Merge branch 'Dev' into fix/microsoft#3885-AADConditionalAccessPolicy

.github/workflows/CodeCoverage.yml

@@ -18,6 +18,7 @@ jobs:
         shell: pwsh
         run: |
           Install-Module ReverseDSC -Force -Scope AllUsers
+          Install-Module DSCParser -Force -Scope AllUsers
           Install-Module PSDesiredStateConfiguration -Force -Scope AllUsers
           Install-Module Pester -Force -SkipPublisherCheck -Scope AllUsers
           [System.Environment]::SetEnvironmentVariable('M365DSCTelemetryEnabled', $false, [System.EnvironmentVariableTarget]::Machine);

.github/workflows/Global - Integration - AAD.yml

@@ -0,0 +1,88 @@
+name: Global - Integration - AAD
+on: [push]
+
+jobs:
+  Integration-Global-AAD:
+    # The type of runner that the job will run on
+    runs-on: windows-latest
+
+    # Only when run from the main repo
+    if: github.repository == 'microsoft/Microsoft365DSC'
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+      - name: Install Microsoft365DSC
+        shell: powershell
+        run: |
+          winrm quickconfig -force
+          $source = "./Modules/Microsoft365DSC/"
+          $destination = "C:\Program Files\WindowsPowerShell\Modules"
+          Copy-Item -Path $source -Recurse -Destination $destination -Container -Force
+          Update-M365DSCDependencies
+      - name: Configure Environment
+        shell: powershell
+        run: |
+          Set-ExecutionPolicy Unrestricted -Force
+          Get-ChildItem "C:\Program Files\WindowsPowerShell\Modules" -Recurse | Unblock-File
+          Set-M365DSCTelemetryOption -Enabled $false
+          Set-Item -Path WSMan:\localhost\MaxEnvelopeSizekb -Value 99999
+      - name: Generate {Create} Integration Tests from Examples
+        shell: powershell
+        run: |
+          Import-Module './Tests/Integration/M365DSCTestEngine.psm1'
+          New-M365DSCIntegrationTest -Workload AAD -Step '1-Create'
+      - name: Commit {Create} Integration Tests
+        shell: powershell
+        run: |
+          git config --local user.email "nicharl@microsoft.com"
+          git config --local user.name "NikCharlebois"
+          git add D:/a/Microsoft365DSC/Microsoft365DSC/Tests/Integration/*
+          git pull
+          git commit -m "Updated {Create} AAD Integration Tests"
+          git push
+          $SHA = git rev-parse HEAD
+          echo "commitid=$SHA" >> $env:GITHUB_OUTPUT
+      - name: Run {Create} Integration Tests
+        shell: powershell
+        env:
+          INTEGRATION_USERNAME: ${{ secrets.INTEGRATION_USERNAME }}
+          INTEGRATION_PASSWORD: ${{ secrets.INTEGRATION_PASSWORD }}
+        run: |
+          $CredPassword = ConvertTo-SecureString $env:INTEGRATION_PASSWORD -AsPlainText -Force
+          $Credential = New-Object System.Management.Automation.PSCredential ($env:INTEGRATION_USERNAME, $CredPassword)
+          try
+          {
+            & .\Tests\Integration\Microsoft365DSC\M365DSCIntegration.AAD.Create.Tests.ps1 -Credential $Credential
+          }
+          catch
+          {
+            throw $_
+          }
+
+          try
+          {
+            $Result = Test-DSCConfiguration -Detailed -Verbose -ErrorAction Stop
+          }
+          catch
+          {
+            throw $_
+          }
+
+          Write-Host ""
+
+          if ($Result.InDesiredState -eq $false)
+          {
+            Write-Host -Message "Resources below are not in the Desired State:"
+            foreach ($Resource in $Result.ResourcesNotInDesiredState)
+            {
+                Write-Host $Resource.InstanceName
+            }
+
+            throw "Could not validate that the Tenant is in the Desired State"
+          }
+          else
+          {
+            Write-Host "All resources in the Tenant are in the Desired State"
+          }

