@ -660,6 +660,15 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should reverse engineer resource from the export method' { $result = Export-TargetResource @testParams + Should -Invoke -Scope It -CommandName 'Get-MgBetaRoleManagementDirectoryRoleDefinition' -ParameterFilter { $Filter -eq '' -and $Sort -eq 'DisplayName' } -Times 1 + $result | Should -Not -BeNullOrEmpty + } + + It 'Should reverse engineer resource from the export method with a filter' { + $testParams.Filter = "displayName eq 'Role1'" + + $result = Export-TargetResource @testParams + Should -Invoke -Scope It -CommandName 'Get-MgBetaRoleManagementDirectoryRoleDefinition' -ParameterFilter { $Filter -eq "displayName eq 'Role1'" -and $Sort -eq 'DisplayName' } -Times 1 $result | Should -Not -BeNullOrEmpty } } From c6cb32a7bb1c4551ff3f8a952556e2630262d7ef Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Tue, 21 Nov 2023 09:29:25 +0100 Subject: [PATCH 24/49] Update ChangeLog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4d6847ddf..50d046dd3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ * AADRoleSetting * Export sorted by DisplayName for better comparison * Enable Filter property to be used on export + FIXES [#3919](https://github.com/microsoft/Microsoft365DSC/issues/3919) # 1.23.1115.1 * AADApplication From 083619d2b31b930e1243057bb8f3b44c6eed8ca9 Mon Sep 17 00:00:00 2001 
From: Ricardo Mestre Date: Thu, 23 Nov 2023 00:44:00 +0000 Subject: [PATCH 25/49] merge --- CHANGELOG.md | 22 +++++++++++++++++++ ...onDeliveryOptimizationPolicyWindows10.psm1 | 17 +++----------- ...tionEndpointProtectionPolicyWindows10.psm1 | 18 +++------------ ...onitoringConfigurationPolicyWindows10.psm1 | 17 +++----------- ...tionIdentityProtectionPolicyWindows10.psm1 | 17 +++----------- ...neDeviceEnrollmentStatusPageWindows10.psm1 | 17 +++----------- ...tDeploymentProfileAzureADHybridJoined.psm1 | 17 +++----------- ...topilotDeploymentProfileAzureADJoined.psm1 | 17 +++----------- 8 files changed, 43 insertions(+), 99 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49699752e2..5c93685310 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,17 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, + IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, + IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, + IntuneDeviceConfigurationEndpointProtectionPolicyWindows10, + IntuneDeviceEnrollmentStatusPageWindows10, + IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, + IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Removed Id and all authentication parameters from PSBoundParameters in Test-TargetResource + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) + # 1.23.1122.1 * SPOSharingSettings 
@@ -22,6 +34,16 @@ * Fixes an issue where we are not able to set the settings of a CAS Mailbox Plan by specifying the Identity without the GUID in the name. FIXES [#3900](https://github.com/microsoft/Microsoft365DSC/issues/3900) +* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, + IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, + IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, + IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, + IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Removed Id parameter from PSBoundParameters in Test-TargetResource + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) +* IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 + * Fixes an issue where the firewall settings were not populate correctly + FIXES [#3851](https://github.com/microsoft/Microsoft365DSC/issues/3851) # 1.23.1108.3 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 index 1817103ffd..940dee9e16 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 
@@ -459,15 +459,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -690,6 +682,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -722,11 +716,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 index 491a5099f6..b4a8758c1a 100644 
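Review bot: The single helper call in Set-TargetResource replaces eight explicit removals, two of which (`Ensure` and `Verbose`) are not authentication parameters, and the body of `Remove-M365DSCAuthenticationParameter` is not part of this diff. If the helper leaves either key in place, it would stay in `$PSBoundParameters` for the create/update code below the hunk. I would confirm the helper's key list and record it next to the call, e.g. `# Also strips Ensure and Verbose, as the removed block did`. The same replacement is made in the Set-TargetResource hunks of the six other resource modules in this commit.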
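Review bot: The two lines added to Test-TargetResource strip the authentication keys from `$ValuesToCheck` only, while `$CurrentValues` further down in the function (outside this hunk, visible as context in the next one) is still passed whole to `Write-Verbose`. If Get-TargetResource echoes `Credential`, `ApplicationSecret` or `CertificateThumbprint` back in its result, which this diff does not show, those values reach the verbose stream in whatever form `Convert-M365DscHashtableToString` renders them. I would log a stripped copy instead, `$currentForLog = Remove-M365DSCAuthenticationParameter -BoundParameters ([Hashtable]$CurrentValues).Clone()`, and use `$currentForLog` in the "Current Values" message. The same pattern appears in the Test-TargetResource hunks of the other six modules.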
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 @@ -3685,15 +3685,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -4810,6 +4802,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -4842,12 +4836,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Id') | Out-Null - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 index da66296a19..7189bbe0eb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 @@ -262,15 +262,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -439,6 +431,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { 
@@ -470,11 +464,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 index 57dcd9e22b..5b59f195e9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 @@ -369,15 +369,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { 
@@ -588,6 +580,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -620,11 +614,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 6dd891fbc7..7eacad1b0e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 
@@ -334,15 +334,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -560,6 +552,8 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Enrollment Configuration for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -591,11 +585,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 index 6d91c14937..cbd9138eef 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 @@ -330,15 +330,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { @@ -524,6 +516,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { 
@@ -555,11 +549,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 index 7c2b6f6f06..72d7a42b3c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 @@ -321,15 +321,7 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('Verbose') | Out-Null + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { 
@@ -511,6 +503,8 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { @@ -542,11 +536,6 @@ function Test-TargetResource } } - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" From a3771d32e982cd02b3bc87ea127ea1e0ad75522e Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Thu, 23 Nov 2023 00:50:47 +0000 Subject: [PATCH 26/49] Update CHANGELOG.md --- CHANGELOG.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c93685310..c823d811f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -34,16 +34,6 @@ * Fixes an issue where we are not able to set the settings of a CAS Mailbox Plan by specifying the Identity without the GUID in the name. FIXES [#3900](https://github.com/microsoft/Microsoft365DSC/issues/3900) -* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, - IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, - IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, - IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, - IntuneWindowsAutopilotDeploymentProfileAzureADJoined - * Removed Id parameter from PSBoundParameters in Test-TargetResource - FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) -* IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 - * Fixes an issue where the firewall settings were not populate correctly - FIXES [#3851](https://github.com/microsoft/Microsoft365DSC/issues/3851) # 1.23.1108.3 From 1bc28e6e3b9187f92742f16557d7b831e25352e1 Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Thu, 23 Nov 2023 08:38:43 +0100 Subject: [PATCH 27/49] update Change log with new line --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50d046dd3a..057cb76816 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Export sorted by DisplayName for better comparison * Enable Filter property to be used on export FIXES [#3919](https://github.com/microsoft/Microsoft365DSC/issues/3919) + # 1.23.1115.1 * AADApplication From a4348d0d73423c3dfd9df557217196b2e2657aef Mon Sep 17 00:00:00 2001 From: Philippe Kernevez Date: Thu, 23 Nov 2023 14:57:47 +0100 Subject: [PATCH 28/49] Remove hardcoded repository name --- Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 698ce0e874..673407432a 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 
+++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -4063,8 +4063,8 @@ function Test-M365DSCModuleValidity $InformationPreference = 'Continue' - # validate only one installation of the module is present (and it's the latest version available from the psgallery) - $latestVersion = (Find-Module -Name 'Microsoft365DSC' -Repository 'PSGallery' -Includes 'DSCResource').Version + # validate only one installation of the module is present (and it's the latest version available) + $latestVersion = (Find-Module -Name 'Microsoft365DSC' -Includes 'DSCResource').Version $localVersion = (Get-Module -Name 'Microsoft365DSC').Version if ($latestVersion -gt $localVersion) From ac1f4e7288db89dc3fc145cc5d75a1338fcf2ab6 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Fri, 24 Nov 2023 19:34:31 +0000 Subject: [PATCH 29/49] update Intune assignment logic --- CHANGELOG.md | 18 ++ ...uneDeviceConfigurationPolicyWindows10.psm1 | 163 +++++++----------- ...tDeploymentProfileAzureADHybridJoined.psm1 | 74 ++++---- ...topilotDeploymentProfileAzureADJoined.psm1 | 114 ++++++++---- ...ForBusinessRingUpdateProfileWindows10.psm1 | 95 ++++++---- .../Modules/M365DSCDRGUtil.psm1 | 114 +++++++++++- 6 files changed, 384 insertions(+), 194 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49699752e2..18a5382958 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
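Review bot: Dropping `-Repository 'PSGallery'` makes `Find-Module` search every repository registered on the machine, so `$latestVersion` is no longer tied to one source. If more than one registered repository carries a `Microsoft365DSC` package, the call can return several objects, `.Version` becomes an array, and `$latestVersion -gt $localVersion` then filters that array instead of yielding a boolean. A repository the operator does not control could also determine which version is reported as latest. I would keep the source explicit but configurable, for example an optional `$Repository` parameter defaulting to `'PSGallery'` and passed as `-Repository $Repository`, or at least select a single result before reading `.Version`. Test-M365DSCModuleValidity starts and ends outside the hunk.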
@@ -1,5 +1,23 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* M365DSCDRGUtil + * Added ConvertFrom-IntunePolicyAssignment and ConvertTo-IntunePolicyAssignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) +* IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) +* IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) +* IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10 + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) +* IntuneDeviceConfigurationPolicyWindows10 + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + # 1.23.1122.1 * SPOSharingSettings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 index 87a99ab274..548682d17b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 
@@ -1976,35 +1976,13 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + + $rawAssignments = @() + $rawAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id -All $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if($null -ne $rawAssignments -and $rawAssignments.count -gt 0) { - $DataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - $GroupId = $assignmentEntry.Target.AdditionalProperties.groupId - $GroupDisplayName = $null - - if ($DataType -eq "#microsoft.graph.groupAssignmentTarget" -or ` - $DataType -eq "#microsoft.graph.exclusionGroupAssignmentTarget") { - $Group = Get-MgGroup -GroupId $GroupId -ErrorAction SilentlyContinue - if ($Group.Count -eq 1) - { - $GroupDisplayName = $Group.DisplayName - $GroupId = $null - } - } - - $assignmentValue = @{ - dataType = $DataType - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $GroupId - groupDisplayName = $GroupDisplayName - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $rawAssignments } $results.Add('Assignments', $assignmentResult) 
@@ -3300,17 +3278,17 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10GeneralConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - + #endregion + #region new Intune assignment management if ($policy.id) { - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceConfigurations' + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) + { + New-MgBetaDeviceManagementDeviceConfigurationAssignment ` + -DeviceConfigurationId $policy.id ` + -BodyParameter $assignment + } } #endregion } 
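Review bot: `ConvertTo-IntunePolicyAssignment -Assignments $Assignments` is called unconditionally inside `if ($policy.id)`, but the helper added in this commit declares `$Assignments` as `Mandatory`, so a `$null` value fails parameter binding. If the resource can be declared without Assignments (the param block is outside the hunk, so this is inferred), the policy would be created and the assignment step would then throw. Guard the call with `if ($null -ne $Assignments -and $Assignments.Count -gt 0)`, or mark the helper parameter `[AllowNull()]` and `[AllowEmptyCollection()]`. The same unguarded call appears in the other create and update hunks of this commit.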
@@ -3337,74 +3315,34 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) + #endregion + #region new Intune assignment management + $currentAssignments = @() + $currentAssignments += Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $currentInstance.id + + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) { - if ($Assignment.dataType -eq "#microsoft.graph.groupAssignmentTarget" -or ` - $Assignment.dataType -eq "#microsoft.graph.exclusionGroupAssignmentTarget") + if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) { - if (![string]::IsNullOrEmpty($Assignment.groupId)) - { - $Group = Get-MgGroup -GroupId $Assignment.groupId -ErrorAction SilentlyContinue - $GroupId = $Assignment.groupId - } - else - { - $Group = $null - $GroupId = "null" - } - - if ($Group.Count -eq 0) - { - $Message = "Could not find assignment group with id {0}, trying with display name" -f $GroupId - Write-Verbose -Message $Message - - if (![string]::IsNullOrEmpty($Assignment.groupDisplayName)) - { - $Message = "Checking for the assignment group '{0}'" -f $Assignment.groupDisplayName - Write-Verbose -Message $Message - - $Filter = "displayName eq '{0}'" -f $Assignment.groupDisplayName - $Group = Get-MgGroup -Filter $Filter -ErrorAction SilentlyContinue - if ($Group.Count -eq 1) - { - $Message = "Found assignment group '{0}' with id '{1}'" -f $Group.DisplayName, $Group.Id - Write-Verbose -Message $Message - - $Assignment.groupId = $Group.Id - } - else - { - if ([string]::IsNullOrEmpty($Assignment.groupId)) - { - $Message = "Could not find assignment group, skipping" - 
continue - } - - $Message = "Could not find assignment group '{0}', instead use group with id '{1}'" -f $Assignment.groupDisplayName, $Assignment.groupId - Write-Verbose -Message $Message - } - } - else - { - $Message = "Could not find assignment group, skipping" - Write-Verbose -Message $Message - continue - } - } + New-MgBetaDeviceManagementDeviceConfigurationAssignment ` + -DeviceConfigurationId $currentInstance.id ` + -BodyParameter $assignment } - - $assignmentHash = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - if (![string]::IsNullOrEmpty($Assignment.groupDisplayName)) + else { - $assignmentHash.Remove("groupDisplayName") | Out-Null + $currentAssignments = $currentAssignments | Where-Object { -not ($_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type') } + } + } + if($currentAssignments.count -gt 0) + { + foreach ($assignment in $currentAssignments) + { + Remove-MgBetaDeviceManagementDeviceConfigurationAssignment ` + -DeviceConfigurationId $currentInstance.Id ` + -DeviceConfigurationAssignmentId $assignment.Id } - $assignmentsHash += $assignmentHash } - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $currentInstance.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceConfigurations' #endregion } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') 
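Review bot: The update path reads the existing assignments with `Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $currentInstance.id` without `-All`, while Get-TargetResource in this same commit adds `-All` to that call. On a policy with more assignments than one result page, the reconciliation loop would see only the first page, so later assignments are never removed and ones already present may be created again. Add `-All` here; the same omission is in the update hunks of the two Autopilot resources and of IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10. Matching is also done on `groupId` and `@odata.type` only, so a changed assignment filter on an existing target is never applied. Set-TargetResource starts and ends outside the hunk.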
@@ -4690,11 +4628,34 @@ function Test-TargetResource -Source ($source) ` -Target ($target) - if (-Not $testResult) + if( $key -eq "Assignments") { - $testResult = $false - break + $testResult = $source.count -eq $target.count + if (-Not $testResult) { break } + foreach ($assignment in $source) + { + if ($assignment.dataType -like '*GroupAssignmentTarget') + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId}) + #Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key + if (-not $testResult) + { + $groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue) + } + if (-not $testResult -and $groupNotFound) + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName}) + } + } + else + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType}) + } + if (-Not $testResult) { break } + } + if (-Not $testResult) { break } } + if (-Not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 index 6d91c14937..0e77a3a018 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 
@@ -197,20 +197,12 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $Id + $rawAssignments = @() + $rawAssignments = Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $Id -All $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if($null -ne $rawAssignments -and $rawAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $rawAssignments -IncludeDeviceFilter $false } $results.Add('Assignments', $assignmentResult) 
@@ -360,17 +352,14 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.activeDirectoryWindowsAutopilotDeploymentProfile") $policy = New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - - if ($policy.id) + #endregion + #region new Intune assignment management + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) { - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/windowsAutopilotDeploymentProfiles' + New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $policy.id ` + -BodyParameter $assignment } #endregion } 
@@ -397,20 +386,46 @@ function Set-TargetResource Update-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile ` -WindowsAutopilotDeploymentProfileId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) + #endregion + #region new Intune assignment management + $currentAssignments = @() + $currentAssignments += Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $currentInstance.id + + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) + { + New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $currentInstance.id ` + -BodyParameter $assignment + } + else + { + $currentAssignments = $currentAssignments | Where-Object { -not($_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type') } + } + } + if($currentAssignments.count -gt 0) + { + foreach ($assignment in $currentAssignments) + { + Remove-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $currentInstance.Id ` + -WindowsAutopilotDeploymentProfileAssignmentId $assignment.Id + } } - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $currentInstance.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/windowsAutopilotDeploymentProfiles' #endregion } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { Write-Verbose -Message "Removing the Intune Windows 
Autopilot Deployment Profile Azure AD Hybrid Joined with Id {$($currentInstance.Id)}" + $currentAssignments = Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $currentInstance.Id -All + foreach ($assignment in $currentAssignments) + { + Remove-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $currentInstance.Id ` + -WindowsAutopilotDeploymentProfileAssignmentId $assignment.Id + } #region resource generator code Remove-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile -WindowsAutopilotDeploymentProfileId $currentInstance.Id #endregion @@ -555,6 +570,7 @@ function Test-TargetResource } } + $ValuesToCheck.Remove('Id') | Out-Null $ValuesToCheck.Remove('Credential') | Out-Null $ValuesToCheck.Remove('ApplicationId') | Out-Null $ValuesToCheck.Remove('TenantId') | Out-Null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 index 7c2b6f6f06..f793202203 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 
@@ -126,6 +126,12 @@ function Get-TargetResource Write-Verbose -Message "Could not find an Intune Windows Autopilot Deployment Profile Azure AD Joined with DisplayName {$DisplayName}" return $nullResult } + + if($getValue -is [Array]) + { + Throw "The DisplayName {$DisplayName} returned multiple policies, make sure DisplayName is unique." + } + $Id = $getValue.Id Write-Verbose -Message "An Intune Windows Autopilot Deployment Profile Azure AD Joined with Id {$Id} and DisplayName {$DisplayName} was found." @@ -192,20 +198,13 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $Id + + $rawAssignments = @() + $rawAssignments = Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $Id -All $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if($null -ne $rawAssignments -and $rawAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $rawAssignments -IncludeDeviceFilter $false } $results.Add('Assignments', $assignmentResult) 
@@ -351,17 +350,15 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile") $policy = New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + #endregion - if ($policy.id) + #region new Intune assignment management + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) { - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/windowsAutopilotDeploymentProfiles' + New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $policy.id ` + -BodyParameter $assignment } #endregion } 
@@ -388,20 +385,47 @@ function Set-TargetResource Update-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile ` -WindowsAutopilotDeploymentProfileId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) + #endregion + + #region new Intune assignment management + $currentAssignments = @() + $currentAssignments += Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $currentInstance.id + + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) + { + if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) + { + New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $currentInstance.id ` + -BodyParameter $assignment + } + else + { + $currentAssignments = $currentAssignments | Where-Object { -not($_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type') } + } + } + if($currentAssignments.count -gt 0) { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + foreach ($assignment in $currentAssignments) + { + Remove-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $currentInstance.Id ` + -WindowsAutopilotDeploymentProfileAssignmentId $assignment.Id + } } - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $currentInstance.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/windowsAutopilotDeploymentProfiles' #endregion } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { Write-Verbose -Message "Removing the Intune Windows 
Autopilot Deployment Profile Azure AD Joined with Id {$($currentInstance.Id)}" + $currentAssignments = Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $currentInstance.Id -All + foreach ($assignment in $currentAssignments) + { + Remove-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` + -WindowsAutopilotDeploymentProfileId $currentInstance.Id ` + -WindowsAutopilotDeploymentProfileAssignmentId $assignment.Id + } #region resource generator code Remove-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile -WindowsAutopilotDeploymentProfileId $currentInstance.Id #endregion 
@@ -532,16 +556,40 @@ function Test-TargetResource -Source ($source) ` -Target ($target) - if (-Not $testResult) - { - $testResult = $false - break - } + if( $key -eq "Assignments") + { + $testResult = $source.count -eq $target.count + if (-Not $testResult) { break } + foreach ($assignment in $source) + { + if ($assignment.dataType -like '*GroupAssignmentTarget') + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId}) + #Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key + if (-not $testResult) + { + $groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue) + } + if (-not $testResult -and $groupNotFound) + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName}) + } + } + else + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType}) + } + if (-Not $testResult) { break } + } + if (-Not $testResult) { break } + } + if (-Not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null } } + $ValuesToCheck.Remove('Id') | Out-Null $ValuesToCheck.Remove('Credential') | Out-Null $ValuesToCheck.Remove('ApplicationId') | Out-Null $ValuesToCheck.Remove('TenantId') | Out-Null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 index 66b6399e03..1f822399b4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 @@ -411,23 +411,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + + $rawAssignments = @() + $rawAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id -All $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if($null -ne $rawAssignments -and $rawAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $rawAssignments } $results.Add('Assignments', $assignmentResult) - return [System.Collections.Hashtable] $results } catch 
@@ -683,17 +675,14 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windowsUpdateForBusinessConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash=@() - foreach($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - - if ($policy.id) + #endregion + #region new Intune assignment management + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) { - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceConfigurations' + New-MgBetaDeviceManagementDeviceConfigurationAssignmentAssignment ` + -DeviceConfigurationAssignmentId $policy.id ` + -BodyParameter $assignment } #endregion } 
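Review bot: The create path calls `New-MgBetaDeviceManagementDeviceConfigurationAssignmentAssignment` with `-DeviceConfigurationAssignmentId $policy.id`, which does not match the cmdlet and parameter used for the same operation elsewhere in this commit and looks like a search-and-replace slip. As written, the call would probably fail to resolve at run time after the policy itself has been created, leaving a policy with no assignments. It should read `New-MgBetaDeviceManagementDeviceConfigurationAssignment` with `-DeviceConfigurationId $policy.id`, as in the update hunk of this file. The `if ($policy.id)` guard that the old code had was also dropped here.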
@@ -720,11 +709,34 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.id ` -BodyParameter $UpdateParameters + #endregion + #region new Intune assignment management + $currentAssignments = @() + $currentAssignments += Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $currentInstance.id - $assignmentsHash = @() - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceConfigurations' + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + foreach ($assignment in $intuneAssignments) + { + if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) + { + New-MgBetaDeviceManagementDeviceConfigurationAssignment ` + -DeviceConfigurationId $currentInstance.id ` + -BodyParameter $assignment + } + else + { + $currentAssignments = $currentAssignments | Where-Object { -not($_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type') } + } + } + if($currentAssignments.count -gt 0) + { + foreach ($assignment in $currentAssignments) + { + Remove-MgBetaDeviceManagementDeviceConfigurationAssignment ` + -DeviceConfigurationId $currentInstance.Id ` + -DeviceConfigurationAssignmentId $assignment.Id + } + } #endregion } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') 
@@ -971,11 +983,34 @@ function Test-TargetResource -Source ($source) ` -Target ($target) - if (-Not $testResult) + if( $key -eq "Assignments") { - $testResult = $false - break + $testResult = $source.count -eq $target.count + if (-Not $testResult) { break } + foreach ($assignment in $source) + { + if ($assignment.dataType -like '*GroupAssignmentTarget') + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId}) + #Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key + if (-not $testResult) + { + $groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue) + } + if (-not $testResult -and $groupNotFound) + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName}) + } + } + else + { + $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType}) + } + if (-Not $testResult) { break } + } + if (-Not $testResult) { break } } + if (-Not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 90f4d660e6..7830f34ae8 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 
@@ -1109,7 +1109,119 @@ function Update-IntuneSettingCatalogPolicy return $null } } +function ConvertFrom-IntunePolicyAssignment +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable[]])] + param ( + [Parameter(Mandatory = $true)] + [Array] + $Assignments, + [Parameter()] + [System.Boolean] + $IncludeDeviceFilter = $true + ) + + $assignmentResult = @() + foreach ($assignment in $Assignments) + { + $hashAssignment = @{} + $dataType = $assignment.Target.AdditionalProperties."@odata.type" + $groupId = $assignment.Target.AdditionalProperties.groupId + + $hashAssignment.add('dataType',$dataType) + if (-not [string]::IsNullOrEmpty($groupId)) + { + $hashAssignment.add('groupId', $groupId) + + $group = Get-MgGroup -GroupId ($groupId) -ErrorAction SilentlyContinue + if ($null -ne $group) + { + $hashAssignment.add('groupDisplayName', $group.DisplayName) + } + } + if ($IncludeDeviceFilter) + { + if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterType) + { + $hashAssignment.add('deviceAndAppManagementAssignmentFilterType', $assignment.Target.DeviceAndAppManagementAssignmentFilterType.ToString()) + } + if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterId) + { + $hashAssignment.add('deviceAndAppManagementAssignmentFilterId', $assignment.Target.DeviceAndAppManagementAssignmentFilterId) + } + } + + $assignmentResult += $hashAssignment + } + + return $assignmentResult +} + +function ConvertTo-IntunePolicyAssignment +{ + [CmdletBinding()] + [OutputType([Hashtable[]])] + param ( + [Parameter(Mandatory = $true)] + $Assignments, + [Parameter()] + [System.Boolean] + $IncludeDeviceFilter = $true + ) + + $assignmentResult = @() + foreach ($assignment in $Assignments) + { + $target = @{"@odata.type" = $assignment.dataType} + if ($IncludeDeviceFilter) + { + if ($null -ne $assignment.DeviceAndAppManagementAssignmentFilterId) + { + $target.add('deviceAndAppManagementAssignmentFilterId', $assignment.DeviceAndAppManagementAssignmentFilterId) 
+ } + if ($null -ne $assignment.DeviceAndAppManagementAssignmentFilterType) + { + $target.add('deviceAndAppManagementAssignmentFilterType',$assignment.DeviceAndAppManagementAssignmentFilterType) + } + } + if ($assignment.dataType -like '*GroupAssignmentTarget') + { + $group = Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue + if ($null -eq $group) + { + $group = Get-MgGroup -Filter "DisplayName eq '$($assignment.groupDisplayName)'" -ErrorAction SilentlyContinue + if ($null -eq $group) + { + $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it could not be found in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." + write-verbose -Message $message + $target = $null + } + if ($group -and $group.count -gt 1) + { + $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it is not unique in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." + write-verbose -Message $message + $group = $null + $target = $null + } + } + #Skipping assignment if group not found from either groupId or groupDisplayName + if ($null -ne $group) + { + $target.add('groupId',$group.Id) + } + } + if ($target) + { + $assignmentResult += @{Target = $target} + } + } + + return $assignmentResult +} function Update-DeviceConfigurationPolicyAssignment { [CmdletBinding()] @@ -1160,7 +1272,7 @@ function Update-DeviceConfigurationPolicyAssignment $deviceManagementPolicyAssignments += @{'target' = $formattedTarget} } $body = @{'assignments' = $deviceManagementPolicyAssignments} | ConvertTo-Json -Depth 20 - #write-verbose -Message $body + write-verbose -Message $body Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop } catch From 09cad267c5984a41bb2d1a04b0310911a012021f Mon Sep 17 00:00:00 2001 
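Review bot: When a group cannot be resolved, `ConvertTo-IntunePolicyAssignment` drops the assignment and only emits `write-verbose`, which is invisible in a normal run. For an `exclusionGroupAssignmentTarget` that means the policy is applied without the intended exclusion, so this deserves at least `Write-Warning -Message $message`, and arguably a terminating error for exclusion targets. The lookup `-Filter "DisplayName eq '$($assignment.groupDisplayName)'"` also interpolates the name unescaped; a display name containing an apostrophe produces an invalid filter that `-ErrorAction SilentlyContinue` hides, ending in the same silent skip. Doubling the quote first, `$($assignment.groupDisplayName -replace "'", "''")`, avoids that.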
From: William-francillette Date: Fri, 24 Nov 2023 20:08:45 +0000 Subject: [PATCH 30/49] fix IntuneDeviceEnrollmentStatusPageWindows10 --- CHANGELOG.md | 3 +++ ...neDeviceEnrollmentStatusPageWindows10.psm1 | 25 ++++++++----------- .../Modules/M365DSCDRGUtil.psm1 | 2 +- 3 files changed, 14 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18a5382958..08c2ec0045 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,9 @@ * IntuneDeviceConfigurationPolicyWindows10 * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) +* IntuneDeviceEnrollmentStatusPageWindows10 + * Fixed assignments using API call + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) # 1.23.1122.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 6dd891fbc7..863e0321f2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 
@@ -377,13 +377,11 @@ function Set-TargetResource $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration') $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration -BodyParameter $CreateParameters - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' + $intuneAssignments = @() + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $body = @{'enrollmentConfigurationAssignments' = $intuneAssignments} | ConvertTo-Json -Depth 100 + $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($policy.Id)/assign" + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop Update-DeviceEnrollmentConfigurationPriority ` -DeviceEnrollmentConfigurationId $policy.id ` 
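Review bot: The `/assign` POST built here sends whatever `ConvertTo-IntunePolicyAssignment` returns, and that helper drops a group target it cannot resolve after only a verbose message (the `$target = $null` branches in `M365DSCDRGUtil.psm1`). Its check `-like '*GroupAssignmentTarget'` presumably also matches exclusion targets, so a missing or duplicated group name, or a lookup that failed under `-ErrorAction SilentlyContinue`, can shrink or widen the set of devices the enrollment status page applies to without any error. Assuming the `assign` action replaces the existing assignment list, compare the counts before posting, e.g. `if ($intuneAssignments.Count -ne $Assignments.Count) { throw "One or more assignment targets could not be resolved." }`, or at least raise the helper's message to `Write-Warning`. The same applies to the update path in the `@@ -414,14 +412,11 @@` hunk.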
@@ -414,14 +412,11 @@ function Set-TargetResource if ($currentInstance.Id -notlike '*_DefaultWindows10EnrollmentCompletionPageConfiguration') { - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' + $intuneAssignments = @() + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $body = @{'enrollmentConfigurationAssignments' = $intuneAssignments} | ConvertTo-Json -Depth 100 + $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($currentInstance.Id)/assign" + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop Update-DeviceEnrollmentConfigurationPriority ` -DeviceEnrollmentConfigurationId $currentInstance.id ` diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 7830f34ae8..0875317580 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1216,7 +1216,7 @@ function ConvertTo-IntunePolicyAssignment if ($target) { - $assignmentResult += @{Target = $target} + $assignmentResult += @{target = $target} } } From 19f1cf94343aec4b734719abd2378f8b44890e93 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 24 Nov 2023 15:33:22 -0500 Subject: [PATCH 31/49] Updated MSCloudLoginAssistant --- CHANGELOG.md | 5 ++++ .../MSFT_PlannerTask/MSFT_PlannerTask.psm1 | 27 ------------------- .../Dependencies/Manifest.psd1 | 2 +- 3 files changed, 6 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49699752e2..ba28184de1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
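Review bot: The request URI hard-codes the commercial Graph host `https://graph.microsoft.com`, here and in the create path of the `@@ -377,13 +377,11 @@` hunk. If this resource is meant to run against national or government cloud tenants, the call would target the wrong endpoint while the SDK cmdlets used elsewhere in the function follow the connected environment. Build the URI from the Graph endpoint of the current connection instead of a literal host, e.g. `$Uri = "$graphBaseUrl/beta/deviceManagement/deviceEnrollmentConfigurations/$($currentInstance.Id)/assign"`, where `$graphBaseUrl` is a placeholder for that endpoint. `Set-TargetResource` starts and ends outside this hunk.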
@@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* DEPENDENCIES + * Updated MSCloudLoginAssistant to version 1.1.0. + # 1.23.1122.1 * SPOSharingSettings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 index 907ba0a07f..7fbb09e0b0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 @@ -920,33 +920,6 @@ function Convert-M365DSCPlannerTaskChecklistToCIMArray return $StringContent } -function Get-M365DSCPlannerPlansFromGroup -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable[]])] - Param( - [Parameter(Mandatory = $true)] - [System.String] - $GroupId, - - [Parameter(Mandatory = $true)] - [System.Management.Automation.PSCredential] - $Credential - ) - $results = @() - $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/planner/plans" - $taskResponse = Invoke-MSCloudLoginMicrosoftGraphAPI -CloudCredential $Credential ` - -Uri $uri ` - -Method Get - foreach ($plan in $taskResponse.value) - { - $results += @{ - Id = $plan.id - Title = $plan.title - } - } - return $results -} function Get-M365DSCPlannerTasksFromPlan { diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 42daf3978e..717fb5f80e 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -86,7 +86,7 @@ }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.0.121" + RequiredVersion = "1.1.0" }, @{ ModuleName = 'PnP.PowerShell' From bff6b1c7c8be424845f9f99c7896feafedea84ea Mon Sep 17 00:00:00 2001 
From: Nik Charlebois Date: Mon, 27 Nov 2023 10:51:19 -0500 Subject: [PATCH 32/49] Updated Microsoft.Graph to Version 2.10.0 --- CHANGELOG.md | 5 +++ .../Dependencies/Manifest.psd1 | 34 +++++++++---------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49699752e2..743458082b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* DEPENDENCIES + * Updated Microsoft.Graph to version 2.10.0. + # 1.23.1122.1 * SPOSharingSettings diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 42daf3978e..65702e24a9 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 
@@ -10,71 +10,71 @@ }, @{ ModuleName = 'Microsoft.Graph.Applications' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Authentication' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Devices.CorporateManagement' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Administration' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.DirectoryManagement' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.Governance' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.SignIns' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Reports' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Teams' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.DeviceManagement.Administration' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DirectoryObjects' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Groups' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Planner' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Users' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 'Microsoft.Graph.Users.Actions' - RequiredVersion = '2.9.1' + RequiredVersion = '2.10.0' }, @{ ModuleName = 
'Microsoft.PowerApps.Administration.PowerShell' From 119b8024f48e7c14a1acf3a93a54dea73c942b50 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Mon, 27 Nov 2023 19:48:54 +0000 Subject: [PATCH 33/49] fix IntuneAntivirusPolicyWindows10SettingCatalog --- CHANGELOG.md | 3 ++ ...ntivirusPolicyWindows10SettingCatalog.psm1 | 44 +++++++++++++++++-- 2 files changed, 44 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbca59ee92..8514205238 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ # UNRELEASED +* IntuneAntivirusPolicyWindows10SettingCatalog + * Skipped settingValueTemplateReference and settingInstanceTemplateReference for severethreats, highseveritythreats, moderateseveritythreats, lowseveritythreats as per API requirements observed in the Intune portal + FIXES [#3818](https://github.com/microsoft/Microsoft365DSC/issues/3818) * DEPENDENCIES * Updated Microsoft.Graph to version 2.10.0. * Updated MSCloudLoginAssistant to version 1.1.0. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index 6f371209c3..0c383ef33f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 @@ -1590,7 +1590,7 @@ function New-IntuneDeviceConfigurationPolicy 'settings' = $Settings } $body = $policy | ConvertTo-Json -Depth 20 - Write-Verbose -Message $body + #Write-Verbose -Message $body Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop } 
@@ -1602,6 +1602,7 @@ function New-IntuneDeviceConfigurationPolicy -TenantId $TenantId ` -Credential $Credential + #write-verbose ($_ | out-string) return $null } } @@ -1819,6 +1820,11 @@ function Format-M365DSCIntuneSettingCatalogPolicySettings $setting.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') $includeValueReference = $true + $includeSettingInstanceReference = $true + $doNotIncludesettingInstanceReferenceKeys = @( + 'highseveritythreats' + 'lowseveritythreats' + ) $noValueReferenceKeys = @( 'excludedpaths' 'excludedprocesses' @@ -1828,9 +1834,14 @@ function Format-M365DSCIntuneSettingCatalogPolicySettings { $includeValueReference = $false } + if ($originalKey -in $doNotIncludesettingInstanceReferenceKeys) + { + $includeSettingInstanceReference = $false + } $myFormattedSetting = Format-M365DSCParamsToSettingInstance -DSCParams @{$settingKey = $DSCParams."$originalKey" } ` -TemplateSetting $templateSetting ` - -IncludeSettingValueTemplateId $includeValueReference + -IncludeSettingValueTemplateId $includeValueReference ` + -IncludeSettingInstanceTemplateId $includeSettingInstanceReference $setting.add('settingInstance', $myFormattedSetting) $settings += $setting 
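Review bot: `$doNotIncludesettingInstanceReferenceKeys` lists only `'highseveritythreats'` and `'lowseveritythreats'` in the `@@ -1819,6 +1820,11 @@` hunk, while the copy added in the `@@ -1871,9 +1882,36 @@` hunk of the same function also lists `'moderateseveritythreats'` and `'severethreats'`, and the changelog entry names all four. `$noValueReferenceKeys` may differ in the same way; only its first two entries are visible here. If the moderate and severe threat settings can reach this first code path, they would still be sent with the template references the fix is meant to omit, and the antivirus policy request may be rejected. Define both lists once at the top of `Format-M365DSCIntuneSettingCatalogPolicySettings` and use them in both branches so the two paths cannot drift apart.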
@@ -1871,9 +1882,36 @@ function Format-M365DSCIntuneSettingCatalogPolicySettings -FilterScript { $_.settingDefinitionId -like "*$key" } if ($templateValue) { + $includeValueReference = $true + $includeSettingInstanceReference = $true + $doNotIncludesettingInstanceReferenceKeys = @( + 'highseveritythreats' + 'lowseveritythreats' + 'moderateseveritythreats' + 'severethreats' + ) + $noValueReferenceKeys = @( + 'excludedpaths' + 'excludedprocesses' + 'excludedextensions' + 'highseveritythreats' + 'lowseveritythreats' + 'moderateseveritythreats' + 'severethreats' + ) + if ($key -in $noValueReferenceKeys) + { + $includeValueReference = $false + } + if ($key -in $doNotIncludesettingInstanceReferenceKeys) + { + $includeSettingInstanceReference = $false + } $groupSettingCollectionValueChild = Format-M365DSCParamsToSettingInstance ` -DSCParams @{$key = $DSCParams."$key" } ` - -TemplateSetting $templateValue + -TemplateSetting $templateValue ` + -IncludeSettingValueTemplateId $includeValueReference ` + -IncludeSettingInstanceTemplateId $includeSettingInstanceReference $groupSettingCollectionValueChildren += $groupSettingCollectionValueChild } From c822cb73f7c7fd173babefe695653e8bc9157d12 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Tue, 28 Nov 2023 09:23:34 +0000 Subject: [PATCH 34/49] fix unit test --- ...FT_IntuneDeviceConfigurationPolicyWindows10.psm1 | 12 ++++++++++-- ...T_IntuneDeviceEnrollmentStatusPageWindows10.psm1 | 10 ++++++++-- ...topilotDeploymentProfileAzureADHybridJoined.psm1 | 13 ++++++++++--- ...dowsAutopilotDeploymentProfileAzureADJoined.psm1 | 12 ++++++++++-- ...UpdateForBusinessRingUpdateProfileWindows10.psm1 | 12 ++++++++++-- Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 | 2 +- 6 files changed, 49 insertions(+), 12 deletions(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 index 548682d17b..97f2ac3cf9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 @@ -3282,7 +3282,11 @@ function Set-TargetResource #region new Intune assignment management if ($policy.id) { - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { New-MgBetaDeviceManagementDeviceConfigurationAssignment ` @@ -3320,7 +3324,11 @@ function Set-TargetResource $currentAssignments = @() $currentAssignments += Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $currentInstance.id - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) 
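Review bot: The guard `if($null -ne $Assignments -and $Assignments.count -gt 0)` is pasted into every caller of `ConvertTo-IntunePolicyAssignment` in this commit (both hunks here and the hunks in the enrollment status page, the two Autopilot deployment profile resources and the update ring resource). The copies have already drifted: the update path in `MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1` assigns with `=` where all others use `+=`, so `$intuneAssignments` is not guaranteed to be an array there. Handling a null or empty `-Assignments` inside the helper and returning an empty array would leave each caller with one line, `$intuneAssignments = @(ConvertTo-IntunePolicyAssignment -Assignments $Assignments)`. The helper's parameter block is not visible here, so whether it currently rejects empty input is an assumption.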
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 863e0321f2..114d4497af 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 @@ -378,7 +378,10 @@ function Set-TargetResource $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration -BodyParameter $CreateParameters $intuneAssignments = @() - $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } $body = @{'enrollmentConfigurationAssignments' = $intuneAssignments} | ConvertTo-Json -Depth 100 $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($policy.Id)/assign" Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop @@ -413,7 +416,10 @@ function Set-TargetResource if ($currentInstance.Id -notlike '*_DefaultWindows10EnrollmentCompletionPageConfiguration') { $intuneAssignments = @() - $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } $body = @{'enrollmentConfigurationAssignments' = $intuneAssignments} | ConvertTo-Json -Depth 100 $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($currentInstance.Id)/assign" Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 index 0e77a3a018..4d470dca8b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 @@ -354,7 +354,11 @@ function Set-TargetResource $policy = New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile -BodyParameter $CreateParameters #endregion #region new Intune assignment management - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` 
@@ -390,8 +394,11 @@ function Set-TargetResource #region new Intune assignment management $currentAssignments = @() $currentAssignments += Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $currentInstance.id - - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 index f793202203..c2e37ac03f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 @@ -353,7 +353,11 @@ function Set-TargetResource #endregion #region new Intune assignment management - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { New-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment ` 
@@ -391,7 +395,11 @@ function Set-TargetResource $currentAssignments = @() $currentAssignments += Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment -WindowsAutopilotDeploymentProfileId $currentInstance.id - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 index 1f822399b4..b7820142cc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 
@@ -677,7 +677,11 @@ function Set-TargetResource $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters #endregion #region new Intune assignment management - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { New-MgBetaDeviceManagementDeviceConfigurationAssignmentAssignment ` @@ -714,7 +718,11 @@ function Set-TargetResource $currentAssignments = @() $currentAssignments += Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $currentInstance.id - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $Assignments + $intuneAssignments = @() + if($null -ne $Assignments -and $Assignments.count -gt 0) + { + $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments + } foreach ($assignment in $intuneAssignments) { if ( $null -eq ($currentAssignments | Where-Object { $_.Target.AdditionalProperties.groupId -eq $assignment.Target.groupId -and $_.Target.AdditionalProperties."@odata.type" -eq $assignment.Target.'@odata.type' })) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 0875317580..307b4280a5 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1272,7 +1272,7 @@ function Update-DeviceConfigurationPolicyAssignment $deviceManagementPolicyAssignments += @{'target' = $formattedTarget} } $body = @{'assignments' = $deviceManagementPolicyAssignments} | ConvertTo-Json -Depth 20 - write-verbose -Message $body + #write-verbose -Message $body Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop } catch 
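Review bot: The context line `New-MgBetaDeviceManagementDeviceConfigurationAssignmentAssignment` in the create path (hunk `@@ -677,7 +677,11 @@`) looks like a typo, since the device configuration resource patched earlier in this commit calls `New-MgBetaDeviceManagementDeviceConfigurationAssignment` for the same step. If the doubled name does not resolve to a command, a new update ring would be created without any of its assignments, and this commit leaves that untouched. Worth confirming the cmdlet name and correcting it to `New-MgBetaDeviceManagementDeviceConfigurationAssignment` while the block is being edited.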
From f18abeb5699ca7fb1026cfb4974f5d2161d192f6 Mon Sep 17 00:00:00 2001 From: William-francillette Date: Tue, 28 Nov 2023 10:22:48 +0000 Subject: [PATCH 35/49] fix policy removal --- .../MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index 0c383ef33f..cd9aacadb5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 @@ -910,8 +910,8 @@ function Set-TargetResource } elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present') { - Write-Verbose -Message "Removing Endpoint Protection Policy {$currentPolicy.DisplayName}" - Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity + Write-Verbose -Message "Removing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentPolicy.Identity } } From 8299846da42e49af89ca88253740d5319ecc749f Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 28 Nov 2023 12:14:49 +0000 Subject: [PATCH 36/49] Updated Resources and Cmdlet documentation pages --- ...eAccountProtectionLocalAdministratorPasswordSolutionPolicy.md | 1 + .../IntuneAccountProtectionLocalUserGroupMembershipPolicy.md | 1 + docs/docs/resources/intune/IntuneAccountProtectionPolicy.md | 1 + 3 files changed, 3 insertions(+) 
diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md index 7160360ba9..a09adf9fb5 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md @@ -38,6 +38,7 @@ | **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | | **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | | **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | | **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md index 0c51678e2e..66f885fa15 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md 
@@ -27,6 +27,7 @@ | **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | | **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | | **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | | **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | ### MSFT_IntuneAccountProtectionLocalUserGroupCollection diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md index 60fca3ae0e..d9299c7cbf 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md @@ -41,6 +41,7 @@ | **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | | **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | | **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | | **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | From 5825616c7420f7ae0cbff13b1c6a28f0264e6f15 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 28 Nov 2023 08:02:25 -0500 Subject: [PATCH 37/49] Updated DSCParser to 1.4.0.1 --- CHANGELOG.md | 1 + Modules/Microsoft365DSC/Dependencies/Manifest.psd1 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index fba20b8d3b..3a18d2f1e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ FIXES [3913](https://github.com/microsoft/Microsoft365DSC/issues/3913) * Add groupDisplayName to Assignments embedded instance * DEPENDENCIES + * Updated DSCParser to version 1.4.0.1. * Updated Microsoft.Graph to version 2.10.0. * Updated MSCloudLoginAssistant to version 1.1.0. diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 3452140bf4..13a06f6b2e 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -2,7 +2,7 @@ Dependencies = @( @{ ModuleName = 'DSCParser' - RequiredVersion = '1.4.0.0' + RequiredVersion = '1.4.0.1' }, @{ ModuleName = 'ExchangeOnlineManagement' From f01850d0c6f0174d45765a724942ecf765d06fea Mon Sep 17 00:00:00 2001 From: Philippe Kernevez Date: Tue, 14 Nov 2023 14:21:19 +0100 Subject: [PATCH 38/49] Application Ids are strings not objects --- CHANGELOG.md | 3 +++ .../MSFT_TeamsComplianceRecordingPolicy.psm1 | 2 +- .../1-TeamsComplianceRecordingPolicy-Example.ps1 | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a18d2f1e6..ebc1598681 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -74,6 +74,9 @@ * Added a QA check to test if all used subclasses actually exist in the MOF schema. * DEPENDENCIES * Updated Microsoft. Graph dependencies to version 2.9.0. +* TeamsTeam + * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] + FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) # 1.23.1108.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1 index 14e0c8c493..896913588e 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1 @@ -81,7 +81,7 @@ function Get-TargetResource } $recordApplicationIds = @() foreach ($app in $recordingApplications) { - $recordApplicationIds += @{Id=$app.Id} + $recordApplicationIds += $app.Id } Write-Verbose -Message "Found an instance with Identity {$Identity}" diff --git a/Modules/Microsoft365DSC/Examples/Resources/TeamsComplianceRecordingPolicy/1-TeamsComplianceRecordingPolicy-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/TeamsComplianceRecordingPolicy/1-TeamsComplianceRecordingPolicy-Example.ps1 index 0e67e0222e..2c979de26e 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/TeamsComplianceRecordingPolicy/1-TeamsComplianceRecordingPolicy-Example.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/TeamsComplianceRecordingPolicy/1-TeamsComplianceRecordingPolicy-Example.ps1 @@ -16,7 +16,7 @@ Configuration Example { TeamsComplianceRecordingPolicy 'Example' { - ComplianceRecordingApplications = @(); + ComplianceRecordingApplications = @('qwertzuio-abcd-abcd-abcd-qwertzuio'); Credential = $Credscredential; DisableComplianceRecordingAudioNotificationForCalls = $False; Enabled = $False; From 7f31077a10050509707ca1c0f711f90f6267a5f6 Mon Sep 17 00:00:00 2001 From: Philippe Kernevez Date: Thu, 16 Nov 2023 08:10:42 +0100 Subject: [PATCH 39/49] Fix tests --- ...crosoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 index 6ea4b41bd0..a9b3c2da36 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 @@ -63,7 +63,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Description = 'FakeStringValue' Enabled = $True DisableComplianceRecordingAudioNotificationForCalls = $True - ComplianceRecordingApplications = @(@{Id="123456"}) + ComplianceRecordingApplications = @("123456") Identity = 'FakeStringValue' Ensure = 'Present' Credential = $Credential @@ -95,7 +95,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Description = 'FakeStringValue' Enabled = $True DisableComplianceRecordingAudioNotificationForCalls = $True - ComplianceRecordingApplications = @(@{Id='123456'}) + ComplianceRecordingApplications = @('123456') Identity = 'FakeStringValue' Ensure = 'Absent' Credential = $Credential @@ -147,7 +147,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Description = 'FakeStringValue' Enabled = $True DisableComplianceRecordingAudioNotificationForCalls = $True - ComplianceRecordingApplications = @(@{Id='123456'}) + ComplianceRecordingApplications = @('123456') Identity = 'FakeStringValue' Ensure = 'Present' Credential = $Credential @@ -184,7 +184,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Description = 'FakeStringValue' Enabled = $True DisableComplianceRecordingAudioNotificationForCalls = $True - ComplianceRecordingApplications = @{Id='123456'} + ComplianceRecordingApplications = @('123456') Identity = 'FakeStringValue' Ensure = 'Present' Credential = $Credential From d4cc1dee11cc4611c4fc16ebdda76d5e0bd5aede Mon Sep 17 00:00:00 2001 From: Philippe Kernevez Date: Thu, 16 Nov 2023 11:01:29 +0100 Subject: [PATCH 40/49] Fix 2nd part --- .../Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 index a9b3c2da36..beeb3ecff5 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsComplianceRecordingPolicy.Tests.ps1 @@ -124,7 +124,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $Result = (Get-TargetResource @testParams) $Result.Ensure | Should -Be 'Present' $Result.ComplianceRecordingApplications.Length | Should -Be 1 - $Result.ComplianceRecordingApplications[0].Id | Should -Be '123456' + $Result.ComplianceRecordingApplications[0] | Should -Be '123456' Should -Invoke -CommandName Get-CsTeamsComplianceRecordingPolicy -Exactly 1 Should -Invoke -CommandName Get-CsTeamsComplianceRecordingApplication -ParameterFilter {$Filter -eq 'FakeStringValue/*'} -Exactly 1 From 20d115887165d2d16869343dd31804e7542638e4 Mon Sep 17 00:00:00 2001 From: Philippe Kernevez Date: Tue, 28 Nov 2023 20:24:15 +0100 Subject: [PATCH 41/49] Fix merge --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebc1598681..c29bf9e032 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,9 @@ * Updated DSCParser to version 1.4.0.1. * Updated Microsoft.Graph to version 2.10.0. * Updated MSCloudLoginAssistant to version 1.1.0. +* TeamsTeam + * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] + FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) # 1.23.1122.1 
@@ -74,9 +77,6 @@ * Added a QA check to test if all used subclasses actually exist in the MOF schema. * DEPENDENCIES * Updated Microsoft. Graph dependencies to version 2.9.0. -* TeamsTeam - * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] - FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) # 1.23.1108.1 From 1559a96bbda293878b226dfc744cfb95277e85ec Mon Sep 17 00:00:00 2001 From: William-francillette Date: Wed, 29 Nov 2023 09:45:13 +0000 Subject: [PATCH 42/49] restrict policy scope in export - fix3955 --- .../MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index cd9aacadb5..76d31bcbf7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 
@@ -1418,11 +1418,12 @@ function Export-TargetResource try { $templateFamily = 'endpointSecurityAntivirus' + $templateReferences = "d948ff9b-99cb-4ee0-8012-1fbc09685377_1", "e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1", "45fea5e9-280d-4da1-9792-fb5736da0ca9_1","804339ad-1553-4478-a742-138fb5807418_1" [array]$policies = Get-MgBetaDeviceManagementConfigurationPolicy ` -ErrorAction Stop ` -All:$true ` -Filter $Filter - $policies = $policies | Where-Object -FilterScript { $_.TemplateReference.TemplateFamily -eq $templateFamily } + $policies = $policies | Where-Object -FilterScript { $_.TemplateReference.TemplateFamily -eq $templateFamily -and $_.TemplateReference.TemplateId -in $templateReferences } if ($policies.Length -eq 0) { From 0bf094c5a7d8e2c41e258ea1a97ca4d872a310e6 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 30 Nov 2023 12:28:19 +0000 Subject: [PATCH 43/49] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/teams/TeamsComplianceRecordingPolicy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/resources/teams/TeamsComplianceRecordingPolicy.md b/docs/docs/resources/teams/TeamsComplianceRecordingPolicy.md index 49ba97567f..26161a2add 100644 --- a/docs/docs/resources/teams/TeamsComplianceRecordingPolicy.md +++ b/docs/docs/resources/teams/TeamsComplianceRecordingPolicy.md @@ -68,7 +68,7 @@ Configuration Example { TeamsComplianceRecordingPolicy 'Example' { - ComplianceRecordingApplications = @(); + ComplianceRecordingApplications = @('qwertzuio-abcd-abcd-abcd-qwertzuio'); Credential = $Credscredential; DisableComplianceRecordingAudioNotificationForCalls = $False; Enabled = $False; From ba925630002515e4d5f654fbc8ab28eafe77054c Mon Sep 17 00:00:00 2001 
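Review bot: The new `$templateReferences` allow-list in `Export-TargetResource` hard-codes four template ids without saying which antivirus templates they stand for. Any `endpointSecurityAntivirus` policy built on a different id is now left out of the export with no message. For a tool used to capture security baselines that gap is easy to miss, so I would add a comment above the list such as `# Template ids this resource can export; other endpointSecurityAntivirus templates are skipped` and name each id's template beside it. A `Write-Verbose` line for every policy rejected by the `-in $templateReferences` test would make the skip visible in a run log. The rest of the function lies outside the hunk.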
From: Nik Charlebois Date: Thu, 30 Nov 2023 12:38:11 +0000 Subject: [PATCH 44/49] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/azure-ad/AADGroup.md | 2 ++ docs/docs/resources/azure-ad/AADUser.md | 44 ++++++++++++++++++++++-- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADGroup.md b/docs/docs/resources/azure-ad/AADGroup.md index 29ab0daae0..b0e0de8461 100644 --- a/docs/docs/resources/azure-ad/AADGroup.md +++ b/docs/docs/resources/azure-ad/AADGroup.md @@ -41,6 +41,8 @@ This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups. +If using with AADUser, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADUser + ## Permissions ### Microsoft Graph diff --git a/docs/docs/resources/azure-ad/AADUser.md b/docs/docs/resources/azure-ad/AADUser.md index b33fe966cd..3bad6dfaf6 100644 --- a/docs/docs/resources/azure-ad/AADUser.md +++ b/docs/docs/resources/azure-ad/AADUser.md @@ -16,6 +16,7 @@ | **Country** | Write | String | The Country name of the user | | | **Department** | Write | String | The Department name of the user | | | **Fax** | Write | String | The Fax Number of the user | | +| **MemberOf** | Write | StringArray[] | The Groups that the user is a direct member of | | | **MobilePhone** | Write | String | The Mobile Phone Number of the user | | | **Office** | Write | String | The Office Name of the user | | | **PasswordNeverExpires** | Write | Boolean | Specifies whether the user password expires periodically. Default value is false | | 
@@ -37,7 +38,9 @@ ## Description -This resource allows users to create Azure AD Users and assign them licenses. +This resource allows users to create Azure AD Users and assign them licenses, roles and/or groups. + +If using with AADGroup, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADGroup ## Permissions @@ -49,11 +52,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - RoleManagement.Read.Directory, User.Read.All + - RoleManagement.Read.Directory, User.Read.All, Group.Read.All, GroupMember.Read.All - **Update** - - Organization.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory, User.Read.All, User.ReadWrite.All + - Organization.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory, User.Read.All, Group.Read.All, GroupMember.Read.All, User.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All #### Application permissions @@ -102,3 +105,38 @@ Configuration Example } ``` +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $credsGlobalAdmin + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUser 'ConfigureJohnSMith' + { + UserPrincipalName = "John.Smith@O365DSC1.onmicrosoft.com" + FirstName = "John" + LastName = "Smith" + DisplayName = "John J. Smith" + City = "Gatineau" + Country = "Canada" + Office = "Ottawa - Queen" + MemberOf = @('Group-M365-Standard-License', 'Group-PowerBI-Pro-License') + UsageLocation = "US" + Ensure = "Present" + Credential = $credsGlobalAdmin + } + } +} +``` + 
From ccabc5458c43fe1c22571f8aeae609ae5bc99cd0 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 30 Nov 2023 12:14:23 -0500 Subject: [PATCH 45/49] Various Fixes --- CHANGELOG.md | 47 ++-- .../MSFT_AADAttributeSet.psm1 | 12 +- .../MSFT_AADAttributeSet/settings.json | 4 +- ...SFT_AADRoleEligibilityScheduleRequest.psm1 | 34 ++- .../MSFT_IntuneDeviceCleanupRule.psm1 | 3 +- .../MSFT_IntunePolicySets.psm1 | 20 +- .../MSFT_M365DSCRuleEvaluation.psm1 | 1 + .../Modules/M365DSCReverse.psm1 | 36 ++- .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 212 +++++++++--------- 9 files changed, 219 insertions(+), 150 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 830057e90c..df0ce3685e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,14 +2,18 @@ # UNRELEASED -* IntuneAntivirusPolicyWindows10SettingCatalog - * Skipped settingValueTemplateReference and settingInstanceTemplateReference for severethreats, highseveritythreats, moderateseveritythreats, lowseveritythreats as per API requirements observed in the Intune portal - FIXES [#3818](https://github.com/microsoft/Microsoft365DSC/issues/3818) - FIXES [#3955](https://github.com/microsoft/Microsoft365DSC/issues/3955) * AADRoleSetting * Export sorted by DisplayName for better comparison * Enable Filter property to be used on export FIXES [#3919](https://github.com/microsoft/Microsoft365DSC/issues/3919) +* AADUser + * Added the MemberOf Property. +* IntuneAntivirusPolicyWindows10SettingCatalog + * Skipped settingValueTemplateReference and settingInstanceTemplateReference + for severethreats, highseveritythreats, moderateseveritythreats, + lowseveritythreats as per API requirements observed in the Intune portal. + FIXES [#3818](https://github.com/microsoft/Microsoft365DSC/issues/3818) + FIXES [#3955](https://github.com/microsoft/Microsoft365DSC/issues/3955) * IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy, IntuneAccountProtectionLocalUserGroupMembershipPolicy, IntuneAccountProtectionPolicy, 
@@ -24,36 +28,37 @@ IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, IntuneWindowsAutopilotDeploymentProfileAzureADJoined * Removed Id and all authentication parameters from PSBoundParameters in Test-TargetResource - FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) -* DEPENDENCIES - * Updated DSCParser to version 1.4.0.1. - * Updated Microsoft.Graph to version 2.10.0. - * Updated MSCloudLoginAssistant to version 1.1.0. -* TeamsTeam - * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] - FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) -* M365DSCDRGUtil - * Added ConvertFrom-IntunePolicyAssignment and ConvertTo-IntunePolicyAssignment - FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) * IntuneWindowsAutopilotDeploymentProfileAzureADJoined * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment - FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) * IntuneDeviceEnrollmentStatusPageWindows10 * Fixed assignments using API call - FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) * IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment - FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) * IntuneWindowsAutopilotDeploymentProfileAzureADJoined * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment - FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + FIXES 
[#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) * IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10 * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment * IntuneDeviceConfigurationPolicyWindows10 - FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) * IntuneDeviceEnrollmentStatusPageWindows10 * Fixed assignments using API call - FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) +* TeamsTeam + * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] + FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) +* DEPENDENCIES + * Updated DSCParser to version 1.4.0.1. + * Updated Microsoft.Graph to version 2.10.0. + * Updated MSCloudLoginAssistant to version 1.1.0. +* MISC + * M365DSCDRGUtil + * Added ConvertFrom-IntunePolicyAssignment and ConvertTo-IntunePolicyAssignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) # 1.23.1122.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/MSFT_AADAttributeSet.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/MSFT_AADAttributeSet.psm1 index 47173e12ac..e7f4611617 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/MSFT_AADAttributeSet.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/MSFT_AADAttributeSet.psm1 
@@ -363,13 +363,19 @@ function Export-TargetResource } catch { - Write-Host $Global:M365DSCEmojiRedX - - New-M365DSCLogEntry -Message 'Error during Export:' ` + if ($_.ErrorDetails.Message -like "*Insufficient privileges*") + { + Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) Insufficient permissions or license to export Attribute Sets." + } + else + { + Write-Host $Global:M365DSCEmojiRedX + New-M365DSCLogEntry -Message 'Error during Export:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential + } return '' } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/settings.json index 9d211172e0..227706211e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/settings.json @@ -3,10 +3,10 @@ "description": "Represents a group of related custom security attribute definitions.", "roles": { "read": [ - "Security Reader" + "Attribute Definition Reader" ], "update": [ - "Authentication Policy Administrator" + "Attribute Definition Administrator" ] }, "permissions": { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 index 75a152c5a8..6e1e50dcaa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 
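Review bot: The new `Insufficient privileges` branch of the `catch` in `Export-TargetResource` prints a console warning and returns `''` without calling `New-M365DSCLogEntry`. A run with a missing permission therefore leaves no log record and produces the same empty result as a tenant that has no attribute sets. I would keep the `New-M365DSCLogEntry -Message 'Error during Export:' -Exception $_ ...` call ahead of the `if` so both branches log, and vary only the console output. Matching on the English text of `$_.ErrorDetails.Message` is also fragile if the service wording changes. The same pattern appears in the `@@ -814,15 +823,20 @@` hunk of MSFT_AADRoleEligibilityScheduleRequest.psm1 and the `@@ -656,13 +656,21 @@` hunk of MSFT_IntunePolicySets.psm1.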
@@ -188,6 +188,14 @@ } if ($null -eq $schedule -or $null -eq $request) { + if ($null -eq $schedule) + { + Write-Verbose -Message "Could not retrieve the schedule for {$($request.PrincipalId)} & RoleDefinitionId {$RoleDefinitionId}" + } + if ($null -eq $request) + { + Write-Verbose -Message "Could not request the schedule for {$RoleDefinition}" + } return $nullResult } @@ -211,6 +219,7 @@ if ($null -eq $PrincipalInstance) { + Write-Verbose -Message "Couldn't retrieve Principal {$($request.PrincipalId)}" return $nullResult } @@ -298,7 +307,7 @@ } catch { - Write-Verbose "Verbose: $($_.ErrorDetails.Message)" + Write-Verbose "Error: $($_.ErrorDetails.Message)" New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` @@ -814,15 +823,20 @@ function Export-TargetResource } catch { - Write-Verbose -Message "Exception: $($_.Exception.Message)" - - Write-Host $Global:M365DSCEmojiRedX - - New-M365DSCLogEntry -Message 'Error during Export:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential + if ($_.ErrorDetails.Message -like "*The tenant needs an AAD Premium*") + { + Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) Tenant does not meet license requirement to extract this component." + } + else + { + Write-Verbose -Message "Exception: $($_.Exception.Message)" + Write-Host $Global:M365DSCEmojiRedX + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + } return '' } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCleanupRule/MSFT_IntuneDeviceCleanupRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCleanupRule/MSFT_IntuneDeviceCleanupRule.psm1 index f60d059e3f..a37c05d228 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCleanupRule/MSFT_IntuneDeviceCleanupRule.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCleanupRule/MSFT_IntuneDeviceCleanupRule.psm1 @@ -376,7 +376,8 @@ function Export-TargetResource } catch { - if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*") + if ($_.Exception -like "*401*" -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or + $_.Exception -like "* Unauthorized*") { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 index adcdbc45b6..e33eab8210 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 @@ -656,13 +656,21 @@ function Export-TargetResource } catch { - Write-Host $Global:M365DSCEmojiRedX + if ($_.Exception -like "*401*" -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or + $_.Exception -like "* Unauthorized*") + { + Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." + } + else + { + Write-Host $Global:M365DSCEmojiRedX - New-M365DSCLogEntry -Message 'Error during Export:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + } return '' } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index 793817f0af..01a227e082 100644 
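Review bot: The widened test in the `catch` of MSFT_IntuneDeviceCleanupRule.psm1 (`$_.Exception -like "* Unauthorized*"`, next to the existing `*401*` match) sends authentication and authorization failures to the message 'The current tenant is not registered for Intune'. That points the operator at licensing when the cause may be an expired or under-privileged credential. I would word the message to cover both causes, e.g. `"The current tenant is not registered for Intune, or the account is not authorized to read it."`, or split the two conditions into separate branches. The `*401*` wildcard also matches any exception text that merely contains those digits. The MSFT_IntunePolicySets.psm1 hunk on this line copies the same condition, and the `else` branch of the first hunk is outside the visible lines.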
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 @@ -289,6 +289,7 @@ function Export-TargetResource [Switch] $ManagedIdentity ) + Write-Host "`r`n" -NoNewline return $null } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 index 7c3d9e9d6d..f9e589b770 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 @@ -146,6 +146,13 @@ function Start-M365DSCConfigurationExtract Write-Host -Object '- Credentials' $AuthMethods += 'Credentials' } + if ($null -ne $Credential -and ` + [System.String]::IsNullOrEmpty($ApplicationId) -and ` + -not [System.String]::IsNullOrEmpty($TenantId)) + { + Write-Host -Object '- Credentials with Tenant Id' + $AuthMethods += 'CredentialsWithTenantId' + } if ($null -ne $Credential -and ` -not [System.String]::IsNullOrEmpty($ApplicationId)) { @@ -232,7 +239,7 @@ function Start-M365DSCConfigurationExtract Write-Host '[WARNING]' -NoNewline -ForegroundColor Yellow Write-Host ' Based on the provided Authentication parameters, the following resources cannot be extracted: ' -ForegroundColor Gray - Write-Host "$resourcesNotSupported" -ForegroundColor Gray + Write-Host "$($resourcesNotSupported -join ',')" -ForegroundColor Gray # If all selected resources are not valid based on the authentication method used, simply return. if ($ComponentsToSkip.Length -eq $selectedResources.Length) @@ -409,7 +416,7 @@ function Start-M365DSCConfigurationExtract -Value $ApplicationSecret ` -Description 'Azure AD Application Secret for Authentication' } - { $_ -in 'Credentials', 'CredentialsWithApplicationId' } + { $_ -in 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId' } { if ($newline) { 
@@ -485,9 +492,15 @@ function Start-M365DSCConfigurationExtract if ((($Components -and ($Components -contains $resourceName)) -or $AllComponents -or ` (-not $Components -and $null -eq $Workloads)) -and ` ($ComponentsSpecified -or ($ComponentsToSkip -notcontains $resourceName)) -and ` - $resourcesNotSupported -notcontains $resourceName) + $resourcesNotSupported -notcontains $resourceName -and ` + -not $resourceName.StartsWith("M365DSC")) { - $ResourcesToExport += $ResourceName + $authMethod = $allSupportedResourcesWithMostSecureAuthMethod | Where-Object -FilterScript {$_.Resource -eq $ResourceName} + $resourceInfo = @{ + Name = $ResourceName + AuthenticationMethod = $authMethod.AuthMethod + } + $ResourcesToExport += $resourceInfo $ResourcesPath += $ResourceModule } } @@ -506,9 +519,9 @@ function Start-M365DSCConfigurationExtract } foreach ($Workload in $WorkloadsToConnectTo) { - Write-Host "Connecting to {$Workload}..." -NoNewline + Write-Host "Connecting to {$($Workload.Name)}..." -NoNewline $ConnectionParams = @{ - Workload = $Workload + Workload = $Workload.Name ApplicationId = $ApplicationId ApplicationSecret = $ApplicationSecret TenantId = $TenantId @@ -519,6 +532,12 @@ function Start-M365DSCConfigurationExtract Identity = $ManagedIdentity.IsPresent } + if ($workload.AuthenticationMethod -eq 'Credentials') + { + $ConnectionParams.Remove('TenantId') | Out-Null + $ConnectionParams.Remove('ApplicationId') | Out-Null + } + try { Connect-M365Tenant @ConnectionParams | Out-Null @@ -570,6 +589,11 @@ function Start-M365DSCConfigurationExtract } $parameters.Add('Credential', $Credential) } + 'CredentialsWithTenantId' + { + $parameters.Add('Credential', $Credential) + $parameters.Add('TenantId', $TenantId) + } 'ManagedIdentity' { $parameters.Add('ManagedIdentity', $ManagedIdentity) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 673407432a..acd30fb124 100644 
--- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -1216,14 +1216,6 @@ function Export-M365DSCConfiguration return } - if ($PSBoundParameters.ContainsKey('ApplicationId') -eq $false -and ` - $ManagedIdentity.IsPresent -eq $false -and ` - $PSBoundParameters.ContainsKey('TenantId') -eq $true) - { - Write-Host -Object '[ERROR] You have to specify ApplicationId when you specify TenantId' -ForegroundColor Red - return - } - if ($PSBoundParameters.ContainsKey('ApplicationId') -eq $true -and ` $PSBoundParameters.ContainsKey('TenantId') -eq $true -and ` ($PSBoundParameters.ContainsKey('CertificateThumbprint') -eq $false -and ` @@ -1712,14 +1704,13 @@ function New-M365DSCConnection # Case both authentication methods are attempted if ($null -ne $InboundParameters.Credential -and ` - (-not [System.String]::IsNullOrEmpty($InboundParameters.TenantId) -or ` - -not [System.String]::IsNullOrEmpty($InboundParameters.CertificateThumbprint))) + -not [System.String]::IsNullOrEmpty($InboundParameters.CertificateThumbprint)) { $message = 'Both Authentication methods are attempted' Write-Verbose -Message $message $data.Add('Event', 'Error') $data.Add('Exception', $message) - $errorText = "You can't specify both the Credential and one of {TenantId, CertificateThumbprint}" + $errorText = "You can't specify both the Credential and CertificateThumbprint" $data.Add('CustomMessage', $errorText) Add-M365DSCTelemetryEvent -Type 'Error' -Data $data throw $errorText 
@@ -1865,22 +1856,8 @@ function New-M365DSCConnection } #endregion - # Case both authentication methods are attempted - if ($null -ne $InboundParameters.Credential -and ` - (-not [System.String]::IsNullOrEmpty($InboundParameters.TenantId) -or ` - -not [System.String]::IsNullOrEmpty($InboundParameters.CertificateThumbprint))) - { - $message = 'Both Authentication methods are attempted' - Write-Verbose -Message $message - $data.Add('Event', 'Error') - $data.Add('Exception', $message) - $errorText = "You can't specify both the Credential and one of {TenantId, CertificateThumbprint}" - $data.Add('CustomMessage', $errorText) - Add-M365DSCTelemetryEvent -Type 'Error' -Data $data - throw $errorText - } # Case no authentication method is specified - elseif ($null -eq $InboundParameters.Credential -and ` + if ($null -eq $InboundParameters.Credential -and ` [System.String]::IsNullOrEmpty($InboundParameters.ApplicationId) -and ` [System.String]::IsNullOrEmpty($InboundParameters.TenantId) -and ` [System.String]::IsNullOrEmpty($InboundParameters.CertificateThumbprint)) 
@@ -1895,58 +1872,14 @@ function New-M365DSCConnection Add-M365DSCTelemetryEvent -Type 'Error' -Data $data throw $errorText } - # Case only Credential is specified - elseif ($null -ne $InboundParameters.Credential -and ` - [System.String]::IsNullOrEmpty($InboundParameters.ApplicationId) -and ` - [System.String]::IsNullOrEmpty($InboundParameters.TenantId) -and ` - [System.String]::IsNullOrEmpty($InboundParameters.CertificateThumbprint)) + else { - Write-Verbose -Message 'Credential was specified. Connecting via User Principal' - if ([System.String]::IsNullOrEmpty($Url)) - { - Connect-M365Tenant -Workload $Platform ` - -Credential $InboundParameters.Credential ` - -SkipModuleReload $Global:CurrentModeIsExport - } - else - { - Connect-M365Tenant -Workload $Platform ` - -Credential $InboundParameters.Credential ` - -ConnectionUrl $Url ` - -SkipModuleReload $Global:CurrentModeIsExport - } - - $data.Add('ConnectionType', 'Credential') - try - { - $tenantId = $InboundParameters.Credential.Username.Split('@')[1] - $data.Add('Tenant', $tenantId) - } - catch - { - Write-Verbose -Message $_ - } + $data.Add('ConnectionType', 'ServicePrincipalWithPath') + $data.Add('Tenant', $InboundParameters.TenantId) Add-M365DSCTelemetryEvent -Data $data -Type 'Connection' - return 'Credentials' - } - # Case only the ApplicationID and Credentials parameters are specified - elseif ($null -ne $InboundParameters.Credential -and ` - -not [System.String]::IsNullOrEmpty($InboundParameters.ApplicationId)) - { - Connect-M365Tenant -Workload $Workload ` - -ApplicationId $InboundParameters.ApplicationId ` - -TenantId $InboundParameters.TenantId ` - -CertificatePassword $InboundParameters.CertificatePassword.Password ` - -CertificatePath $InboundParameters.CertificatePath ` - -Url $Url ` - -SkipModuleReload $Global:CurrentModeIsExport + return 'ServicePrincipalWithPath' } - $data.Add('ConnectionType', 'ServicePrincipalWithPath') - $data.Add('Tenant', $InboundParameters.TenantId) - 
Add-M365DSCTelemetryEvent -Data $data -Type 'Connection' - - return 'ServicePrincipalWithPath' } # Case only the ApplicationSecret, TenantId and ApplicationID are specified elseif ($null -eq $InboundParameters.Credential -and ` @@ -2000,6 +1933,17 @@ function New-M365DSCConnection Add-M365DSCTelemetryEvent -Data $data -Type 'Connection' return 'ServicePrincipalWithThumbprint' } + # Case only the TenantId and Credentials parameters are specified + elseif ($null -ne $InboundParameters.Credential -and ` + -not [System.String]::IsNullOrEmpty($InboundParameters.TenantId)) + { + Connect-M365Tenant -Workload $Workload ` + -TenantId $InboundParameters.TenantId ` + -Credential $InboundParameters.Credential ` + -Url $Url ` + -SkipModuleReload $Global:CurrentModeIsExport + return "CredentialsWithTenantId" + } # Case only Managed Identity and TenantId are specified elseif ($InboundParameters.ManagedIdentity -and ` -not [System.String]::IsNullOrEmpty($InboundParameters.TenantId)) @@ -3062,7 +3006,7 @@ function Update-M365DSCExportAuthenticationResults ( [Parameter(Mandatory = $true)] [System.String] - [ValidateSet('ServicePrincipalWithThumbprint', 'ServicePrincipalWithSecret', 'ServicePrincipalWithPath', 'CredentialsWithApplicationId', 'Credentials', 'ManagedIdentity')] + [ValidateSet('ServicePrincipalWithThumbprint', 'ServicePrincipalWithSecret', 'ServicePrincipalWithPath', 'CredentialsWithTenantId', 'CredentialsWithApplicationId', 'Credentials', 'ManagedIdentity')] $ConnectionMode, [Parameter(Mandatory = $true)] 
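Review bot: After the `@@ -1895,58 +1872,14 @@` change, the only outcomes visible in this block are the 'no authentication method' throw and an `else` that records and returns `'ServicePrincipalWithPath'`. Any non-empty parameter combination that reaches it, including a bare `Credential`, is therefore reported as a certificate-path connection. The removed lines also held the only `Connect-M365Tenant` calls visible here; if the connection is not made earlier in the enclosing branch (its start is outside the hunk), the caller gets a connection mode back without a session. I would either confirm in a comment that the enclosing condition already guarantees `CertificatePath`, or make the guard explicit with `elseif (-not [System.String]::IsNullOrEmpty($InboundParameters.CertificatePath))`.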
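Review bot: The new `CredentialsWithTenantId` branch in the `@@ -2000,6 +1933,17 @@` hunk tests only `Credential` and `TenantId`. Unless an earlier branch already caught it, a call that also passes `ApplicationId` lands here and the application id is dropped without notice. M365DSCReverse.psm1 in this same commit requires `ApplicationId` to be empty before it selects this mode, so adding `[System.String]::IsNullOrEmpty($InboundParameters.ApplicationId) -and` to the condition would keep the two in step. Unlike the `ServicePrincipalWithThumbprint` branch just above it, this one returns without `$data.Add('ConnectionType', 'CredentialsWithTenantId')` and `Add-M365DSCTelemetryEvent -Data $data -Type 'Connection'`, so the mode is missing from connection telemetry. The rest of the `elseif` chain is outside the hunk.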
@@ -3102,6 +3046,30 @@ function Update-M365DSCExportAuthenticationResults $Results.Remove('CertificatePassword') | Out-Null } } + elseif ($ConnectionMode -eq 'CredentialsWithTenantId') + { + $Results.Credential = Resolve-Credentials -UserName 'credential' + if ($Results.ContainsKey('ApplicationId')) + { + $Results.Remove('ApplicationId') | Out-Null + } + if ($Results.ContainsKey('ApplicationSecret')) + { + $Results.Remove('ApplicationSecret') | Out-Null + } + if ($Results.ContainsKey('CertificateThumbprint')) + { + $Results.Remove('CertificateThumbprint') | Out-Null + } + if ($Results.ContainsKey('CertificatePath')) + { + $Results.Remove('CertificatePath') | Out-Null + } + if ($Results.ContainsKey('CertificatePassword')) + { + $Results.Remove('CertificatePassword') | Out-Null + } + } else { if ($Results.ContainsKey('Credential') -and $ConnectionMode -ne 'CredentialsWithApplicationId') @@ -3225,7 +3193,7 @@ function Get-M365DSCExportContentForResource [Parameter(Mandatory = $true)] [System.String] - [ValidateSet('ServicePrincipalWithThumbprint', 'ServicePrincipalWithSecret', 'ServicePrincipalWithPath', 'CredentialsWithApplicationId', 'Credentials', 'ManagedIdentity')] + [ValidateSet('ServicePrincipalWithThumbprint', 'ServicePrincipalWithSecret', 'ServicePrincipalWithPath', 'CredentialsWithTenantId', 'CredentialsWithApplicationId', 'Credentials', 'ManagedIdentity')] $ConnectionMode, [Parameter(Mandatory = $true)] @@ -3470,7 +3438,7 @@ function Get-M365DSCComponentsWithMostSecureAuthenticationType ( [Parameter()] [System.String[]] - [ValidateSet('ApplicationWithSecret', 'CertificateThumbprint', 'CertificatePath', 'Credentials', 'CredentialsWithApplicationId', 'ManagedIdentity')] + [ValidateSet('ApplicationWithSecret', 'CertificateThumbprint', 'CertificatePath', 'Credentials', 'CredentialsWithTenantId', 'CredentialsWithApplicationId', 'ManagedIdentity')] $AuthenticationMethod, [Parameter()] 
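Review bot: The `CredentialsWithTenantId` branch added to `Update-M365DSCExportAuthenticationResults` repeats the same `ContainsKey`/`Remove` pair five times. That makes it easy to forget a key when another secret-bearing parameter is introduced. Assuming `$Results` is a hashtable, where `Remove` on an absent key does nothing, the block can be a single loop: `foreach ($key in 'ApplicationId', 'ApplicationSecret', 'CertificateThumbprint', 'CertificatePath', 'CertificatePassword') { $Results.Remove($key) | Out-Null }`. A comment such as `# Keep only Credential and TenantId in the exported block; strip every other authentication value` would record why the keys are removed. The function's other branches are only partly visible in this hunk.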
@@ -3522,6 +3490,18 @@ function Get-M365DSCComponentsWithMostSecureAuthenticationType AuthMethod = 'ApplicationSecret' } } + # Case - Resource supports CredentialWithTenantId + elseif ($AuthenticationMethod.Contains('CredentialsWithTenantId') -and ` + $parameters.Contains('Credential') -and $parameters.Contains('TenantId') -and ` + -not $resource.Name.StartsWith('MSFT_SPO') -and ` + -not $resource.Name.StartsWith('MSFT_OD') -and ` + -not $resource.Name.StartsWith('MSFT_PP')) + { + $Components += @{ + Resource = $resource.Name -replace 'MSFT_', '' -replace '.psm1', '' + AuthMethod = 'CredentialsWithTenantId' + } + } # Case - Resource supports Credential using CredentialsWithApplicationId elseif ($AuthenticationMethod.Contains('CredentialsWithApplicationId') -and ` $parameters.Contains('Credential')) 
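Review bot: The `CredentialsWithTenantId` case excludes resources whose names start with `MSFT_SPO`, `MSFT_OD` or `MSFT_PP` without saying why. It also sits ahead of the `CredentialsWithApplicationId` case, so the tenant-id form wins when both methods are requested. In a function whose name promises the most secure method, both choices should be written down. I would add a comment above the `elseif` along the lines of `# Credential + TenantId: not offered for SPO, OD and PP resources (reason to be filled in by the author); checked before CredentialsWithApplicationId on purpose`. The surrounding `if`/`elseif` chain starts and ends outside the hunk.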
@@ -3628,89 +3608,119 @@ Public function Get-M365DSCWorkloadsListFromResourceNames { [CmdletBinding()] - [OutputType([System.Boolean])] + [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true, Position = 1)] - [String[]] + [System.Array] $ResourceNames ) [Array] $workloads = @() foreach ($resource in $ResourceNames) { - switch ($resource.Substring(0, 2).ToUpper()) + switch ($resource.Name.Substring(0, 2).ToUpper()) { 'AA' { - if (-not $workloads.Contains('MicrosoftGraph')) + if (-not $workloads.Name -or -not $workloads.Name.Contains('MicrosoftGraph')) { - $workloads += 'MicrosoftGraph' + $workloads += @{ + Name = 'MicrosoftGraph' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'EX' { - if (-not $workloads.Contains('ExchangeOnline')) + if (-not $workloads.Name -or -not $workloads.Name.Contains('ExchangeOnline')) { - $workloads += 'ExchangeOnline' + $workloads += @{ + Name = 'ExchangeOnline' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'In' { - if (-not $workloads.Contains('MicrosoftGraph')) + if (-not $workloads.Name -or -not $workloads.Name.Contains('MicrosoftGraph')) { - $workloads += 'MicrosoftGraph' + $workloads += @{ + Name = 'MicrosoftGraph' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'O3' { - if (-not $workloads.Contains('MicrosoftGraph') -and $resource -eq 'O365Group') + if (-not $workloads.Name -or -not $workloads.Name.Contains('MicrosoftGraph') -and $resource -eq 'O365Group') { - $workloads += 'MicrosoftGraph' + $workloads += @{ + Name = 'MicrosoftGraph' + AuthenticationMethod = $resource.AuthenticationMethod + } } - elseif (-not $workloads.Contains('ExchangeOnline')) + elseif (-not $workloads.Name -or -not $workloads.Name.Contains('ExchangeOnline')) { - $workloads += 'ExchangeOnline' + $workloads += @{ + Name = 'ExchangeOnline' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'OD' { - if (-not $workloads.Contains('PnP')) + if (-not $workloads.Name -or -not 
$workloads.Name.Contains('PnP')) { - $workloads += 'PnP' + $workloads += @{ + Name = 'PnP' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'Pl' { - if (-not $workloads.Contains('MicrosoftGraph')) + if (-not $workloads.Name -or -not $workloads.Name.Contains('MicrosoftGraph')) { - $workloads += 'MicrosoftGraph' + $workloads += @{ + Name = 'MicrosoftGraph' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'SP' { - if (-not $workloads.Contains('PnP')) + if (-not $workloads.Name -or -not $workloads.Name.Contains('PnP')) { - $workloads += 'PnP' + $workloads += @{ + Name = 'PnP' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'SC' { - if (-not $workloads.Contains('SecurityComplianceCenter')) + if (-not $workloads.Name -or -not $workloads.Name.Contains('SecurityComplianceCenter')) { - $workloads += 'SecurityComplianceCenter' + $workloads += @{ + Name = 'SecurityComplianceCenter' + AuthenticationMethod = $resource.AuthenticationMethod + } } } 'Te' { - if (-not $workloads.Contains('MicrosoftTeams')) + if (-not $workloads.Name -or -not $workloads.Name.Contains('MicrosoftTeams')) { - $workloads += 'MicrosoftTeams' + $workloads += @{ + Name = 'MicrosoftTeams' + AuthenticationMethod = $resource.AuthenticationMethod + } } } } } - return ($workloads | Sort-Object) + return ($workloads | Sort-Object {$_.Name}) } <# From c32f5535825eb37c3b3d9cbeaef65f31677041d8 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 30 Nov 2023 17:27:38 +0000 Subject: [PATCH 46/49] Updated Resources and Cmdlet documentation pages --- .../cmdlets/Get-M365DSCWorkloadsListFromResourceNames.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/user-guide/cmdlets/Get-M365DSCWorkloadsListFromResourceNames.md b/docs/docs/user-guide/cmdlets/Get-M365DSCWorkloadsListFromResourceNames.md index 78fe1494b5..ba1ff1e78a 100644 --- a/docs/docs/user-guide/cmdlets/Get-M365DSCWorkloadsListFromResourceNames.md 
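Review bot: In the `'O3'` case the condition still ends with `-and $resource -eq 'O365Group'`, although the rest of the new code reads `$resource.Name` and `$resource.AuthenticationMethod`. If `$resource` is now an object rather than a string, that comparison is presumably never true and `O365Group` falls through to the `ExchangeOnline` branch. The line should read `if ((-not $workloads.Name -or -not $workloads.Name.Contains('MicrosoftGraph')) -and $resource.Name -eq 'O365Group')`, with the parentheses making the grouping explicit. Workloads are also de-duplicated on `Name` alone, so the `AuthenticationMethod` kept for a workload is that of the first resource seen, and a later resource of the same workload with a different method is silently ignored; that choice deserves a comment or an explicit rule. `[OutputType([System.Collections.Hashtable])]` also understates the return value, which is a sorted array of hashtables.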
+++ b/docs/docs/user-guide/cmdlets/Get-M365DSCWorkloadsListFromResourceNames.md @@ -7,13 +7,13 @@ This function returns the used workloads for the specified DSC resources ## Output This function outputs information as the following type: -**System.Boolean** +**System.Collections.Hashtable** ## Parameters | Parameter | Required | DataType | Default Value | Allowed Values | Description | | --- | --- | --- | --- | --- | --- | -| ResourceNames | True | String[] | | | Specifies the resources for which the workloads should be determined. | +| ResourceNames | True | Array | | | Specifies the resources for which the workloads should be determined. | ## Examples From e44a01498f7f04f2fb76dede58630442e435f953 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 30 Nov 2023 12:48:01 -0500 Subject: [PATCH 47/49] Fixes #3968 --- CHANGELOG.md | 5 + .../MSFT_TeamsMessagingPolicy.psm1 | 91 +++++++++++++------ .../MSFT_TeamsMessagingPolicy.schema.mof | 3 + 3 files changed, 73 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index df0ce3685e..82396c9bb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -48,6 +48,10 @@ * IntuneDeviceEnrollmentStatusPageWindows10 * Fixed assignments using API call FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) +* TeamsMessagingPolicy + * Added support for properties AllowCommunicationComplianceEndUserReporting, + AllowFluidCollaborate and AllowSecurityEndUserReporting. + FIXES [#3968](https://github.com/microsoft/Microsoft365DSC/issues/3968) * TeamsTeam * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) @@ -59,6 +63,7 @@ * M365DSCDRGUtil * Added ConvertFrom-IntunePolicyAssignment and ConvertTo-IntunePolicyAssignment FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + * Support for Multi-Tenancy (Credentials + TenantId). # 1.23.1122.1 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.psm1 index 5bb84c69a9..a7c77f4b8c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.psm1 @@ -8,10 +8,18 @@ function Get-TargetResource [System.String] $Identity, + [Parameter()] + [System.Boolean] + $AllowCommunicationComplianceEndUserReporting, + [Parameter()] [System.Boolean] $AllowGiphy, + [Parameter()] + [System.Boolean] + $AllowFluidCollaborate, + [Parameter()] [System.Boolean] $AllowMemes, @@ -20,6 +28,10 @@ function Get-TargetResource [System.Boolean] $AllowOwnerDeleteMessage, + [Parameter()] + [System.Boolean] + $AllowSecurityEndUserReporting, + [Parameter()] [System.Boolean] $AllowStickers, 
@@ -156,32 +168,35 @@ function Get-TargetResource } return @{ Identity = $currentPolicy - AllowGiphy = $policy.AllowGiphy - AllowMemes = $policy.AllowMemes - AllowOwnerDeleteMessage = $policy.AllowOwnerDeleteMessage - AllowStickers = $policy.AllowStickers - AllowUrlPreviews = $policy.AllowUrlPreviews - AllowUserChat = $policy.AllowUserChat - AllowUserDeleteMessage = $policy.AllowUserDeleteMessage - AllowUserEditMessage = $policy.AllowUserEditMessage - AllowSmartCompose = $policy.AllowSmartCompose - AllowSmartReply = $policy.AllowSmartReply - AllowUserTranslation = $policy.AllowUserTranslation - GiphyRatingType = $policy.GiphyRatingType - ReadReceiptsEnabledType = $policy.ReadReceiptsEnabledType - AllowImmersiveReader = $policy.AllowImmersiveReader - AllowRemoveUser = $policy.AllowRemoveUser - AllowPriorityMessages = $policy.AllowPriorityMessages - AllowUserDeleteChat = $policy.AllowUserDeleteChat - ChannelsInChatListEnabledType = $policy.ChannelsInChatListEnabledType - AudioMessageEnabledType = $policy.AudioMessageEnabledType - Description = $policy.Description - Tenant = $policy.Tenant - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + AllowCommunicationComplianceEndUserReporting = $policy.AllowCommunicationComplianceEndUserReporting + AllowGiphy = $policy.AllowGiphy + AllowFluidCollaborate = $policy.AllowFluidCollaborate + AllowMemes = $policy.AllowMemes + AllowOwnerDeleteMessage = $policy.AllowOwnerDeleteMessage + AllowSecurityEndUserReporting = $policy.AllowSecurityEndUserReporting + AllowStickers = $policy.AllowStickers + AllowUrlPreviews = $policy.AllowUrlPreviews + AllowUserChat = $policy.AllowUserChat + AllowUserDeleteMessage = $policy.AllowUserDeleteMessage + AllowUserEditMessage = $policy.AllowUserEditMessage + AllowSmartCompose = $policy.AllowSmartCompose + AllowSmartReply = $policy.AllowSmartReply + AllowUserTranslation = $policy.AllowUserTranslation 
+ GiphyRatingType = $policy.GiphyRatingType + ReadReceiptsEnabledType = $policy.ReadReceiptsEnabledType + AllowImmersiveReader = $policy.AllowImmersiveReader + AllowRemoveUser = $policy.AllowRemoveUser + AllowPriorityMessages = $policy.AllowPriorityMessages + AllowUserDeleteChat = $policy.AllowUserDeleteChat + ChannelsInChatListEnabledType = $policy.ChannelsInChatListEnabledType + AudioMessageEnabledType = $policy.AudioMessageEnabledType + Description = $policy.Description + Tenant = $policy.Tenant + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint } } } @@ -206,10 +221,18 @@ function Set-TargetResource [System.String] $Identity, + [Parameter()] + [System.Boolean] + $AllowCommunicationComplianceEndUserReporting, + [Parameter()] [System.Boolean] $AllowGiphy, + [Parameter()] + [System.Boolean] + $AllowFluidCollaborate, + [Parameter()] [System.Boolean] $AllowMemes, @@ -218,6 +241,10 @@ function Set-TargetResource [System.Boolean] $AllowOwnerDeleteMessage, + [Parameter()] + [System.Boolean] + $AllowSecurityEndUserReporting, + [Parameter()] [System.Boolean] $AllowStickers, @@ -366,10 +393,18 @@ function Test-TargetResource [System.String] $Identity, + [Parameter()] + [System.Boolean] + $AllowCommunicationComplianceEndUserReporting, + [Parameter()] [System.Boolean] $AllowGiphy, + [Parameter()] + [System.Boolean] + $AllowFluidCollaborate, + [Parameter()] [System.Boolean] $AllowMemes, @@ -378,6 +413,10 @@ function Test-TargetResource [System.Boolean] $AllowOwnerDeleteMessage, + [Parameter()] + [System.Boolean] + $AllowSecurityEndUserReporting, + [Parameter()] [System.Boolean] $AllowStickers, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.schema.mof index 3b41477b08..0e29efb6ce 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMessagingPolicy/MSFT_TeamsMessagingPolicy.schema.mof @@ -2,6 +2,9 @@ class MSFT_TeamsMessagingPolicy : OMI_BaseResource { [Key, Description("Identity for the teams messaging policy you're modifying. To modify the global policy, use this syntax: -Identity global. To modify a per-user policy, use syntax similar to this: -Identity TeamsMessagingPolicy.")] string Identity; + [Write, Description("Report inappropriate content.")] boolean AllowCommunicationComplianceEndUserReporting; + [Write, Description("Determines is Fluid Collaboration should be enabled or not.")] boolean AllowFluidCollaborate; + [Write, Description("Report a security concern.")] boolean AllowSecurityEndUserReporting; [Write, Description("Determines whether a user is allowed to access and post Giphys. Set this to TRUE to allow. Set this FALSE to prohibit.")] boolean AllowGiphy; [Write, Description("Determines whether a user is allowed to access and post memes. Set this to TRUE to allow. Set this FALSE to prohibit.")] boolean AllowMemes; [Write, Description("Determines whether owners are allowed to delete all the messages in their team. Set this to TRUE to allow. Set this to FALSE to prohibit.")] boolean AllowOwnerDeleteMessage; From 0dc5e8d7e49965d27d835a8eb237ed72f32f482e Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 30 Nov 2023 18:00:14 +0000 Subject: [PATCH 48/49] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/teams/TeamsMessagingPolicy.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/docs/resources/teams/TeamsMessagingPolicy.md b/docs/docs/resources/teams/TeamsMessagingPolicy.md index 3ee08fae1b..6fee244358 100644 --- a/docs/docs/resources/teams/TeamsMessagingPolicy.md +++ b/docs/docs/resources/teams/TeamsMessagingPolicy.md 
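Review bot: The three added `Description` strings do not tell an administrator what TRUE or FALSE does. `"Report inappropriate content."` and `"Report a security concern."` name a feature rather than the effect of the setting, and `"Determines is Fluid Collaboration should be enabled or not."` has a typo (`is` for `if`). The neighbouring properties follow the pattern `Determines whether ... Set this to TRUE to allow. Set this to FALSE to prohibit.`, and the new ones should match it, for example `Description("Determines whether users can report a security concern. Set this to TRUE to allow. Set this to FALSE to prohibit.")`, with the exact wording confirmed against the cmdlet documentation. The same text is copied into the `TeamsMessagingPolicy.md` table in the following patch, so fixing it here fixes both.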
@@ -5,6 +5,9 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | | **Identity** | Key | String | Identity for the teams messaging policy you're modifying. To modify the global policy, use this syntax: -Identity global. To modify a per-user policy, use syntax similar to this: -Identity TeamsMessagingPolicy. | | +| **AllowCommunicationComplianceEndUserReporting** | Write | Boolean | Report inappropriate content. | | +| **AllowFluidCollaborate** | Write | Boolean | Determines is Fluid Collaboration should be enabled or not. | | +| **AllowSecurityEndUserReporting** | Write | Boolean | Report a security concern. | | | **AllowGiphy** | Write | Boolean | Determines whether a user is allowed to access and post Giphys. Set this to TRUE to allow. Set this FALSE to prohibit. | | | **AllowMemes** | Write | Boolean | Determines whether a user is allowed to access and post memes. Set this to TRUE to allow. Set this FALSE to prohibit. | | | **AllowOwnerDeleteMessage** | Write | Boolean | Determines whether owners are allowed to delete all the messages in their team. Set this to TRUE to allow. Set this to FALSE to prohibit. | | From 0e9e75172821b47b8a16eeb55a8c92e93a00ab0e Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 30 Nov 2023 13:18:58 -0500 Subject: [PATCH 49/49] Release 1.23.1129.1 --- CHANGELOG.md | 2 +- Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 68 +++++++++++++++++--- 2 files changed, 60 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index df0ce3685e..56ffa1546d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Change log for Microsoft365DSC -# UNRELEASED +# 1.23.1129.1 * AADRoleSetting * Export sorted by DisplayName for better comparison diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index 897f65147e..4e1c82e5b8 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 
+++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2023-11-22 +# Generated on: 2023-11-30 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.23.1122.1' + ModuleVersion = '1.23.1129.1' # Supported PSEditions # CompatiblePSEditions = @() 
@@ -140,13 +140,63 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* SPOSharingSettings - * Fixes typo to re-enable export of ExternalUserExpireInDays and - ExternalUserExpirationRequired. -* DEPENDENCIES - * Updated DSCParser to version 1.4.0.0. - * Updated Microsoft.Graph to version 2.9.1. - * Updated MicrosoftTeams to version 5.8.0.' + ReleaseNotes = '* AADRoleSetting + * Export sorted by DisplayName for better comparison + * Enable Filter property to be used on export + FIXES [#3919](https://github.com/microsoft/Microsoft365DSC/issues/3919) + * AADUser + * Added the MemberOf Property. + * IntuneAntivirusPolicyWindows10SettingCatalog + * Skipped settingValueTemplateReference and settingInstanceTemplateReference + for severethreats, highseveritythreats, moderateseveritythreats, + lowseveritythreats as per API requirements observed in the Intune portal. + FIXES [#3818](https://github.com/microsoft/Microsoft365DSC/issues/3818) + FIXES [#3955](https://github.com/microsoft/Microsoft365DSC/issues/3955) + * IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy, + IntuneAccountProtectionLocalUserGroupMembershipPolicy, + IntuneAccountProtectionPolicy, + * Fixes export if Assignments is set on existing policies + FIXES [3913](https://github.com/microsoft/Microsoft365DSC/issues/3913) + * Add groupDisplayName to Assignments embedded instance + * IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10, + IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10, + IntuneDeviceConfigurationIdentityProtectionPolicyWindows10, + IntuneDeviceConfigurationEndpointProtectionPolicyWindows10, + IntuneDeviceEnrollmentStatusPageWindows10, + IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, + IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Removed Id and all authentication parameters from PSBoundParameters in 
Test-TargetResource + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) + * IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + * IntuneDeviceEnrollmentStatusPageWindows10 + * Fixed assignments using API call + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + * IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + * IntuneWindowsAutopilotDeploymentProfileAzureADJoined + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + * IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10 + * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment + * IntuneDeviceConfigurationPolicyWindows10 + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + * IntuneDeviceEnrollmentStatusPageWindows10 + * Fixed assignments using API call + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + * TeamsTeam + * Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[] + FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890) + * DEPENDENCIES + * Updated DSCParser to version 1.4.0.1. + * Updated Microsoft.Graph to version 2.10.0. + * Updated MSCloudLoginAssistant to version 1.1.0. 
+ * MISC + * M365DSCDRGUtil + * Added ConvertFrom-IntunePolicyAssignment and ConvertTo-IntunePolicyAssignment + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892)' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false