.github/workflows/Global - Integration - INTUNE.yml

@@ -0,0 +1,88 @@
+name: Global - Integration - INTUNE
+on: [push]
+
+jobs:
+  Integration-Global-INTUNE:
+    # The type of runner that the job will run on
+    runs-on: windows-latest
+
+    # Only when run from the main repo
+    if: github.repository == 'microsoft/Microsoft365DSC'
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+      - name: Install Microsoft365DSC
+        shell: powershell
+        run: |
+          winrm quickconfig -force
+          $source = "./Modules/Microsoft365DSC/"
+          $destination = "C:\Program Files\WindowsPowerShell\Modules"
+          Copy-Item -Path $source -Recurse -Destination $destination -Container -Force
+          Update-M365DSCDependencies
+      - name: Configure Environment
+        shell: powershell
+        run: |
+          Set-ExecutionPolicy Unrestricted -Force
+          Get-ChildItem "C:\Program Files\WindowsPowerShell\Modules" -Recurse | Unblock-File
+          Set-M365DSCTelemetryOption -Enabled $false
+          Set-Item -Path WSMan:\localhost\MaxEnvelopeSizekb -Value 99999
+      - name: Generate {Create} Integration Tests from Examples
+        shell: powershell
+        run: |
+          Import-Module './Tests/Integration/M365DSCTestEngine.psm1'
+          New-M365DSCIntegrationTest -Workload INTUNE -Step '1-Create'
+      - name: Commit {Create} Integration Tests
+        shell: powershell
+        run: |
+          git config --local user.email "nicharl@microsoft.com"
+          git config --local user.name "NikCharlebois"
+          git add D:/a/Microsoft365DSC/Microsoft365DSC/Tests/Integration/*
+          git pull
+          git commit -m "Updated {Create} Intune Integration Tests"
+          git push
+          $SHA = git rev-parse HEAD
+          echo "commitid=$SHA" >> $env:GITHUB_OUTPUT
+      - name: Run {Create} Integration Tests
+        shell: powershell
+        env:
+          INTEGRATION_USERNAME: ${{ secrets.INTEGRATION_USERNAME }}
+          INTEGRATION_PASSWORD: ${{ secrets.INTEGRATION_PASSWORD }}
+        run: |
+          $CredPassword = ConvertTo-SecureString $env:INTEGRATION_PASSWORD -AsPlainText -Force
+          $Credential = New-Object System.Management.Automation.PSCredential ($env:INTEGRATION_USERNAME, $CredPassword)
+          try
+          {
+            & .\Tests\Integration\Microsoft365DSC\M365DSCIntegration.INTUNE.Create.Tests.ps1 -Credential $Credential
+          }
+          catch
+          {
+            throw $_
+          }
+
+          try
+          {
+            $Result = Test-DSCConfiguration -Detailed -Verbose -ErrorAction Stop
+          }
+          catch
+          {
+            throw $_
+          }
+
+          Write-Host ""
+
+          if ($Result.InDesiredState -eq $false)
+          {
+            Write-Host -Message "Resources below are not in the Desired State:"
+            foreach ($Resource in $Result.ResourcesNotInDesiredState)
+            {
+                Write-Host $Resource.InstanceName
+            }
+
+            throw "Could not validate that the Tenant is in the Desired State"
+          }
+          else
+          {
+            Write-Host "All resources in the Tenant are in the Desired State"
+          }

.github/workflows/PublishGitHubPages.yml

@@ -23,8 +23,8 @@ jobs:
         if: always()
         shell: pwsh
         run: |
-          git config --local user.email "nik.charlebois@microsoft.com"
-          git config --local user.name "Nik Charlebois"
+          git config --local user.email "nicharl@microsoft.com"
+          git config --local user.name "NikCharlebois"
           git add D:/a/Microsoft365DSC/Microsoft365DSC/docs/docs/*
           git pull
           git commit -m "Updated Resources and Cmdlet documentation pages"

Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1

@@ -551,12 +551,19 @@ function Set-TargetResource
         Write-Verbose -Message "Creating an Azure AD Administrative Unit with DisplayName {$DisplayName}"
 
         #region resource generator code
-        $policy = New-MgBetaDirectoryAdministrativeUnit -BodyParameter $CreateParameters
+        Write-Verbose -Message "Creating new Administrative Unit with: $(Convert-M365DscHashtableToString -Hashtable $CreateParameters)"
+
+        $jsonParams = ConvertTo-Json $CreateParameters
+
+        # TODO - Replace by cmdlet call which has an issue in 2.11.1
+        $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/administrativeUnits'
+        $policy = Invoke-MgGraphRequest -Method POST -Uri $url -Body $jsonParams
 
         if ($MembershipType -ne 'Dynamic')
         {
             foreach ($member in $memberSpecification)
             {
+                Write-Verbose -Message "Adding new dynamic member {$($member.Id)}"
                 $memberBodyParam = @{
                     '@odata.id' = "https://graph.microsoft.com/v1.0/$($member.Type)/$($member.Id)"
                 }
@@ -949,6 +956,10 @@ function Export-TargetResource
     [OutputType([System.String])]
     param
     (
+        [Parameter()]
+        [System.String]
+        $Filter,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $Credential,
@@ -989,12 +1000,14 @@ function Export-TargetResource
     Add-M365DSCTelemetryEvent -Data $data
     #endregion
 
+
+
+
     try
     {
         $Script:ExportMode = $true
         #region resource generator code
-        [array] $Script:exportedInstances = Get-MgBetaDirectoryAdministrativeUnit -All `
-            -ErrorAction Stop
+        [array] $Script:exportedInstances = Get-MgBetaDirectoryAdministrativeUnit -Filter $Filter -All:$true -ErrorAction Stop
         #endregion
 
         $i = 1

Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/MSFT_AADAttributeSet.psm1

@@ -363,13 +363,19 @@ function Export-TargetResource
     }
     catch
     {
-        Write-Host $Global:M365DSCEmojiRedX
-
-        New-M365DSCLogEntry -Message 'Error during Export:' `
+        if ($_.ErrorDetails.Message -like "*Insufficient privileges*")
+        {
+            Write-Host "`r`n    $($Global:M365DSCEmojiYellowCircle) Insufficient permissions or license to export Attribute Sets."
+        }
+        else
+        {
+            Write-Host $Global:M365DSCEmojiRedX
+            New-M365DSCLogEntry -Message 'Error during Export:' `
             -Exception $_ `
             -Source $($MyInvocation.MyCommand.Source) `
             -TenantId $TenantId `
             -Credential $Credential
+        }
 
         return ''
     }

Modules/Microsoft365DSC/DSCResources/MSFT_AADAttributeSet/settings.json

@@ -3,10 +3,10 @@
     "description": "Represents a group of related custom security attribute definitions.",
     "roles": {
         "read": [
-            "Security Reader"
+            "Attribute Definition Reader"
         ],
         "update": [
-            "Authentication Policy Administrator"
+            "Attribute Definition Administrator"
         ]
     },
     "permissions": {

Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicy/MSFT_AADAuthenticationMethodPolicy.psm1

@@ -357,6 +357,7 @@ function Set-TargetResource
         }
         #region resource generator code
         $UpdateParameters.Add("@odata.type", "#microsoft.graph.AuthenticationMethodsPolicy")
+        Write-Verbose -Message "Updating AuthenticationMethodPolicy with: `r`n$(Convert-M365DscHashtableToString -Hashtable $UpdateParameters)"
         Update-MgBetaPolicyAuthenticationMethodPolicy -BodyParameter $UpdateParameters
         #endregion
     }